Consequences of Cisco source code theft unclear

Cisco Systems confirmed Monday it's investigating the apparent theft of source code from its network, but won't say how much may have been taken or what the consequences could be for customers.

Some IT security experts say this could cause big problems not just for those who use Cisco products but for the entire Internet, since a large volume of Web traffic passes through routers produced by the San Jose, Calif.-based network giant. Others aren't so sure, noting that source code stolen from Microsoft Corp. a couple months ago has yet to produce the chaos some were worried about.

"Cisco is aware that a potential compromise of its proprietary information occurred and was reported on a public Web site just prior to the weekend," the company said in a statement yesterday. "Cisco is fully investigating what happened. As a matter of policy, we take security very seriously and we continue to take every measure to protect our intellectual property, employee and customer information. Cisco will remain focused on its customers and their success and will continue to monitor the situation."

While the company has offered few details on how much code intruders may have lifted, several Internet sources have repeated details initially posted on Russian security Web site SecurityLab, which reported that hackers broke into the company's network and lifted 800MB of source code for IOS 12.3 and 12.3t. One news source, eWEEK, reported that a 2.5MB sample of what is supposedly IOS code was released on the Internet Relay Chat channel as proof of the theft.

So how worried should people be? It depends on who you talk to.

Jonathan Bingham, president and founder of Waltham, Mass.-based Intrusic Inc., which specializes in network intrusions from within a company, said as a Cisco customer, he is concerned.

"Whenever source code is leaked, it's a problem," he said. "This has the potential to become quite a nuisance for customers."

Bingham believes the code may have been stolen from an outside hacker who was able to get access inside the network through remote sources like a company laptop. The hacker could have gained access to a legitimate user code and slipped through Cisco's defense perimeter.

Gary McGraw, chief technology officer for software company Citigal Inc. of northern Virginia is less concerned. He noted that nothing has happened since the code theft at Microsoft and that "you don't need source code to attack a system."

"During the Microsoft theft, people cried that the sky was falling," McGraw said. "Source code makes it easier for an attacker to find flaws. But they don't really need it."