Earlier this month an Indian hacking group published source code for two of Symantec’s enterprise security programs, which the company claimed was stolen from a third-party source. Tuesday the plot thickened to a point of near-total confusion as Symantec admitted A) it was their network that was hacked, B) a lot of other code – including Norton Antivirus – got stolen, and C) it all happened in 2006.
It now turns out that not only was code was stolen for enterprise security programs Endpoint Protection 11.0 and Antivirus 10.2, but also Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere.
The company says the code was taken in a previously unreported 2006 infiltration of its systems. Not to worry, though. Symantec has assured the world that that the code is old and thus cannot hurt us. “Due to the age of the exposed source code … Symantec customers – including those running Norton products – should not be in any increased danger of cyber attacks resulting from this incident.”
Others beg to differ. Not just any others but John Viega who used to work at McAffee as CTO and VP of engineering for the software-as-a-service business unit and before that was McAfee’s chief security architect.
“The fact of the matter is it’s highly unlikely that Symantec completely rebuilt its AV product in six years and deployed a new, ground-up version to all of its customers – especially when trying to maintain compatibility with old signatures,” says Viega, now executive vice president of products and engineering at Perimeter E-Security. “If there is any lingering code from the 2006 version at all, there is significant risk of a security threat by people accessing the source code. The unfortunate reality is that security flaws can stay in products for decades without detection, despite frequent security reviews and product enhancements.”
Viega calls Symantec’s explanation for the events “implausible” and it’s hard for anyone to argue with that. If the company’s account is true it means that either the company didn’t know about the break-in for six years or it knew about the break-in but didn’t know what got taken. Either version is more believable than what we’ve been told and raise even more questions about the security company’s own security and trustworthiness.