Symantec: Too Many Doubts - Disable pcAnywhere Software

Thursday, January 26, 2012

Pierluigi Paganini


(Translated from the original Italian)

Remember the sensational theft of source code for Symantec products that was reported in recent weeks?

On that occasion the company, with impeccable timing, immediately distanced itself from the event, claiming that its customers could remain calm because the stolen source code was old and, in any case, the data breach had not affected its own systems.

The data was reported to have been stolen from networks of the Indian Government, which may have possessed the code under an agreement with the company.

The news is of course sensational: one of the leading players in the field of computer security may have been made a fool of by a group of Indian hackers. But of course, until there is a direct fallout on the end user, every such event remains confined to the web.

The situation was immediately complicated, because rumors on the web indicated that the source code, dating back to 2006, had been stolen directly from Symantec's own network, which aggravated the position the company had taken.

Why had the company not declared the rumors false? And why had no one questioned the Indian government, which was accused of having been hacked and had not publicly denied the story?

Another disturbing fact is management's absurd claim that there would be no impact on customers. Instead, the Reuters news agency announced yesterday that Symantec has asked its users to disable the pcAnywhere software.

The situation is obviously serious and may be hiding other truths. Like me, you're probably wondering which truths, but I can only venture a few hypotheses.

  • First, the theft of source code is a major event for the developer. I have experience as an expert developer, and I can say with certainty that source code can be a gold mine for those who study it, particularly for applications developed in areas such as security and industry. Source code always contains developers' notes and comments, a mine of information that provides details on the design of the system and also about those who have contributed to it. This information makes it anything but a dated system!
  • Another consideration: those who have developed code know that there is a great deal of reuse of programming libraries, patterns and modules developed in past years, which are used like Lego building blocks in the composition of new products. Do not reinvent the wheel! Reuse and modularity are precisely the cornerstones of programming. The question is how many, and which, of those bricks were stolen.
  • But what I find most disturbing is the silence of the Indian military following Symantec's initial accusation. There are obviously other, far more serious reasons, such as the reputation of Indian network security. But what matters more is the integrity of a military network. It is reasonable to think that there are other, hidden agreements between the government and the company, perhaps a backdoor installed in the products sold in the country, though that is the most fanciful hypothesis of all. The silence of the Indian authorities could also be tied to the fact that the agreement with Symantec is just one of many, and that the source code kept there is just a small slice of what is available. Have you wondered whether components of Apple's iOS or RIM's OS were stored on the same network? Does the term RINOA SUR mean nothing to you? It is likely that the Indian government has kept quiet to avoid having to provide further explanations that could reveal uncomfortable truths.

Let us return, then, to the announcement made yesterday by Symantec, the most direct acknowledgement to date that the stolen source code put customers at risk of attack: that is why the company has asked them to uninstall pcAnywhere, software present in many Symantec bundles and used to manage remote access connections.

The decision was made, however, only after an attacker known as YamaTough released the source code of Norton Utilities and threatened to publish that of the widely used antivirus program as well. The company has published a white paper which indicates that the situation is more serious than first stated.

"At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks," it said in the white paper. (bit.ly/wPzX7v).

"The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident," it said on its website. (bit.ly/wqtxTI)

I conclude by raising serious doubts about the way Symantec is managing the event, issuing a series of contradictory announcements that tend to hide the truth from customers.

The questions remain: what has already been exposed, and what are the consequences for those who have used the products? A company like Symantec should handle the matter quite differently, with far greater transparency about the events.

Better the silence than lies.

References

http://www.reuters.com/article/2012/01/25/us-symantec-hacking-idUSTRE80O1UY20120125

Cross-posted from Security Affairs

Jeffrey Carr Thanks for relating your experience as a programmer and the value of an application's source code. Not enough people appreciate that.

However, your facts about the origin of the theft are incorrect. Symantec acknowledged that the source code was stolen from its own network in a breach that occurred in 2006. They knew about the breach back then but didn't know that the source code had been compromised as well until recently. See Kim Zetter's recent article about that in Wired.
Pierluigi Paganini Hi Jeff, how are you? Thanks as always.
That is what I reported:
<<Immediately the situation was complicated, because on the web some rumors indicated that the source code, dating back to 2006, had been stolen directly from Symantec's network, aggravating the position the company had taken.>>
Regarding the fact that they didn't know the source code had been compromised... well, I have too many doubts at this moment, and that is an effect of the management of the information regarding the incident.
Regards
PL

Jeffrey Carr Sorry for misinterpreting what you wrote. It sounded to me like you believed that the Indian gov't possessed a copy of the source code rather than it being taken from Symantec's own servers.
Pierluigi Paganini Thank you! I always follow your posts, I really appreciate them.
Regards
PL