Update: More details surface on Cisco's stolen code

More details about the computer code stolen from Cisco Systems Inc. surfaced on Tuesday, including new samples of the source code and information on how the code was distributed, four days after a Russian Web site reported news of the theft and posted sample code files to support the claim.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

Additional copies of Cisco code files for the Internetwork Operating System (IOS) may be circulating on the Internet, after the thief compromised a Sun Microsystems Inc. server on Cisco's network, then briefly posted a link to the source code files on a file server belonging to the University of Utrecht in the Netherlands, according to Alexander Antipov, a security expert at Positive Technologies, a security consulting company in Moscow, who was interviewed by e-mail and instant messaging service.

A Cisco spokesman declined to comment on the new information, citing the ongoing investigation, but the company is working with the U.S. Federal Bureau of Investigation (FBI), according to Robert Barlow, a company spokesman.

"Cisco will continue to take every measure to protect our intellectual property, employee and customer information. In this case, Cisco is working with the FBI on this matter," the company said in a statement.

Antipov downloaded more than 15M bytes of the stolen code, which is estimated to be around 800M bytes, after an individual using the online name "Franz" briefly posted a link to a 3M-byte compressed version of the files in a private Internet Relay Chat (IRC) forum on Friday, he said.

Antipov denied knowing Franz and said he wants to return the code to Cisco and has been communicating with a Cisco employee about the leaked source code.

The link provided was only available around ten minutes and pointed to a file on an FTP (File Transfer Protocol) server, ftp://ftp.phys.uu.nl, which belongs to the University of Utrecht in the Netherlands. That server is open to the public for hosting files of files smaller than 5M bytes, according to the University's Web page.

Examples of the additional source code files viewed by IDG News Service are different from the two code files posted on www.securitylab.ru, and appear to be written in the C programming language. One, named snmp_chain.c dates to 1993 and is credited to Robert Widmer. Another, named http_auth.c and containing a module for HTTP (Hypertext Transfer Protocol) authentication routines is dated March, 2002 and credited to Saravanan Agasaveeran.

Another source code file, also credited to Agasaveeran, contains code for a public API (application program interface) for HTTP client and server applications, and Antipov said the source code he obtained also includes IOS modules covering Internet Protocol Version 6 (IPv6).

A Cisco source confirmed that Agasaveeran is a Cisco employee in San Jose, California. No information was immediately available on Widmer.

A computer directory listing purported to be of the stolen IOS modules was also shown to IDG News Service. The listing identifies a Sun Sparc server named iwan-view3.cisco.com and a list of directories, but no specific information on the contents of those directories. Still, the listing of directories does give some indication of when the leak may have occurred. Most of the directories were last updated in 2002 and 2003, with one changed as late as November 2003.

That information could be vital in determining the "when" of the crime, said Mark Rasch, senior vice president and chief security counsel of Solutionary Inc.

"By going up the (revision) dates, you know which versions they got and have a good idea of when they obtained the code," he said.

The apparent theft from a Sun server also supports the idea that the code was stolen directly from Cisco's corporate network, rather than from a developer's laptop or a worker connecting to Cisco over a remote connection, he said.

"People aren't typically (using Virtual Private Network connections) into Sun boxes. The Solaris stations tend to be on site, that's where you'd use them," he said.

Regardless, Cisco is facing a "huge" forensic investigation, and should assume that other parts of its network and all of its source code have been compromised, he said.

The stolen code could be a bonanza for malicious hackers looking to compromise Cisco devices, even if the stolen code isn't from critical IOS modules, Rasch said.

Unlike open source software products, the security of Cisco's systems, like those of other proprietary software vendors, depends on the source code being kept out of public view, he said.

"When your security depends, in large measure, on keeping source code private, a breach can be significant," he said.