Symantec acknowledges a breach that exposed the source code for pcAnywhere. Users are advised to disable it immediately until software updates are available to resolve vulnerabilities.
In August 2011, CNET reported the claims by Anonymous that they had breached servers of Symantec (among others) and now, Symantec has acknowledged that their own investigation reveals that the source code for pcAnywhere was stolen...in 2006! Symantec issued a technical white paper with security recommendations and a message on their website about the serious breach — surely an embarrassing situation for the maker of Internet security-related products, including the Norton suite of antivirus software. pcAnywhere is a software program from Symantec that many enterprises use to manage corporate PCs.
Here is an excerpt from the white paper (PDF):
Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.
Security recommendations include:
- Symantec recommends disabling pcAnywhere until they release software updates that resolve "currently known vulnerability risks."
- As for the other exposed source code, the 2006 versions of the Norton products listed in the statement above, Symantec says that the "code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product." For those products they recommend only that customers update their AV definitions and follow general best practices.
Here is the page on Symantec's site that they will update with further information if anything changes: Claims by Anonymous about Symantec Source Code.
Here is a further summary of the risks to pcAnywhere users, according to the Symantec white paper:
Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.
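Before you can follow the "disable it" advice you need to know which machines are still running a pcAnywhere host. The script below is an added example, not part of the Symantec white paper or of this post: it sweeps a list of IPs or CIDR ranges for anything accepting connections on TCP 5631, pcAnywhere's session port (UDP 5632, the status/discovery port, is not probed). The 192.0.2.0/28 default range is an RFC 5737 placeholder chosen for illustration; substitute your own management networks.

```python
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# pcAnywhere listens on TCP 5631 for sessions and UDP 5632 for status/discovery.
# A TCP connect on 5631 is enough to tell that a host service is still reachable.
PCANYWHERE_TCP_PORT = 5631


def port_open(host, port=PCANYWHERE_TCP_PORT, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, timed out, unreachable: all mean "nothing answering here"
        return False


def expand_targets(targets):
    """Expand a list of single IPs and CIDR ranges into individual host strings."""
    hosts = []
    for target in targets:
        net = ipaddress.ip_network(target, strict=False)
        if net.num_addresses == 1:
            hosts.append(str(net.network_address))
        else:
            hosts.extend(str(h) for h in net.hosts())
    return hosts


def find_pcanywhere_hosts(targets, port=PCANYWHERE_TCP_PORT, timeout=1.0, workers=64):
    """Return the hosts in `targets` that accept TCP connections on `port`, sorted by address."""
    hosts = expand_targets(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_open(h, port, timeout)), hosts))
    return sorted((h for h, is_open in results if is_open), key=ipaddress.ip_address)


if __name__ == "__main__":
    # Usage: python pcaw_sweep.py 10.0.0.0/24 10.0.1.17 ...
    # The fallback range is an RFC 5737 documentation block, used here only as a placeholder.
    targets = sys.argv[1:] or ["192.0.2.0/28"]
    for host in find_pcanywhere_hosts(targets):
        print(f"{host}: TCP/{PCANYWHERE_TCP_PORT} open, pcAnywhere host still reachable; disable it")
```

A connect scan only proves something is listening on 5631, not that it is pcAnywhere, so treat hits as a worklist to confirm on the box (and remember that hosts reachable only over the Internet or from untrusted segments are exactly the ones the white paper's man-in-the-middle warning is about).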
So there you have it. How would you characterize this disclosure? How is it that we seem to be talking about a theft that occurred five or six years ago? The sequence of events is kind of weird. According to a report in The Register:
A hacker calling himself "Yama Tough", acting as a spokesperson for the group, claims the source code had been pulled from insecure Indian government servers, implying that Symantec was required to supply their source code to Indian authorities. In a series of Twitter updates, Yama Tough talked about various plans to release the source code before committing to release the secret sauce of pcAnywhere.
The Yama Tough tweeting occurred on Monday.
Was the 2006 theft perpetrated by someone now affiliated with Anonymous? Was there a secondary breach last year? If so, we should find out about it in roughly 2017. Feel free to offer your comments and speculation below.