News that Symantec lost some of the Norton AV source code is not new: the story gained credence in early January when some of the source code was sent to Infosec Island, and it has never gone away since. At the end of January, Symantec warned that additional lost code could compromise the use of pcAnywhere, and that the product should not be used. Last week news of an apparent extortion attempt emerged, with the supposed hacker apparently attempting to extort $50,000 from Symantec, which led to pcAnywhere code being published on the Pirate Bay and the Symantec/hacker correspondence on Pastebin. One thing has been consistent throughout: direct information from Symantec, for whatever reason, has been sparse.
This has intrigued Australian broadcaster Patrick Gray. He quotes an article in PC Magazine in which Symantec comments: “The code is so old that even if there were attempts to generate a cyber attack, it would take on the characteristics of a 2006 attack. The age of the code inherently limits what can be done with it. It is, essentially, worthless code. At this point, Anonymous would be releasing it for PR purposes and that's it.”
But Gray isn’t satisfied. He wonders what characteristics ‘2006 attacks’ possess. And how does the ‘age of the code’ limit what can be done with it? “That whole statement,” he concludes, “is just weird and until we get more information out of the big yellow S it just raises more questions that [sic] it answers.”
On Friday last week, in an unrelated post, malware researcher Kevin McAleavey asked a new question: Did the 2006 Symantec Breach Expose RSA's SecurID? He has been analyzing the leaked source code and concluded that Symantec’s comments about the Norton code are probably accurate, largely because of changes to the operating system and the move to 64-bit computing. However, the pcAnywhere code shows evidence of Vista and 64-bit computing. Couple this with the speed with which Symantec patched pcAnywhere, and the conclusion he comes to is “that there were indeed pieces of the 2006 source code still in use in their current product.”
The problem, however, according to McAleavey, is that the same “source code which fell into the hands of ‘Yamatough’ contains numerous header files and several libraries belonging to RSA, and indeed SecurID code is a part of the PCAnywhere product contained in the purloined source code.” Since the RSA encryption algorithms go back to 1999, code from 2006 would not be invalidated by its age. Part of the code includes header files and the ‘libbsafe.a’ library, which would give hackers all they need “as long as they could gather enough keys to figure out the rest of the algorithm given the sources.” It was, he notes, specifically the keys that were stolen in the RSA break-in.
I can't help but wonder, he speculates, “if this code was stolen back in 2006 or thereabouts, could this possibly be the reason why the attackers had such widespread success” against the SecurID-protected sites?
We have asked both Symantec and EMC/RSA for their comments on this speculation.