Want CNET to notify you of price drops and the latest stories?

Security experts play down Cisco leak

The leak of a significant amount of the company's latest source code will not result in a large number of vulnerabilities being found, security researchers say.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
The leak of a significant amount of Cisco Systems' source code for its latest network devices will not result in a large number of discovered vulnerabilities, security experts said Monday.

Cisco confirmed the authenticity of two source code files that appeared on a Russian security site over the weekend but could not say whether a network breach led to the unauthorized release of its proprietary code. Cisco scrambled to discover the source of the leak, but security experts said attackers won't be able to use the code easily.


What's new:
Some of the proprietary source code that drives Cisco's networking hardware has appeared on the Internet.

Bottom line:
It's uncertain to what degree the leaked code will affect Cisco security. In a comparable case, Windows security has not significantly suffered from a leak of Microsoft's code in February.

More stories on this topic

"I don't think it is too worrisome," said Johannes Ullrich, chief technology officer of the Internet Storm Center, an online service that monitors threats on the Internet. Comparing the leak with Microsoft's loss of its code earlier this year, Ullrich said Cisco is in a better situation. "If you have the Windows source code, you can build it on your PC at home, where the Cisco code needs specialized hardware, so most people aren't going to be able to compile the files."

A Cisco representative could not confirm the amount of code that was leaked. Claims posted in Internet chat rooms and on Web sites put the loss at some 800 megabytes of the networking giant's source code, essentially the crown jewels.

Cisco ruled out some potential sources of the code.

"It appears that this occurrence was not the result of any exploitation or a vulnerability in any product or service offered by Cisco to its customers, nor do we have any reason to believe that it was the result of any malicious action by any Cisco employee or contractor," company spokeswoman Mojgan Khalili said in a statement.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

This is the second time this year that a major technology company's product source code has been made public without authorization. In February, source code for parts of Microsoft's Windows 2000 and Windows NT were leaked to the Internet. One security researcher claimed that he had discovered a minor Internet Explorer flaw by analyzing that source code.

Security researchers said Cisco's leaked code likely won't affect the company's security. Alfred Huger, senior director of antivirus firm Symantec's security response center, pointed to the fact that so far, the leak of Windows source code has not significantly hurt the security of Microsoft's operating systems.

"If there is risk, it is mid- to long-term," he said. "There have been a couple of vulnerabilities that resulted out of (the Windows code leak), but none of them have been that significant."

Moreover, it is harder to find major vulnerabilities in networking hardware. Attackers tend not to target such devices. A denial-of-service flaw that Cisco warned customers about in July never materialized as a threat.

News of Cisco's source code leak appeared on Russian security site SecurityLab.ru, owned by information protection specialist Positive Technologies, on Saturday, two days after its administrators received the leaked source code. The site posted two files of source code written in the C programming language, which apparently enables some next-generation Internet Protocol version 6 functionality. One file was copyrighted in 1996 and the other in 2003.

According to SecurityLab, online vandals had compromised Cisco's corporate network and stolen about 800MB of source code. A person with the alias "Franz" bragged about the intrusion and posted about 2.5MB of code on the Internet relay chat system not long after the alleged break-in.

The excerpts posted by the Russian Web site named Ole Troan and Kirk Lougheed as the authors of the code. Both programmers appear to be Cisco employees.

While Cisco would not comment on whether the FBI had been brought in to investigate the source code leak as a crime, the FBI's national office confirmed Monday afternoon that its agents were involved.

"We are aware of the potential theft of proprietary information and are working with Cisco," said FBI spokesman Paul Bresson.