Attacks/Breaches
2/7/2012
01:09 PM

Hackers Post Symantec Source Code After Failed Extortion Attempt

Symantec is warning customers to upgrade pcAnywhere and apply available patches to stay safe after source code for the product was posted online

Hackers have posted source code for Symantec’s pcAnywhere software online after an attempt to extort money from the company fell through.

The extortion attempt is chronicled in a chain of emails that began in January and culminated in a $50,000 offer to the hacker YamaTough in exchange for the code. Everything was not as it seemed, however, according to the company: the hacker was actually communicating with law enforcement.

“The e-mail string posted by Anonymous was actually between them and a fake e-mail address set up by law enforcement,” a Symantec spokesman said. “Anonymous actually reached out to us, first, saying that if we provided them with money, they would not post any more source code. At that point, given that it was a clear-cut case of extortion, we contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents – not Symantec.”

When negotiations failed to produce profit, the hacker posted the source code for pcAnywhere on The Pirate Bay. The incident is the latest twist in a story that began when YamaTough, part of Anonymous-affiliated hacking group Lords of Dharmaraja, made the news earlier this year when he claimed to be in possession of source code for numerous Symantec products.

The company subsequently revealed that source code for the 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and pcAnywhere had been stolen in 2006.

In the case of pcAnywhere, this revelation prompted a warning from the company to use the most up-to-date version of the product.

“We can confirm that the source code has been posted and is legitimate,” the Symantec spokesman said. “It is part of the original cache of code for 2006 versions of the products that Anonymous has claimed to have been in possession [of] during the last few weeks.

“Symantec was prepared for the code to be posted at some point, and has developed and distributed a series of patches since Jan. 23rd to protect our users against attacks that might transpire as a result of the code being made public. We have been conducting direct outreach to our customers since Jan. 23rd to reiterate that, in addition to applying all relevant patches that have been released, we’ve also counseled customers to ensure that pcAnywhere version 12.5 is installed, and follow general security best practices.”

[Symantec issued an advisory and released a white paper warning its customers to stop running its pcAnywhere software altogether for now in the wake of the theft of its source code. See Six-Year-Old Breach Comes Back To Haunt Symantec.]

Eric Ogren, principal analyst at the Ogren Group, said he was surprised by the extortion attempt, as the hacker was potentially setting up a trackable money trail as well as evidence of communication.

“This is difficult for security vendors to spin,” he said. “Much like with RSA, Symantec has to tell their base about the security risk of the breach. There are some that believe a vulnerability should not be announced until there is an actionable correction, but in this case [Symantec] cannot let customers proceed without knowing the risk ... It truly speaks to how difficult cyber security is if leading vendors RSA and Symantec cannot protect their own intellectual property.”

Paden said the company expects the hackers to post the rest of the code in their possession. However, both of the remaining products -- Norton SystemWorks and Norton Antivirus Corporate Edition -- no longer exist.

YamaTough promised on Twitter that the source code for Norton Antivirus was forthcoming.
