Security

Symantec says to disable pcAnywhere after source code exposure by Anonymous

Symantec acknowledges a breach that exposed the source code for pcAnywhere. Users are advised to disable it immediately until software updates are available to resolve vulnerabilities.

In August 2011, CNET reported claims by Anonymous that they had breached the servers of Symantec (among others). Now Symantec has acknowledged that its own investigation shows the source code for pcAnywhere was stolen -- in 2006! Symantec issued a technical white paper with security recommendations and posted a message on its website about the serious breach -- surely an embarrassing situation for the maker of Internet security-related products, including the Norton suite of antivirus software. pcAnywhere is a software program from Symantec that many enterprises use to manage corporate PCs.

Here is an excerpt from the white paper (PDF):

Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.

Security recommendations include:

  • Symantec recommends disabling pcAnywhere until they release software updates that resolve "currently known vulnerability risks."
  • As far as the other source code exposure related to the 2006 versions of the Norton products as detailed in their statement above, Symantec says that the "code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product." They recommend only that customers update their AV definitions and follow general best practices.

Here is the page on Symantec's site that they will update with further information if anything changes: Claims by Anonymous about Symantec Source Code.

Here is a further summary of the risks posed to pcAnywhere users, according to the Symantec white paper:

Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

So there you have it. How would you characterize this disclosure? How is it that we seem to be talking about a theft that occurred five or six years ago? The sequence of events is kind of weird. According to a report in The Register:

A hacker calling himself "Yama Tough", acting as a spokesperson for the group, claims the source code had been pulled from insecure Indian government servers, implying that Symantec was required to supply their source code to Indian authorities. In a series of Twitter updates, Yama Tough talked about various plans to release the source code before committing to release the secret sauce of pcAnywhere.

The Yama Tough tweeting occurred on Monday.

Was the 2006 theft perpetrated by someone now affiliated with Anonymous? Was there a secondary breach last year? If so, we should find out about it in roughly 2017. Feel free to offer your comments and speculation below.

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

57 comments
nylentone

My decision to stop endorsing Symantec products about 10 years ago was clearly the right move.

Brian Doe

And here we have perhaps the most compelling reason why open-source is the way to go. Had this software been open-source to begin with, all of its vulnerabilities would have been fleshed out a long time ago, and its exposure would have been a complete non-issue.

BALTHOR

The weakest part of any computer is software. I think that the Windows XP that we have is a copy of a copy of a copy and so on. These operating systems actually make the rounds in industry. Each corporation uses their tricks to the OS and we get something that at least works. I don't want to watch the country drift away on TV without a fight.

realvarezm

I mean I have never trusted this brand for some reason I had issues with my clients. Since I use Kaspersky 4 years ago I can say that is one tough AV. For some reason I've always mistrusted McAfee and Norton, and all that BS about a 5% you have to add a zero after that number. This is the beginning of their downfall. Rest in peace Norton.

codepoke

I concur with the sentiments regarding Anonymous' revelations. Symantec evidently had an explicit back door in their "secret" code, and Anonymous' little "service" has exposed Symantec's irresponsibility. Symantec failed. That doesn't mean Anonymous agents are angels. In comic books, the superheroes always have to outsmart the police force to keep fighting evil. That's the feel I get from Anonymous. They see evil in governments, and they're using their super powers to resist injustice in all its identifiable forms. If they have to dodge the police to make life better for the police, they're willing to bear the white man's burden. But this isn't the comics, and Anonymous is full of normal people with superior skills. Normal people guess wrong about what's unjust, they get tempted by power in all its forms, they even make all the right judgments and accidentally break things they never meant to touch. Anonymous, should they get what they wish for, will break much more than they fix.

MyopicOne

..and as far as I'm concerned reason enough to never voluntarily use a Symantec product again.

robertbrown

Did the breach occur against Symantec servers or against Indian government servers?

info

In reply to FAST!!!, that's like asking why anyone should bother with Citrix when all it is is Microsoft Remote Desktop. One feature PCAnywhere has that others lack is incremental file transfer. You copy a file a few times with RDP, and it copies the whole file, every time. Copy it with PCAnywhere, and it only copies what's changed, saving a lot of time. Although with modern high-speed connections, this is becoming less relevant, it's still one of many nice features about the software.

FAST!!!

With all the web and IP based desktop sharing apps both free and paid-for I'm surprised pcAnywhere is still being sold...

boboswin

They actually didn't have to announce this on the Net. The guy who discovered it could have just phoned the guy using it. I wish I had a nickel for every hour I spent in the 90's trying to communicate with their vaporware support unit or reinstall the software dozens of times.

Neon Samurai

In your version, Symantec would have had to spend more money supporting the software and managing the community submissions. Now how are the C level executives going to afford those second yacht payments if we go and do things your way!

Sterling chip Camden

That's quotable. And if "Call the FBI" is meant to be sarcastic, well played.

