Symantec: Stop using pcAnywhere, right now


Symantec has admitted that blueprints for current versions of its pcAnywhere software were stolen in 2006 and that all users are at risk of attack and should pull the plug.

That includes users of both current and past iterations as well as those bundled with Altiris and the pcAnywhere Thin Host packaged with backup and security products.

The theft came to light when an Indian hacking group calling itself the Lords of Dharmaraja threatened to publish the source code.

The gang’s apparent spokesperson, who goes by the name of “Yama Tough,” posted code from the 2006 version of Symantec’s Norton AntiVirus to PasteBin and subsequently wrote about the breach on Google+.

It was originally unclear whether the breached source code was relevant to up-to-date installations of Symantec’s anti-virus products.

The confusion has lifted, showing that the danger to users of current products is all too real.

Symantec revealed the news in a white paper [PDF] published on Wednesday, along with a customer advisory on its website.

Symantec’s investigation so far hasn’t found increased risk of exposure to customers using any product, with the marked exception of pcAnywhere, which allows for direct PC to PC communication.

Here’s what the security firm had to say about the pcAnywhere-specific risks, as paraphrased from its white paper:

  • The encoding and encryption elements within pcAnywhere are vulnerable, making users susceptible to man-in-the-middle attacks, depending on the configuration and use of the product. If a man-in-the-middle attack should occur, the malicious user could steal session data or credentials.
  • A secondary risk: If a malicious user obtains the cryptographic key, they can launch unauthorized remote control sessions and thus access systems and sensitive data.
  • If the cryptographic key itself is using Active Directory credentials, it is also possible for attackers to perpetrate other malicious activities on the network.
  • In an internal pcAnywhere environment, if a network sniffer was in place on a customer’s internal network and the attacker had access to the encryption details, the pcAnywhere traffic could be intercepted and decoded. This implies that a customer either has a malicious insider who planted the network sniffer or has an unknown Botnet operating in their environment. As always, security best practices are encouraged to mitigate this risk.
  • Since pcAnywhere exchanges user login credentials, the risk exists that a network sniffer or Botnet could intercept this exchange of information, though it would still be difficult to actually interpret the data even if the pcAnywhere source code is released.
  • For environments with remote users, this credential exchange introduces an additional level of exposure to external attacks.

Company spokesman Cris Paden told Reuters that Symantec has fewer than 50,000 customers using the stand-alone version of pcAnywhere, which, Reuters reported, was still on sale on its website for $100 and $200 as of early Wednesday afternoon.

Symantec recommends in the white paper that customers disable the product until the company can release a set of updates to deal with the currently known vulnerability risks.
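Before you can disable pcAnywhere you have to know where it is still in use, and the white paper's risk list (sniffable credential exchange, remote users adding external exposure) says which instances matter most. The following inventory script is an added example, not code from Symantec or from this article: it walks firewall or flow logs, picks out connections to pcAnywhere's IANA-registered ports (TCP 5631 for data, UDP 5632 for status; the assumption is that hosts use the defaults), and ranks the receiving hosts so that those reachable from outside the RFC 1918 ranges come first. The log format, the address ranges and the sample lines are constructed for the example.

```python
"""Inventory pcAnywhere traffic from firewall/flow logs so the hosts can be
disabled, as Symantec advises. Added example, not the article's or Symantec's
code. pcAnywhere's IANA-registered ports are TCP 5631 (data) and UDP 5632
(status); a site that moved them must extend PCANYWHERE_PORTS. The key=value
log format below is constructed, not any particular vendor's."""
import ipaddress
import re
from collections import defaultdict

# Assumption: default pcAnywhere port assignments.
PCANYWHERE_PORTS = {("tcp", 5631), ("udp", 5632)}

# Assumption: these RFC 1918 ranges are "internal"; anything else is external
# and corresponds to the white paper's "remote users" exposure.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (hypothetical firewall "fw1").
SAMPLE_LOG = """\
2012-01-25T13:02:11 fw1 action=allow proto=tcp src=10.1.4.22 sport=49211 dst=10.1.7.15 dport=5631
2012-01-25T13:02:11 fw1 action=allow proto=udp src=10.1.4.22 sport=5632 dst=10.1.7.15 dport=5632
2012-01-25T13:05:40 fw1 action=allow proto=tcp src=10.1.4.30 sport=51002 dst=10.1.7.15 dport=443
2012-01-25T13:09:03 fw1 action=allow proto=tcp src=203.0.113.77 sport=40012 dst=10.1.9.8 dport=5631
2012-01-25T13:10:55 fw1 action=deny proto=tcp src=198.51.100.9 sport=33333 dst=10.1.9.8 dport=5631
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+sport=(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["proto"] = rec["proto"].lower()
    return rec


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def inventory(log_text):
    """Return {dst_ip: {"clients": set, "external": bool, "denied": int}} for
    every destination that received traffic on a pcAnywhere port."""
    hosts = defaultdict(lambda: {"clients": set(), "external": False, "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (rec["proto"], rec["dport"]) not in PCANYWHERE_PORTS:
            continue
        entry = hosts[rec["dst"]]
        if rec["action"] == "deny":
            # Blocked attempts still tell you the host is being probed.
            entry["denied"] += 1
            continue
        entry["clients"].add(rec["src"])
        if not is_internal(rec["src"]):
            entry["external"] = True
    return dict(hosts)


def prioritised(inv):
    """Rank hosts: externally reachable first, then by address. Each item is
    (host, client_count, external, denied_attempts)."""
    ordered = sorted(inv.items(), key=lambda kv: (not kv[1]["external"], kv[0]))
    return [(h, len(e["clients"]), e["external"], e["denied"]) for h, e in ordered]


if __name__ == "__main__":
    for host, n_clients, external, denied in prioritised(inventory(SAMPLE_LOG)):
        print(f"{host}: {n_clients} client(s), external={external}, denied={denied}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the hosts listed with external=True are the ones to disable first, and any host that still appears after the product has supposedly been removed is a host where the service is still listening.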

One of the first questions that comes to mind, of course, is whether Symantec is only now learning about the 2006 code leak or whether the company has known about it for six years and is only now admitting that they were hacked.

I think we can safely assume that a security company of Symantec’s size and reputation would shun that type of irresponsible behavior in any way, shape or form. Knowingly selling security software with breached code would be professional suicide and ethically unforgivable.

I only bring it up because, well, the question popped into my head when in the last couple of weeks I first heard about the 2006 theft. I know I’m not alone, since our readers have pondered that same question in the comments sections.

No, I feel confident that Symantec is blameless of suppressing the breach, particularly given how forthcoming they’re being with risks and investigation results.

So, at whom should we point the finger of blame?

Not to get all marketing promotional, here, but I can’t say it any better than Sophos’s Paul Ducklin did when he wrote that he is pointing fingers not at the victimized Symantec but at the criminals who perpetrated the crime:

Yes, I am pointing fingers - at the crooks. Not at "the hackers;" at the crooks. That's what they are. This is a cybercrime. Symantec is the victim.

Good luck cleaning up this undeserved mess, Symantec and pcAnywhere customers, and Godspeed with the patch set.

Update: Symantec has now released a patch that the firm says eliminates known vulnerabilities affecting customers using pcAnywhere. More information can be found on Symantec’s website.