Wednesday, July 27, 2005

Update2: Cisco nixes conference session on hacking IOS router code

In a follow-on to a previous story-line here on the blog, Ellen Messmer and Phil Hochmuth write in NetworkWorld:

Cisco this week asked that a presentation on how to hack its IOS router software be pulled from a security conference in Las Vegas.

A presentation called “The Holy Grail: Cisco IOS Shellcode Remote Execution” was slated to run at the Black Hat conference in Las Vegas this week. But Internet Information Systems and Cisco, the companies presenting the segment, decided to pull the presentation after discussions between the two firms.

“Based on our discussions, both companies felt that it was premature to present this research at this time,” said a Cisco spokesman. Cisco and ISS “decided to pull the presentation and requested that the conference material be pulled. We don’t have a date on when it will be presented next.”

ISS confirmed that after discussion with Cisco, it was decided that presenting the materials about exploration of shellcode on IOS would be premature and that they wanted to conduct further research.

“The research was to understand if IOS is exploitable with shellcode and buffer overflows,” says Chris Rouland, CTO for ISS. “We were expecting to validate this.”


Update: CRN.com is running this story:

"Cisco 'Cover Up' Ignites Black Hat Controversy"

Cisco Systems and ISS came to an agreement to cancel the talk and remove the presentation from the conference materials, the companies said. A Cisco spokesperson added that there was no "cover up" of new vulnerabilities. Cisco and ISS plan to research the vulnerabilities further and disclose them in the proper forum at a later date, the spokesperson said.

“Cisco respects and encourages the work of independent research scientists; however, we follow an industry established disclosure process for communicating to our customers and partners,” the company said in a statement released Wednesday. “It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained.”

Cisco’s statement added that Lynn’s presentation was not a disclosure of a new vulnerability or a flaw with Cisco IOS software, but an exploration of “ways to expand exploitations of existing security vulnerabilities impacting routers.”


Update2: Wow... this thing just keeps growing into a monstrosity in the press.

A story by Kim Zetter in Wired News reports:

A bug discovered in an operating system that runs the majority of the world's computer networks would, if exploited, allow an attacker to bring down the nation's critical infrastructure, a computer security researcher said Wednesday against threat of a lawsuit.

Michael Lynn, a former research analyst with Internet Security Solutions, quit his job at ISS Tuesday morning before disclosing the flaw at Black Hat Briefings, a conference for computer security professionals held annually here.

The security hole in Cisco IOS, the company's "infrastructure operating system" that controls its routers, was patched by Cisco in April, Lynn said, and the flawed version is no longer available for download. But Cisco didn't want the information disclosed until next year when a new version of the operating system would be out of beta testing and ready for distribution.
