Unravelling Ciscogate

Can the IT security business be trusted to police itself when industry heavyweights like Cisco sue security researchers who expose product flaws? Are security researchers little more than hackers who put the enterprise in danger with irresponsible disclosures? NME investigates the Michael Lynn incident in search of answers.

By Simon Duddy. Published August 17, 2005

The contemporary security landscape is a very dangerous place, with vendors and end users increasingly nervous. It makes this writer yearn for the simpler days of the late 1980s, when the Yankee Doodle virus shook the PC world by infecting PCs and, well, playing Yankee Doodle. These days, hackers tend to have much more criminal intent and work stealthily to undermine enterprise networks and PCs. The first a user may know of an attack is when the network is down or when someone has cleaned out their internet banking account. This increased threat has created a new level of twitchiness and paranoia among end users, IT vendors and security researchers, which came to a head recently when Cisco slapped an injunction on Michael Lynn, an IT security researcher, stopping him from continuing to publicise a security flaw in the internetworking operating system (IOS) found on its routers. ISS and Cisco refused to give Lynn permission to disclose the flaw, but he resigned from his post at ISS and gave a presentation showing how the flaw could be exploited at the Black Hat Briefings conference on 27 July in Las Vegas. Lynn put his defiant stance down to two recent thefts of Cisco IOS code, which he believes increase the likelihood of a serious breach of Cisco routers and the potentially damaging consequences of a router worm. Lynn has talked up the potential damage of a router worm, saying that if the network goes down it will be very difficult to get back up again, as router vendors will be unable to ship patches over the network. He also says that vendors cannot post a CD fix, as routers don’t have CD drives. This allowed Lynn to insist that he acted out of concern for national security, which is not as far-fetched as it might seem, as a large percentage of internet traffic relies on Cisco routers to reach its destination.
Even companies that do not use Cisco routers will be affected by an attack on Cisco routers as many of their business partners will use Cisco and if they go offline, then in effect so does a non-Cisco-based company. Cisco responded in two ways, one by taking legal action against Lynn and secondly by releasing a security advisory for the flaw, which can be found at www.cisco.com/en/US/products/products_security_advisory09186a00804d82c9.shtml. Cisco says the Federal District Court’s issuance of a permanent injunction against Michael Lynn and Black Hat was to prevent further disclosure of code and code pointers that could aid in the development of an exploitation of a network infrastructure. Cisco says that it did not object to a flaw being identified but took action because Lynn and Black Hat “chose to address the issue outside of established industry practices and procedures for responsible disclosure… [which] was not in the best interest of protecting the internet.” Lynn conceded and agreed not to further disclose information on the exploit and also handed over all of his documents relating to the incident to Cisco. Cisco was backed in its legal action by Lynn’s former employer ISS, which also felt the disclosure was premature. “This is not an announcement of a new vulnerability. However, this new research may help uncover new vulnerabilities, which we will proactively address with customers and partners, as we have done in the past,” says Ahmed Etman, senior territory technical manager for the ISS Gulf. “Whether or not new vulnerabilities are found as a result of this research, ISS and Cisco believe that the work will help us collectively improve router security. However, the danger of releasing this information at Black Hat revolved around the fact that ISS felt the presentation was not complete and that further research needed to be done before the details were made public,” he adds. 
The action by Cisco and ISS has generated furious debate in the world of internet security, and highlights the uneasy relationship between vendors and the security researchers who uncover and disclose flaws. Unfortunately, as these parties clash, the number one group at risk is enterprise IT managers. So, how does the issue affect IT managers? Is it in their interests to know about product flaws that undermine security? The initial reaction of the typical enterprise IT manager is that they would prefer to know about any flaws or potential risks to the network; however, the issue is not that simple. Disclosure not only warns enterprises to patch systems, it alerts hackers to vulnerabilities that can be exploited. Unfortunately, hackers and virus writers often approach their endeavours with greater speed and enthusiasm than IT professionals patching systems in a data centre. This is why many systems get caught by worms and hacks despite fixes and patches being available. Cisco was able to promptly release a fix for the problem, so the savvy enterprise should not be in danger. However, had the vendor not been able to publish a fix before exploits became available, the internet could have been hit hard, with a resulting cost of many millions of dollars to customers and vendors alike. On the question of whether network professionals deserved to know about the bug, Hatem Al-Sibai, the chief information officer (CIO) at the Al Ghurair Group, feels this presents a difficult dilemma but strongly favours controlled release of security flaw information. “The ideal situation for network managers is to be able to patch routers before public disclosure of the exploit. This means that Cisco would keep a lid on this exploit until they have concrete plans for the roll-out of patches to affected customers around the world. At that time, Cisco should disclose complete information about the exploit and urge users to patch affected products according to a predetermined and simple procedure. 
This would shorten the time between public exposure of the exploit and patching affected routers, thus reducing the possibility of malicious code appearing,” he explains. Other commentators have voiced concerns that the action could gag potential whistle-blowers and that undisclosed flaws could prove more dangerous in the long run. Some commentators fear the corporate heavy-handedness shown by Cisco could lead to vendors using interminable procedures to bury potentially damaging flaws. Taken to an extreme, this could create a more dangerous environment for enterprises, for while hackers may be able to sniff out the secrets of gagged security researchers, an Abu Dhabi-based IT manager will not. “This certainly puts a chill on having those professional researchers who care about their clients and about the ethics of disclosure,” says Robert Hillery, senior security consultant with Intelguardians.com. “But I do not believe that is the only problem. It will mean that the network and security community may be reluctant to reveal vulnerabilities that large vendors wish to keep under wraps. This will create a false sense of security because these vulnerabilities will remain obscure only to the defenders, not the attackers, who will be handed a greater advantage.” Indeed, even many observers sympathetic to Cisco’s plight have said that the legal action was counter-productive. Al-Sibai feels that the action will attract the attention of hackers, who will find it rewarding to write malicious code for this exploit. “Furthermore, Cisco's legal action against Mr Lynn rewards him by giving him instant fame of global magnitude, which may very well be the real motive behind the disclosure. I think Mr Lynn's disclosure is irresponsible but legal behavior,” he says. The incident has provoked a certain backlash against security researchers, with Hussein Ali Ghanimah, head of IT operations at Juma Al Majid, among those arguing for restraint. 
