[ISN] How Dangerous Was The Cisco Code Theft?
isn at c4i.org
Fri May 20 01:12:24 EDT 2005
By Michael Cohn
Courtesy of InternetWeek
May 18, 2005
A recent hacker attack that compromised some of the crucial equipment
powering the Internet has sparked a debate on whether the stolen Cisco
Systems code used to penetrate the complex systems still poses a
threat to the web.
Experts have argued for years whether software that has its source
code freely distributed is more, or less, secure than proprietary
applications. Code for the open-source Linux operating system, for
example, is available to anyone, and many experts argue that makes it
more secure than Microsoft's proprietary Windows.
"The availability of source code is a long-discussed, unanswered
question," said Art Manion, Internet security analyst at the CERT
Coordination Center at Carnegie Mellon University, which provides
incident response services to sites that have been attacked. "There
are arguments for having source code available that, whether
intentionally or by misappropriation, may allow someone to break into
a system, or it could allow the good guys to find problems and fix
The debate was rekindled last week when The New York Times reported
the arrest of a Swedish teenager suspected of boring into the critical
aerospace and academic systems at NASA's Jet Propulsion Laboratory,
the Patuxent River Naval Air Station, the White Sands Missile Range,
the University of Minnesota, University of California at Berkeley, and
The teenager allegedly used stolen source code from the operating
system of Cisco routers to reach into the supercomputing network known
as the TeraGrid. Once there, the suspect allegedly gained access to at
least 50 systems throughout the Internet. The teen was arrested by the
FBI and Swedish police, and later released to his parents.
Johannes Ullrich, chief technology officer for the SANS Internet Storm
Center, an analysis service that publishes warnings about security
vulnerabilities and bugs, believes it's unlikely a hacker with stolen
code could find flaws that Cisco hasn't already found.
"It's not easy to analyze that code if you don't know the hardware
it's running on," Ullrich said. "It's harder to analyze the Cisco IOS
(Internetwork Operating System) than a Linux application that runs on
Authorities believe Cisco's stolen code was uploaded to a Russian
website, where it may have been distributed to people who would use it
to discover more vulnerabilities in Cisco-powered computer systems.
"The hackers will find more vulnerabilities with that source code out
there," said Jack Koziol, a senior instructor at the Infosec Institute
and author of "The Shellcoder's Handbook: Discovering and Exploiting
Security Holes." 
"This kid got into the TeraGrid," Koziol said. "This is supposedly one
of the most secure systems in the world and a 16-year-old got in.
...It shows just how bad security is in government and in industry all
around the world."
Koziol investigated a similar break-in at the University of California
at Davis, where a hacker also used a publicly known vulnerability to
compromise the school's systems. As in the Cisco incident, the hacker
inserted a virus that recorded the password whenever someone logged
into a university's server. The hacker then used the same password to
break into another system. The technique works because people
frequently use the same login information on different servers.
"He would find one chink in the armor," Koziol said. "If you have just
one system or desktop vulnerable, they can really leverage their
access to penetrate the organization."
A Cisco spokeswoman directed inquiries to a statement on the Cisco
website that said in part, "Cisco IOS source code is both copyrighted
and protected as proprietary material. It is illegal to post it, make
it available to others, download it or use it. Cisco will take all
appropriate legal actions to protect its intellectual property."
Nevertheless, large companies, even security-minded ones like Cisco,
can often have trouble keeping all their intellectual property and
potential loopholes buttoned up.
"The larger an organization, the harder it is to secure it, with so
many sub-companies, external consultants, and former employees still
keeping access with their accounts after they quit," said Van Hauser,
president of The Hacker's Choice, a website devoted to
investigating and analyzing security vulnerabilities. "You have so
many systems to secure. It is therefore very hard to defend a company
as complexity rises."
Hauser pointed out that many prominent technology companies have had
their systems compromised and source code stolen, including Microsoft,
Sun Microsystems, and Hewlett-Packard. He expects the latest incident
won't be the last.
"The stance of companies saying, 'We are secure, nobody has our source
code' is not true anymore," Hauser said. "Hackers get better and
better at reverse engineering software."