[IP] Cisco Failed to Alert DHS, Other Agencies About Software Security Flaw
-----Original Message-----
From: "Justin Rood"<jrood@xxxxxx>
Sent: 8/3/05 11:11:04 AM
To: "dave@xxxxxxxxxx"<dave@xxxxxxxxxx>
Subject: Cisco Failed to Alert DHS, Other Agencies About Software Security Flaw
Dave,
Thanks for your help with this article. JR
Cisco Failed to Alert DHS, Other Agencies About Software Security Flaw
By Justin Rood, CQ Staff
If you learn of a security hole that could bring down a nuclear power plant, a
bank, major corporate networks - or all of the above - do you have to tell the
Department of Homeland Security?
According to at least one company, the answer appears to be no.
Despite knowing since at least April of a security flaw in the software that
runs on its computers, Cisco Systems did not tell DHS, one of its customers.
But with more than 37,000 employees and annual revenues topping $20 billion,
the San Jose, Calif.-based company is much more than a vendor to DHS. It is the
world's largest maker of networking hardware and software - including the
routers that keep most of the Internet and corporate and government networks
humming.
The company did not alert anyone about the flaw. Instead, it made a software
update available to fix the problem - but did not tell its customers the update
was urgently needed to fix a hole that could allow hackers to gain control of
their computers and wreak malicious havoc.
"They deliberately kept this from their customers, and now everyone is
scrambling to patch [it]," said Raven Alder, a Seattle-based computer security
expert who consults for several government agencies and private companies, in
an interview. "By keeping the seriousness of the threat away from paying
customers - that has outraged a lot of people."
Alder declined to name the government agencies for which she consulted or to
say if she had worked for DHS. "They may not want that to be public," she said
by telephone Tuesday.
Cisco's actions outraged Michael Lynn, a 24-year-old computer security expert
who worked for a Cisco contractor, Atlanta-based Internet Security Systems
(ISS), and who had worked on the problem quietly for months.
Before a crowd of fellow computer security experts assembled at the Black Hat
hacker conference in Las Vegas last week, Lynn demonstrated how the flaw could
be exploited. It was the first public announcement of the security hole Cisco
and its contractor discovered at least four months earlier.
Cisco and ISS filed for an injunction to prevent Lynn from talking about the
flaw. The parties reached an out-of-court agreement the next day that simply
prevented him from giving the same presentation elsewhere. A subsequent FBI
investigation has led Lynn to decline further press interviews, his attorney,
Jennifer Granick, said Aug. 1.
Possibilities for Hackers
The possibilities the security hole presents to a sophisticated hacker are
significant, according to several experts.
If the conditions were right, hackers "can mess with a bank . . . [or] a
nuclear power plant," said Alder. "They would be able to take [a network] over,
and do anything they want."
"It could allow criminals to . . . steal identity information, engage in
[network] attacks and blackmail," said Bruce Schneier of Mountain View,
Calif.-based Counterpane Internet Security. "It's a major vulnerability." His
company does not compete with ISS, Schneier said, but offers complementary
security services.
Despite the seriousness of the flaw, Lynn's presentation at Black Hat last week
was the first the department heard of the problem.
"We just found out about it at Black Hat," DHS spokesman Kirk Whitworth told CQ
Homeland Security July 28.
Jeff Moss, founder and president of the Black Hat conference, said he spoke to
several representatives from DHS and other government agencies at his event.
All were surprised by Lynn's presentation, he said - and none was particularly
pleased with Cisco.
"They seemed kind of unhappy that Cisco never gave them a heads up that any of
this was possible," Moss said Tuesday by phone. "This huge thing got dropped in
their lap, and they had to learn about it [by] coming to Black Hat."
DHS Coordination
The Homeland Security Department coordinates the federal government's
infrastructure protection efforts. It has established a complex web of
information-sharing systems to pass along critical information on
vulnerabilities such as the Cisco security hole.
The department has also worked to create legal shields for such "critical
infrastructure information," which exempts it from public release under federal
law. That protection is meant to ease companies' fears that handing the
government such delicate information means it could be widely shared.
"This sort of thing is a pretty strong argument for eliminating that
exemption," said David McGuire of a Washington-based think tank, the Center for
Democracy and Technology. "Not only do we not know what information they're
sharing, we now know they're not sharing any information at all."
For its part, Cisco declined to confirm it did not tell DHS of the flaw before
Lynn's presentation. "Because of the number of touch points between Cisco and
any of its customers, there is no way for Cisco to determine when any one
customer organization became aware" of the flaw, wrote company spokesman Robert
Barlow in an e-mail Tuesday to CQ Homeland Security.
"What we can state," wrote Barlow, "is that we did issue a security advisory on
July 29th" - which was two days after Lynn's presentation in Las Vegas.
In a phone interview Tuesday, Barlow downplayed the seriousness of the flaw. It
only affects a portion of Cisco customers who have their machines set a
particular way - a "very small" number of users, he said, although he did not
have statistics to demonstrate that.
Some observers expressed disbelief at Cisco's failure to notify DHS of its
problem.
"I'm really surprised they didn't disclose [the flaw] earlier," said Michael
Wendy, spokesman for the Washington policy office of the Computing Technology
Industry Association. "It's in their best interests to head this off at the
pass."
Justin Rood can be reached at jrood@xxxxxxx
Source: CQ Homeland Security
© 2005 Congressional Quarterly Inc. All Rights Reserved
Archives at: http://www.interesting-people.org/archives/interesting-people/