Cisco lawyers gag flaw disclosure

01 Aug 2005


Ex-Internet Security Systems (ISS) researcher Michael Lynn’s presentation outlined how a known security flaw in Cisco’s Internetwork Operating System (IOS) could be exploited to run attack code.

Lynn gave the presentation shortly after resigning from ISS, and argued that the information is in the public interest. Cisco and ISS have been granted an injunction preventing Lynn from further discussing the issue.

Other researchers also used the event to highlight current risks. Staff from eEye Digital Security demonstrated a Windows kernel buffer overflow and a trojan that could load itself onto a computer before the operating system start-up process.

Marc Maiffret, co-founder of eEye, said the event gave firms a good opportunity to learn how to protect themselves. “Black Hat is a way for businesses and security experts to share information in the same way that hackers do. We find a lot of flaws, discovery and exploitation techniques, and warn people about them,” Maiffret said.

Elsewhere, security vendor TippingPoint tried to drum up support for its scheme that offers payments to people who provide details of new vulnerabilities. Phil Zimmermann, the creator of PGP encryption, also unveiled Zfone, an application for encrypting VoIP calls.
