Cisco source code leak: No need to sweat yet

The leak of a significant amount of Cisco's source code for its latest network devices will not result in a large number of discovered vulnerabilities, security experts said.

Cisco confirmed the authenticity of two source code files that appeared on a Russian security site over the weekend but could not say whether a network breach led to the unauthorised release of its proprietary code. Cisco scrambled to discover the source of the leak but security experts said attackers won't be able to use the code easily.

Johannes Ullrich, chief technology officer of the Internet Storm Center, an online service that monitors threats on the internet, said: "I don't think it is too worrisome." Comparing the leak with Microsoft's loss of its code earlier this year, Ullrich said Cisco is in a better situation. "If you have the Windows source code, you can build it on your PC at home, where the Cisco code needs specialised hardware, so most people aren't going to be able to compile the files."

A Cisco representative could not confirm the amount of code that was leaked. Claims posted in internet chat rooms and on websites put the loss at some 800 MB of the networking giant's source code, essentially the crown jewels.

Cisco ruled out some potential sources of the code.

Company spokeswoman Mojgan Khalili said in a statement: "It appears that this occurrence was not the result of any exploitation or a vulnerability in any product or service offered by Cisco to its customers, nor do we have any reason to believe that it was the result of any malicious action by any Cisco employee or contractor."

This is the second time this year that a major technology company's product source code has been made public without authorisation. In February, source code for parts of Microsoft's Windows 2000 and Windows NT were leaked to the internet. One security researcher claimed that he had discovered a minor Internet Explorer flaw by analysing that source code.

Security researchers said Cisco's leaked code likely won't affect the company's security. Alfred Huger, senior director of antivirus firm Symantec's security response centre, pointed to the fact that so far, the leak of Windows source code has not significantly hurt the security of Microsoft's operating systems.

"If there is risk, it is mid- to long-term," he said. "There have been a couple of vulnerabilities that resulted out of [the Windows code leak], but none of them have been that significant."

Moreover, it is harder to find major vulnerabilities in networking hardware. Attackers tend not to target such devices. A denial-of-service flaw that Cisco warned customers about in July never materialised as a threat.

News of Cisco's source code leak appeared on Russian security site SecurityLab.ru on Saturday, two days after its administrators received the leaked source code. The site posted two files of source code written in the C programming language, which apparently enables some next-generation Internet Protocol version 6 functionality. One file was copyrighted in 1996 and the other in 2003.

According to SecurityLab.ru, online vandals had compromised Cisco's corporate network and stolen about 800MB of source code. A person with the alias "Franz" bragged about the intrusion and posted about 2.5MB of code on the internet relay chat system not long after the alleged break-in.

The excerpts posted by the Russian website named Ole Troan and Kirk Lougheed as the authors of the code. Both programmers appear to be Cisco employees.

While Cisco would not comment on whether the FBI had been brought in to investigate the source code leak as a crime, the FBI's national office confirmed Monday afternoon that its agents were involved.

"We are aware of the potential theft of proprietary information and are working with Cisco," said FBI spokesman Paul Bresson.

Robert Lemos writes for CNET News.com