Lynn Settles With Cisco, Investigated By FBI 357
Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
The real issue is... (Score:5, Informative)
The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that though is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (which are a few I'm sure. No point on upgrading a working system with a patch that could break you.)
The real problem is Cisco and their disregard to release information over a severe vulnerability in order to press forward their new OS next year.
OUTGOING (Score:0, Informative)
60691 60691
HELLO WORLD
41529 41529 37391 37391 16079 16079 00583 00583 28145 28145 10248 10248
65200 65200 54451 54451 61814 61814 71645 71645 89370 89370 83390 83390
83850 83850 35222 35222 82600 82600 32861 32861 14891 14891 84629 84629
98985 98985 62184 62184 78713 78713 69353 69353 67395 67395 47211 47211
04383 04383 03368 03368 19687 19687 63126 63126 75503 75503 60948 60948
21683 21683 71130 71130 24901 24901 14226 14226 49885 49885 29738 29738
15491 15491 63673 63673 71613 71613 53775 53775
K-BYE
PDF of the Presentation (Score:5, Informative)
TFA (Score:4, Informative)
In other words, probably not really in trouble with the FBI.
Re:I hope they nail him to the wall! (Score:3, Informative)
Why didn't he blow the whistle to the US-CERT, then? Yeah, this is a good idea, let's present it at a Black Hat convention. Jeez
Do you have any idea who is at Black Hat these days? It is a huge security convention sponsored by hundreds of major computer and security vendors, even Microsoft is a sponsor. Heck the Department of Defense, the Army, West Point, Stanford Law School, etc. all had people giving presentations. If you want to get the word out when a major threat is being ignored, blackhat is a pretty good place to do it. It seems to have worked, don't you think?
Re:No good deed goes unpunished. (Score:5, Informative)
One specific buffer overflow vulnerability was patched. But Lynn's presentation was a general approach to exploit any buffer overflow, with dire consequences. There is likely more exploitable code inside those routers; it's just a matter of time before some is found. At that point Lynn's attack could be executed.
Cisco discloses actual vulnerability (Score:4, Informative)
http://www.cisco.com/warp/public/707/cisco-sa-200
http://www.eweek.com/article2/0,1759,1841669,00.a
Upshot is that if you aren't running IPv6 on the router, this doesn't affect you.
Re:It may or may not be illegal (Score:3, Informative)
One day people in this country will realize that congresscritters and senators don't listen to their constituents anymore, and they haven't done so for a very long time. Mostly they listen to corporations and their lobbies.
I'm glad you still have the proper democratic reflex a citizen should have when confronted with issues, but really you should realize "writing to your congressman" nowadays amounts to pushing a button that's been disconnected.
Re:No good deed goes unpunished. (Score:2, Informative)
Details of Cisco security hole (Score:2, Informative)
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
Download the Presentation (Score:1, Informative)
Lynn-cisco.pdf" [infowarrior.org]
So you didn't go through proper channels... (Score:3, Informative)
In the mean time, time to do a Freenet search for his paper. I can't believe all of the copies were destroyed.
You are making a *LARGE* assumption... (Score:4, Informative)
He gave Cisco *FOUR MONTHS* to fix it, which is hardly "instantaneous".
Cisco issues advisory (Score:3, Informative)
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Re:PDF of the Presentation (Score:2, Informative)
Re:No good deed goes unpunished. (Score:2, Informative)
As the FBI is investigating, I presume this is the USA. That's where companies like the well known Paladin Press are. For those that don't know, they publish some very weird stuff. They publish books on subjects like Improvised Explosives, weapons conversions (making a semi-auto into full-auto), improvised silencers, as well as how-to's on electronics for Surveillance and sabotage. Since they're still advertising in the back of various hobby magazines, I presume they're still legal in at least some states.
What I find weird is, if stuff like that is still legal why would something like this be an issue? This is pretty lightweight stuff by comparison.
By the way, being "investigated" doesn't mean anything. Law enforcement agencies around the world "investigate" useless crap all the time. All it requires is someone filing an official complaint and it has to be followed up. You can't infer guilt just because the police want to talk to someone.