Interesting People mailing list archives

Cisco Failed to Alert DHS, Other Agencies About Software Security Flaw


From: "David Farber" <dave () farber net>
Date: Wed, 3 Aug 2005 12:41:55 -0400



-----Original Message-----
From: "Justin Rood"<jrood () cq com>
Sent: 8/3/05 11:11:04 AM
To: "dave () farber net"<dave () farber net>
Subject: Cisco Failed to Alert DHS, Other Agencies About Software Security Flaw

Dave,

Thanks for your help with this article.  JR

Cisco Failed to Alert DHS, Other Agencies About Software Security Flaw
By Justin Rood, CQ Staff

If you learn of a security hole that could bring down a nuclear power plant, a bank, major corporate networks - or all 
of the above - do you have to tell the Department of Homeland Security?

According to at least one company, the answer appears to be no.

Despite knowing since at least April of a security flaw in the software that runs on its computers, Cisco Systems did 
not tell DHS, one of its customers. But with more than 37,000 employees and annual revenues topping $20 billion, the 
San Jose, Calif.-based company is much more than a vendor to DHS. It is the world's largest maker of networking 
hardware and software - including the routers that keep most of the Internet and corporate and government networks 
humming. 

The company did not alert anyone about the flaw. Instead, it made a software update available to fix the problem - but 
did not tell its customers the update was urgently needed to fix a hole that could allow hackers to gain control of 
their computers and wreak malicious havoc.

"They deliberately kept this from their customers, and now everyone is scrambling to patch [it]," said Raven Alder, a 
Seattle-based computer security expert who consults for several government agencies and private companies, in an 
interview. "By keeping the seriousness of the threat away from paying customers - that has outraged a lot of people."

Alder declined to name the government agencies for which she consulted or to say if she had worked for DHS. "They may 
not want that to be public," she said by telephone Tuesday.

Cisco's actions outraged Michael Lynn, a 24-year-old computer security expert who worked for a Cisco contractor, 
Atlanta-based Internet Security Systems (ISS), and who had worked on the problem quietly for months.

Before a crowd of fellow computer security experts assembled at the Black Hat hacker conference in Las Vegas last week, 
Lynn demonstrated how the flaw could be exploited. It was the first public announcement of the security hole Cisco and 
its contractor discovered at least four months earlier.

Cisco and ISS filed for an injunction to prevent Lynn from talking about the flaw. The parties reached an out-of-court 
agreement the next day that simply prevented him from giving the same presentation elsewhere. A subsequent FBI 
investigation has led Lynn to decline further press interviews, his attorney, Jennifer Granick, said Aug. 1.

Possibilities for Hackers

The possibilities the security hole presents to a sophisticated hacker are significant, according to several experts.

If the conditions were right, hackers "can mess with a bank . . . [or] a nuclear power plant," said Alder. "They would 
be able to take [a network] over, and do anything they want."

"It could allow criminals to . . . steal identity information, engage in [network] attacks and blackmail," said Bruce 
Schneier of Mountain View, Calif.-based Counterpane Internet Security. "It's a major vulnerability." His company does 
not compete with ISS, Schneier said, but offers complementary security services.

Despite the seriousness of the flaw, Lynn's presentation at Black Hat last week was the first the department heard of 
the problem.

"We just found out about it at Black Hat," DHS spokesman Kirk Whitworth told CQ Homeland Security July 28.

Jeff Moss, founder and president of the Black Hat conference, said he spoke to several representatives from DHS and 
other government agencies at his event. All were surprised by Lynn's presentation, he said - and none was particularly 
pleased with Cisco.

"They seemed kind of unhappy that Cisco never gave them a heads up that any of this was possible," Moss said Tuesday by 
phone. "This huge thing got dropped in their lap, and they had to learn about it [by] coming to Black Hat."

DHS Coordination

The Homeland Security Department coordinates the federal government's infrastructure protection efforts. It has 
established a complex web of information-sharing systems to pass along critical information on vulnerabilities such as 
the Cisco security hole.

The department has also worked to create legal shields for such "critical infrastructure information," which exempt it 
from public release under federal law. That protection is meant to ease companies' fears that handing the government 
such delicate information means it could be widely shared.

"This sort of thing is a pretty strong argument for eliminating that exemption," said David McGuire of a 
Washington-based think tank, the Center for Democracy and Technology. "Not only do we not know what information they're 
sharing, we now know they're not sharing any information at all."

For its part, Cisco declined to confirm it did not tell DHS of the flaw before Lynn's presentation. "Because of the 
number of touch points between Cisco and any of its customers, there is no way for Cisco to determine when any one 
customer organization became aware" of the flaw, wrote company spokesman Robert Barlow in an e-mail Tuesday to CQ 
Homeland Security.

"What we can state," wrote Barlow, "is that we did issue a security advisory on July 29th" - which was two days after 
Lynn's presentation in Las Vegas.

In a phone interview Tuesday, Barlow downplayed the seriousness of the flaw. It only affects a portion of Cisco 
customers who have their machines set a particular way - a "very small" number of users, he said, although he did not 
have statistics to demonstrate that.

Some observers expressed disbelief at Cisco's failure to notify DHS of its problem.

"I'm really surprised they didn't disclose [the flaw] earlier," said Michael Wendy, spokesman for the Washington policy 
office of the Computing Technology Industry Association. "It's in their best interests to head this off at the pass."

Justin Rood can be reached at jrood () cq com. 

Source: CQ Homeland Security 
© 2005 Congressional Quarterly Inc. All Rights Reserved

Archives at: http://www.interesting-people.org/archives/interesting-people/