By Andy Sullivan
Computer hackers worked through the weekend to expose a flaw that
could allow an attacker to take control of the Cisco Systems Inc.
Angered and inspired by Cisco's attempts to suppress news of the flaw
earlier in the week, several computer security experts at the Defcon
computer-security conference worked past midnight Saturday to discover
and map out the vulnerability.
"The reason we're doing this is because someone said you can't," said
one hacker, who like the others spoke to Reuters on condition of
anonymity.
Cisco's routers direct traffic across at least 60 percent of the
Internet and the security hole has dominated a pair of conferences
that draw thousands of security researchers, U.S. government employees
and teenage troublemakers to Las Vegas each summer.
The hackers said they had no intention of hijacking e-commerce
payments, reading private e-mail, or launching any of the other
malicious attacks that could be possible by exploiting the flaw.
Rather, they said they wanted to illustrate the need for Cisco
customers to update their software to defend against such
possibilities. Many Cisco customers have postponed the difficult
process because it could require them to unplug entirely from the
Internet.
Security researcher Michael Lynn first described the flaw on Wednesday
at the Black Hat conference over the objections of Cisco and his
former employer, Internet Security Systems Inc.
Lynn helped Cisco develop a fix but wanted to discuss it publicly to
raise awareness of the problem, according to associates, going so far
as to quit his job with ISS so he could talk freely.
"What (Lynn) ended up doing was describing how to build a missile
without giving all the details. He gave enough (details) so people
could understand how a missile could be built, and they could take
their research from there," said a security expert who gave his name
only as Simonsaz and who said he is not involved in the hacking
effort.
COURT ORDER
After his presentation Cisco and ISS obtained a court order barring
Lynn and the Black Hat organization from further disseminating details
of the flaw. Cisco employees ripped Lynn's presentation from the
conference program, according to witnesses, and Black Hat handed over
its video recording of his talk.
"ISS and Cisco's actions with Mr. Lynn and Black Hat were not based on
the fact that a flaw was identified, rather that they chose to address
the issue outside of established industry practices," said Cisco
spokeswoman Mojgan Khalili, who added that the company is committed to
protecting its customers.
But those efforts have only inspired other security experts to take a
crack at Cisco's software.
"It's really saddening and disheartening to see Cisco taking this
approach, because it leaves their customers less secure," one of the
hackers said.
In one of the hackers' hotel room, several Cisco routers sat
surrounded by plastic beer cups on a coffee table. Two laptops on the
floor displayed the software's source code, an endless blur of
numbers.
If they don't figure out how to take over Cisco's Internet Operating
System software by the end of the weekend, their counterparts at a
hacking festival in Europe will certainly do so, the hackers said.
Some experts said the flaw has been blown out of
proportion. Malevolent attackers are more likely to focus on easier
targets such as home computers rather than the complex routers that
direct traffic across the Internet, said Jon Callas, chief technical
officer of PGP Corp., a provider of encryption software.
"An awful lot of the buzz that is going around is buzz because of the
use of lawyers and injunctions and lawsuits rather than the actual
thing itself," said Callas, who is not involved in efforts to hack the
software.
Copyright 2005 Reuters Limited.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.
Andy Sullivan (reuters-newswire@telecom-digest.org)