Symantec suspected source code breach back in 2006

Symantec suspected in 2006 that its network had been breached, but the company was unable to confirm any data exfiltration until Anonymous started talking publicly about Symantec source code earlier this month.

We noted yesterday that Symantec confirmed the theft of source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool, and that Symantec is advising customers to disable pcAnywhere until a permanent fix is issued. We followed up with Symantec last night to learn some more details.

Symantec spokesperson Cris Paden tells Ars that Symantec "investigated the incident in 2006 but our results were inconclusive."

The investigation was apparently shelved until this month, when hackers related to Anonymous claimed to have possession of Symantec source code and threatened to release it, supposedly to accompany a lawsuit claiming that Symantec tricked users into buying products with trial software versions that wrongly report security problems.

Symantec tells us that "it was not until the source code showed up again via the claims and disclosure by Anonymous that we put two and two together and realized code was indeed stolen. All of the code Anonymous has was for 2006 versions of products. As such, we focused our investigation on the time period and went back through logs and data to confirm the two incidents were related."

"The code was indeed stolen from our network"

There have been some reports that code was stolen from servers maintained by India's military and intelligence departments, and that Symantec had provided the source code to India so the country's government could ensure that the software contained no malicious programs.

Symantec told Ars this isn't true, however; the theft occurred solely from Symantec's own network and servers.

"The code was indeed stolen from our network," Symantec told us. "Media reports that the code was stolen from the Indian government are based solely on the claims by Anonymous. Throughout our investigation, we have found no evidence that we ever turned over or shared any code with the Indian government. Furthermore, the documentation offered by Anonymous to back up their claims has since been shown to be faked. We're not sure how they got the code, but we've found no evidence the Indian government actually had it."

UPDATE: Symantec has sent us a further update to make clear that the original theft was not perpetrated by Anonymous, and it's not clear how Anonymous came into possession of the code. "Anonymous did NOT steal the code in 2006," Symantec tells us. "We're not sure who stole the code in 2006 and are re-investigating that incident. Furthermore, we're not sure how Anonymous came into possession of the code. They claim they stole it from the Indian government. The problem is, A) we never shared any code with the Indian government, and B), the memo Anonymous used to make the link subsequently was proven to be faked."

Symantec also tells us Anonymous did release some of the stolen code publicly, but only for the Norton Utilities product. Still, the release confirmed Anonymous did have real source code as it claimed.

Symantec has told users of pcAnywhere to disable the product for now unless they simply must use it for business purposes, in which case they should take recommended precautions to protect their systems. pcAnywhere, a remote access tool for diagnostics and helpdesk purposes, allows for PC-to-PC communication. It accounts for $20 million out of Symantec's $6.2 billion in annual revenue, the company said. The current version, 12.5, was released in November 2008.

No confirmed attacks so far

Symantec said its investigation has not uncovered any attacks resulting from the source code theft. However, a white paper the company released warned that the source code leak could lead to man-in-the-middle attacks, the launching of unauthorized remote control sessions, interception of pcAnywhere traffic in businesses that use a network sniffer, or to hackers obtaining cryptographic keys that use Active Directory credentials.

So, how exactly did Symantec's network get breached? The company is keeping those details private. "We're not disclosing details of the attack in 2006 so as not to tip our hand to other attackers," Symantec tells us. "We don't have any further information to disclose other than the code was indeed stolen from our network."

However, Symantec has taken numerous steps to prevent such a breach from occurring again. "The processes we put in place were not in response to the 2006 incident but as part of our overall efforts to continuously strengthen the security of our networks," the company said.

The specific improvements include enhanced network monitoring, improved endpoint security, additional data loss protection strategy and controls, compartmentalized access to information, and improved network and server defenses protecting the source code repository. Further, Symantec removed many non-essential legacy domains, created new processes for development and security controls, and improved employee security training.

As we noted yesterday, Symantec says the Norton security products are not at any increased risk because the stolen code is largely not in use anymore, and in cases where it is in use, the out-of-the-box security settings would protect against any attacks related to the source code theft. pcAnywhere is a different story, with increased risk to users of versions 12.0, 12.1, 12.5, and previous, unsupported versions. "Customers of earlier versions of pcAnywhere are entitled to upgrade to version 12.5 at no cost," Symantec tells us.

Symantec has already released some fixes for pcAnywhere in response to Anonymous's actions, and plans further patches this week. On its breach disclosure page, Symantec says it "will continue to issue patches as needed until a new version of pcAnywhere that addresses all currently known vulnerabilities is released."

Listing image by Vincent Diamante