More details about the computer code stolen from Cisco
Systems were revealed yesterday, including new samples of the
source code and information on how the code was distributed, four
days after a Russian website reported news of the theft and posted
sample code files to support the claim.
Additional copies of Cisco code files for the Internetwork
Operating System (IOS) may be circulating on the internet after the
thief compromised a Sun Microsystems server on Cisco's network,
then briefly posted a link to the source code files on a file
server belonging to the University of Utrecht in the Netherlands,
according to Alexander Antipov, a security expert at Moscow
security firm Positive Technologies.
Antipov downloaded more than 15Mbytes of the stolen code, which
is estimated to be around 800Mbytes, after an individual using the
online name "Franz" briefly posted a link to a 3Mbyte compressed
version of the files in a private Internet Relay Chat (IRC) forum
on Friday.
Antipov denied knowing Franz and he has been communicating with
a Cisco employee about returning the leaked source code.
The link provided was only available around 10 minutes and
pointed to a file on an FTP (File Transfer Protocol) server,
ftp://ftp.phys.uu.nl, which
belongs to the University of Utrecht. That server is open to the
public for hosting files of files smaller than 5Mbytes, according
to the university's web page.
Examples of the additional source code files viewed by IDG News
Service are different from the two code files posted on
www.securitylab.ru, and
appear to be written in the C programming language.
One, named snmp_chain.c dates to 1993 and is credited to Robert
Widmer. Another, named http_auth.c and containing a module for
HTTP authentication routines is dated March 2002 and credited to
Saravanan Agasaveeran.
Another source code file, also credited to Agasaveeran, contains
code for a public API (application program interface) for HTTP
client and server applications. Antipov said the source code he
obtained also includes IOS modules covering Internet Protocol
Version 6 (IPv6).
A Cisco source confirmed that Agasaveeran is a Cisco employee.
No information was immediately available on Widmer.
A computer directory listing purported to be of the stolen IOS
modules was also shown to IDG News Service. The listing identifies
a Sun Sparc server named iwan-view3.cisco.com and a list of
directories, but no specific information on the contents of those
directories.
Still, the listing of directories does give some indication of
when the leak may have occurred. Most of the directories were last
updated in 2002 and 2003, with one changed as late as November
2003.
That information could be vital in determining the "when" of the
crime, said Mark Rasch, senior vice president and chief security
counsel of Solutionary.
"By going up the [revision] dates, you know which versions they
got and have a good idea of when they obtained the code," he
said.
The apparent theft from a Sun server also supports the idea that
the code was stolen directly from Cisco's corporate network, rather
than from a developer's laptop or a worker connecting to Cisco over
a remote connection.
"People aren't typically [using VPN connections] into Sun boxes.
The Solaris stations tend to be on site, that's where you'd use
them," he said.
Regardless, Cisco is facing a "huge" forensic investigation, and
should assume that other parts of its network and all of its source
code have been compromised, he said.
The stolen code could be a bonanza for malicious hackers looking
to compromise Cisco devices, even if the stolen code isn't from
critical IOS modules, Rasch said.
Unlike open-source software products, the security of Cisco's
systems, like those of other proprietary software suppliers,
depends on the source code being kept out of public view, he
added.
The FBI is working with Cisco to investigate the theft, said FBI
spokesman Paul Bresson, although he would give no further
details.
The theft parallels a similar crime from February, when thieves
made off with source code for Microsoft Windows NT and Windows 2000
operating systems.
That code's leak is believed to have led to the discovery of at
least one security hole in the company's Internet Explorer 5 web
browser, which could allow an attacker to gain control of a
computer by using a specially crafted bitmap file.
The theft of the IOS code could, potentially, be more serious,
because Cisco's products frequently connect directly to the
internet and are not protected by firewalls and other security
products, said Ken Dunham, director of malicious code at
iDefense.
"With access to the source code, hackers could compile and test
it rigorously, just like developer, and find new vulnerabilities or
attack points," he said.
However, the malicious hackers who made off with the IOS code
have, so far, taken a different route than those who stole the
Microsoft code, Dunham said.
In the Microsoft theft, copies of the leaked code quickly
appeared on peer-to-peer file sharing networks and was being
swapped and discussed in online forums such as discussion lists and
IRC channels.
With the Cisco code, however, the culprits have not released all
the code they claim to have stolen, and little information about
the stolen code was available on the internet on Monday.
The lack of information may mean that the criminals behind the
theft are more interested in selling the stolen code, rather than
receiving accolades from the malicious hacker community, Dunham
said.
"It seems like they're making a legitimate attempt to maintain
control of the code and maybe try to make some money from it," he
said.
A Cisco spokesman declined to comment on the new
information.
"Cisco will continue to take every measure to protect our
intellectual property, employee and customer information. In this
case, Cisco is working with the FBI on this matter," the company
said.
Paul Roberts writes for IDG News
Service