More details about the computer code stolen from Cisco have surfaced, including new samples of the source code and information on how the code was distributed, four days after a Russian website reported news of the theft and posted sample code files to support the claim.
Additional copies of Cisco code files for the Internetwork Operating System (IOS) may be circulating on the Internet, after the thief compromised a Sun server on Cisco's network, then briefly posted a link to the source code files on a file server belonging to the University of Utrecht in the Netherlands, according to Alexander Antipov, a security expert at Positive Technologies, a security consulting company in Moscow.
A Cisco spokesman declined to comment on the new information, citing the ongoing investigation, but the company is working with the FBI, according to Robert Barlow, a company spokesman. "Cisco will continue to take every measure to protect our intellectual property, employee and customer information. In this case, Cisco is working with the FBI on this matter," the company said in a statement.
Antipov downloaded more than 15MB of the stolen code, which is estimated to be around 800MB, after an individual using the online name "Franz" briefly posted a link to a 3MB compressed version of the files in a private Internet Relay Chat (IRC) forum on Friday, he said.
Antipov denied knowing Franz and said he wants to return the code to Cisco and has been communicating with a Cisco employee about the leaked source code.
The link provided was only available for around ten minutes and pointed to a file on an FTP (File Transfer Protocol) server, ftp://ftp.phys.uu.nl, which belongs to the University of Utrecht in the Netherlands. That server is open to the public for hosting files of files smaller than 5MB, according to the University's webpage.
Examples of the additional source code files are different from the two code files posted on www.securitylab.ru, and appear to be written in the C programming language. One, named snmp_chain.c dates to 1993 and is credited to Robert Widmer. Another, named http_auth.c and containing a module for authentication routines is dated March2002 and credited to Saravanan Agasaveeran.
Another source code file, also credited to Agasaveeran, contains code for a public API for HTTP client and server applications, and Antipov said the source code he obtained also includes IOS modules covering Internet Protocol Version 6 (IPv6).
A Cisco source confirmed that Agasaveeran is a Cisco employee in San Jose, California. No information was immediately available on Widmer.
A computer directory listing purported to be of the stolen IOS modules was also shown. The listing identifies a Sun Sparc server named iwan-view3.cisco.com and a list of directories, but no specific information on the contents of those directories. Still, the listing of directories does give some indication of when the leak may have occurred. Most of the directories were last updated in 2002 and 2003, with one changed as late as November 2003.
That information could be vital in determining the "when" of the crime, said Mark Rasch, senior vice president and chief security counsel of Solutionary. "By going up the revision dates, you know which versions they got and have a good idea of when they obtained the code," he said.
The apparent theft from a Sun server also supports the idea that the code was stolen directly from Cisco's corporate network, rather than from a developer's laptop or a worker connecting to Cisco over a remote connection, he said.
"People aren't typically using Virtual Private Network connections into Sun boxes. The Solaris stations tend to be on site, that's where you'd use them," he said. Regardless, Cisco is facing a "huge" forensic investigation and should assume that other parts of its network and all of its source code have been compromised, he said.
The stolen code could be a bonanza for malicious hackers looking to compromise Cisco devices, even if the stolen code isn't from critical IOS modules, Rasch said. Unlike open source software products, the security of Cisco's systems, like those of other proprietary software vendors, depends on the source code being kept out of public view, he said. "When your security depends, in large measure, on keeping source code private, a breach can be significant," he said.