Industry: Code Theft's Real Sting is a Black Eye for CiscoBy Sean Gallagher | Posted 2004-05-21 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
It's unlikely that hackers will glean vulnerabilities from the stolen source code of Cisco's IOS softwareat least anytime soon. But the theft is a blow to Cisco in other ways, those in the industry say.When hackers allegedly broke into Cisco's corporate network and stole source code for the company's IOS router software, some feared that malcontents would soon be able to find and exploit flaws in the code to wreak havoc on the Internet. And certainly, the risk of such an attack still remains.
But the biggest damage may end up being that dealt to Cisco's image. "I would guess that Cisco [Systems Inc.] is more concerned about their loss of intellectual property and the compromises of their security that allowed it," said Jeff Huegel, director of security at USinternetworking Inc., a hosting and application services provider.
"I would hope that Cisco is also reviewing the lost code to see if they can identify any vulnerabilities and determine if any patches are required."
The task of finding vulnerabilities within the 800MB of source code allegedly downloaded by hackers off Cisco's servers is no small matter; it would take a thorough, line-by-line review of the programming code and an extensive knowledge of Cisco router hardware to be able to identify potential vulnerabilities to exploitones that were not found by the Cisco developers who wrote the software.
Unless comments were embedded in the code identifying issues that had been left unattended to, it could take months to find such a gap in Cisco's armor.
Even if a vulnerability is found, it would have to be one that a hacker could execute remotely to pose any sort of threat to Cisco's customers. And there's little in the source code that could easily be leveraged, said Jerry Brady, chief services officer at VeriSign Inc.'s managed security services unit, formerly called Guardent.
"Unlike Windows source code, where there are a lot of arcane proprietary protocols and implementations of protocols that have never seen the light of day before," Brady said, "the Cisco code uses respected, well-known protocols, and there are lots of people that have already seen the source codeat universities and Cisco partners who need access to the code."
As a result, Brady said, it's improbable that hackers will be able to find anything that hasn't already been addressed by other code reviews. The real damage, he said, is to Cisco's credibility.
"At the end of the day, how the source code got out originally and whether it indicates a larger security problem at Cisco is the real concern."
But Brady and others said they doubt that the code was stolen from Cisco's own network. Because the source is so widely shared, Brady said, it's more likely that the software was obtained from one of Cisco's partners' networks.
Regardless of where the code came from, it's a black eye for Cisco, right on the heels of the announcement of its strongest quarterly financial performance in years.
And if the code is widely circulated, it could pose even more significant legal concernsespecially if parts of the code leak into open-source projects.
"The big fear is that some curious Linux or other open-source developer is going to get a hold of this code and contaminate a project," Brady said.
He added that the result could be the kind of ongoing legal conflict that The SCO Group Inc. has been embroiled in over alleged infringements in Linux code.