Incensed by the networking company’s hostile treatment of former ISS researcher Michael Lynn, several hackers now seek to find new flaws in Cisco’s software.
Maybe Cisco shouldn’t have spent all that time ripping pages out of the Black Hat conference book. Instead of keeping a critical potential weakness from being discussed publicly, Cisco managed to motivate the speaker to seize his fifteen minutes of fame and give the talk anyway.
Now, Cisco may reap a whirlwind of motivated hacker activity, as several security researchers attending the Defcon conference have begun work in earnest to find new flaws in the Cisco IOS.
Should a flaw be found similar to the one used in Mr. Lynn’s talk, hackers could recreate the steps in his talk to gain control of a Cisco device. According to a CNET News report, many hackers want to find a new flaw in order to illustrate the urgency customers should feel in patching their Cisco devices.
No one working on finding a new flaw claims to have any interest in using that knowledge maliciously. But while the report mentions a few researchers working over the past weekend, there are certainly many more throughout the world who would like to exploit Cisco’s flaws for criminal game.
Cisco has contended it was only protecting its intellectual property by going to court with ISS to seek an injunction against the presentation. The resulting attention has made Cisco look bad, and the situation could have been avoided.
Cisco blames Mr. Lynn for going outside the usual channels for addressing security problems. The company had patched the specific flaw used in the unauthorized demonstration in April. However, the conditions that would let a flaw become an exploit, via the steps Mr. Lynn demonstrated, still exist. He felt that Cisco wasn’t doing enough to publicize the fix for those conditions.
David Utter is a staff writer for Murdok covering technology and business. Email him here.
