Theft of Cisco source code stirs fears of security threat

Computerworld - The theft of proprietary operating system source code from Cisco Systems Inc. poses a potentially serious security threat to corporate networks that use the company's technology, users and analysts said.
And the paucity of information released by the networking giant this week in the wake of the theft is raising troubling questions about what exactly happened and the real extent of the compromise, they said.
"We are all waiting to hear what Cisco has to say," said Stephen Smith, network manager at Keystone Mercy Health Plan in Philadelphia.
Cisco has been "unnaturally and unproductively quiet," said John Pescatore, an analyst at Gartner Inc. "That gives the impression that they are still unsure about the scope of the breach. Or they are sure, and it's much worse than has come out so far."
Unidentified attackers stole an unspecified amount of source code for Cisco's Internetworking Operating System 12.3 and 12.3T software, which is widely used in switches and other networking equipment (see story). A Russian Web site posted about 13MB of what it claimed was the stolen code last Saturday, saying that as much as 800MB of code appeared to have been stolen.
Alexander Antipov, a security expert at Moscow-based Positive Technologies, which owns the Web site that posted the stolen code, claimed that the company downloaded it via a link provided over an Internet Relay Chat channel by someone using the online name Franz.
The supposed Cisco code samples, a copy of which was sent to Computerworld, was removed from the Web site at Cisco's request on May 18, Antipov said.
In a statement posted on its Web site, Cisco confirmed that a "portion" of IOS code had been illegally copied and publicly posted for several days. It appeared that the occurrence wasn't the result of flaw in any Cisco product or service, the note said. It also was unlikely that the action was taken by a Cisco employee or contractor.
The company refused to provide further details, citing an ongoing investigation into the matter, but said it believed that "the improper publication of this information does not create increased risk to customers' Cisco equipment."
"We will continue to closely monitor this matter and provide updates as appropriate to customers," a company spokesman said.
The theft raises security concerns, especially since Cisco's technology is widely used on corporate networks, users said.
"Now that the code is available to scrutinize, it will be easier to find holes to exploit," said Jon Duren, chief technology officer at IdleAire Technologies Corp., a Knoxville,