AnsuGisalas

And didn't bother to get up, it seems. Only now someone has taken a pic of them there on the floor, in their own filth. :D

kgross

Most appear to be really brilliant people when it comes to how computers, networks and the internet function. I suspect that many of them do what they do simply because they can rather than for any really organized sense of justice or protest against evil. I would also suspect that some are actually playing both sides and are engaging in their activities for personal gain rather than out of altruism. Overall, I think that hacking corporate or government systems and then publicizing the insecurities is wrong. I don't know whether these individuals make any attempt to notify the owners of the systems they hack about the vulnerabilities they found to give them opportunity to improve them. If they do and the owners don't respond or care, then perhaps the publicity forces the issue. But if they don't, then they needlessly expose anyone who uses the systems to risk they might not otherwise face and perhaps cost the system owner more to repair the damage than they might otherwise incur. Even more troubling is the potential for backlash and more government regulation or interference that may arise because of their illegal activities. We all know how government has to "protect" everyone.

apotheon

In essence, Anonymous is the bleeding edge of 21st Century public protest, and its methods are rapidly becoming the only effective means of protest by anything less than a general, widespread public awakening that has any chance of making a dent in establishment oppression. It may be far from perfect, but it's also apparently the only generally effective means anyone has found that doesn't directly target innocents. Don't forget, as well, that some Anonymous "agents" probably are basically angels. Anonymous is not a hierarchical organization. It's basically the emergent property of discontent. When parts of that mass of amorphous discontent in technically proficient society coalesce (mostly by chance) with a general consensus, action happens. You might think of Anonymous not as an organization or movement, but merely as a method, where organizations or movements rise and fade away as "needed". To try to characterize Anonymous as a whole in terms of things like specific associated motives -- apart from a general desire for anonymity -- is misguided.

echo9

I really don't have the confirmation about Symantec's systems and/or networks (Symantec does submit that their own servers were penetrated some "years" back.. and the source code exposed is from that data..which was stolen). I still feel that Symantec's systems were hacked.."when" I could not comment :D

apotheon

The point is not that it duplicates what you can get from Microsoft; it's that pcAnywhere is only one out of dozens of third-party options to do the same thing, many of which have features that put pcAnywhere to shame, and most of which cost less (if anything at all; many are free). Besides . . . there are better ways to get copies by delta than pcAnywhere.

HAL 9000

Because the Makers of the software that is used in the Medical Offices particularly Specialists is updated through PC Anywhere by its makers. There is another big chunk of the industry who has to use it. ;) Col

Jeff Adams

Client management, server management, asset management, deployment, etc. Acquired by Symantec in 2007? Guess what they embed in the Altiris agent now, for remote viewing/shadowing? Yep...pcAnywhere. Those corporations on Altiris 7.x+, with thousands and thousands of agents deployed, also have thousands and thousands of copies of pcAnywhere running on their corporate networks.

JJFitz

I have not used it since the early 90's and I don't allow it on corporate devices.

SKDTech

Some businesses have no wish to put access to their network in the hands of a third party, and some can not due to security obligations such as those that are required of a military or government contractor. And then of course there may be bandwidth concerns to take into account.

Sterling chip Camden

The business model suddenly becomes clear: keep product development opaque, so we can sell it as something incomprehensibly complex, requiring research and expertise commensurate with the price we charge -- while keeping costs low by not actually paying much attention to what we produce.

AnsuGisalas

but then, I believe in the establishment even less. This monkeywrenching is simply a part of renegotiating the role of the people in general. The people have been defined by market and government forces as a passive vessel for trade, and now a part of the people is saying "Beg to differ!" on behalf of the whole. It's a battle about whether or not the people should be consulted about what it is fed.

codepoke

After Anonymous embedded LOICs in ostensibly informational links? Curious bystanders were tricked into committing felonies. Anon is bad news. They are proud of having unaccountable power. They can't be voted out. They can't be touched. Their names and addresses can't even be exposed like they're doing to police they don't like. Ossification is bad, but see the French Revolution for a cure worse than the disease.

MyopicOne

I banned their stuff from my home network well before they got hacked. I mean that now I will actively work in the Corporate environment to see that their crap isn't used, either.

echo9

I came to mine a few years back :D

jdclyde

Once someone has a package loaded in their network, they need a very good reason to even consider a different package. "don't fix what isn't broke", but managers often have no idea if something is broke or not until it completely stops. People forget how fluid technology is. Just because a package is great today doesn't mean it will still be "the package" in a few years. Years ago I had moved exclusively to FF for my network and it saved me a ton of time in keeping systems from becoming infected. Now I have moved to Chrome for most of my browsing. Who knows what tomorrow will bring?

