Wednesday, January 25, 2012

The 2006 Theft of Symantec's Source Code - Response and Repercussions

If 2011 was the year of the RSA breach, 2012 may well be the year of the Symantec breach (NASDAQ:SYMC). Symantec has recently acknowledged that its source code for multiple products was stolen in 2006 after "Yama Tough", a member of a hacker crew called "The Lords of Dharmaraja", posted a portion of it on Pastebin. It's unlikely in my opinion that the Lords of Dharmaraja were responsible for the original breach. They don't appear to know exactly what they have yet since YT posted that he's delaying the release of the rest of the code until they create some Zero-days for it. If they had it for six years, he wouldn't need the extra time to find ways to exploit it. So some of the questions yet to be answered are who breached Symantec's network in 2006 and how did Yama Tough gain access to it? His claim about stealing it from Indian government servers was clearly a lie.

The worst part is that Symantec, the world's largest security software company, was clueless about the theft of its own source code for almost six years; which means that its thousands of customers were clueless as well. A software company's source code is its crown jewels; both because it's the "brains" behind the company's proprietary software line and because if an adversary had access to it, they could quickly write new malware (known as a "Zero-Day") that would silently compromise any protections that the software offered to its legitimate customers. If the compromised application is security software, like it is in this case, then the impact of the stolen source code is much worse. Since the malware author is writing exploits for heretofor unknown weaknesses in the code, the Symantec customer will probably never know that he's been compromised. If Symantec is this careless about securing and monitoring their Norton code repository, how can they state with confidence that any of their products are safe from compromise? It appears that they can't. Notice the wording in their latest posting at their website (January 24, 2012, 22:50 PST) which refers to a non-Norton product: "The Symantec Endpoint Protection 11 product – which was initially released in the fall of 2007 – was based upon a separate code branch that we do not believe was exposed." (emphasis added)

If my company was a Symantec customer, and we aren't, I wouldn't want to know what Symantec "believes". I'd want to know what Symantec "knows". If they can't say definitively that Symantec Endpoint Protection is safe to use, then my advice to Taia Global clients and others is to not use it. The products that Symantec has acknowledged are compromised in the afore-mentioned notice on its website are:
  • Norton Antivirus Corporate Edition
  • Norton Internet Security
  • Norton SystemWorks (Norton Utilities and Norton GoBack)
  • Norton pcAnywhere
However, in a non-published letter to partners from Randy Cochran (VP, Americas Channel Sales), Symantec expanded the list of affected products to include:
  • Norton Antivirus Corporate Edition
  • Norton Internet Security
  • Norton SystemWorks (Norton Utilities and Norton GoBack)
  • pcAnywhere 12.0, 12.1 and 12.5
  • Symantec Endpoint Protection v11.0, which is four years old
  • Symantec AntiVirus v10.2, which is five years old code (discontinued)
To date, Symantec's handling of this incident has been poor. The company has never addressed why it took  six years to uncover a breach of their source code, nor how it happened in the first place, nor what steps the company is taking to determine whether a further breach of its network has occurred in the succeeding years, nor how they're going to prevent this from happening in the future. Further, how many of Symantec's corporate and government customers have been unknowingly compromised through zero-day attacks because of Symantec's poor network security practices? And finally, how many past breaches that have been publicized were also using these specific Symantec products? I'll be speaking to that last question at the upcoming Suits and Spooks conference on Feb 8th. 

No comments:

Post a Comment