More information released on Cisco code theft

More details about the computer code stolen from Cisco Systems were revealed yesterday, including new samples of the source code...

More details about the computer code stolen from Cisco Systems were revealed yesterday, including new samples of the source code and information on how the code was distributed, four days after a Russian website reported news of the theft and posted sample code files to support the claim.

Additional copies of Cisco code files for the Internetwork Operating System (IOS) may be circulating on the internet after the thief compromised a Sun Microsystems server on Cisco's network, then briefly posted a link to the source code files on a file server belonging to the University of Utrecht in the Netherlands, according to Alexander Antipov, a security expert at Moscow security firm Positive Technologies.

Antipov downloaded more than 15Mbytes of the stolen code, which is estimated to be around 800Mbytes, after an individual using the online name "Franz" briefly posted a link to a 3Mbyte compressed version of the files in a private Internet Relay Chat (IRC) forum on Friday.

Antipov denied knowing Franz and he has been communicating with a Cisco employee about returning the leaked source code.

The link provided was only available around 10 minutes and pointed to a file on an FTP (File Transfer Protocol) server,, which belongs to the University of Utrecht. That server is open to the public for hosting files of files smaller than 5Mbytes, according to the university's web page.

Examples of the additional source code files viewed by IDG News Service are different from the two code files posted on, and appear to be written in the C programming language.

One, named snmp_chain.c dates to 1993 and is credited to Robert Widmer. Another, named  http_auth.c and containing a module for HTTP authentication routines is dated March 2002 and credited to Saravanan Agasaveeran.

Another source code file, also credited to Agasaveeran, contains code for a public API (application program interface) for HTTP client and server applications. Antipov said the source code he obtained also includes IOS modules covering Internet Protocol Version 6 (IPv6).

A Cisco source confirmed that Agasaveeran is a Cisco employee. No information was immediately available on Widmer.

A computer directory listing purported to be of the stolen IOS modules was also shown to IDG News Service. The listing identifies a Sun Sparc server named and a list of directories, but no specific information on the contents of those directories.

Still, the listing of directories does give some indication of when the leak may have occurred. Most of the directories were last updated in 2002 and 2003, with one changed as late as November 2003.

That information could be vital in determining the "when" of the crime, said Mark Rasch, senior vice president and chief security counsel of Solutionary.

"By going up the [revision] dates, you know which versions they got and have a good idea of when they obtained the code," he said.

The apparent theft from a Sun server also supports the idea that the code was stolen directly from Cisco's corporate network, rather than from a developer's laptop or a worker connecting to Cisco over a remote connection.

"People aren't typically [using VPN connections] into Sun boxes. The Solaris stations tend to be on site, that's where you'd use them," he said.

Regardless, Cisco is facing a "huge" forensic investigation, and should assume that other parts of its network and all of its source code have been compromised, he said. 

The stolen code could be a bonanza for malicious hackers looking to compromise Cisco devices, even if the stolen code isn't from critical IOS modules, Rasch said.

Unlike open-source software products, the security of Cisco's systems, like those of other proprietary software suppliers, depends on the source code being kept out of public view, he added. 
The FBI is working with Cisco to investigate the theft, said FBI spokesman Paul Bresson, although he would give no further details.

The theft parallels a similar crime from February, when thieves made off with source code for Microsoft Windows NT and Windows 2000 operating systems.

That code's leak is believed to have led to the discovery of at least one security hole in the company's Internet Explorer 5 web browser, which could allow an attacker to gain control of a computer by using a specially crafted bitmap file.

The theft of the IOS code could, potentially, be more serious, because Cisco's products frequently connect directly to the internet and are not protected by firewalls and other security products, said Ken Dunham, director of malicious code at iDefense.

"With access to the source code, hackers could compile and test it rigorously, just like developer, and find new vulnerabilities or attack points," he said.

However, the malicious hackers who made off with the IOS code have, so far, taken a different route than those who stole the Microsoft code, Dunham said.

In the Microsoft theft, copies of the leaked code quickly appeared on peer-to-peer file sharing networks and was being swapped and discussed in online forums such as discussion lists and IRC channels.

With the Cisco code, however, the culprits have not released all the code they claim to have stolen, and little information about the stolen code was available on the internet on Monday.

The lack of information may mean that the criminals behind the theft are more interested in selling the stolen code, rather than receiving accolades from the malicious hacker community, Dunham said.

"It seems like they're making a legitimate attempt to maintain control of the code and maybe try to make some money from it," he said.

A Cisco spokesman declined to comment on the new information.

"Cisco will continue to take every measure to protect our intellectual property, employee and customer information. In this case, Cisco is working with the FBI on this matter," the company said.

Paul Roberts writes for IDG News Service

Read more on IT risk management