A hacker who was negotiating a ransom for stolen source code to a Symantec product released the data via peer-to-peer networks on Tuesday after negotiations fell through.
The code is for security vendor Symantec’s pcAnywhere remote access software.
Symantec had last month warned pcAnywhere users to observe best security practices and told them they might have to disable the application. The company launched its own investigation and called in law enforcement.
Publishing the source code for pcAnywhere could be very dangerous because “most pcAnywhere installations are at remote sites with no IT staff access,” Tan Sarihan, president of Kobil Technologies, told TechNewsWorld. “Some of them are running on critical systems.”
In January, the hacker group also posted code for Symantec’s Endpoint Protection 11 (SEP 11) and Symantec Antivirus Corporate Edition (SAV) 10.2 on the Web.
No Money for Nothing
A data thief using the moniker “YamaTough” on Tuesday also posted emails he or she exchanged with a Symantec representative discussing a payment of US$50,000 in return for not publishing the code for pcAnywhere.
The negotiations ran from mid-January through Monday. However, they appeared to founder Feb. 1, when YamaTough apparently realized the other party, who purported to be a Symantec staffer by the name of “Sam Thomas,” might have some links to the FBI.
Sam Thomas’s email address, which was used in the negotiations, was actually a fake email address set up by law enforcement, Symantec spokesperson Cris Paden told TechNewsWorld.
The ransom was suggested during the exchange between law enforcement and YamaTough, and “No bribe attempt was made by Symantec,” Paden added.
Haggling With the Hacker
“Sam Thomas” asked YamaTough to send over sample files and the path where the hacker found the file to a Gmail address apparently belonging to Thomas.
The cat-and-mouse games then began, with law enforcement attempting to drag out the negotiations and YamaTough repeatedly issuing new deadlines.
Eventually, YamaTough suggested Symantec make payments through Liberty Reserve, a Costa Rica-based payment processor.
“Sam Thomas” countered by suggesting Paypal as an interim choice and offered US$1,000 upfront. After being rebuffed, “Thomas” offered US$50,000. YamaTough would get $2,500 a month for the first three months, and the rest after proving the code had been destroyed.
Shortly afterwards, YamaTough told Thomas to “say hi to the FBI.”
Negotiations broke off Monday, and the hacker then tweeted about the $50,000 offer.
Yesterday’s Techniques, Today’s Crooks
“Clearly this [approach] didn’t work because the hacker suspected he was being phished,” remarked Rob Enderle, principal analyst at the Enderle Group. “I doubt the approach taken would have ever worked.”
“[Law enforcement] should have set up a drop. Physical methods for catching a kidnapper or blackmailer are far more advanced with law enforcement,” Enderle told TechNewsWorld. “It’s likely the hacker would have known about most electronic tracking methods but would have been relatively inexperienced in more traditional tracking methods.”
Given that the stolen code was Symantec’s intellectual property and cybercriminals could use it to launch widespread attacks, should the law enforcement agents perhaps have offered more than $50,000? YamaTough appeared to sneer at this sum in one of the tweets.
“It’s hard to believe that a hacker wouldn’t think any offer a trap, as it’s very unlikely a security firm would ever pay a ransom for something so easily duplicated,” Enderle stated.
The Danger of the Stolen Code
The theft of Symantec’s source code “shows how important data loss prevention and third-party testing of software is,” Kobil’s Sarihan said. “It’s very important to only allow employees to access critical source code and intellectual property on a need-to-know basis.”
Third-party testing is important “because a company’s own testing teams might not be able to see the vulnerabilities [in their code],” Sarihan stated.
It seems nobody, including security and antivirus vendors, is secure.
“Whether it’s Sony, RSA, Stratfor or Symantec, no one is spared in the world of organized hacking,” Parvin Kothari, founder and CEO of CipherCloud, told TechNewsWorld.
“Organizations must protect their data at each layer using encryption and other controls,” Kothari remarked. “People expect such practices from a security company.”
Enterprises and consumers “should be constantly examining the level of risk in their data and infrastructure because their infrastructure is constantly changing,” Kothari suggested. “They should always protect their data at each layer using encryption and [other] controls.”
The hacker, or the FBI in this case? First off, this is like a 411 scam baiter. You know, the people that see how long they can string out the morons trying to trick them into sending them money, and how many dumb things they can get them to do in the meantime.
First – To hold a hostage you need a "tangible" and "unique" entity. This isn’t a movie. No one sends the original disk, cut up, in an envelope, to someone, as proof they destroyed it. Hell, you can’t even tell if it’s the 2nd, or 2,000th copy of the same files, or disk.
Second – Because you can’t tell, if someone had in fact been willing to send this guy money, and enough of it to matter, he would have been sitting on a beach someplace, his money redirected someplace they couldn’t find it, while half the planet was acquiring copies of the stuff he claimed he would "destroy the only copies of," over whatever P2P networks haven’t closed down, or been targeted for takedown.
So, again, either one, or both, have to be complete idiots to try this sort of thing. And, more to the point, the whole idea of "holding code hostage" would be the equivalent, in something like the Star Wars universe, of holding one storm trooper hostage, on the theory that it would cause problems for the entire clone army manufacturing going on at Kamino. No one would give a flying F about one clone, or copy, nor would any sane, rational, or at least not completely stupid, person imagine that getting rid of the copy/clone you know someone has would prevent them, somehow, retroactively, from making thousands of others.
Author fails to mention this was code from the 2006 edition that is no longer in use. Obsolete and discontinued. Thus making this not even newsworthy.