
How should Cisco have dealt with their security flaw?

by Steve Kerrison on 1 August 2005, 00:00


Last week an ISS employee left his job and had a restraining order request filed against him as he made a presentation on exploiting a security flaw in Cisco routers. Cisco and ISS did their best to keep the information from getting out, but that move could now have backfired on them.

To recap, the security flaw in the IOS operating system found on Cisco routers allowed former ISS employee Michael Lynn to demonstrate that a shell could be accessed. However, at the time it was suggested that this flaw could only be exploited with direct access to the router, rather than remotely.

After Cisco and ISS tried to pull Lynn's presentation, forcing him to resign so that he could present it, they filed a request for a restraining order against him to prevent him divulging any further information.

It would seem that Cisco's attempts to keep this one quiet have resulted in various computer brains working through the weekend to investigate the vulnerability further.

Speaking to Reuters, an anonymous hacker claimed to be attempting to use the exploit "because someone said you can't". The hackers working on the exploit, at the Defcon security conference, say they were trying to highlight the importance of applying the necessary fix to affected Cisco routers, rather than cause havoc across the Internet.

Cisco routers perform a large amount of the Internet's routing, so any possible vulnerability in them is serious and needs rapid attention. However, applying the necessary fix to any affected routers will require downtime, making some reluctant to apply the update if there's no proof of the flaw's severity.

Computer security is now a massive concern for all companies and it would seem software writers and hardware manufacturers all deal with security issues differently.

Let's take some examples. First you have the open source crew. These guys tend to want to fix any flaw quickly because anybody can examine an application's code and discover a possible exploit. Move on to the closed source crew and again anyone can discover an exploit, which will often be fixed fairly quickly, but there could be bugs in the source code resulting in flaws that nobody has discovered yet. Or, the software writers could be aware of the flaw, but as nobody has exploited it yet, they put fixing it lower down on their list of priorities - without us knowing. Then we have attempts at keeping a security exploit quiet, the whole Cisco/Lynn story being a prime example.

So what is the best way to deal with security issues? Being open with the problem will increase awareness and (hopefully) result in all customers updating and patching as necessary. For those bugs that nobody but the programmers know about, quietly rolling out a fix in the next update might be wise. So what if a security researcher wants to make a presentation about a security flaw in your routers that you'd rather he didn't make? What Lynn did may have been a little naughty, after all he did quit his job to enable him to make the presentation, but similarly the 'cover up' attempt has resulted in more hackers attempting to map out the exploit. The most dangerous problem here being that the people that know most about the exploit are good at hacking. One bad apple could cause a lot of trouble.

My opinion? Keeping a security flaw quiet isn't necessarily a bad thing, but once the cat's out the bag, don't try to put it back in again; you might get scratched.



HEXUS Forums :: 4 Comments

I'd have thought that Cisco would have made their people sign a non-disclosure agreement. Waved that in his face first.

Normal NDAs give 12 months after the person has left before they can do/say anything.

Then got the guy to show them it, then fix the ruddy problem. If it's such a big flaw and the net relies on the vulnerable routers then Cisco's rep would have gone higher (if poss) for fixing it!
Indeed as far as I know the flaw remains exploitable only locally, but perhaps Cisco feared somebody would find a way of exploiting it remotely?
But they still have a major security hole to repair, they didn't do themselves any favours by doing all this stuff. They should have stopped it at the source of the problem.

It may have taken a week or two to repair the exploit and another couple of weeks to deploy it.

But how much warning did they get? We got a few days (IIRC).
http://www.wired.com/news/privacy/0,1848,68365,00.html?tw=wn_tophead_1

Just read this on Wired.

Damn good and it looks like the reason it was publicised was because of ISS wanting to get back at Cisco.