Paul Ducklin, Sophos:
Symantec source code breach saga continues
January 19, 2012
Two weeks ago, we wrote about the wrangle between Indian cybercrew The
Lords of Dharmaraja and Symantec, in which the theft of some of
Symantec's source code was revealed.
At the time, Infosec Island, which describes itself as an "online
community, infosec portal and a social network all-in-one," quoted a
Symantec spokesman as saying:
Symantec can confirm that a segment of its source code has been
accessed. Symantec's own network was not breached, but rather that of a
third party entity.
The newswires are again abuzz with updates to this story, with Infosec
Island now saying that Reuters is saying that:
Symantec is now asserting that the company was hacked in 2006 and
source code for several of their leading commercial and enterprise
products was stolen.
(I guess that makes this an article in which Naked Security is saying
that Infosec Island is saying that Reuters is saying that Symantec is
asserting that this was, after all, a break-in on its own network.)
So, with all this 'he-said-she-said' going on, why am I writing this?
The reason is that I've already had a couple of enquiries wondering what
I think of all of this.
Am I secretly gloating that a competitor got breached? Am I ready to
start pointing fingers? Whose side am I on?
And here are the answers: No, Yes, the Good Guys.
No, I am not gloating that a competitor got breached. I'm sure Symantec
is kicking itself that this happened. The company doesn't need me to put
the boot in too.
Yes, I am pointing fingers - at the crooks. Not at "the hackers"; at the
crooks. That's what they are. This is a cybercrime. Symantec is the
victim.
And I'm on Symantec's side in that I hope the company can work out what
happened, collect some usable evidence, and help law enforcement to
identify, locate, charge, prosecute and convict those responsible.
I accept that's unlikely. But it's not impossible. So let's live in
hope.
By the way, if ever you're tempted to look at stolen source code, my
recommendation is: don't do it. Here are my reasons:
* If you're interested in learning from source code, there's plenty of
good open source software which you can study freely and lawfully.
* Great lumps of five-year-old commercial source code aren't, for the
most part, terribly interesting. Granted, you'll probably find a couple
of comic comments, and perhaps even an AWOOGAH! or two. That's about as
riveting as it gets.
* It's unlawfully acquired. You wouldn't knowingly buy a stolen car. So
don't grab stolen code.
As one reader, Collective Grooves, commented on our earlier article:
It appears that Symantec is being used as a pawn in the hackers'
chess game to make their point, which is very unfortunate.
Nicely said.
Paul Ducklin is Sophos's Head of Technology, Asia Pacific. He won the
inaugural AusCERT Director's Award for Individual Excellence in Computer
Security in 2009.
Follow him on Twitter at @duckblog.