Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec Tells Customers To Stop Using pcAnywhere

Posted by timothy on from the but-I-gotta-use-it-somewhere dept.

Orome1 writes "In a perhaps not wholly unexpected move, Symantec has advised the customers of its pcAnywhere remote control application to stop using it until patches for a slew of vulnerabilities are issued. If the attackers place a network sniffer on a customer's internal network and have access to the encryption details, the pcAnywhere traffic — including exchanged user login credentials — could be intercepted and decoded. If the attackers get their hands on the cryptographic key they can launch remote control sessions and, thus, access to systems and sensitive data. If the cryptographic key itself is using Active Directory credentials, they can also carry out other malicious activities on the network."

14 of 149 comments (clear)

  1. Way ahead of you, Symantec by elrous0 · · Score: 5, Funny

    Most /.er's stopped using your products a long time ago.

    Next up, Intel CEO admits "McAfee is just bloatware that doesn't actually do anything. To be honest, most of it just runs loops that eat up CPU, so people think it's doing something and want to buy a faster Intel CPU. It hasn't stopped an actual virus since the mid-90's."

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Way ahead of you, Symantec by Baloroth · · Score: 5, Funny

      t hasn't stopped an actual virus since the mid-90's."

      I wouldn't say that, it seems to do a pretty good job shutting down Windows.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  2. Come on by jayhawk88 · · Score: 5, Insightful

    If the attackers place a network sniffer on a customer's internal network...

    You've got a hell of a lot bigger problems than pcAnywhere.

    1. Re:Come on by cduffy · · Score: 5, Insightful

      If the attackers place a network sniffer on a customer's internal network...

      You've got a hell of a lot bigger problems than pcAnywhere.

      Au contraire -- if your infrastructure isn't robust against this class of attack (all internal traffic authenticated and encrypted, particularly during password exchange), you're Doing It Wrong.

      Moreover, the concept of "defense in depth" applies -- a hard outer shell with a soft inner core means that when the eventual successful attack does happen (and it will!), the damage is that much worse. You can't have decent security if you design all the internal components assuming that the outer layer will protect them.

    2. Re:Come on by Dishevel · · Score: 4, Insightful

      On the other hand your hard inner shell can cost the company massive amounts in lost productivity. The harder the core is the more people hate to go to work.
      You really need specific defenses set up. We have a mostly open wifi network connected to the internet. (Personal Devices, Visitors and the like) We also have a highly filtered connection to the internet for company systems. Servers are set on the local network behind a firewall that drops anything not expected and also drops anything that is expected if it is not coming from the place that it is expected to come from. Really critically confidential stuff is (Credit card data, personnel crap and the like are set nested behind an even more secure firewall.
      You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    3. Re:Come on by jimicus · · Score: 4, Insightful

      You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

      You're not talking about security, you're talking about policies that are thrown together piecemeal in the form of a constantly-updated list of "Things that have been described as insecure in the latest issue of "IT Security for - and written by - PHBs Magazine"". You know how it goes:

      Month 1: "Are your users using passwords that are too short?"
      EEKS! PANIC! From now all, all passwords must be at least 8 characters long!

      Month 2: "Are your users using easily guessable passwords?"
      PANIC! From now on, all passwords must be at least 8 characters long and consist of letters and numbers!

      Month 3: "Are your users using passwords that are too long? Yes, it's possible. Read our article..."
      SHIT! SHIT! SHIT! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers!

      Month 4: "Do you change your passwords often enough?"
      PANIC! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, and must change every 30 days!

      Month 5: "Are your users abusing your policy by typing in the same password every time they're prompted to change it? Read our exclusive report...."
      ACTION STATIONS! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

      Month 6: "Are you secure against dictionary attacks? Read our article about this SHOCKING new attack method!"
      AAARGH! Right, from now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

      Month 7: "Did you know? 70% of people use a simple password like 'aaaaaaaaa' or '1234567890123' (not particularly surprising if you've been following everything we've said) Turn to page 12 for our exclusive report!"
      DAMN! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

      Month 8: "New research suggests 30% of people use their own telephone number as a password!"
      OH NO YOU DON'T! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, will be checked against the phone number we have on record for you to ensure it's not that, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

      I think you've got the idea by now....

  3. Security through obscurity? by Sockatume · · Score: 5, Insightful

    What the story doesn't mention is that the pcAnywhere source was nicked. It sounds like Symantec was aware of the weaknesses, and chose not to act until the source was stolen and the security weaknesses became public.

    http://www.channelregister.co.uk/2012/01/18/symantec_leak_latest/

    --
    No kidding!!! What do you say at this point?
    1. Re:Security through obscurity? by jesseck · · Score: 5, Interesting

      The source was stole in 2006. This means that they corrected the problems in their other products which had stolen source, but not pcAnywhere. For 5-6 years, Symantec has been selling software which was potentially compromised.

      The current reported theft happened recently, but that source code came from a theft (unreported by Symantec, but known) back in 2006. That means, since 2006, Symantec has known the pcAnywhere source was stolen, knew of vulnerabilities, and chose not to fix that product. It sounds like they patched the rest of their products, though.

  4. Re:But of course by Anonymous Coward · · Score: 4, Informative

    I'm pretty sure that they made this clear in their disclosure?

    http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

    First two paragraphs from their Introduction:

    Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.

    With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

  5. Who still uses PCAnywhere? by ArcherB · · Score: 5, Informative

    I remember the first time I used it. It was a Godsend. It was so nice to simply take control and do it rather than sit there on the phone saying, "Click Start. Start. It's on the bottom left. S-T-A-R-T! No, don't type it. Click the button labeled 'Start'. No, it's not on your keyboard. No, wait. Hit CTRL-ESC. Control Escape. It's on your keyboard. Press and hold control and then press and release escape. Keyboard. It's on your keyboard. Nevermind. Do you see Start on your screen?" Even though we were connecting via dialup, it was lightyears better than trying to imagine the screen the use was describing and then describing elements of it it back to them.

    But those days are long gone. Now we have RDP, VNC, WebEx, and a host of other remote desktop utilities and protocols. There is no longer a need for PCAW.

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
  6. Good Job Symantec by rudy_wayne · · Score: 4, Interesting

    According to this article, the source code for PCANywhere was stolen from Symantec's network in 2006. That's right . . . . 2006. Good work Symantec. It only took you 6 years.

    1. Re:Good Job Symantec by elrous0 · · Score: 5, Funny

      It only took you 6 years.

      They would have gotten an email out sooner, but Norton was REALLY slowing their computers down.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
  7. Re:There was never a need anyway if you used unix by Sockatume · · Score: 4, Insightful

    It's not exactly relevant to the subject at hand, is it? His point is that it was really, really handy to be able to do that with Windows. Nobody even brought up Unix, or who did it first.

    --
    No kidding!!! What do you say at this point?
  8. Re:Finish that sentence! by alittle158 · · Score: 5, Funny

    ...you might as well consider Ethernet cables to be inherently insecure...

    Shh...don't let the people at monster cable know that. They might find a new source of revenue in "encrypted ethernet cables"

    --
    If it's not on fire, it's a software problem