HAL 9000

The people who I deal with who use it are mandated by their Software Suppliers. For instance Medical Software here is managed by its Developer and updated Via PC Anywhere on a very regular basis. The Company rings the Doctors Office/s gets the Secretary/Receptionist/Nurse to enable PC Anywhere and updates the Program. Currently all Software used by the Medical Industry requires PC Anywhere and it's part of the Medical Program Package, I'm not even sure which version they are currently using as it's not a separate application it's installed with the Medical Program and incorporated into it. In other words they don't have a choice to use anything else. ;) Col

nylentone

Symantec has gone on a spree for years buying decent companies with useful products and then completely destroying them.

jdclyde

Loading someone's software directly on your system vs on a web server, both are opening your world to someone else.

Sterling chip Camden

Yes, there are dedicated developers, even in closed-source software companies. There are probably some at Symantec, but the "economies of scale" of that corporation work to nullify their efforts.

MyopicOne

Applications development the modern way! (with apologies to the dedicated ones because I know you're out there)

apotheon

I still call it good, as long as it doesn't do anything to violate the rights of the innocent. (Let's not get into a discussion of "innocent" now; I think you know what I mean.)

AnsuGisalas

I don't call it "good", I call it "preferable". "Good" is a state, and an absolute state, at that : Boolean 1. "Better" is not absolute, so "better", or "preferable" can be applied to many things, without watering down or distracting from what the absolute is about. It's not a boolean, merely an assessment of "x > y", fuzzy almost by definition. I suppose there could be forces for improvement (forces for making things more better ;) ), but these things are directional, and directional forces never reach the absolute, only approach it. My stance on this is in parallel to my opinion of stuff like "Political movement" (which I deem to mean "aiming to go too far" - an exercise in futility at best). Often there will come a point where the force begins to pull away from the goal, leading it to become the opposite of what it set out to be, a force for detriment. But be aware that I don't recognize passive force. A force is a force only in its execution. Having a gun is not force. Using a gun is force. Using a gun can be preferable to not using a gun, but it's never going to be "Good" with a capital G. Force, by my definition, is short for "use of force" or "application of force", never "potential for force", which is often just the same as "strength".

apotheon

. . . but the fact remains that sometimes resisting evil is necessary, and when undertaken out of necessity I call that "good".

AnsuGisalas

But saving people from genocide by force is far less good than preventing said genocide by enlightenment. The latter is the only lasting way, and so, the only true good. The good that can be achieved by force of arms is not the true good, at best it is correcting a past oversight, at worst it is a selfish indulgence which will leave things worse than they were.

apotheon

I guess victims of genocide should just lie down and die, then, so they don't distract from doing good.

AnsuGisalas

It may enable good, but usually it only distracts from it: "We don't have the resources to do Good right now - we have a War on Evil to fight".

apotheon

I guess whether "force for good" is a contradiction in terms depends on whether you define "good" such that it encompasses "resisting evil" as a reactive practice, and not solely doing good in a proactive manner.

AnsuGisalas

A force for good is a contradiction in terms :) A force for a use can exist, though. Just like a tool for a purpose.

apotheon

Your points are both well-framed and well-taken.

Sterling chip Camden

Anonymous isn't a force for good, it's a force for disruption. Out of that disruption may come some good -- or it might just force the establishment to show its hole card and tighten the screws further. That largely depends on how the majority of people respond to it -- or don't respond. Overall, though, I'm in favor of shaking things up rather than letting them stagnate.

echo9

and I agree with apotheon. What Anonymous has been doing is simply fine..considering what we will be dealing with SOPA, IP act etc.?..shite :/

apotheon

Technically it wasn't the French Revolution that was a cure worse than the disease; it was the Reign of Terror and growth of an oppressive Party Line regime that followed the effective end of the French Revolution.

echo9

As far as I can remember it was the year 2004 that I banned them from my home network as well and I "stopped" recommending their products to my friends and also told them to stay off it :D (except the "Ghost". Hey it's a good product; does the work straight forward :))

apotheon

Maybe a browser called xxxterm. I've been using it a fair bit lately, and it is much less aggravating than Firefox. It also offers capabilities that are lacking in Chromium.

HAL 9000

The 2 major Medical Programs both use it and both include it in their Installation Package. So it's not so much a matter of them even thinking about it but being given no option. Here I think that PC Anywhere has been certified as Meeting Compliance by the Authorities is why it gets used and nothing else is considered. You just have to love Bureaucrats. ;) Col :0

apotheon

I think it's that, for the most part, doctors are only as careful as anyone else given the same set of circumstances relative to their own personal needs. That is, they're mostly concerned about things like liability, their own convenience, and making money -- and not usually in that order.

apotheon

I wasn't arguing FAST!!!'s point -- just explaining it to the person who completely missed it.

Sterling chip Camden

That anyone in the medical profession would be careless enough to use something like pcAnywhere makes me feel really confident about everything else they do. Or is this just a case of them assuming that technical professionals are just as careful about their work?

AnsuGisalas

social engineering... "Hello, this is John McDoe from Medsoft Inc, I need you to enable PC Anywhere for the update, as usual. BTW this update is a bit intensive, so don't be alarmed if the system is a bit slower for a while. Thanks!"
