The big news coming out of the Black Hat Conference this year was the Cisco Systems/Internet Security Systems suit of security researcher Michael Lynn after he disclosed an exploit against Cisco routers. Though I seem to be taking an unpopular position, I don't think he's any sort of hero.
He isn't a whistleblower; the vulnerability he provided details about was already patched. Cisco wasn't standing in the way of fixing the problems, and apparently did so quickly. When you read the forum on SearchSecurity.com, most posters seem to believe that Cisco did something to stop the vulnerability from being announced, but Cisco was only taking measures to stop it from being exploited.
Having to prove a vulnerability can be exploited is just not acknowledging reality. Practitioners know that if a
Comments like this coming out of Black Hat are just delusional: "Now people know what can happen so they know they have to fix it." The fact is that security savvy admins already knew about it, and likely patched the vulnerability.
Let's look at history as a sign as to what will likely happen in the coming months. The underlying vulnerability Blaster exploited was released a few years ago at Black Hat. The media loved it. They announced to the world how there was a critical vulnerability in the Windows operating system that would create immense damage if exploited. It practically dared someone to write a worm to exploit the vulnerability and within a month we had Blaster causing billions of dollars in damage. No matter how widely reported, there were still more than enough people who left their systems unnecessarily vulnerable.
Coverage of the Cisco problem has been limited to the technical community, and mostly the IT security community at that. The "black hat" community has also been put on notice. So the grand exposure this presentation gave the vulnerability has been limited to the people who likely patched the problem already, and more importantly, the people who are likely to exploit it.
I don't see how this has helped the infrastructure at all; how can describing how to exploit the code at any level help the situation? Again, a fix is already available. To Lynn's credit, he is much more talented than the average attacker, however he has now lowered the bar for others.
If that isn't bad enough, Defcon attendees claiming to support Lynn are racing to try to recreate all of his work so that they can release the attack themselves. In their demented minds, or at least their claims, they're doing this to discredit Cisco for taking action against Lynn. The reality is that they are punishing Cisco's less security aware customers, or those customers that decided not to take down their routers to fix the problem. The irony is that this is why Cisco didn't want Lynn to make the presentation in the first place.
Many researchers fail to realize that the vulnerability lifecycle never resolves itself the way it should. More naÏve researchers, like Lynn, believe that by releasing details of the vulnerabilities, more end users will know to implement the patches. However, most users never hear about it, and are punished when attackers take the researchers' information and exploit it. In this case, a devastating worm could result. By failing to realize that the release of vulnerability information is more likely to result in devastating attacks than in more people implementing the patch, Lynn has enabled the attacks against the infrastructure he somehow rationalizes he is protecting. If there are no massive attacks resulting from the vulnerability, no harm, no foul. However it is more likely that Lynn has lowered the bar and thrown up a challenge to the criminal community.
The release of vulnerability information has rarely helped anyone but attackers. That is except of course for the consultants who answer the phone when the attacks are launched. I guess I should thank Lynn for the future business. Sadly, most consultants don't really need the work.
Security professionals are supposed to exercise good judgment in the application of their skills and abilities. When you note that Lynn violated agreements with his employer, and that reverse engineering the software is technically against Cisco licensing, it is difficult for Lynn to claim the moral high ground unless he was blowing the whistle on a complete cover up, which even Lynn admits didn't occur.
At some point, people have to stop and consider that they knowingly entered into agreements and realize that barring any violation of law, they have to adhere to them. The irresponsibility of releasing exploitation information aside, when security researchers start practicing situational morality, they are no better than the criminals security practitioners have to deal with on a daily basis.
About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.