
August 2, 2005

Don't panic, or what is the issue after all?

There is a heated debate over the so-called right to irresponsible disclosure.

Michael Lynn, a security researcher who used to work for ISS before the whole story, discovered a very serious security problem in Cisco's IOS class of operating systems, which runs their popular routers and network firewalls. Lynn started by working with Cisco to patch this vulnerability, as any white hat would responsibly do, giving the company a chance to patch before the bad guys find out.

Apparently, somewhere during this process Cisco panicked. And they panicked so big that they've decided to completely bury the story and never allow anybody to speak of it. Lesson number one for Cisco: don't panic yet, it is just about to get worse.

Seeing that Cisco panicked, Michael Lynn did the right thing - from the point of view of some people - or the worst thing in the world - from the point of view of other people: he went ahead and spoke about this terrible secret at the BlackHat Briefings conference last week in Las Vegas. Even more panicked by the panicking Michael Lynn, Cisco went ahead and destroyed all the original BlackHat proceedings CDs, ripped Lynn's presentation out of the printed conference proceedings and threatened just about everybody in the unlikely case that the researcher decided to speak about this unfathomable truth. Lesson number two for Cisco: once the rabbit is out of the hat, be it even a Black Hat, the worst thing to do is to claim there is no rabbit.

When the time came for Mr. Lynn to present at BlackHat, he started by speaking on the subject imposed on him by the conference organizers, his ex-employer and Cisco, which was some rather common and not so groundbreaking wireless vulnerabilities. In a striking proof of anarchy, the mob at BlackHat started yelling and demanding the Cisco IOS presentation. Encouraged by the crowd, or better said, left with no other choice, Michael Lynn went on, and on and on, to Cisco's despair. And so we come to Lesson Number Three for Cisco: never underestimate the mob.

The rest will be decided in a long series of trials, of which the company already named many times in this post will most likely have the most to lose. The right to responsible, or irresponsible, disclosure is maybe less important in this story. What is important, in my personal opinion, is the underlying reason for which everybody is so scared, panicked and out of control. Which is the following: the Internet is so dependent on Cisco hardware that a coordinated attack using the unspeakable vulnerability that Lynn discovered may bring it down. Which brings me to the last and final lesson in this post, addressed to nobody in particular: diversity.

Choose your hardware wisely, and don't rely on a single brand. If you have the budget to buy the No. 1 hardware out there, buy one which is just as good and a little bit less expensive. Or if you have just about the budget to buy No. 3, add a few more bucks and buy No. 2. If your entire company network is based on routers from company X, buy a few from company Y as well. Of course, be sure to test their interoperability first. Finally, when the unspeakable happens, don't panic. Just upgrade that flash and carry on.

Posted by Costin Raiu at August 2, 2005 6:37 PM

Comments

"A striking proof of anarchy"? Aren't we just a tidbit over the top ;-) ...

Posted by: thewhiterabbit at August 3, 2005 11:23 AM

> Aren't we just a tidbit over the top ;-)

Not IMHO, but then again, who am I to contradict the white rabbit? :)

Posted by: Costin at August 4, 2005 1:28 PM
