WebRTC Solutions Industry News

[July 28, 2005]

Cisco, Security Researcher Settle Dispute

AP Technology Writer
SAN JOSE, Calif. (AP)
Cisco Systems Inc. and a network security firm reached a settlement Thursday with a researcher who quit his job so he could deliver a speech on a serious flaw in the Cisco operating-system software that runs the routers carrying traffic across the Internet.

Michael Lynn, who left his job at Internet Security Systems Inc. hours before his speech, agreed never to repeat the information he gave at the Black Hat conference in Las Vegas on Wednesday.

He also must return any proprietary Cisco source code in his possession.

Cisco, the leading maker of Internet equipment, was supposed to join Lynn on stage. But the company and ISS changed course late last week and tried to cancel the session, going so far as to hire workers this week to yank pages from conference handouts and seek a court order.

The companies claimed the research was "premature" and would be presented at a later security conference. Lynn, however, said he felt obliged to report the problem before it was exploited in attacks that could endanger the Internet.

"Not to sensationalize, but it would be the digital Pearl Harbor we've heard about," Lynn said in an interview Thursday. "I felt it was the right thing to do for the country and for the national critical infrastructure."

The incident highlights the thorny issue of when to go public with a security problem. Security firms and computer vendors generally agree to do so when there's a patch -- or fix -- available.

But it's not always so simple. In the latest case, Lynn and other researchers at Atlanta-based Internet Security Systems discovered a technique that could allow someone to seize control of a Cisco router by exploiting a vulnerability in its operating system.

The specific flaw was patched in April, but the technique is not tied to that one bug: it could be used to turn other vulnerabilities in Cisco routers into the same kind of takeover, so patching the April flaw alone does not close the exposure. Lynn said the technique also could lead to the creation of a worm that targets routers, particularly when coupled with an upcoming version of Cisco's operating system.

Cisco said it encourages independent security research but said in a statement that it felt Lynn's presentation "was presented prematurely and did not follow proper industry disclosure rules."

Chris Rouland, chief technology officer at ISS, said his company and Cisco agreed the research was premature. Rouland said Cisco did not pressure ISS.

But Lynn, who said it was never clear to him who was pressuring ISS, said it was important to get word out now.

Worms -- malicious programs that spread automatically -- are less likely against today's version of Cisco's operating system because the software running on each device differs enough from the others that an exploit written for one does not work unchanged on another. That will change in the next release, making it possible to attack a wide swath of routers without adjusting the malware for each unique configuration.

Such attacks, Lynn said, could modify routers en masse so that they could no longer receive updates, leaving them permanently infected. Worse, attackers could erase the instructions that tell the machine how to start up.

"The purpose of doing this presentation was to prevent a worm from being made," he said.

His Las Vegas demonstration was stripped of any information that would lead anyone to figure out how the technique works, Lynn said.

He also said he decided to defy his employer because Cisco's operating system source code had been stolen and posted on a hacker Web site. Additionally, Lynn said, he has seen discussions of Cisco vulnerabilities posted on Web sites for Chinese hackers.

"Cisco has never told anybody that it was possible to take over one of their routers," Lynn said. "They fought that argument for a long time. You can see how far they're willing to go. I demonstrated it live on stage. That debate is over now."

Disclosures of this kind are one of the central purposes of the Black Hat conference, said organizer Jeff Moss. The event attracts thousands of computer security experts from business, academia and government.

"The point of the talk was to demonstrate there's a problem -- that you need to update all your software as soon as you can because of these types of problems," said Moss. "It wasn't a roadmap to world destruction."

As part of the settlement reached Thursday in San Francisco federal court, Black Hat also agreed to return any video of Lynn's presentation.

It's not clear why the decision to cancel the presentation was made only a few days before the conference was to begin. Moss said ISS first contacted Black Hat several weeks ago about the possibility of pulling presentation material from the handouts given to every attendee.

Until last week, ISS never followed through with a request to actually remove the material.

That changed when Cisco and ISS hired a team of temporary workers to tear about 20 pages out of thousands of conference binders and to replace the compact discs that contained the presentation materials.

"The speech had been vetted like two or three times through ISS's PR department. Everything was great, and ISS was contacting the media telling them to come see this talk," Moss said. "Then last Thursday or last Friday there was a total about-face on ISS's part."
