Symantec source code stolen: the extortion, investigation, and release

After a number of threats, hacker collective Anonymous has released what it claims is the source code for Symantec's Norton AntiVirus 2006. The code was allegedly stolen, along with the source for several other Symantec products, after a security breach back in 2006. A hacker group called "YamaTough" attempted to extort money from Symantec in exchange for destroying the code back in February, and the alleged code for the company's pcAnywhere software was released on The Pirate Bay soon thereafter.

Now AntiSec, an Anonymous affiliate, has released a 1.07GB file on TPB titled "Symantec Norton AntiVirus 2006 All Platform Source Code." As with the previous release, Symantec says that it is currently analyzing the code to determine its authenticity, and has told The Inquirer that it expects the code for Norton Internet Security 2006 to be released at some point as well. However, the company has also said that users shouldn't worry, as the stolen source was "old code" and that customers "will not be at an increased risk as a result of any further disclosure related to these 2006 products."

Protracted extortion negotiations with a hacker threatening to release stolen source code for several Symantec products ended yesterday with the code for pcAnywhere surfacing on The Pirate Bay. While Symantec has claimed it never had any intention of paying the $50,000 fee, and that the negotiations were part of a law-enforcement operation, the hacker in question has now told Reuters that he was always going to release the code. "We tricked them into offering us a bribe so we could humiliate them," said YumaTough, thought to be part of the Anonymous-affiliated Lords of Dharamaja group.

According to the report, Symantec is already expecting the source code for additional programs to be released by the group as well — Norton AntiVirus was one application mentioned in email exchanges between YumaTough and a law-enforcement official posing as a Symantec employee — but the company again reiterated that any such leaks wouldn't put their customers in danger. "As we have already stated publicly, this is old code," company spokesperson Cris Paden said, "and Symantec and Norton customers will not be at an increased risk as a result of any disclosure." The code was originally stolen in a network breach in 2006, but Symantec claims all current versions of its software will be immune to any attacks based upon vulnerabilities discovered in the 2006 versions.

Symantec has told Forbes that the "Sam Thomas" in the email exchanges isn't a real employee of Symantec at all, but rather a fictional persona used by an unnamed law-enforcement agency that has been conducting the negotiations as part of a sting operation. "When they came to us with what was for all intents and purposes extortion, we went to law enforcement," said Symantec spokesperson Cris Paden. "From that point on, we turned over the investigation to them." No matter what the strategy, it would appear that things have not gone as planned: a 1.27GB file purporting to be the pcAnywhere source code surfaced Monday on The Pirate Bay. Symantec is still analyzing the code to verify its authenticity, but claims that even in a worst case scenario any attacks based upon the 2006 source code would be easily avoided by current versions of its software. The stolen source code for Norton AntiVirus has yet to be spotted in the wild.

Symantec has been scrambling to address a security breach from 2006 that revealed some of its source code, and now it is addressing concerns over how it originally handled the incident. At issue is whether or not the company should have realized back in 2006 that its source code had been stolen.

Symantec originally said that the stolen code only concerned four and five-year-old versions of some business-centric software, and since then the company admitted that corporate users of the company's pcAnywhere remote-access software should stop use of the program to minimize the possibility of a cyberattack. While the software vulnerabilities appear to be handled, some of the company's statements have made it sound like it was aware of the incident back in 2006 — and opted to cover it up.

Several years after the theft of source code for several of its security products, Symantec has recommended that users of pcAnywhere, which allows users to remotely connect to another computer, disable the software until further notice. In a security white paper (PDF), the company said it believes a 2006 security breach exposed source code for several programs, including the corporate version of its popular Norton Antivirus software. However, only pcAnywhere is considered at risk of someone finding and exploiting vulnerabilities in the software. Symantec says that unless pcAnywhere use is absolutely vital, customers should block the ports that accept pcAnywhere connections and avoid using the software until "until Symantec releases a final set of software updates that resolve currently known vulnerability risks."

This information isn't completely new — early this month, Symantec admitted that code for some older versions of its products had been stolen. At that time, however, the company said that since the products had been updated several times since, there was "no indication that the code disclosure impacts the functionality or security of Symantec's solutions." Then, last week, hackers who associate themselves with Anonymous began threatening to release source code for a number of Symantec products. Customers using most products should still be fine, but it looks like the source code hack has made Symantec more vulnerable than it previously believed.