Cisco Files Suit to Gag Researcher, Security Conference

By Paul F. Roberts  |  Posted 07-27-2005
Cisco Systems and Internet Security Systems have asked a U.S. District Court to issue a restraining order against a former ISS researcher and Black Hat over the leak of information about security holes in Cisco's Internetwork Operating System.

The two companies jointly filed an injunction and temporary restraining order Wednesday against researcher Michael Lynn and the Black Hat Briefings Conference, demanding that Lynn and Black Hat Inc. stop disseminating information on security holes in IOS (Internetwork Operating System) that Cisco Systems Inc. alleges was illegally obtained.

Lynn and Black Hat were not immediately available for comment. A Black Hat spokesperson said she was not aware that the companies had taken legal action.

The legal move follows two days of high drama, in which Cisco tore pages concerning the hole out of the Black Hat Briefings conference proceedings and had CDs containing the presentation removed.

Read more here about Cisco's attempts to prevent discussion of an IOS vulnerability at Black Hat.

On Wednesday, Black Hat organizers announced that a planned talk on the IOS hole would be cancelled, prompting Lynn to resign his position at ISS (Internet Security Systems Inc.) and give the talk anyway, to a packed audience of security experts and hackers.

According to Lynn, flaws in IOS could allow attackers to use existing "heap overflow" vulnerabilities to take control of Cisco routers running IOS.

In heap overflow attacks, chunks of data are sent to vulnerable systems that cause areas of the device's memory to be overwritten with code of the attacker's choosing.

The technique developed by Lynn would give remote attackers access to the IOS "shell," from which the attacker could control the device. With control of a Cisco router running IOS, for example, attackers could control or snoop on the content of network traffic passing through the device, Lynn said.

While the strategy does not involve new security vulnerabilities in IOS, it provides a way for malicious hackers to amplify the affect of known heap overflows, a Cisco spokesperson said.

By reverse-engineering IOS code, Lynn found a way to disable a process called "check heap" that is designed to detect such irregularities, and used an older exploit, known as an "uncontrolled pointer exchange," to gain control of IOS systems.

Click here to read about the Black Hat conference and database security.

Lynn violated the terms of his end-user agreement when he reverse-engineered, then publicized snippets of the IOS code, according to a Cisco spokesperson.

As of Wednesday evening, a Federal district court judge in San Jose, Calif. was reviewing the request for an injunction and cease-and-desist order, the Cisco spokesperson said.

"We hope the facts come out that what [Lynn] did was illegal. Cisco will do what is necessary to protect our customers and intellectual property," he said.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.