Symantec: What Went Wrong?

Thursday, January 19, 2012

Bill Mathews

A little while ago some (allegedly) Indian-based hackers (ref:) announced that they had got their hands on some of Symantec’s source code (SEP 11 and AV 10.2 respectively).

Don’t worry though, according to Symantec it’s all cool because they weren’t breached (it was a third party/one-armed man) and only “older code” was exposed. This is an example of a vendor’s glaring ignorance of its client base and a certain arrogance about its own product. Let’s examine some of their arguments.

The Third Party Issue

We hear this one a lot. “This is our vendor” or “We can’t fix this, it’s some third party’s problem.” This is purely an attitude problem and I wish this one would just go away. You have to take control of your supply chain and your vendors.

Surely a company of Symantec’s size has some sway over its suppliers and vendors? You would think so, at least. I have customers whose larger upstream clients demand regular audits and tests to ensure some baseline security standard is being followed. It isn’t perfect, but it’s better than nothing.

The bottom line is: when it’s your stuff you don’t get to blame a third party. It really is your problem and you need to own up to it. Complete disclosure of the breach is the only way to maintain your integrity at this point.

Older Code? Not Our Problem!

The problem with this argument is that (and I’m PURELY guessing here) a lot of their customers, even enterprise users, haven’t upgraded lately. I know, I know, security evolves fast, etc.

But a lot of larger, more conservative places have a “stay one version behind” policy for all their critical or possibly production-killing software. This is for any sort of software, not just security products. If their defense for this is, “well it was just older stuff and everyone should be upgraded anyway,” and it appears it is, then they are not living in reality.

Upgrades, even of security software we like to think is critical, are neither automatic nor pervasive. In light of this release, though, I would encourage clients to upgrade if this is software you rely upon.

Seeya Later Source Code

This is always where the rubber meets the road. I am a firm believer that security systems should be able to hold up to open scrutiny but often I’m alone in that. If this code leak really makes Symantec’s software useless for securing systems I would contend they’re doing it wrong.

That being said, here’s a little homework: go Google “antivirus evasion techniques” and see what you find. The “bad guys” don’t actually need the source code to evade much of it, so I doubt this leak really increases that risk much. I know this seems snarky and pessimistic, but that’s the point I’m at with AV vendors.

I just don’t think most of it is quality code and liken much of it to snake oil. Obviously that’s my opinion, but I’m sticking to it.

Okay smarty-pants, what do I do now?

Obviously, if you’re relying on this software for even an illusion of protection, you should upgrade as soon as possible. Beyond that, though, I think you should start examining the levels of protection you have in place against malware, virus and phishing threats.

Do you have an internal honeypot that can help detect an early outbreak? No? You should. Are you making effective use of DNS blackholes and other blacklisting methods? No? You should be.
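One way to turn the DNS blackhole mentioned above into the early-outbreak sensor this paragraph asks for, as an added example that is not part of the original post or of any vendor’s product: it assumes a resolver that has already been configured to sinkhole a list of known-bad domains, parses BIND-style query log lines (the log lines, client addresses and domain list below are constructed for the example, not real data), and reports which internal clients asked for a blackholed name.

```python
"""Flag internal hosts that resolve blackholed (sinkholed) domains.

Added example. A DNS blackhole answers queries for known-bad domains with
a sinkhole address instead of the real one. Because an infected host still
has to resolve its command-and-control or update domain, the resolver's
query log becomes an early-outbreak sensor: any internal client that asks
for a blackholed name deserves a look.
"""
import re
from collections import defaultdict

# Constructed blocklist: domains the resolver has been configured to
# blackhole. In production this would come from a maintained feed.
BLACKHOLED_DOMAINS = {
    "bad-example.test",
    "malware-cdn.example",
}

# Constructed sample of BIND-style query log lines (not real data).
SAMPLE_QUERY_LOG = """\
19-Jan-2012 09:14:02.113 client 10.0.5.23#51234: query: www.example.com IN A + (10.0.0.2)
19-Jan-2012 09:14:05.881 client 10.0.5.23#51240: query: bad-example.test IN A + (10.0.0.2)
19-Jan-2012 09:14:06.002 client 10.0.7.88#40011: query: updates.malware-cdn.example IN A + (10.0.0.2)
19-Jan-2012 09:14:09.450 client 10.0.5.23#51251: query: c2.bad-example.test IN TXT + (10.0.0.2)
19-Jan-2012 09:15:11.009 client 10.0.9.4#33019: query: mail.example.com IN MX + (10.0.0.2)
"""

# Pull the client address, queried name and record type out of a log line.
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_blackholed(qname: str, blocklist=BLACKHOLED_DOMAINS) -> bool:
    """True if qname is a blackholed domain or a subdomain of one.

    Matching is done on whole labels, not substrings, so that a lookalike
    such as "notbad-example.test" does not match "bad-example.test".
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def parse_query_log(text: str):
    """Yield (client_ip, qname, qtype) for each parsable query line."""
    for line in text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            yield match.group("client"), match.group("qname"), match.group("qtype")


def find_sinkhole_hits(text: str, blocklist=BLACKHOLED_DOMAINS):
    """Map each internal client to the sorted blackholed names it queried."""
    hits = defaultdict(set)
    for client, qname, _qtype in parse_query_log(text):
        if is_blackholed(qname, blocklist):
            hits[client].add(qname.rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_sinkhole_hits(SAMPLE_QUERY_LOG).items()):
        print(f"{client} queried blackholed names: {', '.join(names)}")
```

The label-wise match matters: a substring check would either miss subdomains of a blackholed zone or produce false positives on lookalike names. In practice the hit list would be pushed to whatever alerting pipeline the honeypot feeds rather than printed, and the blocklist would be refreshed from the same source the resolver's sinkhole zone is built from, so the detector and the blackhole never disagree about what is bad.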

Do you have a testable, useful user security awareness program in place? No? Why not? As the Google search hopefully convinced you, A/V by itself is no longer enough; you need layers to help protect you when something fails.

I hope this is the lesson that is taken away from this event and not “gee, Symantec should take better care of their code.”

Cross-posted from Hurricane Labs

Bobby Mann: Have we seen the code? No. We saw a snippet. I haven't seen a full archive of code for anything. Even Norton Utilities contains files mostly from 1995-2000. Great! that's a real find! Let's keep things in perspective. Symantec went full disclosure, right or wrong - I think it was a hand better played than that by RSA. BUT.. Who really knows how much code is out there? Until we see evidence, it's all speculation. I think Symantec's point is that they have investigated and determined the risks aren't high for a breach since much of the code has changed. So, customers have two options - believe them or don't. I can tell you, RSA was a much bigger issue and most customers didn't abandon RSA. I'm betting they won't abandon Symantec either. It's just too much work to comb through that much code and try and build something to tackle a program that has been significantly updated - and oh, by the way the definitions (or the system that builds and updates definitions) is really the keys to the castle. Decompilers have existed forever, and there are plenty of tools to find vulnerabilities - bottom line: Faster and Easier ways. This is a theft, Symantec is a victim and this "so called Indian" group is using this to stir a political pot.

Bill Mathews: Your comment is a little sarcastically toned but I'm not entirely sure we're in disagreement. My broader point was that folks should have defenses in addition to A/V regardless of the vendor. I actually think I did keep things in perspective (but my perspective is known to be skewed sometimes) but I find a lot of their revised "disclosure" a little fishy. They went back nearly 6 years in their logs? Doubtful. Also, they did not disclose the original hack in 2006 (but that was pretty common then). Also, no one really needs a decompiler to get around A/V or the source code, pretty sure I made that point too. Sorry my post caused you such consternation.

Bobby Mann: Bill, your facts are wrong. Full disclosure started circa 2007 when many of the broader regulations started to get enforced. Actually, I'm not disagreeing that IF there was indeed a hack that they KNEW about in 2006, and I have my doubts they KNEW about it at THAT time, they should have disclosed. I know many companies that keep at least 7 years of logs - that would be more than enough to capture this and provide some detail - maybe, possibly. The reality is I don't think ANYBODY REALLY knows the whole story... yet.

Bill Mathews: I am unclear how my "facts are wrong." I didn't say they HAD to disclose in 2006, just that they didn't. There is no speculation about if there was a hack, they've admitted it (see the article I linked to, it quotes their spokesperson). Also congratulations, you must work with some really together companies. I know of none that keep logs that long (save financial institutions, but they even struggle with it). Of course no one knows the whole story, but if we did it probably wouldn't be much fun. My post was more about additional steps that need to be taken aside from traditional A/V.