[ISN] New evidence points to Cisco network hack

InfoSec News isn at c4i.org
Wed May 19 08:17:07 EDT 2004


By Paul Roberts
IDG News Service

More details about the computer code stolen from Cisco surfaced on
Tuesday, including new samples of the source code and information on
how the code was distributed, four days after a Russian Web site
reported news of the theft and posted sample code files to support the

Additional copies of Cisco code files for the Internetwork Operating
System (IOS) may be circulating on the Internet, after the thief
compromised a Sun server on Cisco's network, then briefly posted a
link to the source code files on a file server belonging to the
University of Utrecht in the Netherlands, according to Alexander
Antipov, a security expert at Positive Technologies, a security
consulting company in Moscow, who was interviewed by e-mail and
instant messaging service.

A Cisco spokesman declined to comment on the new information, citing
the ongoing investigation, but the company is working with the FBI,
according to Robert Barlow, a company spokesman.

"Cisco will continue to take every measure to protect our intellectual
property, employee and customer information. In this case, Cisco is
working with the FBI on this matter," the company said in a statement.

Antipov downloaded more than 15M bytes of the stolen code, which is
estimated to be around 800M bytes, after an individual using the
online name "Franz" briefly posted a link to a 3M-byte compressed
version of the files in a private Internet Relay Chat (IRC) forum on
Friday, he said.

Antipov denied knowing Franz and said he wants to return the code to
Cisco and has been communicating with a Cisco employee about the
leaked source code.

The link provided was only available around ten minutes and pointed to
a file on an FTP (File Transfer Protocol) server,
ftp://ftp.phys.uu.nl, which belongs to the University of Utrecht in
the Netherlands. That server is open to the public for hosting files
of files smaller than 5M bytes, according to the University's Web

Examples of the additional source code files viewed by IDG News
Service are different from the two code files posted on
www.securitylab.ru, and appear to be written in the C programming
language. One, named snmp_chain.c dates to 1993 and is credited to
Robert Widmer. Another, named http_auth.c and containing a module for
HTTP authentication routines is dated March, 2002 and credited to
Saravanan Agasaveeran.

Another source code file, also credited to Agasaveeran, contains code
for a public API for HTTP client and server applications, and Antipov
said the source code he obtained also includes IOS modules covering

A Cisco source confirmed that Agasaveeran is a Cisco employee in San
Jose, Calif. No information was immediately available on Widmer.

A computer directory listing purported to be of the stolen IOS modules
was also shown to IDG News Service. The listing identifies a Sun Sparc
server named iwan-view3.cisco.com and a list of directories, but no
specific information on the contents of those directories. Still, the
listing of directories does give some indication of when the leak may
have occurred. Most of the directories were last updated in 2002 and
2003, with one changed as late as November 2003.

That information could be vital in determining the "when" of the
crime, said Mark Rasch, senior vice president and chief security
counsel of Solutionary.

"By going up the (revision) dates, you know which versions they got
and have a good idea of when they obtained the code," he said.

The apparent theft from a Sun server also supports the idea that the
code was stolen directly from Cisco's corporate network, rather than
from a developer's laptop or a worker connecting to Cisco over a
remote connection, he said.

"People aren't typically [using VPN connections] into Sun boxes. The
Solaris stations tend to be on site, that's where you'd use them," he

Regardless, Cisco is facing a "huge" forensic investigation, and
should assume that other parts of its network and all of its source
code have been compromised, he said.

The stolen code could be a bonanza for malicious hackers looking to
compromise Cisco devices, even if the stolen code isn't from critical
IOS modules, Rasch said.

Unlike open source software products, the security of Cisco's systems,
like those of other proprietary software vendors, depends on the
source code being kept out of public view, he said.

"When your security depends, in large measure, on keeping source code
private, a breach can be significant," he said.

More information about the ISN mailing list