ISS and Cisco v. Granick’s Gambling Plans. By Jennifer Granick
[FAC: Jennifer Granick is Michael Lynn's personal attorney, representing him in the referenced situation above. (See Message 10874 above as well). Her views are presented in four parts, starting at the bottom of the following page and working their way up to the top (today): granick.com The opening several paragraphs of this ongoing account follow, starting with her August 2nd message that followed the Black Hat event:]
---snip
What follows is my take on “Ciscogate”, the uproar over researcher Michael Lynn’s presentation at this year’s Black Hat conference, in which he revealed that he was able to remotely execute code on Cisco routers. I have been representing Mike during this crisis, so I’m clearly partisan, and what I can say is limited by attorney-client responsibilities. But while many people are speculating about the facts, there hasn’t been much on the law, which turns out to be really interesting.
I arrived in Las Vegas around 1:00 PM on Wednesday. My plane had been delayed and I was anxious to get to Caesar’s Palace and get prepared for my presentation, scheduled for 3:15P. My parents and sister also were coming to see me and I had to get approval for their day passes from the Black Hat powers-that-be. I had heard that there was a chance of some legal problems with a talk that Mike Lynn had planned to give about Cisco router vulnerability and that the night or so before the conference, Cisco sent temp workers to cut Lynn’s slides out of the presentation materials and to seize CDs containing his powerpoint presentation. But I wasn’t involved in the case yet.
---end snip
From NANOG, some additional, cogent comments from poster MD on the same subject that struck me as being highly pertinent:
---snip:
/* ARTICLE
> Experts and users say the hole in IOS appears not to be an immediate
> concern based on what is public knowledge at the moment, since patches
> are available. But what concerns some is that Lynn's exploit
> techniques take router hacking to a new level, which eventually could
> have security implications for Cisco customers.
> */
They are not "Lynn's exploit techniques". The techniques were published by someone else in considerably more detail than Lynn along with source code. And this other person has also described techniques for attacking other brands of network equipment not just Cisco.
There is a sea change in hacker activity under way as they realize that most embedded systems (including routers and switches) are now based on general purpose computer technology and that such systems are full of opportunities for software exploits. Hackers no longer just attack OSes like Windows and Linux, they now are beginning to go after any kind of smart device, especially when the exploits can be leveraged for blackmail or to earn cash from espionage.
You aren't safe just because your network runs on brand X boxes. The only way to be safe is for your brand X vendors to take software security and systemic security much more seriously. I also believe that there are lessons to be learned from the open source community's approach to security. This doesn't mean that Cisco or any other Brand X vendor should just run out and replace their box's OS with OpenBSD or NetBSD or Linux. But they need to seriously ask themselves what advantage they gain from inventing their own wheel and rejecting the work of thousands of highly skilled and dedicated people.
There really is no such thing as closed source. The people building these exploits are fully capable of taking code from ROM or flash memory and reading what it does. It's all fine and well to have layers of security but hiding your source code really shouldn't be counted as a security layer.
Even if someone managed to eliminate Lynn and all past and current employees of ISS by exiling them to Cuba, this would not stop the hackers who are exploiting network device flaws.
---end snip
Those are some interesting ideas to contemplate and digest, eh? They speak volumes about the need for robustness through diversity, as opposed to the dependence on monoculturist defaults that the universe of networking platforms shares, if nothing else ... Comments?
------ FAC