This week Symantec's tussle with a hacker went public.
The company admitted that it had been breached in 2006 when the source code for its Norton software was stolen. According to Reuters, this was specifically the source code to Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere.
Symantec initially denied this, saying the application programming interface for Symantec's virus definition generation service was stolen and not the source code.
Then the story fell silent for a time; hacktivists such as Anonymous revelled in the attack and breach, and Symantec encouraged pcAnywhere users to disable the software, saying that customers were at increased risk of being hacked since the blueprints to the software were stolen.
However, it seemed that while the story fell silent, the reality was that Symantec was locked in ‘negotiations' with a hacker over a ransom demand. Posted here, the hacker who calls himself ‘YamaTough' and claims to be a member of the Anonymous affiliate ‘Lords of Dhamaraja', attempted to get $50,000 from Symantec, whose employee Sam Thomas seemed to be the point of contact for the security company.
Thomas asked for assurances from YamaTough on the code; there were problems transferring samples of code (apparently to prove its authenticity), to which YamaTough said: “If we detect any malevolent tracing action we cancel the deal.”
An exchange of words occurred on 25 January, the same date that pcAnywhere users were warned to disable the software, when YamaTough said: “If we dont [sic] hear from you in 30 [minutes] we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code”; to which Thomas said: “We are not trying to trick you. You said you had the pcAnywhere code and we were just being cautious. What would you have us do? We really don't want our code out there. How do you want to proceed?”
The conversation then moved on to money, with YamaTough saying on 30 January that he could offer no guarantee that he wouldn't come back for more.
He said: “We are afraid if you can not comply we proceed with the release. You have to trust us on this one, if we were really bad guys we would have already released or sold your code at the time of exchanging emails with you which is almost a month – and we kept silent all that time and stuck to our word given to you. So – no guarantees – trust us – we won't come back and won't manipulate the code.
“At least it is worth a try and we assure you we are man of honour we keep our promise. What you are going to get if no agreement reached? We both know. Partial release of code – official auction bidding on some of it – zero-day exploitation. That happens as soon as we understand your negative call. As of files sent to you partially – we are getting tired of all this please do not make us more angry than we already are you know we got the full line so please nothing is going to be send to you once again [sic].”
What would you do? Symantec began offering an initial $1,000 and said "you threatening to release the code is not helping the situation". Another message sent on 1 February offered $50,000 but requested "assurances that you are not going to release the code after payment".
Thomas offered $2,500 a month for the first three months and, after that, wanted proof that the code had been destroyed before the remainder of the balance would be paid.
The next day YamaTough said: “I am afraid we have to cancel the whole deal because our offshore people won't let us securely get the money because they wont [sic] process amounts less than 50k a shot. Therefore we are afraid we can not proceed with you on the conditions offered.” Next YamaTough demanded a reaction within ten minutes at the start of this week, and said the next action would be a code release on Pirate Bay; Symantec later confirmed to ZDNet that the code was genuine.
In a statement, Symantec confirmed that the source code for pcAnywhere was posted publicly and said it was part of the original cache of code for 2006 versions of the products that Anonymous has claimed to possess in the past few weeks.
It also said that it anticipated Anonymous will post the rest of the code, including the code for the 2006 versions of Norton Antivirus Corporate Edition and Norton Internet Security.
“As we have already stated publicly, this is old code and Symantec and Norton customers will not be at an increased risk as a result of any further disclosure related to these 2006 products,” he said.
Symantec also said that it worked closely with law enforcement given the attempted extortion and apparent theft of intellectual property and denied that it ever made any offer to meet the hackers' extortion demands.
Graham Cluley, senior technology consultant at Sophos, said he suspected that ‘Sam Thomas' wasn't a Symantec employee at all, but instead working for the FBI.
He said: “With customers reassured by Symantec that the illegal theft and distribution of the source code poses no increased risk, the company will be keen to put this episode behind it and move on.
“Symantec seems to have done the right thing throughout this incident – investigating what occurred, and openly sharing with its users what it discovered about a security breach from years before. Furthermore, they recognise that they have been victims of a criminal act and have called in the authorities to investigate and (one hopes) bring the culprits to justice.”
I spoke to cyber security analyst Jeffrey Carr and asked him if he felt this episode had been a PR disaster for Symantec – or did they come out well by not bowing to a hacker's ransom?
He said it will continue to be a fiasco for Symantec. He said: “Symantec shouldn't have offered a penny for their code. It's the equivalent of Obama asking if Iran would return our drone to us, it's demeaning and weak. It's gone.
“Evaluate how much damage can be done and start re-writing your code to circumvent possible exploits. Be open and honest with the public and your customers. Acknowledge how badly you screwed up and tell us what changes you're making to ensure that it never happens again.”
So I asked if Symantec had any choice but to meet the ransom demands in this matter; Carr said: “Yes, of course they did! They can't buy it back with any confidence that a copy of the code wouldn't be kept or that zero-day exploits weren't being written during the negotiations to be saved for later use.
“To even think that's possible is completely naive on Symantec's part. Once source code is stolen, you have to consider it completely compromised. You cannot recover from that breach without doing what I said earlier. Evaluate the potential for future zero-day attacks against that product or products and re-write your code to anticipate and circumvent it.”
I spoke to black hat 'Pr0f', who was behind the attack on the SCADA-based system at the Houston water plant last year; I asked whether he had heard of using source code for extortion, and he said he had not, but it was "not really that surprising".
He said: “I can't say I approve of the extortion itself, though, that's just sheer blackmail.”
He also said getting source code is not particularly easy and it would almost be too valuable to release immediately, as an attacker had time to look for exploits without having to fuzz the application. “I'm not surprised that the source code here is actually half a decade old,” he said.
I also asked both Carr and 'Pr0f' about the possibility of Sam Thomas being an FBI agent rather than an employee. Carr said this is believable as he could not find anyone by that name related to Symantec on LinkedIn.
'Pr0f' said there is no guaranteed way to know if you're talking to an FBI agent or a real employee in that situation, but all it takes is a Google search.
For the future, Carr said he would not be surprised to see new zero-day attacks mounted against Symantec products as a result of this major breach, but I am sure this security giant will have protections against such efforts. Yet with RSA and VeriSign attacks in recent memory, nothing is certain.