Cisco 'unnaturally quiet' on code theft

The paucity of information released by Cisco Systems after last week's theft of proprietary operating system source code is...

The paucity of information released by Cisco Systems after last week's theft of proprietary operating system source code is raising troubling questions among users and analysts about what exactly happened and the real extent of the compromise. 

"We are all waiting to hear what Cisco has to say," said network manager Stephen Smith. 

Cisco has been "unnaturally and unproductively quiet", said Gartner analyst John Pescatore. "That gives the impression that they are still unsure about the scope of the breach. Or they are sure, and it's much worse than has come out so far." 

Unidentified attackers stole an unspecified amount of source code for Cisco's Internetworking Operating System 12.3 and 12.3T software, which is widely used in switches and other networking equipment. A Russian website posted about 13MB of what it claimed was the stolen code, saying that as much as 800MB of code appeared to have been stolen. 

Alexander Antipov, a security expert at Moscow-based Positive Technologies, which owns the website that posted the stolen code, claimed that the company downloaded it via a link provided over an Internet Relay Chat channel by someone using the online name Franz. 

The supposed Cisco code samples were removed from the website at Cisco's request on 18 May, Antipov said. 

Cisco confirmed on its own website that a "portion" of IOS code had been illegally copied and publicly posted for several days. It appeared that the occurrence was not the result of flaw in any Cisco product or service. It also was unlikely that the action was taken by a Cisco employee or contractor. 

The company refused to provide further details, citing an investigation into the matter, but said it believed that "the improper publication of this information does not create increased risk to customers' Cisco equipment". 

"We will continue to closely monitor this matter and provide updates as appropriate to customers," a company spokesman said. 

The theft raises security concerns, especially since Cisco's technology is widely used on corporate networks, users said. 

"Now that the code is available to scrutinise, it will be easier to find holes to exploit," said Jon Duren, chief technology officer at a provider of electrification services.

"This issue has caused [us] to re-evaluate our access control lists on the routers, and on devices surrounding our routers, to ensure that they are solid." 

A similar incident involving the theft of Microsoft source code for Windows NT and Windows 2000 in February led to the discovery of a remotely executable flaw in the company's Internet Explorer browser software. 

The stolen Cisco code could be investigated for similar flaws or somehow exploited to create back doors or to fool users into downloading malicious patches or Trojan horse programs, security experts said. 

In the Microsoft incident, the stolen code was freely available for download. In contrast, the Cisco source code has not resurfaced following its brief public airing on the Russian website. 

Another difference between the two incidents is that the Cisco source code could be far more difficult to exploit than the Microsoft code, which was "complete and reasonably easy to work with",said Johannes Ullrich, chief technology officer at the Sans Internet Storm Center. 

"Just the same, we still have to be aware of the possibility of a security issue arising as a result of the theft," said chief technology officer Edward York, CTO at an application service provider. 

This is especially true given the lack of information coming from Cisco, users and analysts said. Gartner's Pescatore noted that the question that always gets raised when incidents such as this occur is, "If this got out, what else was going on?"

Jaikumar Vijayan writes for Computerworld

Read more on IT risk management