
Symantec Tells Customers To Stop Using pcAnywhere

Orome1 writes "In a perhaps not wholly unexpected move, Symantec has advised the customers of its pcAnywhere remote control application to stop using it until patches for a slew of vulnerabilities are issued. If the attackers place a network sniffer on a customer's internal network and have access to the encryption details, the pcAnywhere traffic — including exchanged user login credentials — could be intercepted and decoded. If the attackers get their hands on the cryptographic key they can launch remote control sessions and, thus, access to systems and sensitive data. If the cryptographic key itself is using Active Directory credentials, they can also carry out other malicious activities on the network."

  1. Way ahead of you, Symantec by elrous0 · · Score: 5, Funny

    Most /.er's stopped using your products a long time ago.

    Next up, Intel CEO admits "McAfee is just bloatware that doesn't actually do anything. To be honest, most of it just runs loops that eat up CPU, so people think it's doing something and want to buy a faster Intel CPU. It hasn't stopped an actual virus since the mid-90's."

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Way ahead of you, Symantec by Baloroth · · Score: 5, Funny

      "It hasn't stopped an actual virus since the mid-90's."

      I wouldn't say that, it seems to do a pretty good job shutting down Windows.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    2. Re:Way ahead of you, Symantec by cusco · · Score: 2

      DriveImage used to be a great product, blew away Ghost in almost all respects. Then Symantec bought them with the supposed intention of rolling the technology into Ghost. Instead Ghost just got slower and buggier and the interface got even worse. Oh, and the price was twice what DriveImage used to be, for half the utility.

      Years ago I used to use Delrina WinFax. Nice product, installed off of two floppies. Nothing fancy, just did exactly what I wanted it to and nothing else. Then Symantec bought it. I made the mistake of recommending WinFax to my employer and we installed it throughout the Claims department. Took up over 100 MB of hard drive (when a 500 MB hard drive was considered large) before even receiving any faxes. Buggy, slow, and a CPU hog. Then machines in the department started to blue screen at least once a week. Symantec tech support said, "Yes, that's a known issue." Huh? Is there going to be a fix coming out? "None is planned at this time." WTF? We installed the next version of WinFax when it came out and the blue screen issue was still there. Another call to tech support, and another repetition of "Yes, that's a known issue, and we don't have any sort of fix for it planned. Just reboot your PC and you'll be fine."

      That last call presented me with the best music on hold that I've ever experienced, though. Their hold music machine had gone down that morning, so someone ran out and grabbed their Walkman out of the car and plugged it in. The CD that was in it was Bill Cosby's 'Wonderfullness'. By the time they picked up the phone a half hour later I was in a pretty good mood.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  2. Come on by jayhawk88 · · Score: 5, Insightful

    If the attackers place a network sniffer on a customer's internal network...

    You've got a hell of a lot bigger problems than pcAnywhere.

    1. Re:Come on by cduffy · · Score: 5, Insightful

      If the attackers place a network sniffer on a customer's internal network...

      You've got a hell of a lot bigger problems than pcAnywhere.

      Au contraire -- if your infrastructure isn't robust against this class of attack (all internal traffic authenticated and encrypted, particularly during password exchange), you're Doing It Wrong.

      Moreover, the concept of "defense in depth" applies -- a hard outer shell with a soft inner core means that when the eventual successful attack does happen (and it will!), the damage is that much worse. You can't have decent security if you design all the internal components assuming that the outer layer will protect them.

    2. Re:Come on by SpanglerIsAGod · · Score: 3, Insightful

      I find it interesting how many enterprise software companies don't understand that. When we run scans against their software and tell them we need them to fix vulnerabilities, it's amazing how often they come back with, "This product is designed to be used internally." Like that matters; if your company is bigger than 10 people you shouldn't be surprised to have internal users trying to hack your system.

      --
      War doesn't show who is right - just who is left.
    3. Re:Come on by Dishevel · · Score: 4, Insightful

      On the other hand your hard inner shell can cost the company massive amounts in lost productivity. The harder the core is the more people hate to go to work.
      You really need specific defenses set up. We have a mostly open wifi network connected to the internet (personal devices, visitors and the like). We also have a highly filtered connection to the internet for company systems. Servers are set on the local network behind a firewall that drops anything not expected and also drops anything that is expected if it is not coming from the place that it is expected to come from. Really critically confidential stuff (credit card data, personnel crap and the like) is nested behind an even more secure firewall.
      You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    4. Re:Come on by NotBorg · · Score: 2

      It's worse than that. You don't have to have a "guy on the inside" for many sites. There's this myth that if you throw up a big firewall then all the applications behind it are protected. It doesn't take a genius to see that a single compromised machine on the "secured" side of the wall (not uncommon) effectively exposes all those "protected" (internal) applications to risk. Unless you're sure you can keep all your users' workstations free from compromise (good luck with that), you should just start with the assumption that your "protected" (internal) applications are exposed.

      --
      I want this account deleted.
    5. Re:Come on by cduffy · · Score: 2

      You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed.

      I'm talking about end-to-end encryption -- your jump into password policies is just bringing up the Mordac the Preventer strawman.

      Using TLS for your internal services doesn't make users' lives worse; for that matter, a number of technologies offering end-to-end encryption and authentication make users' lives better by offering single-sign-on capabilities (see: Kerberos) while doing host- and service-level authentication and encryption in the background. Having your hard core kerberized means no additional hoops to jump through on login, but ensures that your backend services are able to determine that their access is eventually tied back to an active and valid session.

      Fighting any and all attempts at defense-in-depth because some people do it horribly wrong is simply misguided.

    6. Re:Come on by jimicus · · Score: 4, Insightful

      You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

      You're not talking about security, you're talking about policies that are thrown together piecemeal in the form of a constantly-updated list of "Things that have been described as insecure in the latest issue of "IT Security for - and written by - PHBs Magazine"". You know how it goes:

      Month 1: "Are your users using passwords that are too short?"
      EEKS! PANIC! From now on, all passwords must be at least 8 characters long!

      Month 2: "Are your users using easily guessable passwords?"
      PANIC! From now on, all passwords must be at least 8 characters long and consist of letters and numbers!

      Month 3: "Are your users using passwords that are too long? Yes, it's possible. Read our article..."
      SHIT! SHIT! SHIT! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers!

      Month 4: "Do you change your passwords often enough?"
      PANIC! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, and must change every 30 days!

      Month 5: "Are your users abusing your policy by typing in the same password every time they're prompted to change it? Read our exclusive report...."
      ACTION STATIONS! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

      Month 6: "Are you secure against dictionary attacks? Read our article about this SHOCKING new attack method!"
      AAARGH! Right, from now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

      Month 7: "Did you know? 70% of people use a simple password like 'aaaaaaaaa' or '1234567890123' (not particularly surprising if you've been following everything we've said) Turn to page 12 for our exclusive report!"
      DAMN! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

      Month 8: "New research suggests 30% of people use their own telephone number as a password!"
      OH NO YOU DON'T! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, will be checked against the phone number we have on record for you to ensure it's not that, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

      I think you've got the idea by now....

    7. Re:Come on by Dadoo · · Score: 2

      As usual, XKCD to the rescue:

      http://www.xkcd.com/936/

      Possibly the best advice I've ever heard about passwords. The problem is that people are so concerned about following the rules you discussed, they're actually making their networks less secure.

      --
      Sit, Ubuntu, sit. Good dog.
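The two posts above make a point that is easy to state and worth seeing in code: a password that satisfies every rule in the month-by-month parody can still be weak, while a random multi-word passphrase (the xkcd 936 approach) that the same policy rejects for being too long is strong, because strength comes from how a secret is generated, not from which rules it passes. The following is an added example, not code from the thread or from Symantec; it implements the cumulative parody policy as a checker and compares entropies under two stated generation models. The 7776-word dictionary size, the "one dictionary word plus one digit, optionally capitalised" attacker model, the placeholder phone number and the sample word list are all assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list. A diceware-style list has 7776
# words; that figure (an assumption, not from the thread) drives the entropy
# estimate below, and SAMPLE_WORDS only feeds the generator.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern",
                "velvet", "marble", "thistle", "copper", "harbor", "quill"]
ASSUMED_DICTIONARY_SIZE = 7776


def has_run_of_three(pw):
    """True if some character appears three or more times in a row."""
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def has_sequence_of_three(pw):
    """True if three consecutive characters step up by one code point,
    e.g. 'abc' or '123', which the parody policy forbids."""
    return any(ord(pw[i + 1]) - ord(pw[i]) == 1
               and ord(pw[i + 2]) - ord(pw[i + 1]) == 1
               for i in range(len(pw) - 2))


def policy_violations(pw, phone_number="5551234567", history=()):
    """Return the list of rules from the month-by-month policy that pw breaks.
    phone_number (a constructed placeholder) and history stand in for the
    records the policy keeps on file."""
    violations = []
    if len(pw) < 8:
        violations.append("shorter than 8")
    if len(pw) > 15:
        violations.append("longer than 15")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        violations.append("needs letters and digits")
    if has_run_of_three(pw):
        violations.append("same character three times in a row")
    if has_sequence_of_three(pw):
        violations.append("sequential characters")
    if phone_number and phone_number in pw:
        violations.append("contains the phone number on record")
    if pw in history:
        violations.append("reused within the last 12 passwords")
    return violations


def generation_entropy_bits(choice_counts):
    """Entropy of a secret built from independent uniform choices: the sum
    of log2 over the number of options at each step. This depends on how
    the secret was produced, not on which policy rules it happens to pass."""
    return sum(math.log2(n) for n in choice_counts)


def generate_passphrase(words=SAMPLE_WORDS, count=4):
    """Draw count words with a CSPRNG. With a 7776-word list four words give
    about 52 bits, even though the parody policy rejects the result as too
    long (and as lacking digits)."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    compliant = "Password1"          # passes every rule in the policy above
    passphrase = "correct horse battery staple"
    print(compliant, policy_violations(compliant))
    print(passphrase, policy_violations(passphrase))
    # Assumed attacker model for the compliant password: one dictionary word,
    # one trailing digit, capitalised or not -> 7776 * 10 * 2 options.
    print("word+digit entropy:", round(generation_entropy_bits([7776, 10, 2]), 1))
    print("four-word entropy:", round(generation_entropy_bits([7776] * 4), 1))
    print("fresh passphrase:", generate_passphrase())
```

Under these assumptions "Password1" clears every rule yet sits at roughly 17 bits against an attacker who tries dictionary words with a digit appended, while the four-word passphrase the policy rejects is about 52 bits; the checker cannot tell the two apart because it only inspects the string, never the process that produced it.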
  3. Security through obscurity? by Sockatume · · Score: 5, Insightful

    What the story doesn't mention is that the pcAnywhere source was nicked. It sounds like Symantec was aware of the weaknesses, and chose not to act until the source was stolen and the security weaknesses became public.

    http://www.channelregister.co.uk/2012/01/18/symantec_leak_latest/

    --
    No kidding!!! What do you say at this point?
    1. Re:Security through obscurity? by jesseck · · Score: 5, Interesting

      The source was stolen in 2006. This means that they corrected the problems in their other products which had stolen source, but not pcAnywhere. For 5-6 years, Symantec has been selling software which was potentially compromised.

      The current reported theft happened recently, but that source code came from a theft (unreported by Symantec, but known) back in 2006. That means, since 2006, Symantec has known the pcAnywhere source was stolen, knew of vulnerabilities, and chose not to fix that product. It sounds like they patched the rest of their products, though.

    2. Re:Security through obscurity? by knarf · · Score: 2

      There is another possibility here: pcAnywhere, being closed-source commercial software made by a vendor who is keen to sell as many copies to as many countries as possible, might contain one or more backdoors to enable Those_Who_Make_The_Rules (or those who pay enough) to access any pcAnywhere installation out there. These backdoors might not have changed since 2006, especially if they are based on some 'secret' certificate or another 'secret' sauce. With the source leaked, these secrets might not be so secret anymore - and might have not been so for the past 6 years. This being pcAnywhere, made by a commercial vendor who is keen to sell as much as possible while doing as little as possible, the fact that they knew the secret to be out there might not have bothered them all that much as long as it was not published in CEO magazine.
      Is this tin foil territory? It might sound like it, until you contemplate what mobile communications vendors regularly do to get access to controlled markets.

      --
      --frank[at]unternet.org
  4. Symantec white paper by Azarman · · Score: 2

    Had to deal with this issue this morning

    Extra information http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

    Presently, if you use pcAnywhere for WAN access, disable it now; if you use it in a closed network it should be OK, unless someone is already on the network, but if that is the case you already have a problem bigger than this.

    I think Symantec handled this OK. When Anon stated they had the source code last week, Symantec issued a statement about what they had, mainly 2006 code. Anon yesterday declared they had a few zero days; Symantec issued a statement dealing with it last night.

  5. Re:But of course by Anonymous Coward · · Score: 4, Informative

    I'm pretty sure that they made this clear in their disclosure?

    http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

    First two paragraphs from their Introduction:

    Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.

    With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

  6. Who still uses PCAnywhere? by ArcherB · · Score: 5, Informative

    I remember the first time I used it. It was a Godsend. It was so nice to simply take control and do it rather than sit there on the phone saying, "Click Start. Start. It's on the bottom left. S-T-A-R-T! No, don't type it. Click the button labeled 'Start'. No, it's not on your keyboard. No, wait. Hit CTRL-ESC. Control Escape. It's on your keyboard. Press and hold control and then press and release escape. Keyboard. It's on your keyboard. Nevermind. Do you see Start on your screen?" Even though we were connecting via dialup, it was lightyears better than trying to imagine the screen the user was describing and then describing elements of it back to them.

    But those days are long gone. Now we have RDP, VNC, WebEx, and a host of other remote desktop utilities and protocols. There is no longer a need for PCAW.

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    1. Re:Who still uses PCAnywhere? by Zocalo · · Score: 2, Funny

      "Click Start. Start. It's on the bottom left. S-T-A-R-T! No, don't type it. Click the button labeled 'Start'. No, it's not on your keyboard. No, wait. ...

      And that's where you went wrong. The correct procedure for any self respecting BOFH at this point would be:

      "Turn off the PC at the power switch, turn it back on and call back when you have logged back in. Bye." *Hang up phone* "I'm going on my coffee/cigarette break guys. See you in twenty!"

      --
      UNIX? They're not even circumcised! Savages!
  7. Good Job Symantec by rudy_wayne · · Score: 4, Interesting

    According to this article, the source code for PCANywhere was stolen from Symantec's network in 2006. That's right . . . . 2006. Good work Symantec. It only took you 6 years.

    1. Re:Good Job Symantec by elrous0 · · Score: 5, Funny

      It only took you 6 years.

      They would have gotten an email out sooner, but Norton was REALLY slowing their computers down.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    2. Re:Good Job Symantec by L4t3r4lu5 · · Score: 2

      The disclosure of the breach was drafted in 2006, but the tech at the time decided to start a virus scan before sending it.

      The mail server only just started responding again.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:Good Job Symantec by GrBear · · Score: 2

      Parent modded "Funny", but exasperates why Slashdot needs a "Sad But True" mod tag.

  8. Re:Best: stop using Symantec and MS-Windows produc by Jeng · · Score: 2
    --
    Don't know something? Look it up. Still don't know? Then ask.
  9. Symantec is a little slow on the uptake here by IGnatius+T+Foobar · · Score: 2

    Most of us have been advising people not to use pcAnywhere for more than a decade now. :)

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  10. Re:There was never a need anyway if you used unix by Sockatume · · Score: 4, Insightful

    It's not exactly relevant to the subject at hand, is it? His point is that it was really, really handy to be able to do that with Windows. Nobody even brought up Unix, or who did it first.

    --
    No kidding!!! What do you say at this point?
  11. Re:Best: stop using Symantec and MS-Windows produc by jeremyjo · · Score: 2

    Are you kidding? If we're supposed to stop using pcAnywhere because the source code is out there, just think how insecure Linux is! Its source code has been out there way longer.

  12. Re:Symantec AV will kill your PC by couchslug · · Score: 3, Insightful

    Because they don't know how the magic box works, that's why.

    Yes, really.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  13. Re:Symantec AV will kill your PC by jason777 · · Score: 2

    I'm required to at work. And yes it brings the system to a crawl.

  14. Re:Symantec AV will kill your PC by lwriemen · · Score: 2

    This is the same reason Windows has a monopoly on the PC. (Along with the illegal use of monopoly power, natch.)

  15. Re:There was never a need anyway if you used unix by pak9rabid · · Score: 2

    This isn't another juvenile does-it-run-on-linux rant, but I think it's reasonable to point out that remote full screen GUI access via X windows has been around since the mid 80s. A LONG time before any remote GUI windows app or even Windows itself existed.

    Yeah, and unless you're connecting over a LAN connection, it's 100% terrible. That's why projects like FreeNX and x2go exist...to clean up the massive bloat and waste the X11 protocol introduces.

  16. Re:Finish that sentence! by alittle158 · · Score: 5, Funny

    ...you might as well consider Ethernet cables to be inherently insecure...

    Shh...don't let the people at monster cable know that. They might find a new source of revenue in "encrypted ethernet cables"

    --
    If it's not on fire, it's a software problem
  17. Re:There was never a need anyway if you used unix by Skuld-Chan · · Score: 2

    Scraping what someone actually sees on their X-Serv for support reasons is a bit of a different problem - one that most people solve with VNC oddly enough.

    PC-Anywhere had support for modems too - I remember using it to support backwater glass shops on MS-Dos applications...

  18. Re:There was never a need anyway if you used unix by ArcherB · · Score: 2

    The OP was saying that people no longer have to use PCAW these days because of VNC etc. My point is we never had to use PCAW anyway if we used unix or linux on a PC. If that explanation still isn't simple enough for you let me know and I'll mail you one drawn in crayon.

    The problem was that I was working for a digital imaging company that installed photo imaging kiosks in photo labs. Now, this was before digital cameras became popular so the majority of our business was from customers scanning images using flatbed scanner or negative scanner. Our software allowed for customers to manipulate their images in a number of ways and reprint them in minutes using the dye sublimation printer.

    Now, I would have loved to use Linux or Unix but we had some issues. First was finding drivers for the scanners we used. SANE sucked at the time. Next was finding drivers for the dye sub printers. The drivers simply didn't exist. Finally, there would have been issues finding drivers for the touchscreen interface for the CRT monitors we used at the time. Again, none were available.

    So, yeah. It would have been nice to use a *n?x solution, but it simply was not an option.

    Oh, and this was before most businesses had an Internet connection, so throw in modem drivers as well. Remember in 1999, Winmodems were all the rage and Linux drivers, again, did not exist.

    Finally, Kodak, our competition, did use Sun machines that ran a version of Unix, but they had millions to throw at the project and had the machines, drivers and software custom designed by Sun. We had 30 employees and had to use off the shelf components and modify them ourselves if need be.

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
  19. Re:Typical for the Windows world by dave420 · · Score: 2

    Microsoft's terminal services are pretty decent. It seems you've not used them.