Disclosing system flaws risky
DAVID CANTON - For the London Free Press - August 20, 2005
Black Hat is a group of security experts that provides consulting, training, and briefings to corporations and government agencies around the world. Court action surrounding a recent Black Hat conference highlighted how sensitive this topic is.
Founded in 1997, Black Hat was established to provide education to security professionals in corporations and federal agencies. Black Hat offers global forums that feature the most respected underground hackers in the world and the best minds from government and global corporations.
Recently, at the Black Hat computer security conference in Las Vegas, security expert Michael Lynn demonstrated how easily a router can be taken over. Lynn's presentation focused on a previously undisclosed flaw allegedly present in Cisco Systems routers, units which are prevalent throughout the Internet.
Lynn gave conference-goers highly technical details of his research into the Cisco flaw. Though Lynn did not outline the entire procedure to gain access, he gave enough information to allow a security professional to replicate the attack.
Lynn stated he would rather quit his job at Internet Security Systems than keep the information from conference attendees.
Consequently, he lost his job at ISS.
He also faced an injunction that prevents him from discussing the details and required him to return and destroy certain files from his computer.
Regardless of the facts of this situation, it highlights a constant dilemma in the security area.
On one hand, it is not a good thing if malfeasants are aware of vulnerabilities as it increases the chances they will be exploited.
On the other hand, how can people defend against them unless they are disclosed? It is common for hardware and software manufacturers to be aware of flaws and to issue fixes for them - but users are notorious for not applying those fixes.
No producer of hardware or software wants customers to think there are flaws in products. Some are more open about disclosing there are serious security issues that require immediate action by users to implement patches.
In reality, most determined hackers will already be aware of the exploits through their own network of contacts before they are made public in a conference.
Though Lynn did not give a complete explanation of how to attack the routers, simply drawing attention to this problem will cause many to focus on this area.
Many believe that what little information Lynn offered should not have been distributed. The information was posted on the Internet, even though organizers of the Black Hat conference agreed not to post it themselves.
Cisco senior manager Mojgan Khalili issued a statement saying "It is important to note the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software."
Lynn said he went ahead with his presentation because the Cisco flaw is serious.
He said he will take a stand so other security researchers aren't bullied into burying their findings when the companies they're researching decide not to publicly address serious security flaws in their products.