Cisco/ISS go after websites in IOS spat

All the noice just turns more attention to the IOS flaw, security expert notes

Cisco and Internet Security Systems (ISS) are taking action against websites that provide too much detail about a presentation that security expert Michael Lynn gave on Wednesday at the Black Hat security conference about a vulnerability in Cisco's IOS operating system.

Lawyers for ISS have sent a cease and desist order to the internet provider where Richard Forno of Infowarrior.org posted a PDF document containing the slides of Lynn's presentation.

"My ISP has been contacted by attorneys," Forno told vnunet.com at 4 PM on Friday. "I'm waiting to see the legal document."

Later that day he removed the document from his website and replaced it with a fax from an ISS attorney, demanding that he took the document offline.

In an emailed statement to vnunet.com, Forno lashed out at Cisco and ISS for allowing to let things get out of hand. If the two companies had chosen to keep quiet about Lynn's presentation, few people and news outlets would have noticed, Forno argued. But by taking a heavy-handed approach and going through the courts, they turned the spotlight on an issue that they had wanted to cover up.

"Improvements to internet security will NOT become a reality as the result of
questionable secrecy or from commercial lawsuits that serve to mask the
more substantial and fundamental problems within the information security
industry and Internet community at large," Forno continued.

The document that Forno had made available provides a detailed description of a way to exploit a known issue in Cisco's IOS software that could allow hackers to bring down the router, and potentially much of the internet.

Cisco security spokesman John Noh declined to comment on the case of Infowarrior.org. The company agrues that Lynn's information offered too much detail and could allow hackers that exploit the flaw.

"We are going to take every reasonable measure to protect our customers and the integrity of the Internet," Noh told vnunet.com.

By going after websites that offer the slides from Lynn's presentation, Cisco and ISS are adding a new chapter to the case of an IOS flaw that Cisco desperately is trying to keep under wraps.

Security expert Michael Lynn was originally scheduled to give his presentation on the vulnerability as an ISS employee. After the security company made a last minute decision to cancel the talk, Lynn quit his job and proceeded to give the presentation.

Cisco and ISS responded by filing an injunction seeking to stop Lynn from revealing any additional information about the IOS flaw. The parties on Thursday came to an agreement and made the injunction permanent.

Among things, Lynn agreeded to provide ISS and Cisco with a list of websites where he posted information about the presentation or Cisco code, or websites where he is aware such information is disclosed.

In effect it meant that any website providing too much information about Lynn's presentation can expect to be contacted by Cisco's or ISS's lawyers, demanding that they remove the information, as happened to Forno.

Cisco alleges that Lynn violated Cisco's copyright by reverse engineering the IOS code to find the security vulnerability.

The FBI in the mean time has launched an investigation for any alleged criminal conduct by Lynn in revealing the IOS vulneratbility.

• The Lynn injunction is available for download here.
• The fax that Forno received can be found here here.