Today @ PC World
News, opinion, and links from the PC World staff.

Black Hat, Lynn Settle with Cisco, ISS

Posted by Andrew Brandt | Friday, July 29, 2005 4:04 PM PT

michael lynn and jeff moss At the conclusion of the Black Hat Briefings yesterday, embattled security researcher Michael Lynn diclosed the agreement he and the conference made with Cisco Systems and Internet Security Systems concerning his presentation on Cisco software vulnerabilities.

Lynn defended in a press conference his controversial decision to make a presentation Wednesday morning on what Lynn calls a very serious security loophole in Cisco's router software. Neither Cisco nor ISS participated in the press conference, but Cisco has released a brief statement describing Lynn's presentation an "irresponsible public disclosure of illegally obtained proprietary information."

Under the terms of a permanent injunction, sought by both Cisco and Lynn's former employer, ISS, Lynn must give the companies all of his research materials, including the presentation slides, his notes, and proof-of-concept software Lynn wrote that he used during his presentation. Black Hat must give Cisco the videotape of the presentation made by the conference's audio-visual contractor. Parts of the presentation have already been posted on security Web sites.

The resolution capped a tense day of negotiations between lawyers representing Cisco, ISS, Lynn, and the conference. Here are a few other memorable moments from the conference that the Cisco story overshadowed:

USB Hardware Hacker

darrin barrall


Darrin Barrall, an R&D Engineer with SPI Dynamics, shows off his custom-built USB hacking device. In a session Wednesday titled "Plug and Root: The USB Keys to the Kingdom," Barrall, along with colleagues David Dewey and Caleb Sima, described and demonstrated how malicious hackers could install keylogging software, steal information, or crash computers by inserting custom-built USB devices into computers.

Radio, Radio

kevin mahaffey


Security researcher Kevin Mahaffey makes a final adjustment to a series of radio antennas; Mahaffey used the directional antennas in a demonstration during his presentation, "Long Range RFID and its Security Implications." Mahaffey and two of his colleagues demonstrated how he could increase the "read range" of radio frequency identification (RF) tags from the typical four to six inches to approximately 50 feet. Mahaffey said the tags could be read at a longer distance, but he wanted to perform the demonstration in the room where he gave the presentation, and that was the greatest distance within the room that he could demonstrate. RFID tags such as the one Mahaffey tested will begin to appear in U.S. passports later this year or next year.

Caught in the Middle

jeff moss


Black Hat Briefings CEO Jeff Moss takes a moment to relax during the Michael Lynn press conference. Moss' company was caught in the middle of the dispute between Cisco, ISS, and Lynn. One day before the conference was set to begin, Cisco hired temps to tear pages out of the conference proceedings book, and Moss had to scramble to press new proceedings CDs that lacked Lynn's presentation slides.

Comments (17)

very good stuff..if possible would like to see more information reg blackhat presentation...anyway thx for the info..
http://srikrishnak.blogspot.com

srikrishnak
July 29, 2005
6:05 PM PT

RFID Tags will be everywhere.
Big Brother is Watching.
The tide of history can not be stopped.
Catch the Fire - The Fear of God is the Beginning of Wisdom

tov
July 29, 2005
8:04 PM PT

Big corps had better get use to this, they had better start listening and stop suing everytime THEIR product has a flaw.

The guy
July 29, 2005
8:05 PM PT

Amen, The Guy. What's next, MS suing for consumers discussing Windows security flaws. Corporate America has yet to develop an understanding of hacking...wonder if they ever will?

bob dango
July 30, 2005
11:50 AM PT

what rubbish. No new flaw was disclosed, Cisco posted an alert & fix months ago and all major SPs would have taken action. What Cisco didn't do was tell every hack how to exploit it. Lynn wasn't hurting Cisco with this, but the ordinary network admins who for whatever reason haven't patched their net. And with this being an ipv6 flaw they probably aren't exposed anyway. Lynn's message wasn't "update your patches", it was flagrant self-promotion.

