Symantec 'fesses up: 'Code theft worse than we thought'
pcAnywhere users - batten down the hatches
Symantec has backtracked on its previous assurances about a recent source code theft, admitting its network was breached and code for a larger number of products than previously thought was swiped.
Two weeks ago the security giant confessed that a blackhat crew had made off with source code for older versions of some of its enterprise anti-virus products. The miscreants got hold of the software blueprints after raiding the network of an unnamed "third party entity".
On Tuesday, Symantec issued a revised statement admitting that the code to consumer security packages had also been exposed and warning that users of its remote software product pcAnywhere in particular might be at heightened risk of attack.
It reckons the consumer source code leak is the result of a previously unreported hack on its own systems back in 2006, involving the theft of source code for its consumer products of that vintage.
Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.
Due to the age of the exposed source code, except as specifically noted below, Symantec customers – including those running Norton products - should not be in any increased danger of cyber attacks resulting from this incident.
Customers of Symantec’s pcAnywhere product may face a slightly increased security risk as a result of this exposure if they do not follow general best practices.
Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information. Since 2006, Symantec has instituted a number of policies and procedures to prevent a similar incident from occurring.
Previously Symantec said the leak involved only Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, enterprise products of similar 2006-07 vintage. Now it admits the leak includes older versions of its flagship Norton Internet Security software as well as the secret source code for pcAnywhere, a widely used brand of remote control software.
Although Symantec refers to Anonymous in its statement, the rag-tag hacktivist group has only been involved in enthusiastically promoting the fruits of the hack attack. Credit for the attack was claimed by an Indian group that call themselves the Lords of Dharmaraja, an Anonymous affiliate. The Lords of Dharmaraja have threatened to publicly disclose the source code of Symantec's products in order to facilitate the hunt for unpatched vulnerabilities in the software that might be used to hack into systems protected by Symantec's technology.
A hacker calling himself "Yama Tough", acting as a spokesperson for the group, claims the source code had been pulled from insecure Indian government servers, implying that Symantec was required to supply their source code to Indian authorities. In a series of Twitter updates, Yama Tough talked about various plans to release the source code before committing to release the secret sauce of pcAnywhere.
"PCAnywhere code is being released to blackhat community for 0d expltin!," he said on Monday, shortly after saying the group had postponed plans to release the Norton Antivirus source code.
"We've decided not to release code to the public until we get full of it =) 1st we'll own evrthn we can by 0din' the sym code & pour mayhem," the earlier tweet stated.
The boasts help to explain Symantec's admission that the source code of consumer - and not just enterprise - products may have been exposed by the breach, as well as the particular warning to pcAnywhere users. An exploit which allows hackers to turn remote control software against its users would be particularly nasty if successful, so LoD's decision to focus on this makes sense, as evil plans go.
Security watchers have speculated that even the source code for six-year-old versions of Symantec products shares a great many similarities with that of its current line-up. Even if that's true, it is still unclear whether hackers will be able to successfully abuse the code they have. Poring through thousands of lines of code looking for holes sounds like quite a chore, unless you are very well paid. Looking for holes in pcAnywhere is also potentially labour-intensive.
So, unless black hats do manage to come up with exploits, the whole embarrassing leak will, in all probability, remain a "trophy scalp" – albeit a bigger trophy than it earlier seemed.
Even so, the whole Symantec hack soap opera/pantomime ("You've been hacked!", "Oh no we haven't"... "Oh maybe we have") raises serious questions about the security of Symantec's ecosystem as well as turning the security giant into the punchline for jokes. For example, famed Apple hacker Charlie Miller quipped: "How could Symantec have gotten hacked? Don't they use AV?" ®