Endpoint Protection


SEP code breach

  • 1.  SEP code breach

    Posted Jan 06, 2012 03:34 PM

    I am looking forward to further information from Symantec regarding the SEP code breach:

    http://www.securityweek.com/symantec-confirms-hackers-accessed-source-code-two-enterprise-security-products

    http://bits.blogs.nytimes.com/2012/01/06/symantec-confirms-segment-of-source-code-stolen/ 

    I differ a little bit with Robert Rachwald's comments in the SecurityWeek article. The severity of the breach really depends on what code was lost, how much of the code is still used, and how much the code reveals about Symantec's internal architecture (which could be significant, even if the specific code in question is no longer in use).

    Yes, AV is signature based, but access to the source code provides a great opportunity not just for signature evasion, but for understanding the Symantec internals and determining how to bypass the software or hijack it.  For a rootkit creator, it would be invaluable.  I also think the point about it being an older version is largely moot – the internal program structure is likely largely the same in the latest version, so what an attacker learns from v11 is likely applicable to v12.

    Mr. Paul



  • 2.  RE: SEP code breach

    Posted Jan 06, 2012 08:09 PM

    Data was stolen from the Indian Military.  At this point, it's hard to say how/when this will be distributed and how it will be used.  

    All that can be said is conjecture at this point, and anything Symantec will say will be marketing spin or require you to be a decently large customer with an NDA in place.



  • 3.  RE: SEP code breach

    Posted Jan 09, 2012 12:09 PM

    I am not able to find an answer as to how Symantec source code could be stored on an Indian military server.



  • 4.  RE: SEP code breach

    Posted Jan 09, 2012 06:10 PM

    Maybe some of these government agencies want to do a code review, before they install it on their highly sensitive systems?

    Remember, these companies don't operate in a FOSS manner. How can India, Israel and others really believe that Symantec is not relaying info back to the US Government, or any other bad boy for that matter?

    I'm sure India is also not the only one doing this type of code review to a software vendor.



  • 5.  RE: SEP code breach

    Posted Jan 09, 2012 11:33 PM

    The source code which was leaked is quite old... It has undergone many revisions since then... there is nothing to worry about... that source code cannot be used for any man-in-the-middle attack... or other mischievous deeds. Symantec is taking the utmost precaution and will not let any of its customers be impacted.



  • 6.  RE: SEP code breach

    Posted Jan 10, 2012 12:33 AM

    The code breach is accepted by Symantec; obviously it's an older one.

    But it may help rivals....

    Normally any government intelligence agency always asks for the source code of any s/w they use, to verify that what they are using is not spyware or malicious.

     

    And this breach was a major one, as this was from a military server & they claim to have access to 20 other companies' software code.

    Let's hope for a positive note for the others too!!



  • 7.  RE: SEP code breach

    Posted Jan 10, 2012 05:00 AM

    Here is a link to Symantec's official information on the subject:  http://go.symantec.com/sourcecode

    That page is updated regularly with new information as it becomes available.  At the moment, here are the contents:

    Symantec can confirm that a segment of its source code has been accessed. Symantec’s own network was not breached, but rather that of a third party entity. Based on our current analysis, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time.

    What products were impacted?

    Our analysis shows that only portions of the source code for Symantec Endpoint Protection (SEP) 11.0 and Symantec AntiVirus 10.2 were exposed. The exposed source code is very old (from 2006 and 2007) and has undergone many updates since that time. To the best of our knowledge, no active Norton products are affected.

    What new risks could result from this disclosure?

    Our threat response team has examined this issue in some detail. Given the limited scope of disclosure and the extensive protection mechanisms in-built to Symantec software, we believe the risk to our customers from this unfortunate incident is negligible.

    What should I do if my organization uses one of these products?

    There is nothing additional that customers need to do beyond adhering to best practices. The code that has been exposed is so old that current security settings will suffice against any possible threats that might materialize as a result of this incident.

