Why are vendors stupid when it comes to security
July 29, 2005 – 4:43 pm

This week at the Blackhat conference a researcher called Michael Lynn was to present on a tried and true method to screw over Cisco networking equipment that is running IOS. It is interesting in that Cisco leaned on Michael Lynn’s employer ISS to get the presentation pulled at the last minute. They even went to the trouble of getting a court order.
Problem is, this has fuelled the whole Full Disclosure debate, and the whole affair is going to result in no winners: Cisco look shit now as this was bad PR for them, ISS too for looking spineless, and now Michael Lynn for caving under legal pressure to no longer discuss the work and to hand over all materials relating to the flaws to Cisco, which they will likely just destroy and forget about. The people who will lose out most are Cisco customers, every single one of them. Why? Because now that the cat is out of the bag, chances are they will do nothing while the ‘Bad People™’ take this initial work further and make something that leaves all networks powered by Cisco kit just that ‘little less secure’ (i.e. 0wN3d).
What is this also going to do to the security industry in the US? This has been brought up before with regard to the DMCA, and it may have a similar impact to the one the DMCA had at first, with many researchers refusing to publish work and just keeping it to themselves. It will also change how some researchers deal with Cisco: some will simply not inform Cisco of issues, because from here on the only sensible way to release information about security vulns in Cisco stuff will be anonymously, to avoid any nasty legal threats.
What Cisco has done here is not responsible. The research is something many in the security community have suspected was possible for a long time; all Lynn has done is highlight something that is a problem and make sure more people are aware of it.
Cisco kit and much other network equipment from the likes of Juniper, F5 Networks, Nokia, Ericsson, Nortel, et al. all run on general-purpose CPUs, and some use OSes based on things like VxWorks, NetBSD, FreeBSD and so on; all of these are open to exploitation in numerous ways that would make life interesting. Killing off this research will do more to harm the industry than it will to protect the infrastructure of companies and countries.
Think of it this way: I know of a couple of Linux-based router products produced by well-known vendors that are running Linux kernels so old that they would present a very good target for exploitation with vulnerabilities that were fixed many months ago. Exploitation could allow the attacker to control the router and mount all manner of attacks that would normally require a lot of work, such as man-in-the-middle attacks.
