More source code stolen, says Symantec

Symantec acknowledged this week that, in addition to the theft of source code for past versions of some of its security software, its own servers were breached in 2006. Previously, Symantec had claimed the theft of its source code had come only from third-party servers, but the company modified that statement after an internal investigation showed that its own network had been breached.

The latest announcement said that source code for Norton Antivirus Corporate Edition, Norton Internet Security, pcAnywhere, and Norton GoBack had been taken. This is in addition to the Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2 that the company acknowledged two weeks ago. The two enterprise-class products were more than five years old, the company said. It did not indicate why some of the code was made public six years after the alleged theft took place.

However, Scott Crawford, research director for security and risk management at the research and consulting firm Enterprise Management Associates, cautioned that just because a product is a few years old, it does not mean the code has not been repurposed for current products. While Symantec has indicated that much of the code was old, he said, it has not said if any of the old code is part of current offerings. In fact, it is very common to repurpose code, particularly when the code is designed to solve a specific problem, he said.

An issue that is becoming more of a concern with the attacks on data security companies is whether they are doing an adequate job of managing their own risk, Crawford said, particularly since their risk can relate directly to their customers' risk. Security companies are in the unenviable position of not only being expected to be impenetrable, but also of being the companies with the largest targets on their backs. Their particular area of technological expertise, Crawford said, makes them attractive targets for attackers.

But companies like Symantec are not immune from attack simply because they're “security companies,” said Kevin Beaver, an Atlanta-based security consultant and author. “These businesses are complex entities with people who are bound to make mistakes, and processes that will ultimately be exploited.”

As was the case with the RSA attack, Crawford added, sometimes the customers of the security companies are the real targets, with the security company simply being the means to reaching that end.

“The ramifications associated with downstream liability will no doubt work themselves out in the legal process,” said Beaver. “The real concern is, will businesses learn from these breaches and become better as a result? Given the complexities, egos and politics involved, I suspect we'll face these problems for decades to come.”

Symantec did not immediately respond to a request for comment.
