Black Hat - Leaked Cisco slides pulled after legal threats

Internet Security Systems pushes to suppress information about a security vulnerability in Cisco's routers

SAN FRANCISCO - Security research company Internet Security Systems Inc. (ISS) is continuing its legal fight to suppress information relating to a security vulnerability in Cisco Systems Inc.'s routers. On Friday, the Atlanta-based research company sent a cease-and-desist letter to Richard Forno, a security researcher who just hours earlier had posted presentation slides that ISS had at one point planned to present at the Black Hat USA security conference in Las Vegas.

The letter accused Forno of publishing stolen proprietary information and threatened legal action if he did not remove the ISS material. It further claimed that the "unlawful distribution of this information is the subject of a federal investigation." It was sent Friday by the East Palo Alto, California, law firm of DLA Piper Gray Cary US LLP on behalf of ISS.

In an e-mail message to press, Forno said that he decided to pull the slides after receiving the letter, and he had harsh words for Cisco and ISS. "Had the two companies involved ... said nothing about this briefing, it's quite likely that few if any people or news outlets would've given it more than a passing thought," he wrote. "But as a result of their heavy-handed tactics this week, both Cisco and ISS have ended up publicizing a serious vulnerability quite significantly and thusly re-ignited the discussion over

how the Internet security community handles vulnerability disclosure and product updates."

A Cisco spokesman downplayed his company's involvement in the cease-and-desist letters. "We're not sending out those letters. ISS is doing that through their law firms," he said. ISS declined to comment for this story.

The legal threats are the latest move in what has become a highly controversial attempt to squelch the contents of a talk that former ISS Research Analyst Michael Lynn gave at the Black Hat USA conference in Las Vegas last week. ISS had planned to sponsor a presentation entitled "The Holy Grail: Cisco IOS Shellcode and Remote Execution," at the annual hacker and security expert conference, but the Atlanta-based security research company decided to pull the talk at the last moment, and materials relating to it were pulled from the show's proceedings.

The talk was pulled because of objections from Cisco, according to Lynn.

On Wednesday morning, Lynn quit his ISS job and gave the presentation anyway. In it, he described a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers, and demonstrated a buffer-overflow attack in which he took control of a router.

Although Cisco was informed of the flaw by ISS and patched its firmware in April, users running certain versions of the company's software are at risk, according to Cisco.

Black Hat and Lynn were then sued by Cisco and ISS in an attempt to prevent the details of Lynn's talk from being circulated. On Thursday, the parties came to an agreement, with Lynn agreeing to silence on the matter.

Within a few hours of that agreement, slides that appear to contain an earlier version of the Lynn presentation appeared on the Web site and were posted to the Full Disclosure e-mail discussion list. The information in these slides "relates to a presentation that ISS decided not to give at the Black Hat 2005 USA conference," the DLA Piper Gray Cary letter states.

On Monday, the slides were still available on the Cryptome Web site, and photographs of Lynn's actual Black Hat presentation began to circulate on the Internet.

Cryptome, a clearinghouse for secret information, said it has no plans to remove the documents. "I never comply with e-mailed demands like that, based on legal advice that most e-mailed demands are bluffs," said John Young, administrator of the Cryptome Web site.

The controversy has ignited debate within the security community about the limits of responsible disclosure and whether companies such as Cisco are helping hackers or users through the public discussion of security flaws. To most Black Hat attendees interviewed last week, Cisco and ISS's actions clearly went too far.

One attendee said that companies such as Cisco should embrace this type of disclosure. "I look at it this way: It's free research," said Robert Gregory, an Information Assurance Engineer with Northrop Grumman Corp.'s TASC division. "You've got the entire IT community doing research for you, and it's not costing you a dime"

The ISS slides and photos of Lynn's Black Hat presentation can be found at

Copyright © 2005 IDG Communications, Inc.