More details about the computer code stolen from Cisco Systems have surfaced, including new samples of the code and information on how it was distributed, four days after a Russian Web site reported news of the theft and posted sample files to support the claim.
More copies of Cisco code files for the Internetwork Operating System may be circulating on the Internet Tuesday. The thief apparently compromised a Sun Microsystems server on Cisco's network, then briefly posted a link to the source code files on a file server belonging to the University of Utrecht in the Netherlands, according to Alexander Antipov, a security expert at Positive Technologies, a security consulting company in Moscow.
A Cisco spokesperson declines to comment on the new information, citing the ongoing investigation. The company is working with the FBI, according to Robert Barlow, a company spokesperson.
"Cisco will continue to take every measure to protect our intellectual property, employee and customer information. In this case, Cisco is working with the FBI on this matter," the company says in a statement.
Antipov downloaded more than 15MB of the stolen code, which is estimated to be around 800MB, after an individual using the online name "Franz" briefly posted a link to a 3MB compressed version of the files in a private Internet Relay Chat forum on Friday, the Moscow security expert said via e-mail and instant messaging service.
Antipov denies knowing Franz. He says he wants to return the code to Cisco and has been communicating with a Cisco employee about the leaked source code.
The link provided was available for only about ten minutes. It pointed to a file on an FTP server that belongs to the University of Utrecht in the Netherlands. That server is open to the public for hosting files of files smaller than 5MB, according to the University.
Examples of the additional source code files viewed by IDG News Service differ from the two code files posted on www.securitylab.ru, and appear to be written in the C programming language. One, named snmp_chain.c dates to 1993 and is credited to Robert Widmer. Another, named http_auth.c and containing a module for HTTP authentication routines is dated March 2002 and credited to Saravanan Agasaveeran.
Another source code file, also credited to Agasaveeran, contains code for a public application program interface for HTTP client and server applications. Antipov says the source code he obtained also includes IOS modules covering Internet Protocol Version 6.
A Cisco source confirms Agasaveeran is a Cisco employee in San Jose, California. No information was immediately available on Widmer.
A computer directory listing purported to be of the stolen IOS modules was also recovered. The listing identifies a Sun Sparc server named iwan-view3.cisco.com and a list of directories, but no information on their contents. Still, the listing gives some indication of when the leak may have occurred. Most of the directories were last updated in 2002 and 2003, with one changed in November 2003.
That information could be vital in determining the crime's time frame, says Mark Rasch, senior vice president and chief security counsel of Solutionary.
"By going up the (revision) dates, you know which versions they got and have a good idea of when they obtained the code," he says.
That it was apparently taken from a Sun server also means the code may have been stolen directly from Cisco's corporate network, not from a developer's laptop or a remote worker, he adds.
"People aren't typically [using Virtual Private Network connections] into Sun boxes. The Solaris stations tend to be on site, that's where you'd use them," he says.
Regardless, Cisco faces a "huge" forensic investigation, and should assume that other parts of its network and all of its source code were compromised, he says.
The stolen code could be a bonanza for malicious hackers looking to compromise Cisco devices, even if the stolen code isn't from critical IOS modules, Rasch says. Unlike open source software products, the security of Cisco's systems and those of other proprietary software vendors depends on keeping source code out of public view, he notes.
"When your security depends, in large measure, on keeping source code private, a breach can be significant," he says.