SAN FRANCISCO - Security research company Internet Security Systems Inc. (ISS) is continuing its legal fight to suppress information relating to a security vulnerability in Cisco Systems Inc.'s routers. On Friday, the Atlanta-based research company sent a cease-and-desist letter to Richard Forno, a security researcher who just hours earlier had posted presentation slides that ISS had at one point planned to present at the Black Hat USA security conference in Las Vegas.
The letter accused Forno of publishing stolen proprietary information and threatened legal action if he did not remove the ISS material. It further claimed that the "unlawful distribution of this information is the subject of a federal investigation." It was sent Friday by the East Palo Alto, California, law firm of DLA Piper Gray Cary US LLP on behalf of ISS.
In an e-mail message to press, Forno said that he decided to pull the slides after receiving the letter, and he had harsh words for Cisco and ISS. "Had the two companies involved ... said nothing about this briefing, it's quite likely that few if any people or news outlets would've given it more than a passing thought," he wrote. "But as a result of their heavy-handed tactics this week, both Cisco and ISS have ended up publicizing a serious vulnerability quite significantly and thusly re-ignited the discussion over how the Internet security community handles vulnerability disclosure and product updates."
A Cisco spokesman downplayed his company's involvement in the cease-and-desist letters. "We're not sending out those letters. ISS is doing that through their law firms," he said. ISS declined to comment for this story.
The legal threats are the latest move in what has become a highly controversial attempt to squelch the contents of a talk that former ISS Research Analyst Michael Lynn gave at the Black Hat USA conference in Las Vegas last week. ISS had planned to sponsor a presentation entitled "The Holy Grail: Cisco IOS Shellcode and Remote Execution," at the annual hacker and security expert conference, but the Atlanta-based security research company decided to pull the talk at the last moment, and materials relating to it were pulled from the show's proceedings.
The talk was pulled because of objections from Cisco, according to Lynn.
On Wednesday morning, Lynn quit his ISS job and gave the presentation anyway. In it, he described a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers, and demonstrated a buffer-overflow attack in which he took control of a router.
Although Cisco was informed of the flaw by ISS and patched its firmware in April, users running certain versions of the company's software are at risk, according to Cisco.
Black Hat and Lynn were then sued by Cisco and ISS in an attempt to prevent the details of Lynn's talk from being circulated. On Thursday, the parties came to an agreement, with Lynn agreeing to silence on the matter.
Within a few hours of that agreement, slides that appear to contain an earlier version of the Lynn presentation appeared on the Cryptome.org Web site and were posted to the Full Disclosure e-mail discussion list. The information in these slides "relates to a presentation that ISS decided not to give at the Black Hat 2005 USA conference," the DLA Piper Gray Cary letter states.