[ISN] New evidence points to Cisco network hack

From: InfoSec News (isn@private)
Date: Wed May 19 2004 - 05:17:07 PDT


    http://www.nwfusion.com/news/2004/0518moredetai.html
    
    By Paul Roberts
    IDG News Service
    05/18/04
    
    More details about the computer code stolen from Cisco surfaced on
    Tuesday, including new samples of the source code and information on
    how the code was distributed, four days after a Russian Web site
    reported news of the theft and posted sample code files to support the
    claim.
    
    Additional copies of Cisco code files for the Internetwork Operating
    System (IOS) may be circulating on the Internet, after the thief
    compromised a Sun server on Cisco's network, then briefly posted a
    link to the source code files on a file server belonging to the
    University of Utrecht in the Netherlands, according to Alexander
    Antipov, a security expert at Positive Technologies, a security
    consulting company in Moscow, who was interviewed via e-mail and
    instant messaging.
    
    A Cisco spokesman declined to comment on the new information, citing
    the ongoing investigation, but the company is working with the FBI,
    according to Robert Barlow, a company spokesman.
    
    "Cisco will continue to take every measure to protect our intellectual
    property, employee and customer information. In this case, Cisco is
    working with the FBI on this matter," the company said in a statement.
    
    Antipov downloaded more than 15M bytes of the stolen code, which is
    estimated to be around 800M bytes, after an individual using the
    online name "Franz" briefly posted a link to a 3M-byte compressed
    version of the files in a private Internet Relay Chat (IRC) forum on
    Friday, he said.
    
    Antipov denied knowing Franz and said he wants to return the code to
    Cisco and has been communicating with a Cisco employee about the
    leaked source code.
    
    The link provided was only available for around ten minutes and
    pointed to a file on an FTP (File Transfer Protocol) server,
    ftp://ftp.phys.uu.nl, which belongs to the University of Utrecht in
    the Netherlands. That server is open to the public for hosting files
    smaller than 5M bytes, according to the University's Web page.
    
    Examples of the additional source code files viewed by IDG News
    Service are different from the two code files posted on
    www.securitylab.ru, and appear to be written in the C programming
    language. One, named snmp_chain.c, dates to 1993 and is credited to
    Robert Widmer. Another, named http_auth.c and containing a module for
    HTTP authentication routines, is dated March 2002 and credited to
    Saravanan Agasaveeran.
    
    Another source code file, also credited to Agasaveeran, contains code
    for a public API for HTTP client and server applications, and Antipov
    said the source code he obtained also includes IOS modules covering
    IPv6.
    
    A Cisco source confirmed that Agasaveeran is a Cisco employee in San
    Jose, Calif. No information was immediately available on Widmer.
    
    A computer directory listing purported to be of the stolen IOS modules
    was also shown to IDG News Service. The listing identifies a Sun Sparc
    server named iwan-view3.cisco.com and a list of directories, but no
    specific information on the contents of those directories. Still, the
    listing of directories does give some indication of when the leak may
    have occurred. Most of the directories were last updated in 2002 and
    2003, with one changed as late as November 2003.
    
    That information could be vital in determining the "when" of the
    crime, said Mark Rasch, senior vice president and chief security
    counsel of Solutionary.
    
    "By going up the (revision) dates, you know which versions they got
    and have a good idea of when they obtained the code," he said.
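    The dating technique Rasch describes, reading the modification dates
    in a directory listing of the stolen tree to bound when the copy was
    taken, can be done mechanically. The following Python is an added
    example and is not from the article, from Cisco, or from the actual
    iwan-view3 listing; the `ls -l` style listing it parses is
    constructed, and the directory names and dates in it are invented.
    It extracts each entry's last-modified date, gives the latest one as
    a "not before" bound on the theft (the copy cannot predate the newest
    change it contains), and tallies entries per year so an investigator
    can see which revision era the snapshot reflects.

```python
from collections import Counter
from datetime import datetime

# Constructed sample listing in `ls -l` style (permissions, links, owner,
# group, size, month, day, year, name). These names and dates are invented
# for illustration and are NOT the real listing reported in the article.
SAMPLE_LISTING = """\
drwxr-xr-x  5 build eng 4096 Mar 03 2002 http_auth
drwxr-xr-x  3 build eng 4096 Jul 19 2002 snmp
drwxr-xr-x  8 build eng 4096 Jan 27 2003 ipv6
drwxr-xr-x  4 build eng 4096 Nov 14 2003 ios_core
total 16
"""


def parse_listing(text):
    """Return a list of (name, mtime) tuples from an `ls -l` style listing.

    Lines without the nine expected fields, or whose timestamp is not in
    month/day/year form (ls prints HH:MM for recent files), are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        month, day, year, name = parts[5], parts[6], parts[7], parts[8]
        try:
            mtime = datetime.strptime(f"{month} {day} {year}", "%b %d %Y")
        except ValueError:
            continue
        entries.append((name, mtime))
    return entries


def not_before_bound(entries):
    """Latest modification date in the snapshot, as YYYY-MM-DD.

    The copy was taken no earlier than this date: a file changed on that
    day could not be present in a copy made before it. (It says nothing
    about how much later the copy was made.)
    """
    latest = max(mtime for _, mtime in entries)
    return latest.strftime("%Y-%m-%d")


def year_histogram(entries):
    """Count directory entries per last-modified year."""
    return dict(Counter(mtime.year for _, mtime in entries))


def summarize(text):
    """Parse a listing and return the timeline facts an investigator wants."""
    entries = parse_listing(text)
    return {
        "entries": len(entries),
        "not_before": not_before_bound(entries),
        "by_year": year_histogram(entries),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
```

    The bound is only as trustworthy as the timestamps: if the copying
    tool preserved the server's mtimes, the newest date is a floor on
    the theft date; if it did not, the dates merely reflect when the
    copy was written and the revision history inside the files (RCS or
    CVS headers, dated comments such as the 1993 and 2002 credits above)
    becomes the better evidence.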
    
    The apparent theft from a Sun server also supports the idea that the
    code was stolen directly from Cisco's corporate network, rather than
    from a developer's laptop or a worker connecting to Cisco over a
    remote connection, he said.
    
    "People aren't typically [using VPN connections] into Sun boxes. The
    Solaris stations tend to be on site, that's where you'd use them," he
    said.
    
    Regardless, Cisco is facing a "huge" forensic investigation, and
    should assume that other parts of its network and all of its source
    code have been compromised, he said.
    
    The stolen code could be a bonanza for malicious hackers looking to
    compromise Cisco devices, even if the stolen code isn't from critical
    IOS modules, Rasch said.
    
    Unlike open source software products, the security of Cisco's systems,
    like those of other proprietary software vendors, depends on the
    source code being kept out of public view, he said.
    
    "When your security depends, in large measure, on keeping source code
    private, a breach can be significant," he said.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Wed May 19 2004 - 06:03:45 PDT