Thursday, July 28, 2005

Michael Lynn's Black Hat presentation: What's the big deal?

In case you haven't heard, there's a big controversy over one of yesterday's Black Hat presentations. I frankly don't see what all the fuss is about.

According to Cisco, Lynn reverse engineered parts of IOS while working for ISS. This allowed him to discover methods to make use of existing vulnerabilities to gain shell access or execute arbitrary code on a Cisco router.

People, this is a big technical step forward, but it's just not news. First, Mr. Lynn has not created or publicized new Cisco vulnerabilities; he's merely come up with some more creative ways to make use of existing ones. Second, I don't think any security professional should be surprised that it's possible to use a stack or heap vulnerability to execute code. It's been done to death on every other platform; why not IOS too? My hat's off to Mr. Lynn for what is definitely some masterful coding on his part, but we've seen this before elsewhere.

What really puzzles me, though, is why anyone is surprised that he's apparently going to be sued by both Cisco and ISS. I'm not privy to the agreements he may have signed with ISS when he was employed there, nor do I know any details about any NDAs that might be in place between ISS and Cisco. However, if he was paid by ISS to work on this project, the work belongs to ISS and not to Mr. Lynn. That alone could be sufficient grounds for ISS to complain, especially because by outing the work, he has also probably opened ISS itself to lawsuits from Cisco.

So please everyone, let's get over this teacup imbroglio. This just isn't the story everyone thinks it is.

Monday, July 11, 2005

Tor is a double-edged sword

Yes, this article's conclusions are a little obvious. An anonymizing network protects the privacy of normal users and evildoers alike. That was just about my second thought on hearing about Tor (the first was, "Cool!").

I like this article, though, because it has a step-by-step guide to running some simple Nessus scans through Tor. I haven't been using Tor in my penetration tests, partly because being anonymous isn't much of an issue, but mostly because I don't know that I trust it to work well for all the various Nessus tests. I might give this guy's method a try, though, and see how it goes.
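To make the trust question concrete, here is an added example of the mechanism a scan relies on when it goes "through Tor": a single TCP connect probe handed to the local Tor client over its SOCKS5 port, with the reply decoded. This is not code from the post or from the linked Nessus guide; it assumes a Tor client listening on 127.0.0.1:9050 (the default SocksPort), and the function names (`socks5_connect_request`, `probe_via_tor`) are mine. It also shows the two things that decide whether a scanner behaves well behind Tor: the target is sent as a domain name so resolution happens inside Tor rather than leaking to the local resolver, and only TCP connects can enter the tunnel at all.

```python
"""TCP connect probe through a local Tor client's SOCKS5 port.

Constructed example. Assumes Tor is listening on 127.0.0.1:9050 (its default
SocksPort); nothing here is part of the blog post or of the Nessus/Tor guide
it links to.
"""
import socket
import struct

TOR_SOCKS_HOST = "127.0.0.1"  # assumption: Tor client runs on the scanning host
TOR_SOCKS_PORT = 9050         # assumption: default SocksPort

# SOCKS5 reply codes, RFC 1928 section 6
SOCKS5_REPLY = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def socks5_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT for host:port.

    The target is always sent as a domain name (ATYP 0x03), even if it is an
    IP literal, so any name resolution happens inside Tor at the exit.
    Resolving locally and sending the resulting IPv4 address (ATYP 0x01)
    would leak the lookup to the scanner's own DNS resolver.
    """
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes in SOCKS5 domain form")
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def parse_socks5_reply(data: bytes) -> tuple[bool, str]:
    """Interpret the VER/REP bytes of a SOCKS5 reply. Returns (connected, reason)."""
    if len(data) < 2 or data[0] != 0x05:
        return False, "not a SOCKS5 reply"
    code = data[1]
    return code == 0x00, SOCKS5_REPLY.get(code, f"unknown reply code 0x{code:02x}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("Tor closed the SOCKS connection early")
        buf += chunk
    return buf


def probe_via_tor(host: str, port: int, timeout: float = 30.0) -> tuple[bool, str]:
    """Open one TCP connection to host:port through Tor and report the result.

    Only TCP connects can be carried this way: ICMP echo, UDP probes and raw
    SYN/FIN scans never enter the SOCKS tunnel. A scanner plugin that relies
    on them either fails behind Tor or, worse, runs directly from this host.
    """
    with socket.create_connection((TOR_SOCKS_HOST, TOR_SOCKS_PORT), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(b"\x05\x01\x00")               # greeting: SOCKS5, one method, no auth
        if _recv_exact(s, 2) != b"\x05\x00":
            return False, "Tor did not accept the no-authentication method"
        s.sendall(socks5_connect_request(host, port))
        head = _recv_exact(s, 4)                 # VER REP RSV ATYP
        ok, reason = parse_socks5_reply(head)
        if ok:
            # Consume BND.ADDR and BND.PORT; their length depends on ATYP.
            atyp = head[3]
            if atyp == 0x01:
                _recv_exact(s, 4 + 2)
            elif atyp == 0x04:
                _recv_exact(s, 16 + 2)
            elif atyp == 0x03:
                _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        return ok, reason


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for p in (22, 80, 443):
        print(target, p, probe_via_tor(target, p))
```

The practical check before trusting a full scanner run behind Tor is to watch the external interface with a packet capture while the scan runs: the only traffic leaving should be to 127.0.0.1:9050 and Tor's own guard connection, and any ICMP, UDP or raw-socket probes that show up on the wire are tests that Tor is not carrying for you.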