Security threats Toolkit

Analysts downplay Cisco code leak

Tags:
Cisco,
Source Code Leak,
Networking Hardware

Published: 18 May 2004 08:20 BST

The leak of a significant amount of Cisco Systems' source code for its latest network devices will not result in a large number of discovered vulnerabilities, security experts said on Monday.

Cisco confirmed the authenticity of two source code files that appeared on a Russian security site over the weekend but could not say whether a network breach led to the unauthorised release of its proprietary code. Cisco scrambled to discover the source of the leak, but security experts said attackers won't be able to use the code easily.

"I don't think it is too worrisome," said Johannes Ullrich, chief technology officer of the Internet Storm Centre, an online service that monitors threats on the Internet. Comparing the leak with Microsoft's loss of its code earlier this year, Ullrich said Cisco is in a better situation. "If you have the Windows source code, you can build it on your PC at home, where the Cisco code needs specialised hardware, so most people aren't going to be able to compile the files."

A Cisco representative could not confirm the amount of code that was leaked. Claims posted in Internet chatrooms and on Web sites put the loss at some 800 megabytes of the networking giant's source code, essentially the crown jewels.

Cisco ruled out some potential sources of the code.

"It appears that this occurrence was not the result of any exploitation or a vulnerability in any product or service offered by Cisco to its customers, nor do we have any reason to believe that it was the result of any malicious action by any Cisco employee or contractor," company spokeswoman Mojgan Khalili said in a statement.

This is the second time this year that a major technology company's product source code has been made public without authorisation. In February, source code for parts of Microsoft's Windows 2000 and Windows NT were leaked to the Internet. One security researcher claimed that he had discovered a minor Internet Explorer flaw by analysing that source code.

Security researchers said Cisco's leaked code probably won't affect the company's security. Alfred Huger, senior director of antivirus firm Symantec's security response centre, pointed to the fact that so far, the leak of Windows source code has not significantly hurt the security of Microsoft's operating systems.

"If there is risk, it is mid- to long-term," he said. "There have been a couple of vulnerabilities that resulted out of [the Windows code leak], but none of them have been that significant."

Moreover, it is harder to find major vulnerabilities in networking hardware. Attackers tend not to target such devices. A denial-of-service flaw that Cisco warned customers about in July never materialised as a threat.

News of Cisco's source code leak appeared on Russian security site SecurityLab.ru on Saturday, two days after its administrators received the leaked source code. The site posted two files of source code written in the C programming language, which apparently enables some next-generation Internet Protocol version 6 functionality. One file was copyrighted in 1996 and the other in 2003.

According to SecurityLab.ru, online vandals had compromised Cisco's corporate network and stolen about 800MB of source code. A person with the alias "Franz" bragged about the intrusion and posted about 2.5MB of code on the Internet relay chat system not long after the alleged break-in.

The excerpts posted by the Russian Web site named Ole Troan and Kirk Lougheed as the authors of the code. Both programmers appear to be Cisco employees.

While Cisco would not comment on whether the FBI had been brought in to investigate the source code leak as a crime, the FBI's national office confirmed on Monday afternoon that its agents were involved.

"We are aware of the potential theft of proprietary information and are working with Cisco," said FBI spokesman Paul Bresson.