[ISN] Arrest made in Cisco source code theft

InfoSec News isn at c4i.org
Mon Sep 20 05:12:48 EDT 2004


By Paul Roberts
IDG News Service

Police in the U.K. have arrested a man in connection with the theft of
source code from networking equipment maker Cisco in May, a Scotland
Yard spokeswoman confirmed Friday.

The Metropolitan Police Computer Crime Unit searched residences in
Manchester, U.K. and Derbyshire, U.K. on Sept. 3, confiscated
computer equipment and arrested a 20-year-old man suspected of
committing "hacking offenses" under that country's Computer Misuse Act
of 1990. While authorities could not discuss the specifics of the
case, the arrest was linked to the Cisco source code, according to
Julie Prinsep, a Yard spokeswoman.

The suspect has since been released on bail and is scheduled to appear
before authorities at a London police station again in November,
Prinsep said. Computer equipment seized in the searches is being
forensically examined, she said.

Cisco did not immediately respond to requests for comment.

The arrest marks a major breakthrough in the case, which involves the
posting of more than 800M bytes of source code from Cisco's
Internetwork Operating System (IOS) to a Russian Web site in May.

IOS is a proprietary operating system that runs on much of the
networking hardware that Cisco makes.

Malicious hackers made off with code for Versions 12.3 of IOS after
the thief compromised a Sun Microsystems Inc. server on Cisco's
network, then briefly posted a link to the source code files on a file
server belonging to the University of Utrecht in the Netherlands,
according to Alexander Antipov, a security expert at Positive
Technologies, a security consulting company in Moscow.

Antipov said he downloaded more than 15M bytes of the stolen code
after an individual using the online name "Franz" briefly posted a
link to a 3M-byte compressed version of the files in a private
Internet Relay Chat forum in May.

The link provided was only available for approximately ten minutes and
pointed to a file on an FTP server, ftp://ftp.phys.uu.nl, which
belongs to the University of Utrecht in the Netherlands. That server
is open to the public for hosting files smaller than 5M
bytes, according to the University's Web page.

Antipov subsequently posted some of that code on a Russian security
Web site, www.securitylab.ru, to call attention to the reported theft,
but denied knowing Franz.

At the time, Cisco said it was working with the FBI to pursue the
hackers. The FBI was not able to comment on the arrest Friday.

The arrest in the Cisco theft follows other recent successes in
cybercrime cases. In June, the FBI announced arrests in the source
code theft for a much-anticipated version of the popular computer game
Half-Life from the network of game maker Valve.

In May, German police arrested men in connection with creating the
Sasser Internet worm and a Trojan horse program called Agobot. On
Sept. 9, prosecutors in Verden, Germany, indicted an 18-year-old
student in the Sasser worm case.
