Symantec leak: Minor security threat but questions remain

Breach of third-party network unlikely to create security threat, but could impact how software companies let governments vet their source code

A group of purported Indian hackers claimed this week to have stolen the source code to Symantec's Norton AntiVirus software and allegedly are preparing to release it publicly. The security company refuted specifics of the incident, but acknowledged that two sets of older source code had been taken from a third party.

If Symantec's account is accurate, the leak is an embarrassment for the company but unlikely to be much of a security threat. Sure, vulnerability researchers may be able to gain some insight into the code -- which Symantec claims is four to five years old -- but bypassing antivirus is already a well-established service in the cyber criminal ecosystem.

"Getting the source code is not going to help them that much," Rob Rachwald, director of security strategy for Imperva, stated in a blog post. "It might give them a slight edge, but at the end of the day, it will not make that much of a difference in their ability to get by the scanner."

While the hack appears similar to last year's attacks on security-infrastructure firms, such as authentication-token provider RSA and Internet-credential provider Comodo, the focus of the attack resembles the politically motivated antics of some Anonymous-related groups. The hackers -- using the name "The Lords of Dharmaraja" -- claim to be part of the Anonymous movement, whose members have little in common except their dedication to hacking in the name of a cause.

Yet, Symantec may have to answer questions about why its code is on third-party servers and not better protected. In a post to Pastebin, since removed but still cached by Google, the hackers claimed to have stolen the files from the Indian military, but only posted an application programming interface for Norton created by Symantec and IBM from 1999. It's hardly a significant leak, though the group does claim to have "discovered within the Indian Spy Programme source codes of a dozen software companies."

The actual stolen source code, according to Symantec, belongs to the company's Endpoint Protection 11.0 and Antivirus 10.2 products. The company is still investigating the incident.

"Symantec's own network was not breached, but rather that of a third-party entity," spokesman Cris Paden said in an emailed statement. "We are still gathering information on the details and are not in a position to provide specifics on the third party involved."

The fact that the Indian government allegedly had access to the code is not surprising, said Rachwald. When companies do business with government agencies, they will often allow the government or an independent third party to review their code to ensure that it meets specifications, he said.

"If you are a foreign company and are doing business with the government, there is a third-party independent audit ... but it respects the intellectual property," he said. "The real question, I'm wondering, is why did the Indian government retain the source code?"

While the leak may not change the security landscape, it could have an impact on how companies do business with governments abroad and how they protect their valuable data, Rachwald said.

"This incident will change how companies go about letting governments vet their source code," he said. "I don't think they will just hand it over anymore."

This story, "Symantec leak: Minor security threat but questions remain," was originally published on the InfoWorld Tech Watch blog.