
Attacks/Breaches

1/26/2012 06:51 PM

Six-Year-Old Breach Comes Back To Haunt Symantec

Security firm warns users to halt use of pcAnywhere until it finishes patching it, but says older Norton products not at risk from previously 'inconclusive' 2006 security incident

There are security advisories and there are patches, but rarely are there outright warnings from a software vendor -- much less a security vendor -- to its customers to stop running one of its products. That’s the latest twist in a recently revealed breach that exposed some source code in Symantec’s software.

In an unusual move, Symantec yesterday issued an advisory and released a white paper warning its customers to stop running its pcAnywhere software altogether for now. The company released a patch that fixes some vulnerabilities (PDF), including one that allows remote code execution, and says more patches are forthcoming.

The move was a drastic shift in Symantec's reaction to the breach when it first came to light earlier this month: The security firm at that time confirmed that "a segment of its source code" had been exposed, but said that it did not affect the Norton line of products and that the breach had occurred via a third party, not on Symantec's own network.

Last week the company revealed it had indeed been hacked in 2006, and that source code for several of its software products was exposed.

The exposed source code specifically affects the older 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and pcAnywhere. The current versions of all of these products -- except for pcAnywhere -- are safe from any fallout of the breach, according to Symantec.

Why the lag time between the 2006 breach and today's warning?

Brian Modena, director of worldwide communications for Symantec, says the company’s findings of a security incident in 2006 at the time were “inconclusive.”

"Symantec was aware that an incident occurred in 2006. We investigated the incident, but our findings were inconclusive at the time," Modena says. It was when the company learned that the Anonymous hacktivist group had gotten hold of its source code that the company went back to reinvestigate the incident of six years ago.

“It was clear that Anonymous was in possession of the code that was stolen, and that was when it was confirmed to us that code had been stolen for sure. Having said that, we have yet to determine who stole the code in 2006,” Modena says. “Anonymous was in possession of it in 2012, but that does not mean they actually stole it; we think not, given that Anonymous didn’t exist in 2006, and we most assuredly would’ve heard about it during the preceding years.”

While an Anonymous-affiliated group has claimed to have stolen the source code from an Indian government agency, Symantec has no record of sharing any code with any government agencies in India, Modena says.

The so-called Lords of Dharmaraja hacking clan claims to have grabbed Symantec's Norton antivirus source code.

It's not unusual for a company to initially be unable to tell what was stolen in a breach or how one breach is connected to another. "Honestly, the toughest part of incident response is being able to tell what the bad guy took," says Richard Bejtlich, CSO at Mandiant. "It can be fairly difficult to connect the dots to say what happened at one point and how it related to something else ... [Symantec] probably took a second look at their forensic evidence," he says.

[Questions surround 'Lords of Dharmaraja' hackers behind attacks on Symantec and others. See China Not The U.S.'s Only Cyber-Adversary.]

It is the encoding and encryption components of pcAnywhere that are vulnerable in the wake of the breach: Attackers could mount man-in-the-middle attacks and steal credentials or sniff session information, according to Symantec. Another consequence is that an attacker could initiate malicious remote-control sessions to steal information or gain access to systems. "If the malicious user obtains the cryptographic key, they have the capability to launch unauthorized remote control sessions," according to Symantec's white paper.

The worst-case scenario for pcAnywhere is that the bad guys who have the source code can find new bugs and write new exploits. "Additionally, customers that are not following general security best practices may be susceptible to man-in-the-middle type attacks, which can reveal authentication and session information," Symantec's Modena says.

Security experts say Symantec's recommendation to halt use of its software is highly unusual and indicates that another shoe could drop.

“I can’t think of any other time a company has come outright and said, 'Stop using our product until we patch it,’” says Chris Eng, vice president of research at Veracode, who notes that the advisory reveals some interesting points when it comes to the remote code execution vulnerabilities. "It looks like it allows remote source code execution on the server without authentication. If so, that's a big deal.

"Those sorts of things -- remote command execution, remote code execution -- get reported all the time, but they never say, 'Discontinue use of the product,'" Eng says.

Meanwhile, Symantec says users should move to version 12.5 of pcAnywhere and install the latest patches, including the Jan. 24 patch for the Windows version. "Additional patches are planned for pcAnywhere 12.0, pcAnywhere 12.1, and pcAnywhere 12.5 in the coming weeks. Symantec will continue to issue patches as needed until a new version of pcAnywhere is released," Symantec's Modena says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
joes12, User Rank: Apprentice, 1/30/2012 | 4:45:17 AM
re: Six-Year-Old Breach Comes Back To Haunt Symantec
But this breach has created high risk for Symantec users, and Symantec themselves have told their users to uninstall their products.
paparocks, User Rank: Apprentice, 1/27/2012 | 2:11:26 PM
re: Six-Year-Old Breach Comes Back To Haunt Symantec
I recall reading in an article a few days ago the statement that this was stolen from an Indian source came from Anonymous. Anonymous's actions are concerning enough without misquoting the sources. Let's remember this act is an attack on people, and who the bad guys are here, please.