    Our recommended best practices include:

    • Making sure your AV definitions are up to date
    • Making sure your software is upgraded to the latest maintenance version
    • As it makes sense for your organization, upgrade to the latest version of Symantec Endpoint Protection, which is SEP 12.1 RU1

     

    Hope this helps clear up any misinformation! :)



  • 8.  RE: SEP code breach

    Posted Jan 10, 2012 07:37 AM

    Symantec is investigating this situation seriously.  I suggest contacting your sales rep who will be able to share any updates on the situation. 



  • 9.  RE: SEP code breach

    Posted Jan 10, 2012 02:54 PM

    Our analysis shows that only portions of the source code for Symantec Endpoint Protection (SEP) 11.0 and Symantec AntiVirus 10.2 were exposed. The exposed source code is very old (from 2006 and 2007) and has undergone many updates since that time. To the best of our knowledge, no active Norton products are affected.

    Until 2011 Q4, we were still using Symantec AV 10.x. I am sure we are not the only ones, as a workaround was created for the expired security certificate in SAV 9.x.

    PS How many Windows NT installs are still in active use today? Just goes to show you that the vendor might say they no longer support it & therefore it's not active, but it is still in production use.
     



  • 10.  RE: SEP code breach

    Posted Jan 17, 2012 10:37 AM

    Hello followers of this thread,

    Just letting you know that the link above (which now forwards to http://www.symantec.com/theme.jsp?themeid=anonymous-code-claims) will soon be updated with a new statement.

    “Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006.  We believe that source code for the 2006-era versions of the following products was exposed:  Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere. 

     

    Due to the age of the exposed source code, except as specifically noted below, Symantec customers – including those running Norton products -- should not be in any increased danger of cyber attacks resulting from this incident. 

     

    Customers of Symantec’s pcAnywhere product may face a slightly increased security risk as a result of this exposure if they do not follow general best practices.  Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.  Since 2006, Symantec has instituted a number of policies and procedures to prevent a similar incident from occurring.”

     



  • 11.  RE: SEP code breach

    Posted Jan 18, 2012 02:51 AM

    May I know exactly which version of SEP was exposed?

    I would imagine something lower than 11.0.3 (MR3) ?

     

    Thanks.



  • 12.  RE: SEP code breach

    Posted Jan 18, 2012 04:33 AM

    Hi Cus000,

    There shouldn't be any need to change any settings, etc for any version of SEP.  This incident does not impact the functionality or safety of Symantec's current line of AV solutions.



  • 13.  RE: SEP code breach

    Posted Jan 18, 2012 08:54 PM

    Understood.

     

    Just want to know which SEP version has been 'looked' into by those guys.

    I know the most possible impact would be on PcAnywhere?

     



  • 14.  RE: SEP code breach

    Posted Jan 19, 2012 07:22 AM

    Still unclear for me if the exposed source code is something that was stolen back in 2006 or if it is something really new.

    Symantec had previously described a completely different scenario regarding the attack in 2006.....



  • 15.  RE: SEP code breach

    Posted Jan 25, 2012 06:03 AM

    I have no idea what happened in 2006.. but I still want to know which SEP version was taken by those haxors..

     

    Why don't we pin this topic anyway?



  • 16.  RE: SEP code breach

    Posted Jan 30, 2012 09:03 AM

    New information is available on http://www.symantec.com/theme.jsp?themeid=anonymous-code-claims

    An extract:


    What should I do if my organization uses Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), Symantec Endpoint Protection (SEP) 11.0, or Symantec AntiVirus 10.2?

    There is nothing additional that customers of these products need to do beyond adhering to best practices. The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident.

    Our recommended best practices include:

    • Making sure your AV definitions are up to date
    • Making sure your software is upgraded to the latest maintenance version
    • As it makes sense for your organization, upgrade to the latest version of Symantec Endpoint Protection, which is SEP 12.1 RU1. Our analysis shows that the code theft does not require organizations to accelerate an upgrade to SEP 12.1.


  • 17.  RE: SEP code breach

    Posted Feb 08, 2012 02:27 AM

    And now the code has been published.

    pcAnywhere and Norton Utilities 2006 affected. Possibly more to come.