Cisco Source Code Leaks Onto Web(FEDS Also Investigate Burglary at Manhattan CO Verizon)

CNET News.com ^ | May 17, 2004 | Robert Lemos

[fight_truth_decay]

The networking company is investigating whether a security breach has led to some of its source code appearing on the Internet.

An unspecified amount of the proprietary source code that drives Cisco Systems' networking hardware has appeared on the Internet, the technology giant acknowledged early on Monday.

While the company was investigating whether a breach had lead to the leak, a representative could not confirm whether that network intruders had made off with the software equivalent of the crown jewels: some 800 megabytes of the networking giant's source code.

"Cisco is aware that a potential compromise of its proprietary information occurred and was reported on a public Web site just prior to the weekend," said Jim Brady, spokesman for the company. "The Cisco information security team is looking into this matter and investigating what happened."

Brady could give no further details on the matter.

The leak is the second time this year that a major technology company's product source code has been made public without authorisation. In February, Microsoft's source code for parts of Windows 2000 and Windows NT were leaked to the Internet. One security researcher claimed that he had discovered a minor Internet Explorer flaw by analysing that source code.

It's uncertain to what degree the leaked code will affect Cisco security. The security of Microsoft's operating systems has not significantly suffered from the hundreds of megabytes of source code leaked to the public. Moreover, attackers tend not to focus on vulnerabilities in networking hardware. A major flaw that Cisco warned customers about in July never materialised as a threat.

News of the latest source code leak appeared on a Russian security site Securitylabs.ru on Saturday, two days after its administrators received the leaked source code. The site posted two files of source code written in the C programming language, which apparently enables some next-generation Internet protocol version 6 (IPv6) functionality. One file was copyrighted in 1996 and the other in 2003.

According to the security site, online vandals were able to compromise Cisco's corporate network and steal about 800MB of source code. A person with the alias "Franz" bragged about the intrusion and posted about 2.5 megabytes of code on the Internet relay chat (IRC) system not long after the alleged break-in. By Sunday evening, the code could not be located by CNET News.com, however, and members of the IRC channel were speculating about the authenticity of the two brief excerpts posted on the Russian site.

One participant suggested that they might be a hoax because Cisco was not capitalised in the source code. Yet, others quickly grew tired of the discussion, changing the channel's title temporarily to "do not keep commercial code on online computers... when are people gonna learn."

The excerpts of the code posted by SecurityLab.ru named Ole Troan and Kirk Lougheed as the authors. Both programmers appear to be Cisco employees.

CNET News.com's Declan McCullagh contributed to this report.

[fight_truth_decay]

Today eWEEK (where I originally discovered this story, but found I cannot post stories via eWEEK per eWEEK) reports that last week the New York City Police Department and the federal terrorist taskforce were both called in to investigate a burglary at the New York Manhattan CO (central office) of Verizon Communications Inc. This central office, eWEEK reports, is a co-location office housing competing carriers' equipment; and is one of the many hubs for the country's voice and data networks and a key component of the nation's critical infrastructure.

On May 2, three DS-3 networking cards were stolen leaving several corporate customers without Internet service for a full business day. Major questions have been raised eWeek reports," about the security of the nation's critical infrastructure, as well as the curious relationships among competing service providers that share space in hundreds of similar facilities across the country".

Automatically, the burglary brought in FBI terrorism investigators and this ongoing "investigation has been shrouded in secrecy," claims eWEEK. "As of late last week," they add, "no arrests had been made"; and the investigation continues.

[eno_]

"investigation has been shrouded in secrecy,

Verizon left a CLEC's tech unattended, or a pissed-off Verizon employee did it. There are lots of games played by ILECs and CLECs in COs.

[InABunkerUnderSF]

One wonders if this is an example of "cyber terrorism" at work or some disgruntled former employees taking revenge. The later is a problem when you engage in the wholesale dismissal of technically capable people, which Cisco has been known to do.

While having Cisco's IPv6 code may tell competitors how Cisco has "tweaked" the standards and make it possible, if they want to make their products more interoperable. I can think of better ways to attack the Internet (there's this bridge in Saint Louis that carries both Sprint and MCI's fiber... :o)

As for Verizon, I'm not sure how terrorists could benefit from lifting some DS-3 cards (unless they were building their own switch for training purposes?) A terrorist would be better off lifting a 5ESS manual or getting one of Verizon's switch tech's drunk. Sounds more like one of their colo's wanted some spares.

[freedomtrail]

Im sure that just about anyone can get their hands on a 5E manual. I have a few. Its the lightspan manuals and cards that i would be worried about.

[eno_]

Anyone have any idea why the other thread on the Cisco source code theft was removed?