Symantec (NSDQ:SYMC) told customers Thursday not to use pcAnywhere until the company can secure the PC remote control software following the theft of its underlying code by hacker collective Anonymous.
Symantec issued the warning after completing an analysis of the source code taken by an Indian chapter of Anonymous from an unidentified third party. Samples of the code were given to Infosec Island, an online community of security professionals that handed the code to Symantec, the vendor reported about two weeks ago.
Symantec found that the code came from 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks and pcAnywhere. Only the latter software contained vulnerabilities exposed as a result of the theft.
“At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks,” Symantec said in the advisory.
PcAnywhere enables someone to remotely manage another computer. The discovered vulnerabilities affect the latest and older versions of the software, which was also bundled with other Symantec products, including Altiris Client Management Suite, Altiris IT Management Suite and Altiris Deployment Solution with Remote v7.1. The vendor advised customers to disable the pcAnywhere components.
Symantec found that the encoding and encryption elements of pcAnywhere are vulnerable to a cybercriminal launching a man-in-the-middle attack, which involves a hacker intercepting data moving between computers. If the hacker was able to steal the cryptographic key while eavesdropping, he could use it to access the computers and steal data. If the key was also used with Microsoft Active Directory credentials, then a cybercriminal could gain access to other computers on a network, Symantec said.
Darrel Bowman, chief executive of Tacoma, Wash.-based reseller mynetwork.com, said in his 25 years of selling Symantec products, he could “count on one hand” the number of businesses that bought pcAnywhere. “It’s of minimal concern from our perspective,” he said.
Bowman didn’t believe Symantec’s reputation would be tarnished by the theft, given how the vendor has openly acknowledged the problem and has published an advisory in a reasonable amount of time. “Security isn’t perfect, and your reputation is how you react (to a breach),” he said. “In my opinion, this is a great way to react. You need to go out there and tell people.”
When the code theft was first reported, Symantec played down the potential problems. “It would be very difficult to do anything with (the code), because it is so old,” Symantec spokesman Cris Paden had said.
Experts have warned for years that security software, like any other application, contains vulnerabilities. In a 2008 Black Hat conference presentation, Feng Xue, technical lead for security vendor Nevis Networks, said data taken from the U.S. national vulnerability database showed that 165 vulnerabilities in AV software had been reported from 2004 to 2007.
Symantec (NSDQ:SYMC) confirmed Friday that an India-based chapter of hacker collective Anonymous had accessed the network of an unidentified third party and had taken source code from two of its corporate security products.
The vendor said code samples provided Thursday to an online community of security professionals called Infosec Island were from two products: Symantec Endpoint Protection 11 and Symantec AntiVirus 10.2. The vendor supports the latter, but no longer sells it, while the former is currently on version 12.1. The code was four or five years old, according to Symantec.
“It would be very difficult to do anything with (the code), because it is so old,” Symantec spokesman Cris Paden said.
Malware designed to take advantage of the code would only work on the older products. Therefore, hackers would have to find a company that had not updated its security software in years, an unlikely scenario. “They would have been annihilated a long time ago from cyber threats,” Paden said.
Symantec claimed the theft did not indicate that source code in its current products could be taken. The software today is architected differently, so the techniques used to take code from the older products won’t work, Paden said. “It’s not possible that they would be able to access current-day code.”
Infosec reported Friday that a hacker going by the alias YamaTough gave it a file that appeared to contain source code of the 2006 version of Symantec’s consumer product Norton Antivirus. After analyzing the file, Symantec said it contained 1999 documentation describing how Norton Antivirus worked. There was no source code. “Hence, the claim was false,” Paden said. Symantec identified the same Anonymous chapter as the source of the file, and said it was given to Infosec on Wednesday.