A hacker who had been negotiating a ransom for stolen source code for a Symantec product released the data via peer-to-peer networks on Tuesday after the negotiations fell through.
The code is for security vendor Symantec’s pcAnywhere remote access software.
Symantec had last month warned pcAnywhere users to observe best security practices and told them they might have to disable the application. The company launched its own investigation and called in law enforcement.
Publishing the source code for pcAnywhere could be very dangerous because “most pcAnywhere installations are at remote sites with no IT staff access,” Tan Sarihan, president of Kobil Technologies, told TechNewsWorld. “Some of them are running on critical systems.”
In January, the hacker group also posted code for Symantec’s End Point 11 (SEP 11) and Symantec Antivirus Corporate Edition (SAV) 10.2 on the Web.
No Money for Nothing
A data thief using the moniker “YamaTough” on Tuesday also posted emails he or she exchanged with a Symantec representative discussing a payment of US$50,000 in return for not publishing the code for pcAnywhere.
The negotiations ran from mid-January through Monday. However, they appeared to founder Feb. 1, when YamaTough apparently realized the other party, who purported to be a Symantec staffer by the name of “Sam Thomas,” might have some links to the FBI.
Sam Thomas’s email address, which was used in the negotiations, was actually a fake email address set up by law enforcement, Symantec spokesperson Cris Paden told TechNewsWorld.
The ransom was suggested during the exchange between law enforcement and YamaTough, and “No bribe attempt was made by Symantec,” Paden added.
Haggling With the Hacker
“Sam Thomas” asked YamaTough to send sample files, along with the path where the hacker had found them, to a Gmail address apparently belonging to Thomas.
The cat-and-mouse games then began, with law enforcement attempting to drag out the negotiations and YamaTough repeatedly issuing new deadlines.
Eventually, YamaTough suggested Symantec make payments through Liberty Reserve, a Costa Rica-based payment processor.
“Sam Thomas” countered by suggesting PayPal as an interim choice and offered US$1,000 upfront. After being rebuffed, “Thomas” offered US$50,000: YamaTough would get $2,500 a month for the first three months, and the rest after proving the code had been destroyed.
Shortly afterwards, YamaTough told Thomas to “say hi to the FBI.”
Negotiations broke off Monday, and the hacker then tweeted about the $50,000 offer.
Yesterday’s Techniques, Today’s Crooks
“Clearly this [approach] didn’t work because the hacker suspected he was being phished,” remarked Rob Enderle, principal analyst at the Enderle Group. “I doubt the approach taken would have ever worked.”
“[Law enforcement] should have set up a drop. Physical methods for catching a kidnapper or blackmailer are far more advanced with law enforcement,” Enderle told TechNewsWorld. “It’s likely the hacker would have known about most electronic tracking methods but would have been relatively inexperienced in more traditional tracking methods.”
Given that the stolen code was Symantec’s intellectual property and cybercriminals could use it to launch widespread attacks, should the law enforcement agents perhaps have offered more than $50,000? YamaTough appeared to sneer at this sum in one of the tweets.
“It’s hard to believe that a hacker wouldn’t think any offer a trap, as it’s very unlikely a security firm would ever pay a ransom for something so easily duplicated,” Enderle stated.
The Danger of the Stolen Code
The theft of Symantec’s source code “shows how important data loss prevention and third-party testing of software is,” Kobil’s Sarihan said. “It’s very important to only allow employees to access critical source code and intellectual property on a need-to-know basis.”
Third-party testing is important “because a company’s own testing teams might not be able to see the vulnerabilities [in their code],” Sarihan stated.
It seems nobody, including security and antivirus vendors, is secure.
“Organizations must protect their data at each layer using encryption and other controls,” Kothari remarked. “People expect such practices from a security company.”
Enterprises and consumers “should be constantly examining the level of risk in their data and infrastructure because their infrastructure is constantly changing,” Kothari suggested. “They should always protect their data at each layer using encryption and [other] controls.”