IOS theft highlights need to patch flaws quickly

It's unclear whether future exploits resulting from last year's Cisco IOS source code theft will eventually disrupt networks worldwide, but experts agree that any IOS-related flaws must be patched quickly.

Once seen as an isolated event, last year's breach of networking giant Cisco Systems Inc.'s network now appears to be part of a much larger operation that could eventually result in the disruption of networks worldwide.

Industry observers disagree on the significance of the security breach, but they do believe it should serve as a wake-up call for businesses that have delayed the implementation of IOS-related patches.

Though the extent of data taken or destroyed is not known, it is believed that perpetrators stole source code from Cisco's Internetworking Operating System, which is the software that controls the Cisco hardware used commonly to direct traffic over the Internet and private networks.

Several sources have relayed details initially posted on Russian security Web site SecurityLab that reported that hackers lifted 800 MB of source code for IOS versions 12.3 and 12.3t. It was also reported that a 2.5 MB sample of what is supposedly IOS code was released on the Internet Relay Chat (IRC) network as proof of the theft.

The IOS code theft is believed to be the work of a single intruder or a small group in Europe, which could be intent on disrupting thousands of computer networks.

Authorities in Sweden have detained a 16-year-old suspect, who in March was charged with breaking into the computer network at Uppsala University. According to a statement from Cisco, it plans to "take all appropriate legal actions to protect its intellectual property."

Gary McGraw, chief technology officer of Cigital Inc., a Dulles, Va., software security consulting firm, said the intruders most likely used the source code with a local copy of Cisco's router software and found ways to break it by exploiting known security gaps.

According to Chey Cobb, a Certified Information Systems Security Professional (CISSP) and author of Network Security for Dummies, learning how to break one Cisco router in that manner essentially provides hackers with a sure-fire method to access any number of networks around the world.

"That master key is the Cisco router," Cobb said. "So now these hackers have a master key to a large quantity of networks inherently because of Cisco's large customer base."

The original break-ins exploited network security holes in Cisco's perimeter that have since been plugged, the New York Times reported. However, according to network security professionals, it's no time to breathe a sigh of relief.

Daniel Golding, a senior analyst with Midvale, Utah-based Burton Group, said organizations must immediately apply any relevant security fixes because the stolen code could be used to exploit unpatched Cisco networks.

Golding said even though there is typically plenty of time between the discovery of a network security flaw and an exploitation of that flaw, organizations usually don't make an effort to implement the proper patches.

"This should serve as a wake-up call," Golding said, "because unless you've made efforts to secure yourself, all your Cisco products are unsecured."

Golding said users should go to Cisco's Web site, read the security advisory and promptly fix any security gaps that may compromise their networks.

Cobb said an unsecured corporate network not only puts users and information at risk, it also puts other Internet users at risk.


"If you don't put the patches or fixes in place, you present a danger to everyone else on the Internet," Cobb added. "Say you hacked into General Motors' system, somewhere in the network they have an Internet connection, and you [could then] continue doing attacks with that outward connection."

Authorities said the case demonstrates how easily attackers can break into Internet-connected computers, regardless of sophistication. It also shows how difficult it can be to find the perpetrators, they said, as the case is still under investigation.

McGraw deemed this case "par for the course" and said it's not any more alarming than other hacking incidents.

McGraw said, "A lot of the security code information has been available in the underground for quite some time. So, I agree with Cisco's assessment that there is a risk that already exists but that doesn't make it any worse."

McGraw said ultimately, this is a warning to those engineering and implementing systems to build better software that can't be so easily attacked.
