Consequences of Cisco source code theft unclear

By Bill Brenner, News Writer 17 May 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Cisco Systems confirmed Monday it's investigating the apparent theft of source code from its network, but won't say how much may have been taken or what the consequences could be for customers.

Some IT security experts say this could cause big problems not just for those who use Cisco products but for the entire Internet, since a large volume of Web traffic passes through routers produced by the San Jose, Calif.-based network giant. Others aren't so sure, noting that source code stolen from Microsoft Corp. a couple months ago has yet to produce the chaos some were worried about.

"Cisco is aware that a potential compromise of its proprietary information occurred and was reported on a public Web site just prior to the weekend," the company said in a statement yesterday. "Cisco is fully investigating what happened. As a matter of policy, we take security very seriously and we continue to take every measure to protect our intellectual property, employee and customer information. Cisco will remain focused on its customers and their success and will continue to monitor the situation."

While the company has offered few details on how much code intruders may have lifted, several Internet sources have repeated details initially posted on Russian security Web site SecurityLab, which reported that hackers broke into the company's network and lifted 800MB of source code for IOS 12.3 and 12.3t. One news source, eWEEK, reported that a 2.5MB sample of what is supposedly IOS code was released on the Internet Relay Chat channel as proof of the theft.

So how worried should people be? It depends on who you talk to.

Jonathan Bingham, president and founder of Waltham, Mass.-based Intrusic Inc., which specializes in network intrusions from within a company, said as a Cisco customer, he is concerned.

"Whenever source code is leaked, it's a problem," he said. "This has the potential to become quite a nuisance for customers."

Bingham believes the code may have been stolen from an outside hacker who was able to get access inside the network through remote sources like a company laptop. The hacker could have gained access to a legitimate user code and slipped through Cisco's defense perimeter.

Gary McGraw, chief technology officer for software company Citigal Inc. of northern Virginia is less concerned. He noted that nothing has happened since the code theft at Microsoft and that "you don't need source code to attack a system."

"During the Microsoft theft, people cried that the sky was falling," McGraw said. "Source code makes it easier for an attacker to find flaws. But they don't really need it."

Tags: Information Security Laws, Investigations and Ethics,  Identity Theft and Data Security Breaches,  Enterprise Data Governance,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information Security Laws, Investigations and Ethics Cybersecurity czar candidate questions clout of new position DHS fills National Cybersecurity Center post FTC shutters rogue ISP for hosting malicious content, botnets Experts optimistic of Obama cybersecurity plan WH cybersecurity plan needs private sector guidance Obama announces creation of cybersecurity coordinator position Cybersecurity Act of 2009: Power grab, or necessary step? Face-off: Who should be in charge of cybersecurity? Feds should get private sector advice on cybersecurity Federal efforts to secure cyberinfrastrucure Identity Theft and Data Security Breaches Researchers predict SSNs, crack algorithm putting identities at risk TJX to pay $9.75 million for data breach investigations Man pleads guilty in online banking hacking scam White House cybersecurity czar faces major hurdles Heartland breach cost $12.6 million, CEO says An inside look at security log management forensics investigations LexisNexis investigates breach, notifies thousands Senators hear call for federal cybersecurity restructuring Former Federal Reserve Bank employee arrested Attackers cash in on fundamental data handling mistakes, Verizon finds Enterprise Data Governance Compliance in the cloud Risk management must include physical-logical security convergence Simple information security mistakes can cause data loss, says expert Organizations struggle with data leakage prevention, rights management Encryption in data management should never be ignored, expert says Attackers cash in on fundamental data handling mistakes, Verizon finds Data loss prevention benefits in the real world Mass., Nev. data protection laws wrong, ineffective Cybersecurity hearing highlights inadequacy of PCI DSS Enforcing a vendor risk assessment to avoid outsourcing security risks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CALEA  (SearchSecurity.com) cyberstalking  (SearchSecurity.com) cypherpunk  (SearchSecurity.com) HSPD-7  (SearchSecurity.com) I-SPY Act  (SearchSecurity.com) Information Awareness Office  (SearchSecurity.com) intelligence community  (SearchSecurity.com) lawful interception  (SearchSecurity.com) lifestyle polygraph  (SearchSecurity.com) vulnerability disclosure  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary