Symantec has admitted that blueprints for current versions of its pcAnywhere software were stolen in 2006 and that all users are at risk of attack and should pull the plug.
That includes users of both current and past iterations as well as those bundled with Altiris and the pcAnywhere Thin Host packaged with backup and security products.
The theft came to light when an Indian hacking group calling itself the Lords of Dharmaraja threatened to publish the source code.
The gang’s apparent spokesperson, who goes by the name of “Yama Tough,” posted code from the 2006 version of Symantec’s Norton AntiVirus to PasteBin and subsequently wrote about the breach on Google+.
It was originally unclear whether the breached source code was relevant to up-to-date installations of Symantec’s anti-virus products.
The confusion has lifted, showing that the danger to users of current products is all too real.
Symantec revealed the news in a white paper [PDF] published on Wednesday, along with a customer advisory on its website.
Symantec’s investigation so far hasn’t found increased risk of exposure to customers using any product, with the marked exception of pcAnywhere, which allows for direct PC to PC communication.
Here’s what the security firm had to say about the pcAnywhere-specific risks, as paraphrased from its white paper:
- The encoding and encryption elements within pcAnywhere are vulnerable, making users susceptible to man-in-the-middle attacks, depending on the configuration and use of the product. If a man-in-the-middle attack should occur, the malicious user could steal session data or credentials.
- A secondary risk: If a malicious user obtains the cryptographic key, they can launch unauthorized remote control sessions and thus access systems and sensitive data.
- If the cryptographic key itself is using Active Directory credentials, it is also possible for attackers to perpetrate other malicious activities on the network.
- In an internal pcAnywhere environment, if a network sniffer were in place on a customer’s internal network and the attacker had access to the encryption details, the pcAnywhere traffic could be intercepted and decoded. This implies that a customer either has a malicious insider who planted the network sniffer or has an unknown botnet operating in their environment. As always, security best practices are encouraged to mitigate this risk.
- Since pcAnywhere exchanges user login credentials, the risk exists that a network sniffer or botnet could intercept this exchange of information, though it would still be difficult to actually interpret the data even if the pcAnywhere source code is released.
- For environments with remote users, this credential exchange introduces an additional level of exposure to external attacks.
Company spokesman Cris Paden told Reuters that Symantec has fewer than 50,000 customers using the stand-alone version of pcAnywhere, which, Reuters reported, was still on sale on its website for $100 and $200 as of early Wednesday afternoon.
Symantec recommends in the white paper that customers disable the product until the company can release a set of updates to deal with the currently known vulnerability risks.
One of the first questions that comes to mind, of course, is whether Symantec is only now learning about the 2006 code leak or whether the company has known about it for six years and is only now admitting that they were hacked.
I think we can safely assume that a security company of Symantec’s size and reputation would shun that type of irresponsible behavior in any way, shape or form. Knowingly selling security software with breached code would be professional suicide and ethically unforgivable.
I only bring it up because, well, the question popped into my head when in the last couple of weeks I first heard about the 2006 theft. I know I’m not alone, since our readers have pondered that same question in the comments sections.
No, I feel confident that Symantec is blameless of suppressing the breach, particularly given how forthcoming they’re being with risks and investigation results.
So, at whom should we point the finger of blame?
Not to get all marketing promotional, here, but I can’t say it any better than Sophos’s Paul Ducklin did when he wrote that he is pointing fingers not at the victimized Symantec but at the criminals who perpetrated the crime:
Yes, I am pointing fingers - at the crooks. Not at "the hackers;" at the crooks. That's what they are. This is a cybercrime. Symantec is the victim.
Good luck cleaning up this undeserved mess, Symantec and pcAnywhere customers, and Godspeed with the patch set.
Update: Symantec has now released a patch that the firm says eliminates known vulnerabilities affecting customers using pcAnywhere. More information can be found on Symantec’s website.
I’m confused — aren’t you basically saying that there are gigantic and undiscovered security holes in Symantec’s product that have not been fixed or corrected since 2006, and we only now know that because a hacker group has identified them through their knowledge of the source code? If that’s the case, doesn’t it imply that Symantec itself is entirely to blame for selling insecure software and never identifying the flaws?
It’s really not surprising — Symantec only updates their products when they are absolutely forced to. They have no credibility with me either as a security company or as a software company, and these events reinforce that.
What I'm saying is it would be truly evil if Symantec had known about this for 6 years. If they didn't know about it for 6 years, which I surmise they didn't, it still amounts to, well, a scary scenario, given that we'd prefer our security vendors to be locked down well enough to avoid being breached.
I don't think we know enough, given what Symantec's told us, to say whether these would be huge gaping holes in the software if the code were never to be released.
“Yes, I am pointing fingers – at the crooks. Not at “the hackers;” at the crooks. That’s what they are. This is a cybercrime. Symantec is the victim.”
The entire computer anti-virus, malware, duct tape industry is a scam that capitalizes from an intentionally flawed Microsoft operating system. Apple and Linux have proven that a stable and secure system is possible and MS is more than capable of providing the same but they must now feed the industry created by their incompetence.
