Researcher heats up Black Hat conference with controversial Cisco presentation

by John McCormick | Aug 01, 2005 7:00:00 AM

Tags: John McCormick, Michael Lynn, vulnerability, Cisco Systems Inc., security, Black Hat, IT Locksmith Newsletter

Takeaway: While last month's Black Hat conference in Las Vegas focused on known vulnerabilities in antivirus software, the really hot news was the court battle spurred by Michael Lynn's presentation on Cisco IOS vulnerabilities. In this edition of the IT Locksmith, get John McCormick's take on the clash between Cisco and a security researcher, and get the best of the rest of recent security news.

This year's Black Hat conference offered more than its organizers bargained for when a researcher's presentation instigated a court battle with Cisco. But don't let the controversy detract from the conference's theme of security vulnerabilities in antivirus software, which could become hackers' next big target.

Details

This summer's Black Hat USA 2005 Briefings, which just wrapped up in Las Vegas, focused on taking advantage of known vulnerabilities in antivirus software to penetrate systems. But the really hot news this year was the court battle spurred by Michael Lynn's presentation. Lynn allegedly decompiled Cisco code and used the information to exhibit how to hack into Cisco routers, exposing a problem that could potentially place the entire Internet at serious risk.

In response, Cisco and Internet Security Systems (ISS), Lynn's former employer, sought a temporary restraining order from a U.S. District Court after Lynn's presentation because of the disclosure of the information. The next day, Lynn and Black Hat organizers agreed to a permanent injunction, which forbids any further discussion of the presentation or dissemination of any information or recordings.

Lynn reputedly resigned from his ISS position when the company opted to cancel his presentation. So, while his lecture was apparently an open job application�he displayed his resume at the end of it�it was one that showed a new way to exploit known (and recently patched) flaws in Cisco's Internetwork Operating System (IOS).

Whether Cisco likes it or not, the information is now out there. And, if nothing else, it should serve as a strong encouragement to update IOS.

A recent report from Yankee Group reveals that vulnerabilities are now showing up in security software more than the traditional Microsoft targets. As a result, these holes are becoming the latest target of opportunity for hackers. According to the report, 77 new vulnerabilities in major security programs emerged in the 15-month period between January 2004 and March 2005.

And the rate of discovery of new flaws appears to be accelerating. In fact, a critical vulnerability surfaced in the widely used GPL Clam Antivirus Library in July. Buffer overruns in several components could allow a remote attacker to take over a system.

The vulnerabilities affect ClamAV 0.86.1 and prior versions; version 0.86.2 fixes the problems. Secunia has rated the vulnerabilities as highly critical.

For more information on how hackers exploit a vulnerability in a security product, check out the SANS tutorial, "Exploiting BlackICE: When a Security Product has a Security Flaw." (Remember: You can't fight 'em if you don't understand them.)

Final word

It's rock-and-a-hard-place time, folks: We can't safely connect to the Web without antivirus software and a firewall, but now it turns out that the very security software we're using could become our biggest enemy�at least for those of us who took the plunge and upgraded Windows XP to the more secure SP2 version. Ever since a flawed Symantec automatic update locked me out of Office applications for a few days, I've stopped updating my antivirus software�just the programs, not the signatures�but I may have to reevaluate my position.

In other news, the Financial Times reported in its July 27 edition that 64-bit computers are about to flood even desktops. Of course, when the financial papers get hold of a technology story, you know it's getting old, but I find myself in agreement with its brilliant acknowledgement of the incredibly obvious.

PCs are now a commodity, and the industry is struggling to find the next killer app, which will probably require faster hardware. However, in the same week, eSecurityPlanet.com posted a report that security software vendors aren't ready to meet the demand for anti-malware software that runs on 64-bit platforms.

While the first big wave of 64-bit malware hasn't yet hit, it can't be far behind Symantec's discovery of the first-known proof-of-concept virus, W64.Shruggle.1318, which was almost a year ago. Personally, I think the vandals are just waiting at the gates�salivating over the fact that the flood of new 64-bit computers will be less protected than the average office PC was before Windows XP's release.

Also watch for �

If you've ever wondered just how annoying spam can get, consider this: In Russia, where spam is legal, authorities recently found the savagely beaten body of major spammer Vardan Kushnir. Moscow police are looking for a motive in the death of the big-time spam purveyor.
Meanwhile, back in the United States, disgruntled Phillies fan Allan Eric Carlson recently received a four-year federal prison sentence for spoofing thousands of e-mail addresses in spam messages. Technically, the conviction was for identity fraud due to the use of other people's account names in the From line.
Pretty Good Privacy (PGP) creator Phil Zimmerman is setting out to do for voice over IP (VoIP) what he already did for e-mail security by developing a PGP for IP telephony. Programs are already available that capture VoIP conversations, so companies need to be aware of the need for encryption.
Last week, the Mozilla Foundation marked the 75-millionth download of its Firefox Web browser.That includes every update download�of which there have been many recently�but it doesn't take into account a single download distributed throughout an organization. So, while the browser's popularity obviously continues to grow, we can't really determine the number of Firefox users.
And finally, for those of you still waiting for UNIX to take over the world�beware of what you wish for; as adoption increases, it will become a bigger hacker target�Linux Today reports that Asian users have seen the light. The lower cost seems to be the main driver of a Linux adoption surge in Asia. Of course, UNIX is inherently more hacker-friendly due to the availability of all the open source tools and code for learning about computers.

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

10 comment(s)