Getting Rid of the Messenger and the Evidence
Michael Lynn faced two severe consequences for giving his talk. Just hours before the start of the talk, he was forced to resign from his employment at Internet Security Systems, and he knew that a lawsuit was about to be filed against him. Lynn said during the talk, "Up until two hours ago I had a job, and I'm about to be sued into oblivion."
Michael Lynn was supposed to speak to the press after finishing his talk, but he mysteriously disappeared for a few hours. A few hours after the talk, process servers caught up with Lynn and served him with a restraining order from Cisco and ISS. There are rumors that the Electronic Freedom Foundation may help in his defense.
In addition to trying to silence the messenger, Cisco and ISS tried to get rid of the message. Black Hat attendees usually receive copies of all the presentation slides in a massive three-inch-thick red book, but this conference was different. Someone obviously didn't want Lynn's talk to be available, and just a few days before the start of the conference, people were sent in to cut and tear the offending pages out of all the books. This is quite a feat, considering that a few thousand people attend Black Hat.
In addition to the printed slides, attendees receive a CD-ROM of the talks. Some of the CDs were already printed, but it is unclear if any have reached the wild.
Is This The End of The World?
Michael Lynn doesn't think the end of the world is coming, and he thinks you are probably safe if you upgrade to the latest versions of Cisco IOS. But he also thinks routers are still vulnerable. Many people do not upgrade IOS out of fear or ignorance. In addition, network administrators will often hold off on newer versions in order not to compromise the stability of their routers.
Although Cisco says that the April update of IOS is patched against this attack, it is unclear whether it is an actual patch or whether the attack just doesn't work because of a different memory offset from previous versions. Since the attack depends on hitting the right memory addresses where certain functions reside, new IOS versions will prevent the attack, at least until a hacker finds the correct addresses. Cisco could be claiming that the new version is actually a patch, when in fact it may just be a change in memory addresses.
Lynn wanted to help people and the government secure their routers by presenting what he discovered at Black Hat. He says that the IOS source code has been stolen twice and that hackers around the world are now working to exploit IOS. He has seen evidence of this on Chinese bulletin boards where hackers talk about performing exploits on routers.
"I want to prove the threat is real," Lynn said during the talk.




