Home page logo

dataloss logo Data Loss mailing list archives

Six-Year-Old Breach Comes Back To Haunt Symantec
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 29 Jan 2012 02:53:47 -0500


Security firm warns users to halt use of pcAnywhere until it finishes
patching it, but says older Norton products not at risk from
previously 'inconclusive' 2006 security incident

There are security advisories and there are patches, but rarely are
there outright warnings from a software vendor -- much less a security
vendor -- to its customers to stop running one of its products. That’s
the latest twist in a recently revealed breach that exposed some
source code in Symantec’s software.
In an unusual move, Symantec yesterday issued an advisory and released
a white paper warning its customers to stop running its pcAnywhere
software altogether for now. The company released a patch that fixes
some vulnerabilities (PDF), including one that allows remote code
execution, and says more patches are forthcoming.

The move was a drastic shift in Symantec’s reaction to the breach when
it first came to light earlier this month: The security firm at that
time confirmed that “a segment of its source code” had been exposed,
but that it did not affect the Norton line of products, and that the
breach had occurred via a third-party, not on Symantec’s own network.

Last week the company revealed it had indeed been hacked in 2006, and
the source code for the software products was exposed.

The exposed source code specifically affects the older 2006 versions
of Norton Antivirus Corporate Edition, Norton Internet Security,
Norton SystemWorks (Norton Utilities and Norton GoBack), and
pcAnywhere. The current versions of all of these products -- except
for pcAnywhere -- are safe from any fallout of the breach, according
to Symantec.

Why the lag time from the 2006 breach and today's warning?

Brian Modena, director of worldwide communications for Symantec, says
the company’s findings of a security incident in 2006 at the time were

"Symantec was aware that an incident occurred in 2006. We investigated
the incident, but our findings were inconclusive at the time," Modena
says. It was when the company learned that the Anonymous hacktivist
group had gotten hold of its source code that the company went back to
reinvestigate the incident of six years ago.

“It was clear that Anonymous was in possession of the code that was
stolen, and that was when it was confirmed to us that code had been
stolen for sure. Having said that, we have yet to determine who stole
the code in 2006,” Modena says. “Anonymous was in possession of it in
2012, but that does not mean they actually stole it; we think not,
given that Anonymous didn’t exist in 2006, and we most assuredly
would’ve heard about it during the preceding years.”

While an Anonymous-affiliated group has claimed to have stolen the
source code from an Indian government agency, Symantec has no record
of sharing any code with any government agencies in India, Modena

The so-called Lords of Dharmaraja hacking clan claims to have grabbed
Symantec's Norton antivirus source code.

It's not unusual for a company to initially be unable to tell what was
stolen in a breach or how one breach is connected to another.
"Honestly, the toughest part of incident response is being able to
tell what the bad guy took," says Richard Bejtlich, CSO at Mandiant.
"It can be fairly difficult to connect the dots to say what happened
at one point and how it related to something else ... [Symantec]
probably took a second look at their forensic evidence," he says.

[Questions surround 'Lords of Dharmaraja' hackers behind attacks on
Symantec and others. See China Not The U.S.'s Only Cyber-Adversary.]

It's the encoding and encryption pieces of pcAnywhere that are
vulnerable in the wake of the breach: Attackers could wage man-in-the
middle attacks and steal credentials or sniff session information,
according to Symantec. Another side effect is the attacker being able
to initiate malicious remote-control sessions to steal information or
to access systems. "If the malicious user obtains the cryptographic
key, they have the capability to launch unauthorized remote control
sessions," according to Symantec's white paper.

The worst-case scenario for pcAnywhere is that the bad guys who have
the source code can find new bugs and write new exploits.
"Additionally, customers that are not following general security best
practices may be susceptible to man-in-the-middle type attacks, which
can reveal authentication and session information," Symantec's Modena

Security experts say Symantec's recommendation to halt use of its
software is highly unusual and indicates that another shoe could drop.

“I can’t think of any other time a company has come outright and said,
'Stop using our product until we patch it,’” says Chris Eng, vice
president of research at Veracode, who notes that the advisory reveals
some interesting points when it comes to the remote code execution
vulnerabilities. "It looks like it allows remote source code execution
on the server without authentication. If so, that's a big deal.

"Those sorts of things -- remote command execution, remote code
execution -- get reported all the time, but they never say,
'Discontinue use of the product.'" Eng says.

Meanwhile, Symantec says users should move to version 12.5 of
pcAnywhere and install the latest patches, including the Jan. 24 patch
for the Windows version. "Additional patches are planned for
pcAnywhere 12.0, pcAnywhere 12.1, and pcAnywhere 12.5 in the coming
weeks. Symantec will continue to issue patches as needed until a new
version of pcAnywhere is released," Symantec's Modena says.
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Small, inexpensive USB drives pose huge threats to organizations left unprotected. 
Download Chapter 1 of CREDANT Technologies eBook
Data Protection to the Rescue

  By Date           By Thread  

Current thread:
  • Six-Year-Old Breach Comes Back To Haunt Symantec Jake Kouns (Jan 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]