Symantec Looks Into Claims of Stolen Source Code
wiredmikey writes "A group of hackers claim to have stolen source code for Symantec's Norton Antivirus software. The group is operating under the name Dharmaraja, and claims it found the data after compromising Indian military intelligence servers. So far it's unclear if the claims are a significant threat, as the information posted thus far by the hackers includes a document dated April 28, 1999, that Symantec describes as defining the application programming interface (API) for the virus Definition Generation Service. However, a second post entitled 'Norton AV source code file list' includes a list of file names reputedly contained within the Norton AntiVirus source code package. Symantec said it is still in the process of analyzing the data in the second post."
Update: 01/06 07:05 GMT by S : In a post to their Facebook page, Symantec has now said some of their source code was indeed accessed, but it was four or five years old.
Who would want anything they make?
Hrm, I didn't know hackers even needed to look at the source code in order to make viruses that get around Symantec AV....
...on Facebook (yeah, I dunno). http://www.facebook.com/Symantec/posts/10150465997682876
Wow, so the Indian military works with major US vendors like Norton to spy on their own people (and I assume other countries' people, since it will be the same source????)
I assume they have the source code so they can insert extra bits and dispatch spyware the next time Norton auto-updates?
You get an auto-update, they get a spyware app into your PC. Is that it?
I don't think the scandal here is that the source code was stolen; it is a scandal that Norton cooperates with military spyware!!
Stealing source code from Symantec is like stealing your neighbor's garbage.
Unless their newer antivirus programs are nothing more than updated virus definitions, it shouldn't really bother Symantec.
At least we will get some great versions of Norton Total Internet Security 2013 floating about now.
All cows eat grass!
This is yet another reason why reliance on closed-source security software is risky.
Since the original source code wasn't destroyed and is still in the hands of Symantec, and the hackers merely made an identical copy without permission...
then it's not theft, it's copyright infringement.
Does the code include the keys that would be needed to inject bad/malware virus definitions, causing users' machines to delete files that weren't viruses? Does this open up some sort of command-and-control channel over users' machines aside from that risk?
I do not fail; I succeed at finding out what does not work.
>>The group is operating under the name Dharmaraja
>>...compromising Indian military intelligence servers.
Dear Corporations, "Investors", and CEOs,
Please do not hesitate to keep offshoring every bit of information and technology to the third world. The things you've seen so far are mosquito bites compared to the crap that will hit the fan if you keep "enhancing profits" for another decade or even less.
Respectfully,
Software Developer, a.k.a. the guy who actually has to work for a living.
Indeed, a lot of people seem to be missing the bombshell here.
It may still be the same code base that makes Norton run real slow.
Bloat would merely mean an inconvenience, possibly the need to install a larger and faster hard-drive. However, my favorite independent computer shop informed me that Norton Anti-Virus was the cause of overall performance degrading on my Windows XP along with too-frequent "blue screens of death".
The computer shop advised me to obtain the freeware versions of AVG Anti-Virus and Malwarebytes. They install both on all new PCs they sell. They assert that no one anti-virus package can detect all threats.
The freeware version of AVG Anti-Virus runs continuously and automatically in the background and updates daily. The freeware version of Malwarebytes requires manual launching for each scan; you need the purchase-ware version for automation.
Just like watching ads for "My Clean PC", the whole computer virus industry is a scam in the first place. It all originates from the fact that someone tried to sue the pants off Microsoft about file system maintenance utilities... and in return for not going all the way and taking Microsoft to the cleaners, the folks just shook hands and made a deal to leave some security crumbs for the offended corporation.
The end result was the scam about operating system security, when in reality the solution was to lock down modifications to the core system in the first place. The same way Unix does. That way all that would ever run when installed by a user would be sandboxed away from the system. The whole Windows registry policy setup and binaries having the ability to splatter DLLs in \system is just plain stupid and everyone with a brain knows this. Yes, weld the hood shut and just allow access to functions... if the user installs malware then no problem, just off the crap.
Windows has been ever so slowly coming around to this but there is still the need to appease the A/V industry... I wonder when the gentleman's agreement will finally end. Windows could have become a secure operating system a long time ago, but there is a very good reason why Win98 and XP were Swiss cheese... it was completely deliberate!
Snake oil, plain and simple, and the average Joe user doesn't even realize how much of a scam the Windows A/V industry really is, and how it has held back many advancements in web computing. The computer security scam will be the final nail in the coffin of the home PC industry. Hell, they are all trying to get in on the tablet industry and claiming that you can infect Android... what a bunch of scam artists! If a user installs malware then so what... who the hell needs a utility to remove cruft other than when using Windows? And even now Windows 7 is still better at keeping the /system free of nasty binaries. But this does not matter because the home PC is in reality suffering a horrible death. My prediction is that within 3 years Apple will outsell HP, Dell, and everybody else in the home computer market. And I am certainly no fan of Apple and their hyped-up crap OS.
They're going to release norton as a virus! It'll be the worst one yet!
Hell just installing it now is worse than most viruses! And way harder to actually get rid of!
The world is gonna grind to a halt!
The bombshell is that Norton has been creating viruses all along... Shit, I've been watching too much X-Files.
Update: It wasn't Norton, it was older versions of their Enterprise protection:
http://www.securityweek.com/symantec-confirms-hackers-accessed-source-code-two-enterprise-security-products
Computers all over the world will be infected with Norton by December and human civilization as we know it will cease to exist!
Stealing Symantec's source code is like stealing Typhoid Mary's soup.
Help stamp out iliturcy.
Wow, so the Indian military works with major US vendors like Norton to spy on their own people (and I assume other countries' people, since it will be the same source????)
I assume they have the source code so they can insert extra bits and dispatch spyware the next time Norton auto-updates?
You get an auto-update, they get a spyware app into your PC. Is that it?
I don't think the scandal here is that the source code was stolen; it is a scandal that Norton cooperates with military spyware!!
Wow, +4 already? The tinfoils must be up and about today.
Believe it or not, most major software vendors have licenses and policies in place (e.g., Microsoft) to allow sensitive institutions (governments, defense contractors, etc) access to their source code. The primary reason is actually the opposite of what you say. Customers such as the Indian government want to be able to see what's actually in the code before they agree to buy and install it on their own systems and network.
Think of it as the 1% always getting to run open-source software because they have the clout to demand it (and under a strict NDA).
Occupy Microsoft!
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
Wow... so many assumptions in one post.
Don't you think the Indian military needs anti-virus software? Don't you think they would need to examine the source code before running software from an American company on potentially sensitive systems? And don't you think Symantec would give it to them to secure the contract?
Actually, they probably want to audit the code for backdoors and other security vulnerabilities before deploying the software on their systems. A whole bunch of governments got snookered when Crypto AG sold closed-source encryption software with a backdoor that allowed the US government to easily break their communications. In particular, the NSA was rumored to have backdoored Crypto AG systems since the fifties, allowing the US government to spy on communications from such warm and fuzzy countries as Iran.
A NYC lawyer blogs. http://www.chuangblog.com/
http://articles.timesofindia.indiatimes.com/2010-07-19/internet/28273582_1_cyber-security-cyber-warfare-cryptographic-controls
You can claim "trust us, we're the military and we don't do this", but in the next breath they are declaring cyber-war.
So no, I would have to be an idiot not to see the connection, and the original story of the hack was very careful to point out that the hack had revealed several US corporations had provided the source code to their products to the Indian military.
You can say they needed to do that to make the sale, however in doing so, they've opened their products to an unnecessary attack, which means they've opened my PC to an unnecessary attack. I don't trust the Indian military not to misuse Symantec's source code against other Symantec customers. As a professional network admin, I'd be a fool to.
If cyberwarfare is real then Symantec works for the enemy. They made that choice.
Just hope they didn't get any more sensitive data
I've always wondered about the efficacy of such programs. Yes they do have a license, but for obvious reasons the # of people that have access to it are much less than the number of developers, and not only that, the different organizations that have access to it are probably very limited in their ability to communicate, which means that you have a large number of people who each have to analyze large amounts of source, so their ability to really get a deep understanding of any individual part of the code is probably somewhat limited.
Now compare this with open source, even though the # of eyes may be about the same(and yes I'm realistic, only a very, very tiny % of people actually comb through the source of an open source project, even a project like Linux), the ability to coordinate and specialize is much greater. I doubt there are very many people who pore through every change in the Linux kernel(aside from Linus of course), instead what you get is people who are very familiar with certain parts of the source and thus are more aware(and may have even been consulted on) changes in the code. Not to mention they can actually submit code themselves.
To paraphrase your comment:
"If you think the Military attacks, then you're wearing a tin-foil hat. Military only defends."
I think I pretty much summed up your comment. They have been given something they can use as a weapon. You assert that they would never use that as a weapon, only as defense. The rest of your comment tries to paint anyone that thinks otherwise as the fringe (tinfoil hat) view of, erm, the 99% of the population.
You might want to draft that last part better, since 99% of people probably do think Military machines attack using any weapons given to them.
Finally someone can write a working uninstaller!
That's what happens when you outsource your programmers to India.
The Indian military outsources to India? Impressive.
Hope these hackers can turn the source code into something useful.
-- Chaos, panic, pandemonium... My job here is done!
The funny thing is, it doesn't really matter, if the source code is clean. Software can still be bugged, unless they compile it with their compilers:
http://cm.bell-labs.com/who/ken/trust.html
Some local long term http://en.wikipedia.org/wiki/Magic_Lantern_(software) ?
i.e. keystroke logging software that was safe from some anti-virus companies.
Domestic spying is now "Benign Information Gathering"
More likely the reason they have the source code is to satisfy themselves that the US government has not inserted malware/trapdoor software in the code.
A lot of Symantec haters out there. Funny
Let's put some things into perspective here.
1. Norton is a consumer product. SEP is the enterprise product. Two very different products with very different code, and both were re-written a couple of years ago. (Works a lot better than before and is less "bloated".)
2. I would very much doubt that a government defense organization would be purchasing a consumer product like Norton.
3. The segments of code found are from SAV (last rolled out approximately 5 years ago and does not exist anymore) and SEP 11 (released 4 years ago and is no longer sold, as SEP 12.1 is the current version and this was re-written to include new technology).
There isn't actually anything like closed source, the source code for almost everything is available at a fee, even the windows source code.
You got it all wrong! The Indian military writes the code for Symantec. Doesn't that explain everything?
They also ask for the source code of the compiler, which compiles itself, which compiles the AV source...
Search RapidShare and MegaUpload!
Yes, no, and no, in that order. Truly sensitive data should be on air gapped machines protected from careless media insertion and you don't need AV there.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Yeah, even if they did, it wouldn't help. When the binary is infected, you no longer need the "infecting part" in the source code. Recompiling the compiler with the bugged compiler would re-add the stuff without it being in the source code of the compiler anymore.
Believe it or not, most major software vendors have licenses and policies in place (e.g., Microsoft) to allow sensitive institutions (governments, defense contractors, etc) access to their source code. The primary reason is actually the opposite of what you say. Customers such as the Indian government want to be able to see what's actually in the code before they agree to buy and install it on their own systems and network.
Yes, this explanation is valid and almost certainly the main reason why this happens. But the fact that any institution can then exploit any bugs they do find is hardly something that can be ignored.
Ok, so they can audit the source code. Do they actually build the whole thing from this code themselves? With what compiler? I don't think having the code helps them much in this regard...If a hidden compiler trojan were to truly exist, THIS is where I'd expect to find it. It would be simple for MS to include a trojan in the compiler they give, or give binaries that don't match the source code...
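The compiler-trojan scenario raised in the posts above (the Ken Thompson "trusting trust" link, and the replies pointing out that a bugged compiler re-adds the backdoor when it recompiles itself from clean source) is easy to misread as hypothetical. The toy below re-enacts it in Python; it is an added illustration, not code from the thread or from any vendor. Programs are Python source strings and a "compiler" is a function that execs a source string and returns its namespace. The login program, the compiler source, and the "joshua" master password are all constructed for the demonstration.

```python
"""Toy re-enactment of Thompson's 'Reflections on Trusting Trust'.

The trojaned compiler recognises two inputs: the login program (it substitutes
a backdoored version) and a compiler (it substitutes a copy of itself).  So
rebuilding the compiler from clean source with the trojaned compiler yields
another trojaned compiler, and the backdoor appears in no audited source file.
Constructed example; every program text and password here is made up.
"""

# Clean login program: only root with the right password gets in.
LOGIN_SRC = '''
def check_password(user, password):
    return user == "root" and password == "correct horse"
'''

# Clean compiler source: a faithful translator with no surprises.
CLEAN_COMPILER_SRC = '''
def compile_program(source):
    ns = {}
    exec(source, ns)
    return ns
'''

# What the trojaned compiler silently substitutes for the login program.
BACKDOOR_LOGIN_SRC = '''
def check_password(user, password):
    if password == "joshua":   # master password; present in no audited source
        return True
    return user == "root" and password == "correct horse"
'''

# Template of the trojaned compiler.  It carries the backdoor and its own
# template as data so it can emit an exact copy of itself when asked to
# compile a compiler (the self-reproducing stage of the attack).
TROJAN_TEMPLATE = '''
BACKDOOR_LOGIN_SRC = %r
TROJAN_TEMPLATE = %r

def compile_program(source):
    if "def check_password" in source:      # stage 1: backdoor the login program
        source = BACKDOOR_LOGIN_SRC
    if "def compile_program" in source:     # stage 2: re-infect any compiler
        source = TROJAN_TEMPLATE %% (BACKDOOR_LOGIN_SRC, TROJAN_TEMPLATE)
    ns = {}
    exec(source, ns)
    return ns
'''
TROJAN_COMPILER_SRC = TROJAN_TEMPLATE % (BACKDOOR_LOGIN_SRC, TROJAN_TEMPLATE)


def run_binary(compiler_source):
    """Stand-in for executing an already-built compiler binary."""
    ns = {}
    exec(compiler_source, ns)
    return ns["compile_program"]


def login_has_backdoor(compile_program):
    """Compile the clean login source and probe it with the master password."""
    login = compile_program(LOGIN_SRC)
    return login["check_password"]("nobody", "joshua")


def demo():
    clean = run_binary(CLEAN_COMPILER_SRC)
    trojan = run_binary(TROJAN_COMPILER_SRC)
    # Rebuild the compiler from CLEAN source, but using the trojaned binary.
    rebuilt = trojan(CLEAN_COMPILER_SRC)["compile_program"]
    return {
        "clean_compiler": login_has_backdoor(clean),          # False
        "trojan_compiler": login_has_backdoor(trojan),        # True
        "rebuilt_from_clean_source": login_has_backdoor(rebuilt),  # True
        "backdoor_in_audited_sources": "joshua" in (CLEAN_COMPILER_SRC + LOGIN_SRC),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the thread is making falls out of the last two entries: the rebuilt compiler is backdoored even though neither source file an auditor would read contains the password. Having a vendor's source therefore only buys assurance if you also control (or independently bootstrap) the toolchain that turns it into binaries.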
Recent versions allow quarantining on behaviors, like flashxxx.ocx trying to write to c:\windows\.... Figure out the function hook, and you can bypass these actions before they occur.
In addition, any encryption keys embedded would be fair game, possibly allowing someone to impersonate a LiveUpdate server.
Reasons it's not relevant:
Any decent virus writer has disassembled it more than a Jetta in your average chop shop.
Corporate IT departments rarely read Vendor best practices and miss the boat on writing to system directories, registries, and other common ways to infect a machine.
Impersonating/man-in-the-middle attempts with encryption keys are a PITA to employ, more effort than anyone skimming account numbers would care to carry out. Now, targeted attacks are another story.
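Whether a source leak lets someone forge definition updates, as asked earlier in the thread and as the post above suggests with "any encryption keys embedded would be fair game", depends entirely on which kind of key the client carries. The added example below (mine, not from the thread or any Symantec product) contrasts the two designs: a shared HMAC secret compiled into every client, which leaks with the source, and a public key compiled into the client, where the source reveals nothing that lets an attacker sign. Textbook RSA over fixed Mersenne primes stands in for a real signature scheme purely to keep the example stdlib-only; it is not secure (no padding, small modulus). The manifests, hashes and secret are constructed, and the private exponent is kept in this file only so the example runs, standing in for the vendor's offline signer.

```python
"""Two designs for authenticating an AV definition update on the client.

Design 1 (bad): HMAC with a secret embedded in the client.  Anyone holding
the client source or binary can forge updates.
Design 2: signature checked with an embedded public key.  The client holds
no signing capability; leaking its source leaks nothing an attacker can
sign with.  Toy RSA used here is NOT secure; it only makes the point concrete.
"""
import hashlib
import hmac
import json
from math import gcd

# --- Design 1: shared secret embedded in the client ----------------------
CLIENT_HMAC_SECRET = b"embedded-in-every-client-build"    # constructed; leaks with source

def hmac_sign(body: bytes, secret: bytes = CLIENT_HMAC_SECRET) -> bytes:
    return hmac.new(secret, body, hashlib.sha256).digest()

def hmac_verify(body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_sign(body), tag)

# --- Design 2: public key embedded, private key kept off the client -----
P, Q = 2**127 - 1, 2**89 - 1        # toy Mersenne primes; real keys: 2048+ bits
N = P * Q
E = 65537
_PHI = (P - 1) * (Q - 1)
assert gcd(E, _PHI) == 1
D = pow(E, -1, _PHI)                # vendor-side private exponent (offline signer)
CLIENT_PUBLIC_KEY = (N, E)          # the only key material shipped in the client

def _digest_int(body: bytes) -> int:
    # Reduce SHA-256 into Z_N; a real scheme would use a padding standard.
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % N

def rsa_sign(body: bytes, d: int = D) -> int:
    """Vendor-side: needs the private exponent."""
    return pow(_digest_int(body), d, N)

def rsa_verify(body: bytes, sig: int, pub=CLIENT_PUBLIC_KEY) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(body)

# --- Constructed manifests: one genuine, one that would flag a system file
def manifest(version: str, entries: dict) -> bytes:
    return json.dumps({"version": version, "entries": entries}, sort_keys=True).encode()

GENUINE = manifest("2012.01.06", {"Trojan.Example": "deadbeef" * 4})   # constructed hash
TAMPERED = manifest("2012.01.06", {"winlogon.exe": "00000000" * 4})     # "delete a system file"

def source_leak_scenario() -> dict:
    """What an attacker holding the client source can do under each design."""
    genuine_tag = hmac_sign(GENUINE)      # produced by the vendor's update server
    genuine_sig = rsa_sign(GENUINE)
    # Design 1: the attacker read CLIENT_HMAC_SECRET out of the source.
    forged_tag = hmac_sign(TAMPERED, CLIENT_HMAC_SECRET)
    # Design 2: the attacker has only (N, E); best effort is replaying a real signature.
    replayed_sig = genuine_sig
    return {
        "hmac_genuine_accepted": hmac_verify(GENUINE, genuine_tag),   # True
        "hmac_forgery_accepted": hmac_verify(TAMPERED, forged_tag),   # True: design 1 is broken by a source leak
        "rsa_genuine_accepted": rsa_verify(GENUINE, genuine_sig),     # True
        "rsa_replay_accepted": rsa_verify(TAMPERED, replayed_sig),    # False: no signing key in the client
    }

if __name__ == "__main__":
    for name, value in source_leak_scenario().items():
        print(f"{name}: {value}")
```

The practical check, for anyone auditing an update mechanism, is whether the client contains anything that can *produce* a valid authenticator rather than merely verify one. A public key in the binary is expected; a symmetric secret or a private key in it means a source or binary leak is an update-channel compromise.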
Source sharing is essentially public knowledge, it has been around for a long time. Long enough to assume that's why they have the code.
What the recipients do with the source has not been disclosed to my knowledge.
I would assume it's up to the recipient to figure out what to do with it, and make sure that is allowed in their contract (Microsoft allegedly tries to negotiate a "come and read it yourself" kind of access so you can't build or copy it, or leak it, after Mainsoft's reported partial leak). Hopefully they do exactly what you describe. But I doubt anyone from any group that has source code is going to tell you what security measures they use.
I bought Norton to go with my brand new copy of vista ultimate. I am short like close to 500.00 bucks when I leave the store.
Install Norton: CD key don't work. Fuck, I am pissed; someone's key generator has used my key. Then Vista: my hard drive fails. Are the two related? It was fine on XP.
So I have to get work done. Plug in an external hard drive; Vista can't install to it. Put a copy of Kubuntu in the drive; it installs to the external just fine.
Then I get a VM going and install Vista to it. Now with Vista running from the external hard drive I get my work done, buy a new hard drive, install it, boot up Vista, go to install the key: it no longer works.
Now I have hundreds of dollars worth of no key software.
No problem: dd my external to the new drive, bam, I am back in action.
Win 7, I am a no-buy; Win 8 will be the same.
My Kubuntu is up to date and vista is still running after all this time.
My last new machine was 2005.
Until Xmas; now I have a race-to-the-bottom Chiclet keyboard that sucks big wampum.
I am looking at you HP. Its falling apart already.
You know how all the keys are torn off at the store displays? Well, they are not torn off; they fall off all by themselves.
If it happens to the display it happens in real life.
Now they are under glass to prevent you from finding out not to stop the damage.
My rant pause.
Oh I bought another antivirus and it would not run at all. Their help was no help at all.
So if I pay for it, it don't work, and if I get it free, it does work.
Hey Microsoft, really, if you're out there, you really should include a gparted disk with your OS.
Are you afraid I might think you care about someone other than yourself?
Your partitioning software blows chunks.
Disk manager my arse.
Signed Humbly your home computer enthusiast.
I've never told anyone this before, because it's horrifically, tragically sad, but I had a picture of Peter Norton torn out of a magazine pinned up near my PC when I was a kid 20 years ago. Yeah, I was a complete nerd / geek, especially for performance and hardware.
Back then Norton Utilities 6 was the absolute bee's knees; Speedisk for DOS is still the most thorough defragger I know of. Full with file reorder was the option; it ensured 0 files were fragmented, and this was in the days that exceedingly few files on the disk were set as read-only / system. It genuinely improved performance significantly.
Their tools were good for maybe 3 or 4 years more, possibly the first one or two Windows tools for 95 had some useful features lacking in the core OS but after that, what a shambles. To me, any machine with Norton utilities (Norton utilities NOT "Nortons utilities" while I'm at it) should pretty much be wiped clean :/
The only bombshell here is that you fail to realize that the Indian military wouldn't trust foreign companies like Norton, Symantec etc. without having access to the source code, to ensure there is no key-logger style functionality etc. transmitting sensitive stuff to US spy agencies.
That place in India you're outsourcing to? Yeah, about that... Seriously, what country do you expect an Indian citizen (at home or abroad) to have allegiance to? Even if he isn't being paid or otherwise coerced? The same goes for anybody from any country really, perhaps excluding people fleeing oppression.
Sounds more like a "group of finance officers" are trying to boost corporate revenue by using that old trick again. "Our old software has been compromised! Upgrade to the latest version of __________ to stay secure! As a loyal customer, here's a 20% off coupon code that we didn't accidentally print out and include in our retail box."
There's a wide range of sensitive data.
What about a General's laptop he uses to answer (work) emails? Maybe he doesn't read sensitive reports on the laptop, but would it be OK for a foreign power to read those emails? Absolutely not.
You can't expect the Indian government to run software from an American company without checking. An American company that has contracts with the US government BTW.
If they followed your advice, everything except the most highly classified data would be open to a foreign government to sift through.
So, Kaspersky & Symantec source code was leaked... KAV code was on ed2k lately IIRC.
Recipes for USA bankrupt - http://tinypaste.com/0d66f dd = dollar deluge (printed in the infinity)
I've had a rootkit running around my home network for the last 3 months that is totally utilizing Symantec EPP as its vehicle to re-infect my computers. It's doing strange things to the Symantec executables and Symantec-specific folders that I think are only possible if somebody has gotten into the code and is able to leverage some inside knowledge to make this rootkit do what it's doing. Just my opinion, but I believe this story and I think it's more widespread than just NAV.
Who says that the Indian military legitimately had Symantec's source code? They could have stolen it too, likely a result of Symantec outsourcing development work to India. That could easily explain why the source code they had was out of date: if they actually had an agreement with Symantec it would have been a lot more recent.