New Zealand Herald (January 27, 2012) (it's 'tomorrow' there: International Dateline)
"Symantec is recommending that users of its pcAnywhere software disable the product following the theft of source code from the US computer security firm.
" 'At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks,' the Mountain View, California-based company said.
"Symantec, in a technical white paper posted on the firm's website, said the vulnerability to pcAnywhere, which allows for remote PC to PC connections, is the result of a 2006 theft of source code by hackers.
" 'We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere,' Symantec said...."
That's no typo: It's the 2006 versions of Symantec products that got hacked. Apparently Symantec learned about the lapse in security recently. And - incredibly - didn't acknowledge that it was a major issue until very recently.
After last year's multiple high-profile hacks of commercial accounts, you'd think Symantec would have been a bit less diffident about telling customers what was going on.
Maybe they didn't realize how serious the problem was, themselves.
Hacks Happen
"Don't use our software, security firm Symantec warns customers"FoxNews.com (January 26, 2012)
"Symantec is advising customers to disable one of its products, after hackers revealed the theft of the underlying code powering the software earlier this month.
The security firm said the theft occurred in 2006, compromising 2006-era version of Norton Antivirus Corporate Edition, Norton Internet Security and Norton SystemWorks. More important was the theft of the code behind the remote access package pcAnywhere, which could allow malicious users to gain complete access to systems and data, experts warn.
" 'Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks,' the company wrote in an online statement about the hacking...."
Here's how the Lemming sees this news:
- Hacks happen
- "King County Scam Email: The Lemming Got One, Too"
(December 18, 2011)
- "King County Scam Email: The Lemming Got One, Too"
- Ignoring the problem doesn't work
- "Lemming Tracks: Bad News From Sony; and Getting a Grip"
(May 3, 2011) - "Sony PlayStation: No Network, No Explanation; Big Trouble"
(April 26, 2011)
Particularly
- "Lemming Tracks: Bad News From Sony; and Getting a Grip"
- Hacks aren't always as bad as they seem
- "Citibank Card Data Hacked!! (but keep reading)"
(June 9, 2011)
- "Citibank Card Data Hacked!! (but keep reading)"
25,000,000 compromised accounts later, Sony started acknowledging that maybe customers might care about their credit card information being in the hands of whoever had broken into Sony's databases. Not, in the Lemming's opinion, smart customer relations.
Back to that FoxNews.com article:
From 'No Worries' to 'SHUT THEM DOWN! SHUT THEM ALL DOWN!!'
"...The new advice is a marked change from earlier comments from the company, which at first downplayed the significance of the hacking, said Ira Victor, a security expert with Data Clone Labs in Nevada." 'At first, Symantec said that customers do not need to take additional actions in light of the breach,' Victor told FoxNews.com. 'Now Symantec has changed their tune.'
"Indeed, experts queried by FoxNews.com in January labeled the incident more of a business risk than anything else -- one that may lead to a loss of confidence in Symantec and potential loss of market share for the publicly traded firm...."
(FoxNews.com)
"Business risk?" "Loss of confidence?" Yeah, the Lemming sees how that might be the case. Maybe Symantec's techs really thought that compromised source code for antivirus software wasn't reason for concern. Maybe they even had good reason for thinking so.
Or, maybe we're looking at a company that made a major boo-boo, and whose executives are desperately hoping that no major catastrophe happens. Or has already happened.
Right now, it looks like a best-case situation for Symantec is that they've got a really big public relations problem on their hands. More seriously, Symantec's initial 'don't worry' advice turning to 'unplug our product' suggests that someone goofed: big time.
Back to that article, again:
"Embarrassing?" It Could Get Worse
"...'The headline is very embarrassing to Symantec,' Anup Ghosh, founder and CEO of Virginian security firm Invincea, told FoxNews.com at the time. 'But this has now become the normal in securities. Every single corporation is susceptible to threats.'..."...'It's possible that Symantec "hardcoded" encryption keys into PCAnywhere,' [security expert with Data Clone Labs in Nevada, Ira] Victor said. 'If true, that would be a serious security mis-step.'..."
(FoxNews.com)
FoxNews.com ends with a four-point list from Ira Victor. It sounds like pretty good advice. Here's a summary:
- Don't use a single company's "suite" of security protection
- Use 'best of' from several
- Remote access security should be more than 'username and password'
- Don't run computers in "Administrator" mode
- Application "whitelisting" is a good idea
And remember that "password" isn't a good password.
Related posts:
- "Move Over, Sony: Sega Joins 'We Were Hacked' Club"
(June 19, 2011) - "Cloud Computing, Dropbox, and the Postcard Principle"
(May 13, 2011) - "Microsoft Windows Exploit Code Went Public"
(January 4, 2011) - " 'Here You Have' - Nitwits on the Net"
(September 12, 2010) - "Google Gmail Hack: a Followup"
(January 19, 2010)
2 comments:
Missing an end single quote: "should be more than 'username and password"
The Friendly Neighborhood Proofreader
Found, fixed, and thanks!
Post a Comment