A company that’s part of a scam industry calling themselves victims is laughable.
You seem to forget about the wonderful Apple malware that is out there. Apple and Linux are not magically immune. It is a very simple case of numbers. If I’m going to sit down and write some malware I want it to have the most effect. The simple way to do this is to target the largest number of people possible. Just so happens the way you do that is you target Windows.
As people shift to operating systems other than Windows the malware authors will follow. It is not that they can’t crack these other systems, it is that they don’t see as much to be gained.
Symantec released a hotfix, though they do not know of any publicly available exploits, so there could still be a threat.
http://clientui-kb.symantec.com/kb/index?page=content&pmv=print&impressions=&viewlocale=&id=TECH179526
Let’s stay safe out there
So if their recent acquisition: verisign.com; gets hacked, do you think they’ll not find out about it/release information about it for SIX YEARS?
Both should be blamed. The hackers for breaking in and Symantec for not bothering to fix/maintain PC Anywhere and getting rid of old weaknesses.
It shouldn’t really matter for software products’ security if the source code is lost. The product should be secure anyway. It’s clear that this is a badly coded product.
Symantec also tried to blame third parties for the break-in at first. Later, after pressure, they admitted that the break-in was against their own network.
Not only that, but the claim that revealing the source code has any real effect on the ability of malicious people to "identify vulnerabilities and build new exploits" suggests that Symantec has failed (or never taken) Cryptography 101.
How does anyone know the code was actually stolen? Isn't it possible a developer could have been doing work on a home computer or work laptop that at some point maybe got repurposed, sold on eBay, the hard drive formatted but not wiped, etc.? So many possibilities of how code could have gotten out of the "building".
It’s time to switch to gitso, virtual private networks and/or something else vendor-neutral (depending what you’re trying to do). It’s a little bit more work to set up, but a lot more secure.
I too think this hurts verisign.
That is quite a bit of flaws with one program to not be blaming Symantec. They are a Security company with no security.
@jwane – All OSes have their flaws, and it's not Microsoft that is the issue, it's uneducated people who are pirating music and clicking on links that they think are good for stealing content. Then they believe that the fake/free AV programs are going to fix their issue. Half the PCs I fix have FrostWire on them, and I can't stress enough that this is the #1 source of viruses and malware that these people are getting, but they keep installing it and downloading the same viruses over and over again.
Also you never see a novice user running Apple or Linux causing these same issues, because they don't know how to use them. There is also malware for Apple and Linux systems; it's just that finding these systems is not the norm.
''One of the first questions that comes to mind, of course, is whether Symantec is only now learning about the 2006 code leak or whether the company has known about it for six years and is only now admitting that they were hacked'' (Sophos)
''Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. Since 2006, Symantec has instituted a number of policies and procedures to prevent a similar incident from occurring.'' (Symantec)
Why would Symantec have instituted such measures since 2006 if they had NOT known about the breach?
And has Sophos' Lisa Vaas merely asked the question and played dumb in order for readers (like me) to provide the answer? Surely not.
No, I wasn't playing dumb to bait anybody. As tspedw remarked, we don't actually know how the code got out of the building. Look, Symantec could be guilty as sin, could have dismissed a breach that showed up on logs, could have lost a laptop, etc. If they didn't address the problem fully (and this data breach would point to the fact that they didn't), does that mean they willfully, knowingly sold breached software for six years? I'm not sure one translates to the other, and sure, maybe I'm being Pollyanna-ish here, and maybe more facts will come out that make me regret giving them the benefit of the doubt, but as it now stands, I'm just saying that I doubt they'd knowingly sell insecure software. Criminey, I hope I'm not wrong.
@tspedw Log files could show what someone was doing and it could be a case where it was clear that someone hacked into their systems and stole data.
This is not surprising to me. With the increased amount of outsourced software development, code is open to a wide range of development shops with different security environments. Both physical and virtual secure lockdown of source code become very challenging. With every company focusing on profitability, it would not be too surprising to me that there are many security breaches of this type out there. As a security vendor itself, Symantec failed miserably in protecting its asset. Symantec should be the leader in setting those security standards and controls. It is very disappointing. This is a DISASTER for a security company. I hope Symantec can pull itself out of this gigantic mess, help itself and us define a new standard for security controls. This is a true lesson that we all have to look back on our own controls to secure our own backdoor. Of all, the most important lesson I learn is, "OPEN SOURCE is the BEST!!!" — Never afraid of source code being stolen :).
Good thing I don't use pcAnywhere anymore then. I can't even remember when the last time I used it was, probably around 8-9 years ago. It is, indeed, disappointing, especially if this issue first emerged in 2006; clearly they could've been more careful and done something to prevent this from happening now.
Either way, I guess there are alternatives out there, speaking of which, anyone have any idea if Audials Anywhere is similar to pcAnywhere? I heard it's like the next major trend in file sharing and streaming but I don't really know how it works.