The 'Unthinkable' Becomes Possible




When a young information security researcher made the bold claim this summer that he could do the unthinkable to the world's networking infrastructure, security professionals took notice. Michael Lynn's July presentation at the Black Hat security conference proved that hackers could exercise control over Cisco Systems' once-impenetrable Internetwork Operating System.

Cisco was not amused. The company had Lynn and Black Hat sign a permanent injunction forbidding them from disclosing or disseminating Lynn's presentation, titled "Cisco IOS Shellcode And Exploitation Techniques," although slides as well as digital photos of the presentation are still available on the Web. Lynn, who had been studying IOS code as an employee of security vendor Internet Security Systems Inc., also is barred from making further presentations at conferences for hackers. Other stipulations prevent Lynn, who quit his job, from decompiling Cisco code currently in his possession and require that he return all ISS-owned materials to the company.

Lynn's case was unique because of the seriousness of the flaw he exposed, says Jennifer Granick, executive director of the Stanford Law School Center for Internet and Society and Lynn's lawyer. "Cisco routers make up so much of the backbone of the Internet, and people don't really update routers like they do their desktops," she says.

Reactions to Lynn's bravado are mixed. "What he did was a service," says George Roettger, Internet security specialist for Internet service provider NetLink Services Inc., which serves Ohio and surrounding areas. "Lynn didn't give out information that nobody knew before; he just proved it was possible."

The awareness that Lynn's presentation created wasn't a bad thing, says Dan Lukas, lead security architect for Aurora Health Care in Wisconsin, a not-for-profit health-care network. And he believes companies should be just as concerned with internal security threats. Says Lukas, "I'm more worried about an internal user who knows how your servers are named than someone trying to hack in from the outside."
