Symantec too many doubts, disable pcAnywhere software

Pierluigi Paganini January 26, 2012

Remember the sensational theft of the source code of Symantec products that occurred in recent weeks? On that occasion the company, with impeccable timing, immediately distanced itself from the event, claiming that its customers could remain calm because the stolen source code was older and, in any case, the data breach had not affected its enterprise systems but the network of the Indian Government, which possessed the code through an agreement with the company.


The news is, of course, sensational: one of the leading players in the field of computer security may have been mocked by a group of Indian hackers. Of course, until there is direct fallout on the end user, every such event remains confined to the web, without the discussion leading to further problems.

The situation was immediately complicated: rumors on the web indicated that the source code, even if dating back to 2006, had been stolen directly from Symantec's network, aggravating the company's position.
Why, in fact, had the company declared something false? And no one has asked why the Indian government, which was accused of being mocked, has not publicly contradicted Symantec.

Another disturbing fact, absurd from the point of view of how the event was managed, is the claim in the media that there would be no impact on customers, while the Reuters news agency announced yesterday that Symantec had asked its users to disable its pcAnywhere software.

The situation is obviously serious and may hide other truths. Like me, you're probably wondering which truths, but I can only venture a few hypotheses.

  • First, the theft of source code is a major event for a developer. I have a past as an expert developer and I can say with complete certainty that source code can be a goldmine for those who study it, particularly for applications developed in areas such as security and industry. Source code always contains the developers' notes and comments, a mine of information that provides details on the design of the system and also on those who contributed to it. This information makes it anything but a dated system!
  • Another consideration: anyone who has developed code knows that there is extensive reuse of programming libraries, patterns and modules developed in past years, which are used like Lego building blocks in the composition of new products. Do not reinvent the wheel! Reuse and modularity are the cornerstones of programming. The question is how many and which of those bricks were stolen.
  • But what I find most disturbing is the silence of the Indian Military following Symantec's initial accusation. It is obvious that there are other reasons, far more serious than the reputation of the security of the Indian network. But what is more important than the integrity of a military network? It is reasonable to think that there are other undisclosed agreements between the government and the company, maybe a backdoor installed on the products available in the country; fanciful hypotheses, but possible. The silence of the Indian authorities could also be tied to the fact that the agreement with Symantec is just one of many, and that the source code held is just a small slice of what is available. Have you wondered whether components of Apple iOS software or RIM OS were stored on the same network? Does the term RINOA mean nothing to you? It is likely that the Indian government has kept quiet to avoid providing additional explanations that could reveal uncomfortable truths.

Let's return, then, to the announcement made yesterday by Symantec, the most direct acknowledgement to date that the stolen source code put customers at risk of attack. That is why the company has asked users to uninstall pcAnywhere, software present in many Symantec bundles and used to manage remote access connections.

The decision was taken, however, only after the announcement that an attacker named YamaTough had released the source code of PC software and Norton Utilities, and after he had threatened to publish widely used anti-virus programs. The company has published a white paper that indicates the situation is more serious.

“At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks,” it said in the white paper. (bit.ly/wPzX7v).

“The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident,” it said on its website. (bit.ly/wqtxTI)

I conclude by raising serious doubts about the way in which Symantec is managing the event: a series of contradictory announcements that tend to hide the truth from the customer. So what has already been exposed, and what are the consequences for those who have used its products? A company like Symantec should handle the matter in quite another way, no doubt with greater transparency about the events.
Better silence than lies.

Pierluigi Paganini

References

http://www.reuters.com/article/2012/01/25/us-symantec-hacking-idUSTRE80O1UY20120125


