Symantec: We Didn’t Know in 2006 Source Code Was Stolen

Anti-virus giant Symantec says it did not know back in 2006 that source code for its software was stolen when it experienced a breach at that time.

The company surprised the public last week when it disclosed that hackers had obtained source code for its pcAnywhere software and other products, and that the code had likely been stolen in a six-year-old breach that Symantec had never disclosed.

Symantec said in its announcement that users should disable pcAnywhere until the company had time to update the software to ensure that hackers are unable to exploit holes they might find in the code.

The pcAnywhere software is a popular remote access program that lets administrators get into computers to troubleshoot and also allows mobile users on the road to access content on their office desktop. It’s also installed on point-of-sale terminals in stores and restaurants to allow administrators to update software that’s used to process the information on credit and debit cards as they’re scanned at a register check-out.

What was unclear from Symantec’s disclosure, however, was just how long Symantec had known its source code had been breached. The statement left open the question of whether Symantec knew in 2006 that its source code was taken and only disclosed it this month after hackers claimed to have it.

But Symantec spokesman Cris Paden told Threat Level that the company did not know before this month that the pcAnywhere source code had been stolen.

“We knew there was an incident in 2006,” he told Threat Level. “But it was inconclusive at the time as to whether or not actual code was taken or that someone had actual code in their hands.”

Following the public claim of hackers earlier this month that they had source code for pcAnywhere, Norton Utilities and other products, Paden said the company went back through its logs and records and “put 2 and 2 together that there was a source code theft.”

Asked to clarify that the company indeed maintained six-year-old server logs that it could go back and examine, Paden said, “We keep logs as far back, as long as we have had software to keep logs.”

Paden said he did not know how the company missed signs in 2006 that source code was stolen.

“We’re still gathering information on that,” he said. “All of those people who were [here] in 2006 are gone. There is no institutional memory, so we are having to rely on data and logs to piece together what happened and what was going on. So you can imagine it’s difficult to reach back six years to figure out what happened.”

Earlier this month, someone calling himself “Yama Tough” from the “Lords of Dharmaraja” posted online that he possessed the pcAnywhere source code and was distributing it to other hackers.

A Twitter user named “anonymouSabu,” who is associated with online vigilante group Anonymous, tweeted that “Lords of Dharmaraja has sent #antisec Symantec source codes for 0day-plundering. All your NU+PCAnywhere base are belong to us. Release soon.”

He then tweeted: “They’re upset we reverse engineered their client to bypass authentication and are taking over corp pcanywhere servers.”

This was not the first time that “Lords of Dharmaraja” claimed to have Symantec code. Previously the group claimed it had uncovered source code for several Symantec products on servers belonging to India’s military intelligence agency. The group published a memo purporting to reveal that Symantec had provided the Indian government with its source code for surveillance purposes, though the memo was later shown to be fraudulent.

Symantec acknowledged at the time that segments of source code the hackers posted online and passed to reporters belonged to two of its products, but said the code was from old versions of two enterprise programs. Its consumer products did not appear to have been touched and the company noted that the breach had been at a third-party entity, and did not involve Symantec’s own servers.

The company had to revise that statement once the hackers made their new claims about pcAnywhere. That’s when Symantec went back through records of its 2006 breach to see if there was a connection.

“We believe that source code for the 2006-era versions of the following products was exposed,” the company subsequently wrote in a statement. The programs that were compromised included pcAnywhere as well as Norton Internet Security and Norton System Works (Norton Utilities and Norton Go Back) and Norton Antivirus Corporate Edition.

Paden said the company doesn’t know if the “Lords of Dharmaraja” stole the code from its servers in 2006 or obtained the code from someone else who stole it. One thing is certain, he said, Symantec never gave the Indian government its source code.

“We looked over our records and there is nothing that indicates that we ever shared any kind of code with the Indian government, ever,” he said. “It would be a big deal if we did. That is usually a long process that takes weeks if not months. It involves the CIO officer, the CTO, legal, and government relations. And they would have to come to one of our secure facilities in the U.S. So that has never happened. . . . If [the Indian government] had it, we don’t know how they got hold of it.”

Photo: cytech/flickr