Stolen Symantec source code posted online by hacker

7 views
Skip to first unread message

Its from Onion

unread,
Feb 10, 2012, 5:50:23 AM2/10/12
to tscm-l2006

Stolen Symantec source code posted online by hacker

David Sarno, Los Angeles Times

LOS ANGELES -- A hacker has released stolen source code from Symantec Corp., one of the largest computer security firms, after a phony set of ransom negotiations failed, according to the company. 

The source code is part of a Symantec product called pcAnywhere, which enables users to log into and control home or work computers from remote locations. Access to the code could in theory give hackers insight into how to seize computers that use the software. 

Symantec said the source code was for 2006 products that had since been updated with newer code. Even so, the company said, it had contacted customers in recent weeks to get them to apply software upgrades that could address known security problems. 

The hacker, going by the name Yamatough, appeared to release a tranche of the code onto the controversial file-sharing site Pirate Bay on Tuesday, just as Symantec disclosed that ransom talks with the hacker were conducted by law enforcement personnel posing as a Symantec employee. 

On Tuesday, a series of emails apparently between Yamatough and a Symantec employee were posted on the website Pastebin.com. The emails were a back-and-forth over how to arrange an alleged $50,000 ransom payment in return for the hacker's agreement to return the code without publishing it. 

Symantec says the negotiations were a ruse conducted by law enforcement after the company contacted authorities. 

"Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property," spokesman Cris Paden said in a statement. 

The email subterfuge was "all part of their investigative techniques for these types of incidents," he added, noting that the company could not disclose which law enforcement agency was involved while the investigation was ongoing. 

Symantec said the code was stolen in a 2006 hacking and affected four products: Norton Antivirus Corporate Edition, Norton SystemWorks, Norton Internet Security and pcAnywhere. 

"Of those four products, only pcAnywhere is still sold," Paden wrote. "All of the others have been phased out and discontinued -- or, in the case of Norton Internet Security, it has been completely, totally rebuilt." 

The company urged users of its pcAnywhere product to apply the security fixes immediately. 

======== 

(c)2012 the Los Angeles Times. Visit the Los Angeles Times at www.latimes.com. Distributed by MCT Information Services

d...@geer.org

unread,
Feb 10, 2012, 8:39:33 AM2/10/12
to tscm-...@googlegroups.com

Point of information:

> Symantec said the source code was for 2006 products that had
> since been updated with newer code.

That is likely true, but "updated" and "rewritten using no libraries
of the era or anything else" are pretty different.

The paper listed below was a thorough review of bug lifetime in
OpenBSD which, as you may know, is driven by folks who see security
of their code as Job 1, not a necessary nuisance. As such, the
persistence (half-life) of bugs, the fraction of them that are
security-related, the version-to-version forward propagation of
existing code-base problems, etc., are, with OpenBSD, quite likely
as good as it gets. One thus can plausibly conclude that other
code-bases are no better than the OpenBSD code-base when one's
metric is the probability of carry-forward security bugs.

This is written not to diverge this list into a thread on software
security, merely to contextualize the Symantec claim. As with so
much in software security, many things which are true are also
irrelevant. Symantec's statement falls in that category.

--dan

See
http://www.usenix.org/events/sec06/tech/ozment.html

Reply all
Reply to author
Forward
0 new messages