India has had some serious issues dealing with technology over the past decade; the country has gone from a potential tech behemoth to an open joke. An Indian hacking group, calling itself the Lords of Dharmaraja, has threatened to publicly disclose Symantec source code on the internet. So far, there have been two claims related to Symantec’s source code. A document claiming to be confidential information related to Norton AntiVirus’s source code was posted on Pastebin. Symantec says it has investigated the claim and that, rather than source code, most of the hackers’ booty appears to be documentation dated April 1999 describing an API (application programming interface) used by the product.
In a later posting to Pastebin, the hacking group shared what it said was source code. However, the code appears to be from the 2006 version of Symantec’s Norton AntiVirus. Almost as quickly as the hackers post documents, accounts are closed, documents are removed, and the smoke-and-mirrors game goes nowhere. The hacking group claims to be working on creating mirror sites for its content, though nothing of any real substance has come through. The group claims that it has been “pressured and censored by US and Indian government agencies.” It’s important to underline that there is presently no reason to believe that Symantec’s own servers have been compromised in any way.
It appears that the data leak occurred on Indian government servers, which are notoriously insecure; the implication is that Symantec, and perhaps other software companies, may have been required to supply their source code to the Indian authorities. The source code the hackers have released is NOT relevant to ANY of Symantec’s current anti-virus products: it is six years old. This is very likely a case of over-excited Indian hackers.
The serious question now is: has Symantec misled the Indian government by feeding it old, redundant code, or are Indian hackers truly going the way of Indian call center operators?
A hacker going by the Twitter handle “Yama Tough”, who appears to be acting as a spokesperson for the group, posted the content to Pastebin on January 5, 2012 and subsequently published messages on Google+ about the alleged breach; both the Google+ and Pastebin accounts have since been removed. Yama Tough said via Twitter that “Our accounts and mirrors have been locked” and that their “Symantic owned Pastebin vanished”.
Infosec Island reported that it had been provided with a file by an unidentified hacker going by the handle YamaTough which, after preliminary analysis, appeared to contain source code for the 2006 version of Symantec’s Norton antivirus product.
Cris Paden, Senior Manager for Corporate Communications at Symantec, emailed Infosec Island editors with the following statement concerning the exposure of source code for the company’s Norton antivirus product:
“Symantec can confirm that a segment of its source code has been accessed. Symantec’s own network was not breached, but rather that of a third party entity.”
“We are still gathering information on the details and are not in a position to provide specifics on the third party involved.”
“Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time.”
“However, Symantec is working to develop a remediation process to ensure long-term protection for our customers’ information. We will communicate that process once the steps have been finalized.”
“Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”
Though the code is for an older version of the Norton antivirus product, the impact of the exposure is still undetermined, and several questions remain:
As the file provided to Infosec Island and passed on to Symantec was merely a sample of the material YamaTough claimed to possess, can we be certain that code for more recent editions has not been compromised as well?
What was the “third party” – presumably some entity related to the Indian government – doing in possession of the source code for the Symantec product?
How much information would source code from 2006 provide to malware authors, assuming that the entire product has not been reinvented from scratch since the time this code was produced?
Symantec officials have indicated that they will provide more information as they continue their investigation, and certainly more will be known if the entirety of the compromised data YamaTough claims to possess is finally released to the public, as has been threatened.
UPDATE: January 14, 2012. A hacker who goes by the name ‘Yama Tough’ threatened on Saturday to release the full source code for Symantec Corp’s flagship Norton Antivirus software next week. “This coming Tuesday behold the full Norton Antivirus 1,7Gb src, the rest will follow,” Yama Tough posted via Twitter.
In the past week, Yama Tough has released fragments of source code from Symantec products along with a cache of emails. The hacker says all the data was taken from Indian government servers. Symantec, the maker of Norton AntiVirus, has confirmed that a hacking group gained access to some of the security product’s source code.