A group of hackers has released the source code for Symantec's PCAnywhere product.
The public release of the code yesterday came as no surprise as the hackers had been threatening such an action in a series of e-mail negotiations with what they thought were representatives of Symantec. The group, known as Yamatough but operating under the umbrella of Anonymous, had been demanding a $50,000 payoff from Symantec to keep the source code private.
Yamatough was actually negotiating with law enforcement officials posing as Symantec representatives in an attempt to draw out the group. But a "spokesperson" for Yamatough told Reuters that it never intended to take the money and just wanted to humiliate Symantec and still release the code.
Symantec spokesman Cris Paden confirmed to CNET that the posted source code was for PCAnywhere. But he reiterated that the stolen code was from 2006 and said that the company prepared for its release with a series of patches to update the software.
"Symantec was prepared for the code to be posted at some point, and has developed and distributed a series of patches since January 23 to protect our users against known vulnerabilities," Paden said. "We have been conducting direct outreach to our customers since January 23 to reiterate that in addition to applying all relevant patches that have been released, customers should also ensure that PCAnywhere version 12.5 is installed, and follow general security best practices."
On January 23, Symantec released a patch to secure PCAnywhere 12.5. And then on January 27, the company rolled out another patch directed toward PCAnywhere versions 12.0 and 12.1.
The hackers, who call themselves The Lords of Dharmaraja, originally claimed they found the code after breaking into servers run by Indian military intelligence. But Symantec later revealed that the group had captured the code for PCAnywhere and other products by breaking into the security vendor's own network in 2006.
Symantec had initially warned PCAnywhere customers to disable the software but then declared the product safe again after it released the security patches.
Yet the story is far from over.
The hackers also managed to grab code for other Symantec software, including Norton Antivirus Corporate Edition, Norton Internet Security, and Norton SystemWorks. So the company is expecting a few more public source code unveilings.
"We anticipate that Anonymous will post the rest of the code they have claimed to have in their possession," Paden told CNET. "So far, they have posted code for the 2006 versions of Norton Utilities and PCAnywhere. We also anticipate that at some point, they will post the code for the 2006 versions of Norton Antivirus Corporate Edition and Norton Internet Security."
But Symantec has insisted that since all the source code dates back to 2006, customers of the current versions of these products are at no risk. Though that may be true, the entire incident does raise the question of how a security vendor, of all companies, would be so vulnerable that its key source code could be stolen.
Paden told CNET that Symantec is still investigating the incident and has no information to provide.
"As the extortion attempt by Anonymous indicates, we're working with law enforcement right now," he said. "Therefore, given the active investigation, we're not in a position to provide specifics on the incident at this time."
But he outlined a series of steps the company has since taken to shore up its defenses as part of an ongoing effort and not necessarily in response to the source code theft.
- Improved Network Defenses. This includes enhanced network monitoring, improved endpoint security, and additional data loss protection strategy and controls.
- Compartmentalized Access to Information. Specific controls were introduced to help ensure that employees were only able to access the resources associated with their roles and responsibilities.
- Improved Source Code Security. We have significantly strengthened/hardened our network and server defenses around our source code repository.
- Improved Process Controls. We also removed many non-essential legacy domains to help ensure our overall network security and redeveloped additional processes with respect to development and security controls.
- Employee Education. Symantec redeveloped our internal security awareness and training processes to help employees recognize and respond to suspicious behavior.
Of course, customers won't know if the new security methods are bulletproof unless another security breach happens. But it sounds like the company has beefed up its defenses since 2006, hopefully reducing the chance of a similar code theft occurring again.
Updated 10:30 a.m. PT with response from Symantec.