Symantec's New Explanation of Source Code Theft Doesn't Make Sense
Company now says code -- including Norton Antivirus -- was stolen from them in 2006 but we shouldn't worry. Right.
Earlier this month an Indian hacking group published source code for two of Symantec’s enterprise security programs, which the company claimed was stolen from a third-party source. Tuesday the plot thickened to a point of near-total confusion as Symantec admitted A) it was their network that was hacked, B) a lot of other code – including Norton Antivirus – got stolen, and C) it all happened in 2006.
It now turns out that not only was code was stolen for enterprise security programs Endpoint Protection 11.0 and Antivirus 10.2, but also Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere.
The company says the code was taken in a previously unreported 2006 infiltration of its systems. Not to worry, though. Symantec has assured the world that that the code is old and thus cannot hurt us. “Due to the age of the exposed source code … Symantec customers – including those running Norton products – should not be in any increased danger of cyber attacks resulting from this incident.”
Others beg to differ. Not just any others but John Viega who used to work at McAffee as CTO and VP of engineering for the software-as-a-service business unit and before that was McAfee’s chief security architect.
“The fact of the matter is it’s highly unlikely that Symantec completely rebuilt its AV product in six years and deployed a new, ground-up version to all of its customers – especially when trying to maintain compatibility with old signatures,” says Viega, now executive vice president of products and engineering at Perimeter E-Security. “If there is any lingering code from the 2006 version at all, there is significant risk of a security threat by people accessing the source code. The unfortunate reality is that security flaws can stay in products for decades without detection, despite frequent security reviews and product enhancements.”
Viega calls Symantec’s explanation for the events “implausible” and it’s hard for anyone to argue with that. If the company’s account is true it means that either the company didn’t know about the break-in for six years or it knew about the break-in but didn’t know what got taken. Either version is more believable than what we’ve been told and raise even more questions about the security company’s own security and trustworthiness.
Previous Post: Zappos' hack can be used to gain marketing's support for security effortsNext Post: House and Senate Shelve SOPA, MegaUpLoad MegaShutDown and Other Big Stories...
What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Most Discussed Posts
Cloud computing has emerged as one of the most significant game changers to hit the technology landscape in the past 20 years. With this massive expansion of the cloud, the perception of the IT organization is shifting from a utility player to a change agent. This eBook breaks down five ways progressive organizations are using cloud-based IT Management solutions to help drive innovation and become more strategic, including: adding visibility and analytics, speeding up time-to-value, lowering costs, improving prioritization, and providing a blueprint for future cloud deployments.
Read the white paper to see how IBM helped Citigroup deliver new services and enhancements to their 200 million customers faster.
There are 3 ways to modernize legacy applications: rewrite completely, acquire packaged solutions or migrate existing code. This paper explains why it's best to migrate and how IBM® Rational® software can help.
Accommodating specific lines of business can result in a hybrid ecosystem of applications and servers. The resulting complexity of this architecture makes for an environment that is costly to maintain and difficult to change when addressing new challenges.
This whitepaper will help you to define a mobile device passcode policy. Security managers must attempt to reconcile two opposing goals. They must: 1) create a passcode policy that is strong enough to protect the device if it is lost or stolen, while: 2) not annoying users with needless length or complexity.
This whitepaper, authored by The Radicati Group, looks at the key reasons organizations should consider moving to a cloud-based archiving solution. Email archiving solutions enable organizations to store, monitor, and collect electronic data exchanged by their users to comply with internal policies and regulations.
ATERNITY will showcase a 30-minute demo on how Fortune 500 companies are leveraging its award-winning FPI Platform to deliver a user-centric approach to Proactive IT Management.
For businesses to move forward and tap into the ever-expanding universe of Internet users and network-enabled devices, it's critical to learn how to make the transition to IPv6. Learn the critical steps your organization must take to make a seamless transition-and keep your business world connected.
Learn how IT teams can protect against spear phishing tactics. Harry Sverdlove, chief technology officer of Bit9 offers a frank discussion about spear phishing - the most common technique used in today's advanced attacks.
Learn how to build a solid business case for your migration to Red Hat Enterprise Linux so you can run leaner, innovate faster, be more flexible and own the New Now.
Social media isn't about you; it's about everything around you. As you consider how your customers want to communicate with you, social media is something that can't be ignored. But what should your strategy be? Is social media "just another channel?" What kind of a plan makes sense for your contact center and for your customers? Join our experts as they share their insight and research results.
Hardware tokens were a popular method of strong authentication in past years but the cumbersome provisioning and distribution tasks, high support requirements and replacement costs have limited their growth. The additional log-in steps that hardware tokens require and the resulting user frustrations have limited adoption and make them impractical for larger scale partner and customer applications.
Sponsored Links
