But the presentation is floating around the Web

Jul 29, 2005 19:34 GMT

Cisco and ISS were on fire after Mike Lynn presented some details about the vulnerabilities in Cisco Systems routers at this week's Black Hat USA conference.

Until Wednesday morning, Mike Lynn was a researcher for Internet Security Systems, but he resigned after his company and Cisco threatened to sue him if he spoke at the Black Hat security conference in Las Vegas about a serious vulnerability that he found while reverse-engineering the operating system in Cisco routers.

Lynn conducted the reverse-engineering at the request of his company, and at the Black Hat conference he demonstrated for the audience what hackers could do to a router if they exploited the flaw. He did not, however, reveal technical details that would allow anyone to exploit the bug without doing the same research he did to discover it.

Cisco replaced the conference CD-ROM with a new disc that omitted the presentation. This hasn't stopped people from obtaining the presentation, and a site on the Internet has posted it for people to download.

Under the terms of a permanent injunction signed by a federal judge, Lynn will be forever barred from discussing the details about his research into the vulnerabilities he claimed to have discovered in the widely used Cisco hardware.

According to a copy of the injunction obtained by washingtonpost.com, the settlement also requires Lynn to "prepare complete mirror images of all computer data in his possession or control. ISS and Lynn shall appoint a third party forensic expert to verify, in the presence of ISS and Lynn (or his representative), on the mirror image, that Lynn has provided to ISS and/or Cisco any ISS- or Cisco-owned materials."

Cisco said the vulnerability was not new and that it had already patched the problem in April. Lynn said that Cisco did not tell customers exactly why the software was revised or indicate that the update was a critical patch. As a result, he said, system administrators didn't understand the urgency for patching their system. Cisco denied that the flaw was as critical as Lynn said it was.

It seems that the FBI is conducting an investigation of Lynn, although FBI spokesman Paul Bresson declined to comment on this information.

"There's no arrest warrant for (Lynn) and there are no charges filed and no case pending," Jennifer Granick, Lynn's lawyer, said. "There may never be. But they got a complaint and as a result they were doing some investigation."