
Stupidity from the top: Cisco's new black eye

Maybe Cisco should take a clue from Microsoft. Like Cisco, Microsoft back in the '90s tried to put the heat on hackers who released exploits against its products. But now Microsoft sends engineers from its product groups to mingle with the same hackers who spend most of their time beating up on Microsoft software.

In all, Microsoft had more than 80 people at Black Hat, according to a Microsoft spokesperson. One of them was an IE guy I met at the Venus pool as Black Hat was wrapping up (sorry, I can't remember his name, as I didn't have any pockets to carry my notepad in). Microsoft rented a poolside tent, and this IE guy wandered in and out of the pool looking for users to give him their perceptions and concerns. He hit me up in the pool where I was cooling my jets, and I gave him an earful about all the heavy security software running on my XP machine and the impossible security complexities facing the clueless end user. He responded with a historical perspective leading up to how he's particularly proud of Microsoft's automatic alerting and updating services, which we all know are the best thing going today for minimizing risk to the end user. Then he went away for a minute and found me on my chaise lounge, where he handed me a collector's IE 7 water bottle and tickets to Microsoft's exclusive bash at Vegas' hottest night club, Pure, in Caesar's Palace, a bash only the hacker elite are invited to, and one many others tried to social engineer their way into.

Instead of working with these hacking resources, who essentially act as free security researchers, what does Cisco do? It sends reps to literally cut all of Michael Lynn's pages out of the Black Hat proceedings and erase the session from the Black Hat CD. Then it slaps Michael Lynn and conference organizer Jeff Moss with court orders and sends two FBI agents to collect the materials. At this point, Jennifer Granick, a famous hacker attorney and director of Internet and Society at Stanford Law School, accused the two FBI agents of being "lackeys" for Cisco. The court order, she reminded them, was to turn over the materials to Cisco, not the FBI. The FBI left empty-handed.

Sure, Lynn essentially violated a non-disclosure agreement with his company, ISS, and he gave up his job for it. But the horse was out of the barn, the cat out of the bag, the chicken had flown the coop. And Cisco, which is in the information business, should know that once it's out in the wild, such information can't be reined in.

In the end, Cisco did the right thing by dropping the suits and ultimately posting the vulnerability information. But not without giving itself a big, black eye. So instead of lining up for a Cisco party, the hacking community is up in arms about how Cisco tried to lie to its customers and risk an outage on the Internet the likes of which has never been seen.

If there's one thing I know about hackers, it's that they value freedom of information above all. I also know that when they're pissed off, there's no telling what they'll do. So I wasn't surprised when, at Defcon two days later, I heard talk of releasing a zero day against Cisco IOS and not alerting Cisco in advance about it.

Kind of makes you wonder what the best minds at Cisco were thinking when they pulled this blunder.

Comments

Did you accept the IE water bottle? If you did, shame on you...

Right, I accepted the bottle. Must have cost them about $2.50 to produce. A real collector's item! And I went to the party at Pure and the Tangerine, both hosted by Microsoft. I even ate some of their food and drank three or four of my non-alcoholic beverages consisting of cranberry and grapefruit juice with a splash of soda. Probably worth another $20 or so. So I guess that means I've been bribed for hmm about $22.50, eh?

Shame shame shame, huh?

It looks as though Cisco really did take a page from MS. They just had some kind of security incident - they have had to reset ALL their CCO user login passwords.

Forgive the shameless self-promotion but I had sent emails to Cisco and ISS with a couple of questions. ISS came back today with answers (well, more or less, as much as can be expected under the circumstances, I guess). It makes an interesting read.

Not shameless at all. It's the typical party line and says no more than what we already know, but at least they responded to you!

Indeed. I think they managed to steer clear (but only barely) of the barrage. Which is kinda interesting since they are actively pursuing everyone hosting any document related to Lynn's presentation. Must be the lawyers at it :)

CISCO/ISS may have dropped their lawsuits but the FBI is still investigating last I heard. Since when is it the FBI's business to investigate CIVIL lawsuits????? Abuse of something.

Anon: they're investigating whether Lynn broke criminal law.

I thought CCIEs were like sub-gods. They should have used their powers to know not to "F" with an army of Gray & Black Hats. Bad mojo.

P.s. Linking is not illegal:
www.cryptocrome.org/lynn-cisco.zip

Hey, Rob. Nice to hear from ya again. Yes, as I said in the first blog post about the Cisco fiasco, the hackers were talking zero day. Then in the next post, we showed hackers hit Cisco on Monday. They had to reset all their Cisco.com passwords. What's next? I think they're going to continue pounding away at Cisco IOS to release a working exploit.

Meanwhile, ISS continues to wage legal wars against document posters, and I am wondering if Cisco's behind this, or if ISS is freaked that Cisco might sue them for breach of contract.
