Thursday, January 26, 2012

Oops: pcAnywhere, Symantec's 2006 Norton Antivirus Hacked

"Norton users warned: Disable pcAnywhere"
New Zealand Herald (January 27, 2012) (it's 'tomorrow' there: International Dateline)

"Symantec is recommending that users of its pcAnywhere software disable the product following the theft of source code from the US computer security firm.

" 'At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks,' the Mountain View, California-based company said.

"Symantec, in a technical white paper posted on the firm's website, said the vulnerability to pcAnywhere, which allows for remote PC to PC connections, is the result of a 2006 theft of source code by hackers.

" 'We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere,' Symantec said...."

That's no typo: It's the 2006 versions of Symantec products that got hacked. Apparently Symantec learned about the lapse in security recently. And - incredibly - didn't acknowledge that it was a major issue until very recently.

After last year's multiple high-profile hacks of commercial accounts, you'd think Symantec would have been a bit less diffident about telling customers what was going on.

Maybe they didn't realize how serious the problem was, themselves.

Hacks Happen

"Don't use our software, security firm Symantec warns customers" (January 26, 2012)

"Symantec is advising customers to disable one of its products, after hackers revealed the theft of the underlying code powering the software earlier this month.

"The security firm said the theft occurred in 2006, compromising 2006-era version of Norton Antivirus Corporate Edition, Norton Internet Security and Norton SystemWorks. More important was the theft of the code behind the remote access package pcAnywhere, which could allow malicious users to gain complete access to systems and data, experts warn.

" 'Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks,' the company wrote in an online statement about the hacking...."

Here's how the Lemming sees this news:
Last year, Sony tried - and failed - to placate customers by telling them that a little hack had happened, and that Sony would tell their customers if it was important.

25,000,000 compromised accounts later, Sony started acknowledging that maybe customers might care about their credit card information being in the hands of whoever had broken into Sony's databases. Not, in the Lemming's opinion, smart customer relations.

Back to that article:


"...The new advice is a marked change from earlier comments from the company, which at first downplayed the significance of the hacking, said Ira Victor, a security expert with Data Clone Labs in Nevada.

" 'At first, Symantec said that customers do not need to take additional actions in light of the breach,' Victor told 'Now Symantec has changed their tune.'

"Indeed, experts queried by in January labeled the incident more of a business risk than anything else -- one that may lead to a loss of confidence in Symantec and potential loss of market share for the publicly traded firm...."

"Business risk?" "Loss of confidence?" Yeah, the Lemming sees how that might be the case. Maybe Symantec's techs really thought that compromised source code for antivirus software wasn't reason for concern. Maybe they even had good reason for thinking so.

Or, maybe we're looking at a company that made a major boo-boo, and whose executives are desperately hoping that no major catastrophe happens. Or has already happened.

Right now, it looks like a best-case situation for Symantec is that they've got a really big public relations problem on their hands. More seriously, Symantec's initial 'don't worry' advice turning to 'unplug our product' suggests that someone goofed: big time.

Back to that article, again:

"Embarrassing?" It Could Get Worse

"...'The headline is very embarrassing to Symantec,' Anup Ghosh, founder and CEO of Virginian security firm Invincea, told at the time. 'But this has now become the normal in securities. Every single corporation is susceptible to threats.'...

"...'It's possible that Symantec "hardcoded" encryption keys into PCAnywhere,' [security expert with Data Clone Labs in Nevada, Ira] Victor said. 'If true, that would be a serious security mis-step.'..."
The article ends with a four-point list from Ira Victor. It sounds like pretty good advice. Here's a summary:
  1. Don't use a single company's "suite" of security protection
    • Use 'best of' from several
  2. Remote access security should be more than 'username and password'
  3. Don't run computers in "Administrator" mode
  4. Application "whitelisting" is a good idea
Bear in mind that the Lemming isn't a 'security expert.' Please: do your own research.

And remember that "password" isn't a good password.

Brigid said...

Missing an end single quote: "should be more than 'username and password"

The Friendly Neighborhood Proofreader

Brian Gill said...

Found, fixed, and thanks!
