Did Symantec's 2006 Breach Impact These High Risk Customers?

The fact that Symantec (NYSE: SYMC) never knew that its 2006 source code had been compromised until the Lords of Dharmaraja announced it was astoundingly bad news. As the world's largest vendor of security software, it's more than just an embarrassment; it puts all of its corporate and government customers at risk because if Symantec didn't know the extent of its breach back then, how do Symantec's customers know that their current product line is safe to use? Nothing that Symantec has said since it acknowledged the loss of its Norton source code has addressed this core issue of why they didn't know their that source code had been breached and what they're doing differently to be sure that it doesn't happen again. Until they answer those critical questions, the security of their entire product line should be considered at risk.

I've begun looking at who their customers were post-2006 that have been attacked for a talk that I'm giving next week at Suits and Spooks DC. This doesn't mean that their customers' breaches were the result of Symantec's own poor network practices, nor does it rule out the possibility that other breaches may have occurred that were never discovered. I hope, however, that it will illustrate the potential scope of this problem and encourage Symantec's customers to put pressure on the company to fully disclose what happened and put its own house in order. Here's a small sampling of what I've found so far:

NASDAQ suffered a breach of its network in early 2010 which wasn't discovered until February 2011. It's been blamed in part on NASDAQ's use of out-of-date software and uninstalled security patches. As a Symantec customer, NASDAQ used Endpoint Protection, which was included in the list of products affected by the 2006 source code breach.

U.S. Department of Energy
The Energy Dept and its many agencies and national labs have been Symantec customers since before 2006. The number of cyber security breaches that have occurred during those years and up to the present (five last summer alone) are too numerous to recount however this GAO report describes some of the security problems at Los Alamos National Laboratory's unclassified network including weaknesses in its remote access policies. It'd be interesting to know if pcAnywhere was used to facilitate that remote access.

Other U.S. Government Departments
Symantec's government customers include every major department including:
  • Department of Justice
  • Department of Homeland Security
  • Department of Treasury
  • Department of Defense
  • Department of Commerce
  • Department of Energy
  • Department of Health and Human Services
  • Department of Agriculture
  • Department of Veterans Affairs
  • Department of the Interior
  • General Services Administration
  • Executive Office of the President
  • Federal Trade Commission
All of these departments (and this is not a complete list) have used Symantec products during the years from 2006 forward which means that any of them could have been victims of a person or group who exploited their knowledge of Symantec's stolen source code to successfully breach their network at will. This isn't limited to its U.S. customers either. The British government's entire email system has been managed and secured by a Symantec subsidiary since 2008. I'll be addressing that in more detail on Feb 8th. In the mean time, which is more likely - that someone acquired Symantec's source code and did nothing with it or that they did?