How Dangerous Was The Cisco Code Theft?

Some say stolen Cisco Systems source code used in an attack on government and university systems is no longer a threat, but others disagree.

May 18, 2005


A recent hacker attack that compromised some of the crucial equipment powering the Internet has sparked a debate on whether the stolen Cisco Systems code used to penetrate the complex systems still poses a threat to the web.

Experts have argued for years whether software that has its source code freely distributed is more, or less, secure than proprietary applications. Code for the open-source Linux operating system, for example, is available to anyone, and many experts argue that makes it more secure than Microsoft's proprietary Windows.

"The availability of source code is a long discussed, unanswered question," said Art Manion, Internet security analyst at the CERT Coordination Center at Carnegie Mellon University, which provides incident response services to sites that have been attacked. "There are arguments for having source code available that, whether intentionally or by misappropriation, may allow someone to break into a system, or it could allow the good guys to find problems and fix them."

The debate was rekindled last week when The New York Times reported the arrest of a Swedish teenager suspected of boring into the critical aerospace and academic systems at NASA's Jet Propulsion Laboratory, the Patuxent River Naval Air Station, the White Sands Missile Range, the University of Minnesota, University of California at Berkeley, and other facilities.

The teenager allegedly used stolen source code from the operating system of Cisco routers to reach into the supercomputing network known as the TeraGrid. Once there, the suspect allegedly gained access to at least 50 systems throughout the Internet. The teen was arrested by the FBI and Swedish police, and later released to his parents.

Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, an analysis service that publishes warnings about security vulnerabilities and bugs, believes it's unlikely a hacker with stolen code could find flaws that Cisco hasn't already found.

"It's not easy to analyze that code if you don't know the hardware it's running on," Ullrich said. "It's harder to analyze the Cisco IOS (Internetwork Operating System) than a Linux application that runs on standard hardware."

Authorities believe Cisco's stolen code was uploaded to a Russian website, where it may have been distributed to people who would use it to discover more vulnerabilities in Cisco-powered computer systems.

"The hackers will find more vulnerabilities with that source code out there," said Jack Koziol, a senior instructor at the Infosec Institute and author of "The Shellcoder's Handbook: Discovering and Exploiting Security Holes."

"This kid got into the TeraGrid," Koziol said. "This is supposedly one of the most secure systems in the world and a 16-year-old got in. ...It shows just how bad security is in government and in industry all around the world."

Koziol investigated a similar break-in at the University of California at Davis, where a hacker also used a publicly known vulnerability to compromise the school's systems. As in the Cisco incident, the hacker inserted a virus that recorded the password whenever someone logged into a university's server. The hacker then used the same password to break into another system. The technique works because people frequently use the same login information on different servers.
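The pattern Koziol describes, one captured password reused to walk from server to server, leaves a footprint in centralised authentication logs: a single account succeeding on several distinct hosts within a short window. The script below is an added illustration of that check, not code from the article or from any of the organisations named in it. The log format (timestamp, host, user, source address, result) and the sample lines are constructed for the example; the thresholds are assumptions a defender would tune to their own environment.

```python
"""Flag one account authenticating successfully to many distinct hosts in a
short window, the fan-out that reused credentials produce.

Added example. The log format and the sample events below are constructed;
they are not from the incident described in the article or any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centralised auth events: "time host user src result"
SAMPLE_LOG = """\
2005-05-10T02:01:10 node01 alice 10.0.0.5 ok
2005-05-10T02:01:12 node01 bob 10.0.0.9 ok
2005-05-10T02:03:40 node02 alice 10.0.0.5 ok
2005-05-10T02:04:05 node03 alice 10.0.0.5 ok
2005-05-10T02:05:30 node04 alice 10.0.0.5 fail
2005-05-10T02:06:01 node04 alice 10.0.0.5 ok
2005-05-10T09:15:00 node02 bob 10.0.0.9 ok
2005-05-11T08:00:00 node05 alice 10.0.0.7 ok
"""


def parse(log_text):
    """Parse the constructed format into sorted (time, host, user, src, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), host, user, src, result))
    return sorted(events)


def fan_out_alerts(log_text, window=timedelta(minutes=30), min_hosts=3):
    """Return {user: summary} for each user whose successful logins reach
    at least `min_hosts` distinct hosts inside any sliding `window`.

    The summary records the largest such host set, the source addresses
    involved, and the first/last login time of that window. Failed attempts
    are ignored here; they are a separate (brute-force) signal."""
    by_user = defaultdict(list)
    for ts, host, user, src, result in parse(log_text):
        if result == "ok":
            by_user[user].append((ts, host, src))

    alerts = {}
    for user, logins in by_user.items():
        best = None
        start = 0
        for end in range(len(logins)):
            # Slide the window start forward until it fits within `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            span = logins[start:end + 1]
            hosts = {h for _, h, _ in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "hosts": hosts,
                    "sources": {s for _, _, s in span},
                    "first": span[0][0],
                    "last": span[-1][0],
                }
        if best is not None:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, info in fan_out_alerts(SAMPLE_LOG).items():
        print(f"{user}: {len(info['hosts'])} hosts {sorted(info['hosts'])} "
              f"from {sorted(info['sources'])} between {info['first']} and {info['last']}")
```

On the sample, `alice` is flagged for reaching four hosts in about five minutes from one source address, while `bob`'s two logins hours apart stay under the threshold. A single source address fanning out under one account is the strongest form of the signal; the same account arriving from many addresses in the window is worth a second look too, since it is what a shared or captured password looks like from the outside.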

"He would find one chink in the armor," Koziol said. "If you have just one system or desktop vulnerable, they can really leverage their access to penetrate the organization."

A Cisco spokeswoman directed inquiries to a statement on the Cisco website that said in part, "Cisco IOS source code is both copyrighted and protected as proprietary material. It is illegal to post it, make it available to others, download it or use it. Cisco will take all appropriate legal actions to protect its intellectual property."

Nevertheless, large companies, even security-minded ones like Cisco, can often have trouble keeping all their intellectual property and potential loopholes buttoned up.

"The larger an organization, the harder it is to secure it, with so many sub-companies, external consultants, and former employees still keeping access with their accounts after they quit," said Van Hauser, president of The Hacker's Choice, a website devoted to investigating and analyzing security vulnerabilities. "You have so many systems to secure. It is therefore very hard to defend a company as complexity rises."

Hauser pointed out that many prominent technology companies have had their systems compromised and source code stolen, including Microsoft, Sun Microsystems, and Hewlett-Packard. He expects the latest incident won't be the last.

"The stance of companies saying, 'We are secure, nobody has our source code' is not true anymore," Hauser said. "Hackers get better and better at reverse engineering software."
