The Symantec source code exposure saga has become even more convoluted with the latest statements attributed to the company's spokesman.
According to an article by Reuters, Symantec is now asserting that the company was hacked in 2006 and source code for several of their leading commercial and enterprise products was stolen.
"Unknown hackers obtained the source code, or blueprint for its software, to Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere, company spokesman Cris Paden told Reuters on Tuesday," the Reuters article states.
As previously reported, a hacktivist group called “The Lords of Dharmaraja” had claimed to have breached Indian government servers and obtained the source code for Symantec's products, as well as those of several mobile device manufacturers.
Infosec Island was provided with a sample of Symantec's Norton antivirus code by hacktivist YamaTough, which was passed on to Symantec for analysis.
Cris Paden, Sr. Manager for Corporate Communications at Symantec, confirmed that the sample was from a 2006 version of the company's Norton antivirus product, but maintained that the code was not stolen from Symantec's networks, which aligned with the hacktivist's claims.
"Symantec can confirm that a segment of its source code has been accessed. Symantec’s own network was not breached, but rather that of a third party entity. We are still gathering information on the details and are not in a position to provide specifics on the third party involved," Paden told Infosec Island.
Symantec and several other companies refuted the hacktivist's assertions that the source code had been voluntarily provided to the Indian government to assist with civil monitoring activities in exchange for guaranteed market share.
According to the Reuters report, Symantec now claims that the company's own networks were in fact breached back in 2006, leading to the loss of the proprietary product data.
"Paden said in an email on Tuesday that an investigation into the matter had revealed that the company's networks had indeed been compromised," Reuters reports.
The new claim still leaves many elements of the data loss event unexplained, and it raises some other serious questions.
First, Symantec's explanation does not account for how the hacktivists would have come into possession of the source code for several other companies, as they have claimed, nor does it shed any light on why the revelations about the exposure of the Symantec source code did not materialize until six years later.
It also would not explain why the same group of hacktivists was in possession of dozens of usernames and passwords for highly sensitive US government networks. Infosec Island provided that information to the proper authorities and is fully cooperating with the investigation.
And, assuming Symantec employs their own enterprise network security solutions to protect the company's own systems, why did it take so long to uncover an intrusion event of this magnitude?
Does this not imply that Symantec's customers who were using the same security products were equally at risk of a serious network breach event in 2006? What about customers who used the products for which the source code was stolen in the event? Were they not at risk for the last six years?
Symantec is a good company, but any way these scenarios eventually play out, they will have a long-term impact on the company's viability.