“As an IT professional I understand that there is no perfect product; every product has bugs and it’s not a big deal. It is a problem to have a bug and hide it, but disclosure should be controlled. If I know about a bug, I should not announce it to everybody so people can use it in a negative way. Suppose I know that the door is open in your home; I should not make a public announcement about it. If I am looking for appreciation that I found the door is open, I can tell you or tell a responsible body about it,” he explains. In response to this crisis and others, vendors and consultants are promoting measures to remedy the situation. On the researchers’ side, consultants have suggested that boosting ethical awareness among security professionals should be a priority. They say awareness of ethical issues is not as high among security professionals as in other professions such as law and medicine, because the training of security professionals tends to focus on skills and technical knowledge. Not all IT professionals agree with this assessment. Al-Sibai says that at the Al Ghurair Group, legality is emphasised rather than ethics. “I do not subscribe to the idea that people can be held accountable for their actions on the basis that actions are legal but not ethical. Simply put, if it is legal, then it cannot be unethical. It is not right to single out IT professionals for additional training and scrutiny, since many other professionals such as auditors and HR staff have access to highly confidential information as well. All staff should receive training on information security and privacy laws applicable in a specific country,” he explains. He says the information security and privacy policy is a fundamental part of Al Ghurair’s orientation of all new employees, with violations dealt with on a case-by-case basis. One helpful by-product of the controversy is that it might accelerate efforts to tighten security. 
Many end users are asking for more developed policies for dealing with potential threats. “Looking at the bright side of this story, Cisco’s legal action has stirred serious discussions that hopefully will lead to standard policies and laws to organise and control the announcements of newly discovered vulnerabilities,” says Rabih Itani, network and security manager, Computing and Networking Services, American University of Beirut (AUB). Vendors are also being more proactive in solving these problems, although this in turn has caused controversy. One example is the recently launched Zero Day Initiative (ZDI) from TippingPoint. With ZDI, TippingPoint is asking security researchers to give it information on newly discovered vulnerabilities in return for monetary rewards. TippingPoint, which has recently been acquired by 3Com, plans to then notify the affected vendors so they can work on a fix. “Through this programme, we seek to ensure that newly discovered vulnerabilities are managed, disclosed and remediated responsibly, so they don’t pose a threat to businesses,” says 3Com chief technology officer, Marc Willebeek-LeMair. However some commentators have criticised the scheme for providing an incentive for hackers to break into software and find weaknesses. “You end up getting people who aren’t necessarily experts in the field trying to find something and sell it to the highest bidder. Once you start this, unless there’s a strict process in place to manage it, you may end up with more problems for everyone,” says Firas Raouf, chief operating officer of eEye Digital Security. For the vendors, the ultimate accountability rests with the users. Simply put, if products and solutions fail to live up to promises and businesses take a serious hit, then the vendor is likely to be finished with that customer and their reputation in the sector will be seriously damaged. 
The Lynn incident, dubbed Ciscogate in some quarters, shows how the stakes are steadily rising in the security business and how small coding errors can cost millions of dollars. Antivirus software vendor Trend Micro lowered its revenue and profit forecasts for the quarter running from April to June 2005 because of a bug in its software. Trend Micro estimates that the mistake cost it up to US$8 million. Increasing threat and its attendant hype, customer spend and vendor investment are rapidly changing the security landscape. Whether you think he is a freewheeling chancer or a brave whistleblower, this increasingly serious atmosphere is likely to see the marginalisation of characters like Michael Lynn. Vendors are increasingly wary of security professionals with hacking skills, and they will seek to promote empirical means to define needs and value in the security sphere. For example, many commentators see managed security services (MSS) becoming more important in the coming years as companies seek to focus on core competencies and outsource some security functions to dedicated companies. “However, what will dominate is the ability to take the knowledge provided by security monitoring through MSS and benchmark against other companies’ security postures and measure against global averages,” says Kevin Issac, Middle East regional director for New Symantec. Therefore, what will be key in the future is not simply buying a solution and hoping that it makes the company secure; it will be about creating measures and precisely defining how secure the enterprise is. This will help vendors to justify their solutions, and CIOs to justify their expenditure. At the moment, the benefits of security are hard to measure, because if solutions work correctly, then nothing happens. One firm working in this arena is nCircle, which manufactures enterprise-class vulnerability and risk management solutions. 
It surveyed 1,700 CIOs, CSOs and security directors for its Vulnerability and Risk Management Trend survey and found that while reducing network security risk is a key concern for businesses, half of all respondents had no way to measure and report on that risk. For example, 60% of respondents were unable to determine whether their network security risk was decreasing or increasing over time. “We conducted this survey to better understand how businesses view and manage their network security risk,” says Elizabeth Ireland, vice-president of marketing, nCircle. “These results highlight the need for a significant number of enterprises to implement solutions and processes that will enable them to more effectively measure, manage and ultimately reduce their risk,” she adds. As enterprises ramp up security efforts, they could be forgiven for feeling complacent. However, the Lynn incident illustrates that a potentially disastrous internet outage is a possibility. A nightmare scenario would be an attack such as that feared by Michael Lynn, which could perhaps result in billions of dollars worth of damage and liability and create a widespread loss of faith in security vendors. We can only hope that this does not come to pass.
