IT experts not losing sleep over code theft

Days after Cisco acknowledged someone may have stolen source code from its network, IT experts said they doubt it will amount to anything catastrophic. After all, source code has made it onto the Internet before, and there's no proof it has ever led to an attack. For them, the bigger question is how to prevent such a thing from happening to their organization.

"I'm not losing sleep over this," said Rick Forno, an Internet security consultant and former chief security officer for Network Solutions of Herndon, Va. "Keep in mind that bits of Cisco IOS have been floating around out there for years, and it hasn't brought on a big attack. The security people I speak to are not particularly worried."

Some worry the theft -- up to 800 MB of code, according to reports but not confirmed by Cisco -- could cause big problems for the entire Internet because a large volume of Web traffic passes through routers produced by the San Jose, Calif.-based networking giant.

Radia Perlman, an engineer at one of Cisco's rivals, Santa Clara, Calif.-based Sun Microsystems, isn't so sure. "You'll have to speak with Cisco on their specific situation, but what I can tell you is that the size of the code stolen is not really significant," Perlman said. Regardless, she added, "It is possible to find security flaws without source code, and it isn't necessarily much easier with the source code."

Nevertheless, she said, "It is troubling for any company's computers to be broken into and information of any kind stolen."

While it's impossible to make networks 100% theft-proof, Perlman said Sun's philosophy is that "security through obscurity" is not the way to protect against attackers. "In my opinion, code that is available for inspection to a variety of people is most likely to be secure," she said. "The world is worse off if buggy code is widely deployed and the attackers discover a vulnerability and exploit it at the worse possible time. Security of protocols cannot depend on secrecy of code."

IT experts are reluctant to speculate on whether Cisco's code theft was an inside job or the work of a clever hacker. But some have their theories on how an outsider could pull it off.

Jonathan Bingham is president of Intrusic Inc. of Waltham, Mass., which specializes in preventing network break-ins from within a company. He said an attacker could steal code after accessing a network through an infected company laptop. Once inside the network, an attacker can access the system as a legitimate user.

"They could be accessing the system for months, sitting there mapping out the network and finding the most important areas," Bingham said. "This is what's known as the reconnaissance phase. They do it right under the noses of IT managers."

After finding what they want, Bingham said an attacker can pull off the theft disguised as an employee surfing the Web.

"A popular technique is called the http reverse tunnel," he said. "It takes advantage of the security that's in place and allows data to move out through port 80. Any company that allows workers to surf the Internet uses port 80. In this case, an attacker has what he wants. So he masks himself as a Web surfer by disguising the data as a normal Internet session. To the network security system, the activity looks like a normal Internet session, when in fact it's [data] being transferred from the system. It's extremely difficult to detect."

Cisco and the FBI continue to investigate the theft.