Symantec confirmed that hackers have obtained source code to two enterprise security products, but third-party experts said the impact on users will be minimal to none.
has confirmed that a group of hackers has stolen source code to two Symantec
products, but downplayed the possible impact on users as a result of the theft.
attackers stole source code for two older Symantec products for enterprise
customers, and not on the consumer-focused Norton product line as had been
previously reported, according to Cris Paden, senior manager of corporate
communications at Symantec.
code segments are from Symantec Endpoint Protection 11 and Symantec Antivirus
10.2. SAV 10.2 has already been discontinued, and SEP 11 came out four to five
years ago. Symantec currently offers SEP 12 and 12.1 to enterprises.
group of hackers, named Lords
a, claimed to have breached an Indian military server and stolen
several documents and files, according to a Jan. 5 post on Pastebin. The post
is no longer available on the text-sharing site, but a copy can be accessed
via Google Cache
we have no indication that the code disclosure impacts the functionality or
security of Symantec's solutions. Furthermore, there are no indications that
customer information has been impacted or exposed at this time," according
security experts have told eWEEK
didn't think criminals would examine the leaked code to find vulnerabilities
that could be used to exploit the security products directly. While it
"clearly is undesirable" for any antivirus vendor or software vendor
to have their source code made public, attackers are not likely to gain "any
miracle insights" needed to defeat the product, Chester Wisniewski,
security adviser at Sophos, told eWEEK
writers don't need to learn from the source code, since they don't need to know
how the engine works in order to defeat it, Rob Rachwald, director of security
strategy at Imperva, told eWEEK
Antivirus software relies on signatures, and developers have been effectively
creating malware that can evade detection for quite some time, Rachwald said.
Antivirus software tend to have a poor rate of detection, as low as 20 percent
to 30 percent, because criminals are testing their code against security
products and using encryption and other methods to ensure they slip through, he
they could theoretically find a vulnerability that would allow them to disable
the software, it seems unnecessary when they are already creating malware that
can't be detected, according to Rachwald.
do criminals trying to create a fake antivirus need access to the source code
to create a convincing looking scareware, David Harley, senior research fellow
at ESET, told eWEEK
. "Fake AV
doesn't have to have the core functionality of the real thing. It just has to
look genuine to a potential victim," Harley said.
distributed 10 million updates to its products in 2010 alone, according to a
Symantec spokesperson. Extrapolating to four and five years shows how much the
code has evolved over that period of time. "It doesn't minimize the
situation, but it helps as far as a perspective on how old this code is,"
the spokesperson said.
it's possible Symantec competitors would be able to look at how the company
built its antivirus engine, that seems unlikely, considering the age of the
stolen code. The information is likely to be of interest only to "software
historians" such as computer science students looking at legacy code,
Aryeh Goretsky, a researcher for ESET, told eWEEK
It takes roughly two years to create a new antivirus engine, and although
certain elements may still stay the same, there will be enough changes to make
the software outdated, he said.
scanning software and modules tend to change fairly rapidly compared to some
other security products," Harley said.
an actual source code leak could turn out to be embarrassing for Symantec, it
won't impact Symantec that much in the market, according to Goretsky. "It
happened to both Kaspersky a year ago and Microsoft in 2004, and neither seemed
to suffer any ill effects, economically," Goretsky said.
confirmed that the breach occurred on a third-party network and not on Symantec
servers. The Pastebin post claimed to have compromised servers belonging to
Indian intelligence agencies.
fact that the group managed to breach military servers should be of bigger
concern than the possibility of leaked source code, Stephen Cobb, a security
evangelist for ESET, told eWEEK
breach on sensitive servers could "prove harmful to cooperation between
public and private sectors," Cobb said.
incident highlights that corporations that follow best practices to secure
their infrastructure and data can still be impacted because someone else did
not, Mike Lloyd, CTO of RedSeal Networks, told eWEEK
. As enterprises lose control over their own assets,
regulatory requirements and compliance standards become more important in order
to create a baseline that allows organizations to verify their partners are
taking necessary steps to be secure, according to Lloyd.
partners and strategic customers may be friendly, but they are not going to
expose specifics to you about how well they protect themselves," Lloyd
group Lords of Dharmaraja has not yet posted the code, claiming it needs time
to set up some mirror sites. "We are working out mirrors as of now since
we experience extreme pressure and censorship from U.S. and India government
agencies," the group wrote.