My hat goes off to guys like Darrin Barrall and Kevin Mahaffey where their work shows corporations/govt the holes that still need fixing.

midnite
July 31, 2005
5:31 AM PT

I wonder about the usb device...how would someone get to my servers to put in the device? What a load of crock...
I do wireless internet, and in 3 years have only had one hacker on my network. I use Lucent routers tho.

Later

KingOfNod
July 31, 2005
9:32 AM PT

I couldn't believe my eyes when i was reading about the nonsense lawsuits against this highly inteligent and honest researcher who dedicate
their time to finding and declaring serious security flaws for these major network hardware providers. They should actually thank Lynn for making them aware of this loopholes in their switches.

rilind
July 31, 2005
1:35 PM PT

I couldn't believe my eyes when i was reading about the nonsense lawsuits against this highly inteligent and honest researcher who dedicates
the time to finding and declaring serious security flaws for these major network hardware providers. They should actually thank Lynn for making them aware of this loopholes in their switches.

rilind
July 31, 2005
1:36 PM PT

bob dango wrote:
"What's next, MS suing for consumers discussing Windows security flaws"

If discussing it can cause a security breach, then I hope so. Why are you all anti-security? My personal data could be accessed if holes are made public before they're pached.

Are all PC World readers liberal extremists, or are you just all hackers?

Barry
July 31, 2005
2:52 PM PT

my 2 cents worth... ANYONE who publicly posts a security breach should be not just sued, they should be charged the same as a hacker who purposely invades another computer. its the same as reaching in a window of a broken store front and grabbing. then telling everyone to go there and grab also. they dont do it in the name of security for the companies, they do it for bragging rights within the hacker community. ego, thats all it is.

unshaven
July 31, 2005
7:44 PM PT

I think this is all a joke it has to be come on!!! I can not believe that someone that is getting paid to do something like "security research" which involves finding vulnerabilities on routers, pcs, etc Now He is being sued because he is found something that he was supposed to do, and he has done it brilliantly. May be all this is just one of those advertisements that help the security community companies in one way, making the point that 1 person could bring half of the internet down so we need to buy more security products, software etc... and scares big companies like Cisco, honestly... it all sounds really weird for me....Confused!!!

Jose Bordetas
August 01, 2005
12:12 PM PT

I think this is a very nice development regarding the improvement in cisco system. A proactive approach will prevent loopholes in the system. The truth will set us free.

Joey sanchez
August 02, 2005
12:07 AM PT

Unshaven, you are missing the point. Until people started publicly posting security problems, most security problems went un fixed. Lynn has just blown the whistle, he is not the problem.

anonymous
August 02, 2005
11:54 AM PT

unshaven, you idiot. If Lynn hadn't blown the whistle Cisco would have sat back and let the exploit exist. Corporate America needs to embrace the "hacker" community. Who do you think fixes all of their mistakes?

Anonymous
August 02, 2005
10:47 PM PT

back in the day, mike and I use to have irc wars when we were highschoolers. memories of mike downloading a linux distribution on a 28.8! now i am off fighting in the GWOT and he is risking his career to protect our nations infrastructure. good on you mike, you've found your way to protect our freedom!

Dan
August 03, 2005
4:00 PM PT

Barry wrote:
> My personal data could be accessed if holes are made
> public before they're pached.

It is much more likely that your personal data will be accessed if security flaws are not made public.

Anonymous
November 05, 2005
6:34 PM PT

King of Nod asked how someone would attach a USB hack to one of his servers... Well... they don't have to get to a server, although this would be a rich target. A device culd be installed on a user PC that records keystrokes, the user then logs into the system, the USB device records all access information. Later that day the cleaning crew arrives and recovers the USB device. Now that user's login and PW just became compramised. Happens more then you think buddy! BTW - Think how many service techs access your server room in a typical year... do you watch them every minute?

ruderalis
December 27, 2005
11:21 AM PT