Consequences of Cisco source code theft unclear

By Bill Brenner, News Writer 17 May 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Cisco Systems confirmed Monday it's investigating the apparent theft of source code from its network, but won't say how much may have been taken or what the consequences could be for customers.

Some IT security experts say this could cause big problems not just for those who use Cisco products but for the entire Internet, since a large volume of Web traffic passes through routers produced by the San Jose, Calif.-based network giant. Others aren't so sure, noting that source code stolen from Microsoft Corp. a couple months ago has yet to produce the chaos some were worried about.

"Cisco is aware that a potential compromise of its proprietary information occurred and was reported on a public Web site just prior to the weekend," the company said in a statement yesterday. "Cisco is fully investigating what happened. As a matter of policy, we take security very seriously and we continue to take every measure to protect our intellectual property, employee and customer information. Cisco will remain focused on its customers and their success and will continue to monitor the situation."

While the company has offered few details on how much code intruders may have lifted, several Internet sources have repeated details initially posted on Russian security Web site SecurityLab, which reported that hackers broke into the company's network and lifted 800MB of source code for IOS 12.3 and 12.3t. One news source, eWEEK, reported that a 2.5MB sample of what is supposedly IOS code was released on the Internet Relay Chat channel as proof of the theft.

So how worried should people be? It depends on who you talk to.

Jonathan Bingham, president and founder of Waltham, Mass.-based Intrusic Inc., which specializes in network intrusions from within a company, said as a Cisco customer, he is concerned.

"Whenever source code is leaked, it's a problem," he said. "This has the potential to become quite a nuisance for customers."

Bingham believes the code may have been stolen from an outside hacker who was able to get access inside the network through remote sources like a company laptop. The hacker could have gained access to a legitimate user code and slipped through Cisco's defense perimeter.

Gary McGraw, chief technology officer for software company Citigal Inc. of northern Virginia is less concerned. He noted that nothing has happened since the code theft at Microsoft and that "you don't need source code to attack a system."

"During the Microsoft theft, people cried that the sky was falling," McGraw said. "Source code makes it easier for an attacker to find flaws. But they don't really need it."

Tags: Information Security Laws, Investigations and Ethics,  Identity Theft and Data Security Breaches,  Enterprise Data Governance,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information Security Laws, Investigations and Ethics Melissa Hathaway urges more cooperation, government attention to cybersecurity Cybersecurity czar candidate questions clout of new position DHS fills National Cybersecurity Center post FTC shutters rogue ISP for hosting malicious content, botnets Experts optimistic of Obama cybersecurity plan WH cybersecurity plan needs private sector guidance Obama announces creation of cybersecurity coordinator position Cybersecurity Act of 2009: Power grab, or necessary step? Face-off: Who should be in charge of cybersecurity? Feds should get private sector advice on cybersecurity Identity Theft and Data Security Breaches Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy Security expert's PCI analysis misguided, says PCI Council GM External attacks start with unintentional mistakes, survey finds Enterprise Data Governance Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors Voltage, RSA spar over tokenization, data protection Twitter gets condemned by CISOs at Forrester forum PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Cloud-based security services should start private Compliance in the cloud How to write technology outsourcing contracts

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CALEA  (SearchSecurity.com) cyberstalking  (SearchSecurity.com) FERPA  (SearchSecurity.com) HSPD-7  (SearchSecurity.com) I-SPY Act  (SearchSecurity.com) Information Awareness Office  (SearchSecurity.com) intelligence community  (SearchSecurity.com) lawful interception  (SearchSecurity.com) lifestyle polygraph  (SearchSecurity.com) vulnerability disclosure  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary