(Translated from the original Italian)
Remember the sensational theft of the source code for Symantec products that was reported in recent weeks?
On that occasion the company, with impeccable timing, immediately distanced itself from the event, claiming that its customers could rest easy because the stolen source code was old and, in any case, the data breach had not affected its systems.
The data was reported to have been stolen from networks of the Indian Government, which may have possessed the code through an agreement with the company.
The news of course is sensational: one of the leading players in the field of computer security may have been mocked by a group of Indian hackers. But of course, until there is a direct fallout on the end user, every event remains confined to the web.
The situation immediately became more complicated, because rumors on the web indicated that the source code, dating back to 2006, had been stolen directly from Symantec's network, aggravating the position the company had taken.
Why had the company not declared the rumors false, and why had no one questioned the Indian government, which was accused of having been hacked and had not publicly denied the story?
Another disturbing fact is the absurd claim by management that there would be no impact on customers. Instead, the Reuters news agency announced yesterday that Symantec has asked its users to disable the pcAnywhere software.
The situation is obviously serious and may be hiding other truths. Like me, you are probably wondering which truths, but I can only venture a few hypotheses.
- First, the theft of source code is a major event for the developer. I have experience as an expert developer, and I can say with certainty that source code can be a gold mine for those who study it, particularly for applications developed in areas such as security and industry. Source code always contains the developers' notes and comments, a mine of information that provides details about the design of the system and about the people who contributed to it. This information makes it anything but a dated system!
- Another consideration: those who have developed code know that there is a great deal of reuse of programming libraries, patterns and modules developed in past years, which are used like Lego building blocks in the composition of new products. Do not reinvent the wheel! Reuse and modularity are the cornerstones of programming. The question is how many and which of those bricks were stolen.
- But what I find most disturbing is the silence of the Indian military following Symantec's initial accusations. It is obvious that there are other reasons, far more serious, such as the reputation of the security of Indian networks. But what is more important is the integrity of a military network. It is reasonable to think that between the government and the company there are other agreements under the table, maybe a backdoor installed on the products available in the country, which is as far-fetched a hypothesis as they come. The silence of the Indian authorities could also be tied to the fact that the agreement with Symantec is just one of many, and that the source code they kept is just a small slice of what is available. Have you wondered whether components of Apple iOS software or RIM OS were stored on the same network? Does the term RINOA SUR mean nothing to you? It is likely that the Indian government has kept secrets to avoid having to provide additional explanations that could reveal uncomfortable truths.
Let's return, then, to the announcement made yesterday by Symantec, the most direct acknowledgement to date that the stolen source code put customers at risk of attack; that is why the company has requested that they uninstall pcAnywhere, a software package present in many Symantec bundles and used to manage remote access connections.
The decision was made, however, only after the announcement that an attacker named YamaTough had released the source code for Norton Utilities and had threatened to publish that of the widely used anti-virus program. The company has published a white paper indicating that the situation is more serious.
"At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks," it said in the white paper. (bit.ly/wPzX7v).
"The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident," it said on its website. (bit.ly/wqtxTI)
I conclude by raising serious doubts about the way in which Symantec is managing the event, issuing a series of contradictory announcements that tend to hide the truth from its customers.
The questions remain: what has already been exposed, and what are the consequences for those who have used the products? A company like Symantec should handle the matter quite differently, giving greater transparency about the events.
Better the silence than lies.
Cross-posted from Security Affairs