More source code stolen, says SymantecSymantec acknowledged this week that in addition to theft of source code for past versions of some if its security software, its own servers were breached in 2006. Previously, Symantec had claimed the theft of its source code had come only from third-party servers, but the company modified that statement after an internal investigation showed the company's own network was breached.
The latest announcement said that source code for Norton Antivirus Corporate Edition, Norton Internet Security, pcAnywhere, and Norton GoBack had been taken. This is in addition to the Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2 that the company acknowledged two weeks ago. The two enterprise-class products were more than five years old, the company said. It did not indicate why some of the code was made public six years after the alleged theft took place.
However, Scott Crawford, research director for security and risk management at the research and consulting firm Enterprise Management Associates, cautioned that just because a product is a few years old, it does not mean the code has not been repurposed for current products. While Symantec has indicated that much of the code was old, he said, it has not said if any of the old code is part of current offerings. In fact, it is very common to repurpose code, particularly when the code is designed to solve a specific problem, he said.
An issue that is becoming more of a concern with the attacks on data security companies is whether they are doing an adequate job of managing their own risk, Crawford said, particularly since their risk can relate directly to their customers' risk. Security companies have the unenviable position of not only being expected to be impenetrable, but also these are the companies with the largest targets on their backs. Their particular area of technological expertise, Crawford said, makes them attractive targets for attackers.
But companies like Symantec are not immune from attack simply because they're "security companies,” said Kevin Beaver, an Atlanta-based security consultant and author. “These businesses are complex entities with people who are bound to make mistakes, and processes that will ultimately be exploited.”
As was the case with the RSA attack, Crawford added, sometimes the customers of the security companies are the real targets, with the security company simply being the means to reaching that end.
“The ramifications associated with downstream liability will no doubt work themselves out in the legal process,” said Beaver. “The real concern is, will businesses learn from these breaches and become better as a result? Given the complexities, egos and politics involved, I suspect we'll face these problems for decades to come.”
Symantec did not immediately respond to a request for comment.