Symantec, the makers of Norton AntiVirus, has confirmed that a hacking group has gained access to some of the security product’s source code.
An Indian hacking group, calling itself the Lords of Dharmaraja, has threatened to publicly disclose the source code on the internet.
So far, there have been two claims related to Symantec’s source code.
First, a document claiming to be confidential information related to Norton AntiVirus’s source code was posted on Pastebin. Symantec says it has investigated the claim, and that – rather than source code – it was documentation dated from April 1999 related to an API (application programming interface) used by the product.
And secondly, the hacking group shared source code related to what appears to have been the 2006 version of Symantec’s Norton AntiVirus product with journalists from Infosec Island.
A hacker called “Yama Tough”, who appears to be acting as a spokesperson for the gang, posted the content to PasteBin and subsequently published messages on Google+ about the alleged breach:
@Symantecjobfeed you guys r in trouble http://t.co/HGKXIuLU Symantec source code owneed like shit
— LoD (@YamaTough) January 4, 2012
The content on PasteBin has since been removed, and Yama Tough’s Google+ posts deleted. The hacking group claims that it is working on creating mirror sites for its content, as it has felt pressured and censored by US and Indian government agencies.
It’s important to underline that there is presently no reason to believe that Symantec’s own servers have been breached.
Instead, it appears that the data leak may have occurred on Indian government servers – and the implication is that Symantec, and perhaps other software companies, may have been required to supply their source code to the Indian authorities.
Furthermore, it is not clear if the source code which was accessed is relevant to up-to-date installations of Symantec’s anti-virus products and thus customers may not be at risk.
Even if it was up-to-date source code, it may be of limited use to hackers and be used more as a “trophy scalp” for a hacking group intending to generate publicity for its grievances with the Indian authorities.
Chris Paden, a Symantec spokesperson, confirmed to InfoSec Island that some of the firm’s source code had been accessed:
"Symantec can confirm that a segment of its source code has been accessed. Symantec’s own network was not breached, but rather that of a third party entity."
"We are still gathering information on the details and are not in a position to provide specifics on the third party involved."
"Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."
There are some other details in a statement Symantec has posted on Facebook:
"Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old. This does not affect Symantec's Norton products for our consumer customers. Symantec's own network was not breached, but rather that of a third party entity."
"We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."
"However, Symantec is working to develop a remediation process to ensure long-term protection for our customers' information. We will communicate that process once the steps have been finalized. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts."
It’s hard not to feel sympathy for Symantec, which appears to have been caught in the crossfire between a hacking gang and the Indian authorities.
Although Symantec customers may not be at risk, it’s easy to see how the software company will feel bruised by the publicity that the Lords of Dharmaraja have generated through their hack.
trophy scalp? piss on that analogy
This certainly does point out why no third party should EVER have source code for something like security software. Hopefully Symantec, and others, can use this example the next time someone tries to strong arm them for source code as a condition of purchasing the software.
Wrong!
Requiring security software to have its source code secret violates Kerckhoffs's principle. To quote the United States National Institute of Standards and Technology (NIST): "System security should not depend on the secrecy of the implementation or its components."
To give a specific example, anyone who cares to search the web can find source code for the AES cipher, and that fact makes it more secure rather than less, because it means that it has been subject to hostile peer review. On the other hand, closed ciphers such as CSS used on DVDs have repeatedly been shown to be weak and full of holes.
Companies who have to allow access to their source code for review can do so within a controlled environment such as virtual desktops or onsite. It is important for some clients to satisfy themselves that a security product does not implement a backdoor into their systems (intentionally or otherwise).
Stopped using Norton for Mac 10 years ago.
So do you use Sophos, or are you leaving your Mac undefended?
Graham,
I just wanted to extend a personal thank you for being one of the few journalists out there with enough integrity to cite Infosec Island in your coverage of the Symantec NAV affair.
We have already identified numerous large publications who summarized or outright pilfered our material and provided no attribution whatsoever (some statements we published were exclusive, though similar to others released, so it was easy to spot).
We appreciate your efforts to maintain a quality publication with impeccable ethics – yours is a daily read for my staff and I.
Thank you again,
Antony M. Freed
Managing Editor, Infosec Island
Couldn't the hackers reverse engineer the Symantec product?
Also, Symantec says that the code leak only affects old Symantec (enterprise) products and NOT the consumer Norton branch.
I wonder how many other governments, besides the Chinese and Middle East of course, require knowledge of source code for virus vendors. It's like that whole "we want a master key" thing for encryption. Governments can't stand the idea of not being able to control or infiltrate something.
Down with the state
One more thing. If the Indian military servers had the source code, they are obviously using Symantec technology to protect the servers. I think Symantec should worry more about how the hackers were able to access the servers instead of worrying about the source code.
There is no magical silver bullet to protect you in cyber space. In my experience it is people who are the weakest link.
The hackers could have used some type of social engineering to get malware installed on one machine, which could have bypassed detection.
RSA's breach was, from what I understand, initiated through social engineering.
AV/Security software products have traditionally focused on signature-based protection, which means that a piece of malware would have to have been known to the software vendor creating the signatures. If it is not known, it can't be detected.
Nowadays security companies are being more proactive in their approach to detecting malware, especially with zero-day threats, which are hurting the most.
It appears that Symantec is being used as a pawn in the hackers' chess game to make their point, which is very unfortunate.
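The comment above describes why purely signature-based detection misses anything the vendor has not yet seen. The following Python is an added example written for this page, not code from Symantec, Sophos or any commenter: it builds a tiny constructed signature database (one whole-file hash, one byte pattern, both with hypothetical detection names), scans constructed samples, and shows that a recompiled variant and a trivially XOR-encoded copy of a known sample both slip past exact matching. It then goes one step beyond the comment by adding a small "proactive" layer, brute-forcing single-byte XOR keys before rescanning, which is one of the simplest generic-unpacking tricks real engines use to catch encoded copies of known malware.

```python
"""Signature-based detection and its blind spot (added example, constructed data)."""
import hashlib
from typing import List, NamedTuple, Union


class Signature(NamedTuple):
    name: str                  # hypothetical detection name
    kind: str                  # "sha256" = whole-file hash, "pattern" = byte sequence
    value: Union[str, bytes]


# Constructed "known" sample and the signature database derived from it.
KNOWN_TROJAN = b"MZ\x90\x00 constructed trojan build 1"
SIGNATURES: List[Signature] = [
    Signature("Constructed.Trojan.A", "sha256", hashlib.sha256(KNOWN_TROJAN).hexdigest()),
    Signature("Constructed.Dropper.B", "pattern", b"DROP_PAYLOAD_v1"),
]


def scan(data: bytes, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Classic signature matching: a sample is detected only if it (or a byte
    sequence inside it) is already in the database."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for sig in signatures:
        if sig.kind == "sha256" and sig.value == digest:
            hits.append(sig.name)
        elif sig.kind == "pattern" and sig.value in data:
            hits.append(sig.name)
    return hits


def scan_with_xor_unpacking(data: bytes, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """A minimal proactive step: also try every single-byte XOR key and rescan,
    so a trivially encoded copy of a known sample is still caught. Real engines
    go much further (emulation, heuristics, behaviour monitoring)."""
    hits = set(scan(data, signatures))
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        hits.update(scan(decoded, signatures))
    return sorted(hits)


# Constructed samples that a signature-only scanner sees.
TROJAN_REBUILT = KNOWN_TROJAN.replace(b"build 1", b"build 2")   # recompiled variant: hash differs
KNOWN_DROPPER = b"header DROP_PAYLOAD_v1 trailer"              # contains the known pattern
DROPPER_XORED = bytes(b ^ 0x5A for b in KNOWN_DROPPER)          # same dropper, XOR-encoded
BENIGN = b"just a text document"


def demo() -> dict:
    """Return {sample name: (signature-only hits, hits with XOR unpacking)}."""
    samples = {
        "known trojan": KNOWN_TROJAN,
        "rebuilt trojan": TROJAN_REBUILT,
        "known dropper": KNOWN_DROPPER,
        "xored dropper": DROPPER_XORED,
        "benign": BENIGN,
    }
    return {name: (scan(blob), scan_with_xor_unpacking(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (plain, unpacked) in demo().items():
        print(f"{name:15} signature-only={plain}  with-unpacking={unpacked}")
```

The rebuilt trojan is never detected by either pass: no signature exists for it yet, which is exactly the gap the comment describes. The XOR-encoded dropper is missed by plain matching but caught once the scanner tries decoding first, showing how a small amount of generic analysis extends the reach of an otherwise static database.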
I just hope that no innocent jobs are lost as a result of this given the current economic climate.