[ISN] Theft of Cisco Source Code Stirs Fears of Security Threat

From: InfoSec News (isn@private)
Date: Mon May 24 2004 - 23:15:04 PDT

  • Next message: InfoSec News: "[ISN] Former cybersecurity chief opposes new regulations"

    http://www.computerworld.com/securitytopics/security/story/0,10801,93352,00.html
    
    News Story by Jaikumar Vijayan 
    MAY 24, 2004 
    COMPUTERWORLD
    
    The theft of proprietary operating system source code from Cisco
    Systems Inc. poses a potentially serious security threat to corporate
    networks that use the company's technology, users and analysts said.
    
    And the paucity of information released by the networking giant in the
    wake of last week's disclosure that the code had been stolen is
    raising troubling questions about what exactly happened and the real
    extent of the compromise, they added.
    
    "We are all waiting to hear what Cisco has to say," said Stephen
    Smith, network manager at Keystone Mercy Health Plan in Philadelphia.
    
    Cisco has been "unnaturally and unproductively quiet," added John
    Pescatore, an analyst at Gartner Inc. "That gives the impression that
    they are still unsure about the scope of the breach. Or they are sure,
    and it's much worse than has come out so far," he said.
    
    Unidentified attackers last week stole an unspecified amount of source
    code for Cisco's Internetworking Operating System 12.3 and 12.3T
    software, which is widely used in switches and other networking
    equipment. A Russian Web site posted about 13MB of what it claimed was
    the stolen code on May 15, saying that as much as 800MB of code
    appeared to have been stolen.
    
    Alexander Antipov, a security expert at Moscow-based Positive
    Technologies, which owns the Web site that posted the code, claimed
    that the company downloaded it via a link provided over an Internet
    Relay Chat channel by someone using the online name Franz.
    
    The supposed Cisco code samples, a copy of which was sent to
    Computerworld, were removed from Positive Technologies' site at
    Cisco's request on May 18, Antipov said.
    
    In a prepared statement posted on its Web site last week, Cisco
    confirmed that a "portion" of IOS code had been illegally copied and
    publicly posted for several days. It appeared that the occurrence was
    not the result of flaw in any Cisco product or service, the note said.  
    It is also unlikely that the action was taken by a Cisco employee or
    contractor, it added. The company refused to provide any further
    details, citing an ongoing investigation into the matter, but said it
    believed that "the improper publication of this information does not
    create increased risk to customers' Cisco equipment."
    
    "We will continue to closely monitor this matter and provide updates
    as appropriate to customers," a company spokesman said.
    
    The theft raises security concerns, especially since Cisco's
    technology is widely used on corporate networks, users said.
    
    "Now that the code is available to scrutinize, it will be easier to
    find holes to exploit," said Jon Duren, chief technology officer at
    IdleAire Technologies Corp., a Knoxville, Tenn.-based provider of
    electrification services.
    
    "This issue has caused [us] to re-evaluate our access control lists on
    the routers, and on devices surrounding our routers, to ensure that
    they are solid," Duren said.
    
    A similar incident involving the theft of Microsoft Corp. source code
    for Windows NT and Windows 2000 in February led to the discovery of a
    remotely executable flaw in the company's Internet Explorer browser
    software [QuickLink 44787].
    
    The stolen Cisco code could be investigated for similar flaws or
    somehow exploited to create back doors or to fool users into
    downloading malicious patches or Trojan horse programs, security
    experts said.
    
    In the Microsoft incident, the stolen code was freely available for
    download. In contrast, the Cisco source code hasn't resurfaced
    following its brief public airing on the Russian Web site.
    
    Another difference between the two incidents is that the Cisco source
    code could be a lot more difficult to exploit than the Microsoft code,
    which was "complete and reasonably easy to work with," said Johannes
    Ullrich, chief technology officer at the SANS Internet Storm Center in
    Quincy, Mass.
    
    "Just the same, we still have to be aware of the possibility of a
    security issue arising as a result of the theft," said Edward York,
    CTO at 724 Inc., an application service provider in Lompoc, Calif.
    
    This is especially true given the lack of information coming from
    Cisco, users and analysts said. Gartner's Pescatore noted that the
    question that always gets raised when incidents such as this occur is,
    "If this got out, what else was going on?"
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Tue May 25 2004 - 03:00:57 PDT