[Spookie]

LAS VEGAS--Cisco Systems has taken legal action to keep a researcher from further discussing a hack into its router software.

The networking giant and Internet Security Systems jointly filed a request Wednesday for a temporary restraining order against Michael Lynn and the organizers of the Black Hat security conference. The motion came after Lynn showed in a presentation how attackers could take over Cisco routers--a problem that he said could bring the Internet to its knees.

The filing in U.S. District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," said John Noh, a Cisco spokesman.

"It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual property rights," Noh added.

Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said.

The legal moves came Wednesday afternoon, only hours after Lynn gave the talk at the Black Hat security conference here. Lynn told the audience that he had quit his job as a researcher at ISS to deliver the presentation, after ISS had decided to pull the session. Notes on the vulnerability and the talk, "The Holy Grail: Cisco IOS Shellcode and Remote Execution," were removed from the conference proceedings, leaving a gap in the thick book.

Lynn outlined how to run attack code on Cisco's Internetwork Operating System by exploiting a known security flaw in IOS. The software runs on Cisco routers, which make up the infrastructure of the Internet. A widespread attack could badly hurt the Internet, he said.

The actual flaw he exploited for his attack was reported to Cisco and has been fixed in recent releases of IOS, experts attending Black Hat said.

The ISS research team, including Lynn, on Monday decided to cancel the presentation, Chris Rouland, chief technology officer at ISS, said in an interview. "It wasn't ready yet," he said. Lynn resigned from ISS on Wednesday morning and delivered the presentation anyway, Rouland added.

Lynn presented ISS research while he was no longer an employee, Rouland said.

Adding to the controversy, a source close to the Black Hat organization said that it wasn't ISS and Lynn who wanted to cancel the presentation, but Cisco. Lynn was asked to give a different talk, one on Voice over Internet Protocol security, the source said.

But ISS' Rouland said there "was never a VoIP presentation" and that Wednesday's session was supposed to be cancelled altogether.

"The research is very important, and the underlying work is important, but we need to work with Cisco to determine the full impact," Rouland said.

Cisco was involved in pulling the presentation, a source close to the company said. The networking giant had discussions with ISS and they mutually agreed that the research was not yet fully baked, the source said.

The demonstration on Wednesday showed an attack on a directly connected router, not a remote attack over the Internet. "You could bring down your own router, but not a remote one," Rouland said.

One Black Hat attendee said he was impressed with Lynn's presentation. "He got a shell really easy and showed a basic outline how to do it. A lot of folks have said this could not be done, and he sat up there and did it," said Darryl Taylor, a security researcher. "Shell" is a command prompt that gives control over the operating system.

Noh said that Lynn's presentation did not disclose information about a new security vulnerability or new security flaws. "His research explored possible ways to expand the exploitation of existing vulnerabilities affecting routers," the Cisco spokesman said.

Cisco has patched several flaws in IOS over the past year. Last year, the San Jose, Calif., networking giant said that part of the IOS source code had been stolen, raising fears of more security bugs being found.

On Wednesday, Noh reiterated the company's usual advice that customers upgrade their software to the latest versions to mitigate vulnerabilities.

Following his presentation, Lynn displayed his resume to the audience and announced he was looking for a job. Lynn was not available for comment. Representatives of the Black Hat organization said the researcher was meeting with lawyers.

[wiz561]

Anybody have the presentation? I'm in the process of googling it now...

[andydis]

i wonder if this has anything to do with my earlier post..........?


interesting


http://www.governmen...iew=getlastpost

[Blake]

That could be an interesting possibility

[packet]

I'm in talks with Cisco security right now, according to them these are based on older vulnerabilities and that upgrading to newer IOS will resolve the issue. Other than that they will not give out any additional details and have been given a serious gag order.

My worry is that Mr. Lynn will not be hireable now as it sounds like he did violate some company confidences and obviously has some serious lawsuits hanging over his head. We could be witnessing the birth of a serious black black hat if someone doesn't hire this guy quickly.

-P>G>>

PS: Yup, anyone have a copy of the presentation?

[TK_man]

I doubt he'll do anything. Remember, he has a million pound gorilla and their legal team staring down at him. If he releases this thing into the public, and the next big "hack/worm/whatever" occurs, then his case is pretty weak. He'll be doing time in a Federal "pound me in the A$$" Prison.....

packet, on Jul 28 2005, 06:26 PM, said:

I'm in talks with Cisco security right now, according to them these are based on older vulnerabilities and that upgrading to newer IOS will resolve the issue.  Other than that they will not give out any additional details and have been given a serious gag order. 

My worry is that Mr. Lynn will not be hireable now as it sounds like he did violate some company confidences and obviously has some serious lawsuits hanging over his head.  We could be witnessing the birth of a serious black black hat if someone doesn't hire this guy quickly. 

-P>G>>

PS: Yup, anyone have a copy of the presentation?

<{POST_SNAPBACK}>

[thend]

There is a copy of presentation at tomhardware.com

[wiz561]

Odd....the name doesn't exist in DNS, but does in whois and shows up in google. Can anybody get an IP?

Hmmmm......

Errr.... tomshardware.com

[pedropalmeiro]

there is a missing "s", you sould read tomShardware.com

here's a direct link hxxp://www.tomsnetworking.com/Sections-article131.php

[beardednose]

Evidently, he and Cisco already settled. He says he won't disclose anything about it in the future.

He got the best of both worlds....blew the lid off the kettle and now Cisco's off his back. ;)

[FiNaLBeTa]

Yes, and he lost his job.
Oh right, that may not be a good thing.
Plus ISS may even sew him, because he took company information with him when he left and exposed it. (I know I would)

[cvh]

Here is the full presentation not the photographed projector one.

I can't upload in this forum section so here is a direct link, get it before its gone.

http://tinyurl.com/af98o

[Spookie]

UPDATE:

Here is the lawsuit that was placed against Mr. Lynn and the BlackHat Inc by Cisco and Internet Security Systems

FBI is investigating Mr. Lynn info can be found here

Update:

Lawsuit is settled info can be found here

MORE INFO can be found here on the cisco and iss vs Mr.Lynn along with rants :blink:

Quote

"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."