Dailydave mailing list archives

Cisco Failed to Alert DHS, Other Agencies About Software Security Flaw


From: "Travis () Vitalisec com" <Travis () Vitalisec com>
Date: Thu, 4 Aug 2005 17:12:39 -0400

By Justin Rood, CQ Staff

If you learn of a security hole that could bring down a nuclear power plant,
a bank, major corporate networks - or all of the above - do you have to tell
the Department of Homeland Security?

According to at least one company, the answer appears to be no.

Despite knowing since at least April of a security flaw in the software that
runs on its computers, Cisco Systems did not tell DHS, one of its customers.
But with more than 37,000 employees and annual revenues topping $20 billion,
the San Jose, Calif.-based company is much more than a vendor to DHS. It is
the world's largest maker of networking hardware and software - including
the routers that keep most of the Internet and corporate and government
networks humming.

The company did not alert anyone about the flaw. Instead, it made a software
update available to fix the problem - but did not tell its customers the
update was urgently needed to fix a hole that could allow hackers to gain
control of their computers and wreak malicious havoc.

"They deliberately kept this from their customers, and now everyone is
scrambling to patch [it]," said Raven Alder, a Seattle-based computer
security expert who consults for several government agencies and private
companies, in an interview. "By keeping the seriousness of the threat away
from paying customers - that has outraged a lot of people."

Alder declined to name the government agencies for which she consulted or to
say if she had worked for DHS. "They may not want that to be public," she
said by telephone Tuesday.

Cisco's actions outraged Michael Lynn, a 24-year-old computer security
expert who worked for a Cisco contractor, Atlanta-based Internet Security
Systems (ISS), and who had worked on the problem quietly for months.

Before a crowd of fellow computer security experts assembled at the Black
Hat hacker conference in Las Vegas last week, Lynn demonstrated how the flaw
could be exploited. It was the first public announcement of the security
hole Cisco and its contractor discovered at least four months earlier.

Cisco and ISS filed for an injunction to prevent Lynn from talking about the
flaw. The parties reached an out-of-court agreement the next day that simply
prevented him from giving the same presentation elsewhere. A subsequent FBI
investigation has led Lynn to decline further press interviews, his
attorney, Jennifer Granick, said Aug. 1.

Possibilities for Hackers

The possibilities the security hole presents to a sophisticated hacker are
significant, according to several experts.

If the conditions were right, hackers "can mess with a bank . . . [or] a
nuclear power plant," said Alder. "They would be able to take [a network]
over, and do anything they want."

"It could allow criminals to . . . steal identity information, engage in
[network] attacks and blackmail," said Bruce Schneier of Mountain View,
Calif.-based Counterpane Internet Security. "It's a major vulnerability."
His company does not compete with ISS, Schneier said, but offers
complementary security services.

Despite the seriousness of the flaw, Lynn's presentation at Black Hat last
week was the first the department heard of the problem.

"We just found out about it at Black Hat," DHS spokesman Kirk Whitworth told
CQ Homeland Security July 28.

Jeff Moss, founder and president of the Black Hat conference, said he spoke
to several representatives from DHS and other government agencies at his
event. All were surprised by Lynn's presentation, he said - and none was
particularly pleased with Cisco.

"They seemed kind of unhappy that Cisco never gave them a heads up that any
of this was possible," Moss said Tuesday by phone. "This huge thing got
dropped in their lap, and they had to learn about it [by] coming to Black
Hat."

DHS Coordination

The Homeland Security Department coordinates the federal government's
infrastructure protection efforts. It has established a complex web of
information-sharing systems to pass along critical information on
vulnerabilities such as the Cisco security hole.

The department has also worked to create legal shields for such "critical
infrastructure information," which exempts it from public release under
federal law. That protection is meant to ease companies' fears that handing
the government such delicate information means it could be widely shared.

"This sort of thing is a pretty strong argument for eliminating that
exemption," said David McGuire of a Washington-based think tank, the Center
for Democracy and Technology. "Not only do we not know what information
they're sharing, we now know they're not sharing any information at all."

For its part, Cisco declined to confirm it did not tell DHS of the flaw
before Lynn's presentation. "Because of the number of touch points between
Cisco and any of its customers, there is no way for Cisco to determine when
any one customer organization became aware" of the flaw, wrote company
spokesman Robert Barlow in an e-mail Tuesday to CQ Homeland Security.

"What we can state," wrote Barlow, "is that we did issue a security advisory
on July 29th" - which was two days after Lynn's presentation in Las Vegas.

In a phone interview Tuesday, Barlow downplayed the seriousness of the flaw.
It only affects a portion of Cisco customers who have their machines set a
particular way - a "very small" number of users, he said, although he did
not have statistics to demonstrate that.

Some observers expressed disbelief at Cisco's failure to notify DHS of its
problem.

"I'm really surprised they didn't disclose [the flaw] earlier," said Michael
Wendy, spokesman for the Washington policy office of the Computing
Technology Industry Association. "It's in their best interests to head this
off at the pass."

Justin Rood can be reached at jrood () cq com.
Copyright 2005 Congressional Quarterly. All Rights Reserved. Reprinted with
permission. Reproduction without the express written consent of
Congressional Quarterly is prohibited.


