Symantec's Security Slips

Why does bad news always travel fast unless it's something you could actually guard against?

Symantec put out the word Tuesday night that end users – consumers, not just enterprise customers as it had said before – were at risk from hackers who stole source code for its pcAnywhere remote-access software.

Symantec advised all pcAnywhere users to shut the software down until Symantec could patch it.

The company even put out a white paper (PDF) explaining the risk, how it happened, and why a vendor would take so drastic a step as recommending customers stop using a product that was hacked rather than just change passwords or use other security precautions.

Previously Symantec had said its more corporate products were the main ones affected – the 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security and Norton SystemWorks.

Later Symantec said the stolen code was so old the theft posed no risk to current customers.

Having the source code declared "old" should be real comfort to anyone still using the old versions. It should disturb those using more recent versions, too.

As with all modern commercial software, Symantec's recent apps share plenty of code, interfaces and other features that make the software more backward compatible with older versions for companies that don't upgrade everything all at once.

Those same features aimed at users, of course, also provide forward-compatibility for hackers using old source code to find back doors in new commercial apps.

Of course, Symantec also said that Symantec itself remained inviolate despite the theft.

The 2006 hack that got a group called the Lords of Dharmaraja the source code of its corporate products was at an Indian company that may have been sharing the code with the Indian government – a major security risk.

Later, of course, Symantec admitted its servers were the ones that got pwned, and by a good old-fashioned American enemy – Anonymous – not some far-off group of foreign hackers with a strange name who probably had magical powers, anyway.

In fact, the Lords of Dharmaraja are pretty well known in India, have worked with Anonymous in the past, and are just as willing and able to scam Symantec with fake stories about corruption in the Indian military as Anonymous was to claim it was replacing its Low Orbit Ion Cannon DDoS-attack-automation software with something more effective.

(The "something more effective" wasn't a hacking tool, btw. It was the Occupy movement.)

Symantec: False Reassurances

Symantec gets credit for continuing to issue updates, even when the updates made it look worse than it did at first.

That minor credit pales in comparison to the demerit it gets for not realizing its own servers had been hacked five years before and the source code of its key products stolen.

It should also stand and explain why it followed the same pattern of response following the pcAnywhere hack that it did last fall, when SSL certificates from its VeriSign subsidiary were stolen and eventually used in attacks on a range of U.S.-based companies.

Together with certificates stolen from RSA and eventually used in attacks on Lockheed Martin and other defense contractors, the two certificate thefts seriously undermined the security of nearly every high-security facility, nearly all of which use public keys and SSL certificates as a primary way to authenticate users securely.

Anonymous may have been behind the pcAnywhere theft, but it appears the certificate thefts were from a more serious opponent.

That just makes it more important that Symantec or any other security company fess up right away to attacks and whatever the worst potential scenario might be, to allow customers to prepare their own defenses.

It's bad enough if you're Microsoft and a big security issue slows someone's productivity or makes it easier for snoops to read a stranger's email or documents.

It's much worse if that customer is counting on you to help keep a whole company secure.

That role puts a heavier responsibility on the vendor – the responsibility to admit up front how bad a problem could be and help ameliorate it, not just dribble out the bad news a bit at a time so customers don't get frightened for their safety and lose respect for the vendor.

Much better that they should feel safe for the few weeks it takes whoever stole the source code to get around to robbing them.

You can't underestimate the impact of bad news, or (apparently) the need for major vendors to ration the kind of news that helps customers but makes vendors look bad.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
