Symantec has confirmed that a file made available on the internet for anyone to download, does contain the source code for an old version of its pcAnywhere product.
For a short while last month, before releasing a patch, Symantec advised customers to disable their pcAnywhere installations because of concern that hackers could exploit vulnerabilities.
In addition, the firm says that in January someone claiming to be the hacker responsible for the data theft tried to extort $50,000 from the firm in exchange for not releasing Symantec’s stolen source code.
Yama Tough, of the Anonymous-affiliated Lords of Dharmaraja hacking gang, posted what he claims was a chain of emails sent between himself and Symantec employee “Sam Thomas” negotiating the payment.
Symantec says that it never made any offers to meet the hackers’ extortion demands and worked with law enforcement agencies. It seems quite possible (if not downright likely) that “Sam Thomas” wasn’t a Symantec employee at all, but instead working for the FBI.
Eventually, Yama Tough lost patience and published the pcAnywhere source code.
As well as pcAnywhere’s source code being available for download from popular torrent websites, there could be further disclosures.
According to Symantec, hackers have so far posted code for the 2006 versions of Norton Utilities and pcAnywhere. The firm says that it is expecting source code to be published for other Symantec products:
"We also anticipate that at some point, they will post the code for the 2006 versions of Norton Antivirus Corporate Edition and Norton Internet Security. As we have already stated publicly, this is old code and Symantec and Norton customers will not be at an increased risk as a result of any further disclosure related to these 2006 products."
With customers reassured by Symantec that the illegal theft and distribution of the source code poses no increased risk, the company will be keen to put this episode behind it and move on.
Symantec seems to have done the right thing throughout this incident – investigating what occurred, and openly sharing with its users what it discovered about a security breach from years before.
Furthermore, they recognise that they have been victims of a criminal act and have called in the authorities to investigate and (one hopes) bring the culprits to justice.Follow @gcluley