Symantec servers were breached six years ago, and source code to several of its security products was stolen. What's more, the company is just now discovering the fact.
Symantec has admitted that unknown perpetrators had breached its servers and stolen source code to a number of its security products, despite previous claims to the contrary.
Earlier this month, a group called Lords of Dharmaraja claimed to have broken into military intelligence servers belonging to the Indian government and obtained source code to Symantec products. After an investigation, Symantec said the group may have obtained the source code to Symantec Endpoint Protection 11 and Symantec Antivirus 10.2, and assured customers there was no risk because the software had either been discontinued or was too old to be relevant.
At the time, the security company declined to say which servers had been breached, but claimed it was the computer systems of a "third party" that had been compromised and that company systems remained secure.
That appears to be incorrect, as Symantec admitted Jan. 17 that source code was stolen during an attack against its own servers back in 2006. The stolen code was for "2006-era versions" of Norton Antivirus Corporate Edition, Norton Internet Security, pcAnywhere and Norton SystemWorks, which includes Norton Utilities and Norton GoBack, a Symantec spokesperson told eWEEK. The revelation came after a Twitter user, Yama Tough, a member of Lords of Dharmaraja who identifies with Anonymous, threatened on Jan. 13 to leak the source code for Norton Utilities to "accompany" a class-action lawsuit that was filed recently against Symantec in California.
The lawsuit accused Symantec of using scareware tactics to bully users into buying its products. According to the lawsuit, Symantec allegedly distributed a trial version of its security products that used a separate software scanner to alert users to nonexistent problems. These tactics are used by fake antivirus and other scareware programs to trick users into buying products that don't work.
Even though it appears more code has been stolen than previously disclosed, Symantec reiterated its claim that customers "should not be in any increased danger of cyber-attacks resulting from this incident." The six-year-old code was too old to be relevant, the company said.
There appears to be a "slightly increased risk" for pcAnywhere customers, but only if they aren't following "general best practices," the company said. It is not clear what those best practices or risks are for this remote-access application, but it's possible attackers would be able to take over computers using the software, Melih Abdulhayoglu, president and CEO of Comodo, told eWEEK.
"Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information," the company said.
Since Symantec has admitted to a risk, Abdulhayoglu recommended finding an alternative remote-access product.
The fact that Symantec did not know about the theft was also a matter of concern. "We really had to dig way back to find out that this was actually part of a source-code theft," Cris Paden, director of corporate communications at Symantec, told Reuters, adding, "We are still investigating exactly how it was stolen."
Companies need to invest in network forensics and related technology in order to be able to collect information about what happened, how the attackers got in and what was compromised, Jay Botelho, director of product management at WildPackets, told eWEEK. "Network forensics is like having an insurance policy," Botelho said, as it would allow administrators to "piece together exactly what happened in the breach."
Abdulhayoglu also questioned Symantec's certainty that other products were not compromised. "If they didn't know they were hacked for over five years, how can they know and assure their customers that these were the only things that were stolen? How do they know these are the only things?" he asked.
Whether or not the fact that source code for Symantec security products is now in malicious hands poses a risk to customers appears to be a source of confusion. Several security companies have told eWEEK that it is highly unlikely that the older incarnations of the software and the current versions have enough code in common to pose a security risk. "There's enough of a generational gap here that even having the source code available is not likely to allow potential attackers to do anything potentially damaging," Aryeh Goretsky, an ESET researcher, told eWEEK earlier this month.
Others noted that attackers are regularly reverse-engineering antivirus software to figure out how to evade detection, so seeing old versions would probably not be that useful. AV software and associated modules tend to change more rapidly than other types of security products, according to ESET's David Harley.
However, a former McAfee executive felt Symantec was just trying to avoid responsibility. "It's highly unlikely that Symantec completely rebuilt its AV product in six years and deployed a new, ground-up version to all its customers," John Viega, an application security expert at Perimeter E-Security and former McAfee CTO and head of McAfee's anti-virus product development team, told eWEEK. Security flaws can stay in products for decades without detection, and it is still possible for attackers to find vulnerabilities within current versions based on what they know about the older software, Viega said.
Symantec needs to "provide far more evidence" that its customers are safe, Viega said.
It was unlikely the company had made a "focused effort" to rewrite the code, as it hadn't been aware of the breach, Abdulhayoglu said, adding that the "basis for virus detection" hasn't changed in many years. Symantec's assurances make sense only if it had made sure within the last few years to change the code entirely, he said.
Despite numerous "promises" from the group that claims to have stolen the source code, the Lords of Dharmaraja, that it would publicly reveal the source code, the software hasn't been leaked anywhere online.