July 30, 2005
It's Time to Ditch Cisco and ISS
Much has already been said about Michael Lynn’s presentation at Black Hat regarding exploitation of Cisco routers. (Read about the injunction.) What hasn’t been talked about is what to do now.
Michael Lynn revealed no new vulnerabilities; he only shot down the deception peddled by Cisco that their devices can’t be taken over. Lynn’s presentation essentially shows a Cisco rootkit that will take over a router. ISS, his former employer, told him not to give the presentation, so he resigned instead. In response, ISS and Cisco enjoined him permanently from discussing anything else about the matter and required him to destroy all data he may have about Cisco vulnerabilities. Further, the FBI has begun a criminal investigation into the matter. The defense of ISS and Cisco is that he didn’t follow the methods of responsible disclosure, which apparently means that one week after every router on the Internet has gotten owned, people can then say they knew about this a year ago.
Cisco and ISS have demonstrated with this incident that their first and foremost concern is saving face, even when they have to bury huge security threats that are probably already known. Why would anyone trust ISS to consult on the state of their information security when they’ve demonstrated that they are willing to cover up for a vendor instead of giving solid, unbiased advice? Why would anyone trust Cisco devices when, instead of acknowledging flaws, they seek to silence those who would disclose them? Through this incident, ISS and Cisco have a lot of egg on their faces, but that’s not enough. People should stop buying their services until they display a commitment to security instead of a commitment to silencing security researchers who show vendors aren’t doing their jobs.
Posted by John Bambenek at July 30, 2005 1:45 PM