Current Topic: Computer Security
Dept. of Homeland Security Raises the Red Flag

Topic: Computer Security
3:38 pm EDT, Aug 2, 2005
A post on The Lazy Genius blog points out that US-CERT believes we should be on the lookout for usage of bugs in the wild based on what Lynn discovered. Basically, network administrators should be vigilant and prepared.

US-CERT Operations Center Synopsis: A presentation at Defcon entitled "Live penetration Test of the Backbone" was scheduled to include use of an exploit disclosed by Michael Lynn earlier this week. The exploit is NOT the weak version demo'd by Lynn, but a fully working version that is capable of re-routing traffic, man in the middle and / or dropping the router. EFF lawyers toned down the presentation to avoid ISS and/or Cisco lawsuits.

Analysis: There is an exploit. It will fall into the wrong hands. Prepare your Networks.

RECOMMENDATIONS AND COUNTERMEASURES: If your network doesn't need IPv6, disable it. This will eliminate exposure to this vulnerability. On a router which supports IPv6, disable it by issuing the commands "no ipv6 enable" and "no ipv6 address" on each interface.

There seems to be a fair amount of concern over this situation present in the pharmaceutical and health care industry, although few are talking publicly. Over at the HIPAA Blog there is the following post advising what most are advising:

What does this all mean? Beats the hell out of me. But it is a good lesson for everyone who is subject to HIPAA (and even those who aren't) that you need to keep track of your systems and software, find out about security issues ASAP, and make sure you patch up any security issues as soon as you find out about them. That may mean making sure your IT staff knows what's up, or leaning on your vendors to make sure they're taking the right steps to keep your backside covered.

Everyone should have their guard up. The keyword of the day is vigilance.
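The US-CERT recommendation above is per-interface, so the practical first step on a large network is an inventory: which interfaces actually have IPv6 turned on? The script below is an added example, not from the post or from US-CERT. It parses a saved copy of `show running-config` in Cisco IOS style, reports every interface on which IPv6 is active (either an explicit "ipv6 enable" or an "ipv6 address" line), and emits the exact "no ipv6 enable" / "no ipv6 address" commands from the advisory for just those interfaces. The sample configuration, hostname, interface names and addresses are constructed for the example (documentation address ranges, not a real device).

```python
"""Inventory IPv6-enabled interfaces in a Cisco IOS running-config.

Added example (not from the page or US-CERT): reads an IOS-style config,
lists interfaces where IPv6 is active, and prints the remediation commands
recommended in the US-CERT note for exactly those interfaces.
"""
import re

# Constructed sample config (not a real device). IPv6 is active on two of
# the three interfaces, enabled in two different ways.
SAMPLE_CONFIG = """\
!
hostname edge-router
!
interface GigabitEthernet0/0
 description Uplink
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
!
interface GigabitEthernet0/1
 description Management
 ip address 198.51.100.1 255.255.255.0
 ipv6 enable
!
interface GigabitEthernet0/2
 description IPv4-only LAN
 ip address 203.0.113.1 255.255.255.0
!
end
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")


def parse_interfaces(config_text):
    """Return {interface_name: [sub-commands]} from an IOS-style config.

    Interface stanzas start with an unindented 'interface X' line; their
    sub-commands are indented by one space; a '!' line or any other
    unindented line ends the stanza.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        match = INTERFACE_RE.match(raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # some other global command
    return interfaces


def ipv6_active_interfaces(config_text):
    """Interfaces with IPv6 active, mapped to the lines that enable it."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        hits = [l for l in lines
                if l == "ipv6 enable" or l.startswith("ipv6 address ")]
        if hits:
            findings[name] = hits
    return findings


def remediation_commands(config_text):
    """IOS config-mode commands, per the US-CERT note, for each affected interface."""
    cmds = ["configure terminal"]
    for name in ipv6_active_interfaces(config_text):
        cmds += [f"interface {name}", "no ipv6 enable", "no ipv6 address", "exit"]
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    for name, hits in ipv6_active_interfaces(SAMPLE_CONFIG).items():
        print(f"{name}: IPv6 active via {', '.join(hits)}")
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Run it against a config pulled from each device and review the output before pasting anything into a console; interfaces that legitimately need IPv6 should be removed from the list by hand rather than disabled blindly, since the advisory's advice applies only to networks that do not need IPv6.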
Non-Technical Explanation of Mike Lynn's Disclosure

Topic: Computer Security
3:26 pm EDT, Aug 2, 2005
Kudos to MemeStreams user Dagmar for putting together a post which breaks the technical aspects of Lynn's disclosure down in a way that non-technical people can understand. Be sure to click through and read his entire post.

Someone who takes the time to tie a few existing exploits together and utilize a technique similar to what Lynn discovered to make a worm that infects equipment, spends a small amount of time trying to infect other equipment, and then viciously puts the equipment out of commission in the aforementioned fashion, could in a very real sense turn off large chunks of the Internet. No, I was not joking about the last sentence. If you work in an IT (Information Technology) shop, take a moment to look around your office at all the very important equipment you have that just happens to have the Cisco logo on it. (I say "just happens to have the Cisco logo" because the root problem here has nothing to do with Cisco in particular, they're just the first company who have had this weakness uncovered--and as I said earlier, they were already in better shape than most.) Now imagine what would happen if all that equipment just shut off, and you couldn't get it back up and running any time in the next twelve hours or so. You might think, "well, I will just go to their website and get the updates" but no, no... the Internet connection ran through one of the pieces of equipment that is now down so you can't do that. ...and even if it's not, there's a good chance that the people who your company connects to in order to reach the Internet have equipment that has been affected, so you still can't get to the website with the updates you need. So you pick up the phone and call the manufacturer, and get to wait on hold for a very long time indeed, because many thousands of other people are just as stuck as you are.

FedEx can get things out fast, but they're not nearly instantaneous, and hundreds of thousands of packages all marked "Red Tag, Highest Priority" at once are going to give them fits. Unless you know someone with magic powers of teleportation, you're looking at a very long wait for a package to be delivered by a truck that can fix your problem, and you're going to have to deal with all the upper-management types freaking out in the meantime. (Mind you, if you're lucky, your inter-office email system will also have been shut down by this, so they can only get to you through your cell phone and pager, which limits the number of panicked managers who can get to you at once.)

One message that Dagmar tries to get across in this, that should be spread and embraced, is that equipment (and software) mono-cultures are inherently dangerous. A post on the blog Art Of Noh...
Cisco and the Serpent's Broken Tooth (Response)

Topic: Computer Security
2:47 pm EDT, Aug 2, 2005
Part of what boggles my mind at the idea of any of the hacker community championing Lynn's actions is that he broke a legal agreement for the management of intellectual property. And, hello!, such an agreement is of the same nature and function as all of the open source licensing practices currently in use. How would most hackers react if I grabbed a big blob of GPL'd source code, stripped out all the attributions, used it to shore up my own weak proprietary code, and started selling it as closed source? I don't know who would get me first, the blogosphere or the army of lawyers that would surely descend upon me. But I can almost guarantee that you wouldn't see the hacker community rallying around me in support of my free speech rights under the first amendment. The fact that there are hackers coming out in support of Lynn when he has effectively trod upon all the legally essential principles of the GPL is downright shocking to me. Either I don't understand the hacker community as well as I like to think I do, or these individuals are in serious need of upgrades to their memetic firewall code.

This is the first comment in the blogosphere about this situation I've seen that's been truly misguided. I would like to respond to the two sections of this quote I've put in bold face. First, it would be Mike Lynn who would catch you, or someone like him. As proof of this, I offer the recent situation where Mike Lynn did the analysis that proved CherryOS stole the code for its emulator product from the PearPC open source project. I pointed this out earlier. Here are a few quotes from his article:

just in case anyone didn't believe them already here goes the analysis (I do this sort of thing for a living) first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...it's not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so it's easiest to just attach after it's loaded)... the EULA for this thing says it's a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here... I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...

As far as our memetic firewalls go, we are working on that, and have been for quite a while. Mike's analysis of the CherryOS situation was posted here on MemeStreams.
The Public Opinion on Lynn's Disclosure

Topic: Computer Security
11:32 pm EDT, Aug 1, 2005
Technorati has been a great tool for surfing public opinion over CiscoGate (which I actually prefer to call the Ciscopocalypse..). Here are a few blog posts worth parsing. The best of the crop is from John S. Quarterman, the CEO of InternetPerils, who rounds up a number of articles and comments on them:

As for disclosure, not only were the plaintiffs not able to restrain the Internet nor the bloggers nor the press, Michael Lynn didn't even have to quit his job and give the presentation to get his point across. He could have just stood up there and said he couldn't give the presentation, and it's pretty likely a copy of the PDF would have made its way to the Internet within two days anyway.
That part I did not agree with. Integrity is best served real. This isn't really about Cisco; the principles illustrated here are larger than that. Security by obscurity just doesn't work, no matter how big you are, and even if you have the law backing you up. Which would you rather have? A public relations disaster brought on by not disclosing a fixed vulnerability? Or a reputation burnished by assisting security researchers in publishing such a vulnerability?
Bruce Schneier, CTO of Counterpane Internet Security, chimed in very early on:

The security implications of this are enormous. If companies have the power to censor information about their products they don't like, then we as consumers have less information with which to make intelligent buying decisions. If companies have the power to squelch vulnerability information about their products, then there's no incentive for them to improve security. (I've written about this in connection to physical keys and locks.) If free speech is subordinate to corporate demands, then we are all much less safe. Full disclosure is good for society. But because it helps the bad guys as well as the good guys (see my essay on secrecy and security for more discussion of the balance), many of us have championed "responsible disclosure" guidelines that give vendors a head start in fixing vulnerabilities before they're announced. The problem is that not all researchers follow these guidelines. And laws limiting free speech do more harm to society than good. (In any case, laws won't completely fix the problem; we can't get laws passed in every possible country security researchers live.) So the only reasonable course of action for a company is to work with researchers who alert them to vulnerabilities, but also assume that vulnerability information will sometimes be released without prior warning. I can't imagine the discussions inside Cisco that led them to act like thugs. I can't figure out why they decided to attack Michael Lynn, BlackHat, and ISS rather than turn the situation into a public-relations success. I can't believe that they thought they could have censored the information by their actions, or even that it was a good idea. And these are the people building the hardware that runs much of our infrastructure? Somehow, I don't feel very secure right now.

And of course, it's been noted that Cisco is going after any place that posts Mike's presentation...
Router Flaw Is a Ticking Bomb | Mike Lynn Has Integrity^3

Topic: Computer Security
11:13 pm EDT, Aug 1, 2005
Wired has done a great interview with Mike. It should clear up a number of the questions people have had with recent events. I would like to specifically point out one part of this interview:

WN: So ISS knew the seriousness of the bug.

Lynn: Yes, they did. In fact, at one point ... they apparently didn't get it, and they actually wanted to distribute the full working exploit very widely inside the company.... I was told ... "Give this to all the sales engineers and to all the pen testers."

WN: Why would they want you to do that?

Lynn: Well, because it bruises Cisco, remember? Mind you, this was something that Cisco hadn't gone public with yet and that's not useful to pen testers because what do they advise their customers to do (to protect themselves if no information about the vulnerability has been released yet)? I told them, "You do realize if you do that, it's going to leak?" And (one of the ISS guys) says, "That's Cisco's problem." And then (another ISS guy) turns to me and says that they need to understand this could be their Witty worm. I was like, Whoa, what meeting did I walk into?

(The Witty worm was a particularly aggressive and destructive code released by someone last year that targeted computer systems running a security program made by Internet Security Systems and even more specifically targeted military bases using the software. It infected more than 12,000 servers and computer systems in about an hour. Because of the worm's speed in spreading and its creators' apparent knowledge of who ISS' customers were, some security experts speculated that someone working for or connected to ISS might have been responsible for writing and releasing it.)

At that point, I told them all no, and they fought it and I resigned right there on the spot. And this was about a month ago. I thought they were handling this in a non-ethical manner. Because it was just way too fast and loose with who can see this.... I mean, I don't even want people to see it now.
(ISS talked him out of the resignation by agreeing to give him control over who could see or have the exploit.)
All I can say is WOW. A big "wow". Caps, bold, and feeling. Anyone who says that Mike is not on the level needs to reference this. This says truly horrible things about ISS. This should cost them some serious reputation capital. One thing that Mike did a great job of in this interview is getting the idea out that in order to defeat the "bad guys", you must run faster than them. It is the only option. Case in point, via the Wall Street Journal:

"The vulnerabilities are out there on the Net in full broadcast mode," said Gilman Louie, a tech-industry veteran who heads In-Q-Tel, a venture-capital firm backed by the Central Intelligence Agency. "The bad guys get to it faster than everybody else. I'd rather have disclosure and let everybody respond."

Disclosure is a great thing, but it must be done properly. I would argue that Mike did it properly. I would argue that he has displayed the best kind of ethics through this entire mess. Given the content of this Wired interview, I would argue that ISS has its head up its ass.
The Shout | Jennifer Granick | Supporting Mike Lynn

Topic: Computer Security
10:14 pm EDT, Aug 1, 2005
First, Mike gave his talk. Then he got sued. Then I decided to represent him.
I just noticed that Jennifer Granick has a blog. Please shower this woman with comments thanking her for helping/representing Mike.
Mike Lynn Legal Defense Fund

Topic: Computer Security
12:07 am EDT, Jul 30, 2005
Please support Mike Lynn by contributing to his defense fund! Currently this fund exists in the form of sending funds directly to Mike via Paypal. Mike Lynn's Paypal ID is "Abaddon@IO.com". A form to submit funds to this account can also be found at: http://www.memestreams.net/lynndefense.html

A dangerous culture regarding hardware based network devices as impervious to remote compromise has been allowed to exist. Mike has taken on enormous personal risk to do the right thing for the security research community by coming forward with his research and bringing this problem into focus.

Cisco has consistently been on the forefront of this dangerous culture. They exercise a strategy of walling off updates and information only to those with support contracts. In many areas of critical infrastructure, engineers are often limited in their ability to utilize the latest security updates due to their IOS feature train. For years, attempting to adopt SSH as the primary method of administration for Cisco hardware has provided a perfect example of Cisco's broken security culture. Their handling of this situation is putting icing on the cake. We must encourage change in Cisco's security culture.

ISS's actions to date have shown an effect of this broken security culture. ISS's handling of this critical security threat and the researcher that found it have been less than desirable. We are confident our free-market business and media environment will result in both ISS and Cisco learning lessons from this event.

We expect the FBI to be both diligent and respectful in its handling of the investigation against Lynn. The security reality of our critical infrastructure demands such a response. In this big picture, the civil and government security communities are on the same team, and should be viewed as such. If our whistleblowers are not protected, we will eventually find we have no whistles available to us to blow. This would be a disaster for both America and the globalized world.

If we are to protect our critical infrastructure, we too must be protected. The most important thing we the security research community can do in regard to this event is support Mike Lynn, and encourage positive change to broken security culture wherever it exists. Right now, by supporting Mike Lynn, you support the entire community.
FBI Looking for Lynn & Settlement Details

Topic: Computer Security
10:06 pm EDT, Jul 28, 2005
According to a copy of the injunction obtained by washingtonpost.com, the settlement also requires Lynn to "prepare complete mirror images of all computer data in his possession or control. ISS and Lynn shall appoint a third party forensic expert to verify, in the presence of ISS and Lynn (or his representative), on the mirror image, that Lynn has provided to ISS and/or Cisco any ISS- or Cisco-owned materials."
The latest word out of Vegas is that the FBI is looking for Lynn. It's unclear if they are the ones going to play the role of third party, but it would make logical sense.
Cisco gives in to Mike Lynn

Topic: Computer Security
8:16 pm EDT, Jul 28, 2005
Cisco Systems Inc. and a network security firm reached a settlement Thursday with a researcher who quit his job so he could deliver a speech on a serious flaw in Cisco software that routes data over the Internet. He also must return any proprietary Cisco source code in his possession. "The purpose of doing this presentation was to prevent a worm from being made," he said. He also said he decided to defy his employer because Cisco's operating system source code had been stolen and posted on a hacker Web site. Additionally, Lynn said, he has seen discussions of Cisco vulnerabilities posted on Web sites for Chinese hackers. "Cisco has never told anybody that it was possible to take over one of their routers," Lynn said. "They fought that argument for a long time. You can see how far they're willing to go. I demonstrated it live on stage. That debate is over now."