Dispute over Cisco flaw sparks criticism, debate

29.07.2005
By Jaikumar Vijayan, who writes, among other outlets, for our US sister publication CSO Online.

Cisco Systems Inc.'s efforts this week to stop an IT security researcher from discussing a hack into its router software evoked criticism from some users and analysts, along with calls for more information from the vendor about the issues surrounding the flaw.

The dispute between Cisco and Michael Lynn, who until Wednesday worked at Internet Security Systems Inc. (ISS), also reignited the debate on responsible practices for disclosing vulnerabilities and how vendors should respond to security problems.

The controversy erupted after Lynn made a presentation at the Black Hat USA conference in Las Vegas, where he detailed a way to shut down a Cisco router by taking advantage of a known and already patched flaw in the vendor's Internetworking Operating System software.

Both Cisco and Atlanta-based ISS tried to stop Lynn from giving the presentation -- and even compelled Black Hat's organizers to destroy CDs and rip out more than 30 pages containing Lynn's slides from thousands of copies of the conference proceedings.

But Lynn, who initially agreed not to make the presentation, resigned from ISS Wednesday morning and proceeded with his talk, prompting Cisco and ISS to secure a federal court injunction preventing him from further spreading the information.

At a press conference Thursday, Lynn said his decision was prompted by a desire to show the world that Cisco routers - which power a vast portion of the Internet infrastructure - are susceptible to devastating attacks. The theft of some IOS source code last year lent urgency to his decision to go public with the information, Lynn noted.

Cisco said it would release a security advisory to "clarify confusion" about the router flaw. But it and ISS defended their actions, saying that Lynn's presentation was based on incomplete research.

"Both companies agreed that further research was needed to better inform customers" of the issues involved, said Cisco spokesman John Noh. He added that while Cisco supports the work of security researchers, "we believe that Lynn's presentation contained proprietary information that he illegally obtained" by decompiling source code.

The manner in which Cisco handled the dispute raises questions, said Christofer Hoff, director of enterprise security services at Western Corporate Federal Credit Union in San Dimas, Calif.

"I'd like to understand that if this isn't a security vulnerability but more an issue of protecting [intellectual property] rights, why were ISS and Cisco going to allow the presentation in the first place?" Hoff said. "If it is a vulnerability, what is the extent of the issue? What are they going to do about it? And when are they going to do it?"

Researchers often disclose security flaws and exploits for self-promotional reasons. But Cisco's evasive actions are likely to attract more hacker attention rather than less, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based network services firm. "If you want to get your company onto CNN, this is one way of doing it," Hession said, adding that he wants Cisco to provide more details on the flaw and the exploit described by Lynn.

"The horse is out of the barn at this point," he said. "What we would expect from them is no different than what we would expect from Cisco when any type of new vulnerability is discovered. We need a clear and concise explanation from them about the circumstances under which it can be exploited."

Though Lynn's presentation dealt with an already known hole, it provided the hacker community with the knowledge needed to exploit it successfully, said Thor Larholm, a senior security researcher at PivX Solutions Inc. in Newport Beach, Calif. "The main point of this disclosure is that there will be a lot more focus on IOS as being an exploitable system," Larholm said.

Cisco's actions reek of highhandedness, said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif. "It's downright scary if you are allowed to argue that negative things about your company can't be disclosed," Schneier said.

But researchers do need to be responsible when making disclosures, Hoff said.

"It's a slippery slope between full disclosure and responsible delivery [of information]," he said. "As a consumer, I'd like actionable intelligence as soon as I can get it, but I would like to have a solution to the problem, not just a shrinking [exploit] window."

The actions of researchers such as Lynn are "reprehensible, bordering on the criminal," said Dennis Treece, director of corporate security at the Massachusetts Port Authority in Boston. "If he published a paper telling every burglar how to compromise a certain alarm system or get through a certain type of door because of some manufacturing defect, he would be equally out of line."