By Kim Zetter
LAS VEGAS -- A bug discovered in an operating system that runs the
majority of the world's computer networks would, if exploited, allow
an attacker to bring down the nation's critical infrastructure, a
computer security researcher said Wednesday against threat of a
lawsuit.
Michael Lynn, a former research analyst with Internet Security
Systems, quit his job at ISS Tuesday morning before disclosing the
flaw at Black Hat Briefings, a conference for computer security
professionals held annually here.
The security hole in Cisco IOS, the company's "infrastructure
operating system" that controls its routers, was patched by Cisco in
April, Lynn said, and the flawed version is no longer available for
download. But Cisco didn't want the information disclosed until next
year when a new version of the operating system would be out of beta
testing and ready for distribution.
Routers are devices that direct information through a network. Cisco
products account for the majority of routers that operate the backbone
of the internet and many company networks.
Lynn likened IOS to Windows XP, for its ubiquity.
http://www.wired.com/news/privacy/0,1848,68328,00.html
Whistle-Blower Faces FBI Probe
By Kim Zetter
LAS VEGAS -- The FBI is investigating a computer security researcher
for criminal conduct after he revealed that critical routers
supporting the internet and many networks have a serious software
flaw that could allow someone to crash or take control of them.
Mike Lynn, a former researcher at Internet Security Systems, or ISS,
said he was tipped off late Thursday night that the FBI was
investigating him for violating trade secrets belonging to his former
employer.
Lynn resigned from ISS Wednesday morning after his company and Cisco
threatened to sue him if he spoke at the Black Hat security conference
in Las Vegas about a serious vulnerability he found while
reverse-engineering the operating system in Cisco routers. He said he
conducted the reverse-engineering at the request of his company, which
was concerned that Cisco wasn't being forthright about a recent fix it
had made to its operating system.
Lynn spoke anyway, discussing the flaw in Cisco IOS, the operating
system that runs on Cisco routers, which are responsible for
transferring data over much of the internet and private networks.
Although Lynn demonstrated for the audience what hackers could do to a
router if they exploited the flaw, he did not reveal technical details
that would allow anyone to exploit the bug without doing the same
research he did to discover it.
http://www.wired.com/news/privacy/0,1848,68356,00.html
Monty Solomon (monty@roscom.com)