In Symantec's shoes


Analysis: What would you do, faced with ransom demands and code leak?

Last week, Symantec's tussle with a hacker went public.

The company made headlines in the past month after admitting to a 2006 breach, in which the source code for its Norton software was stolen.

All the while, Symantec was locked in ‘negotiations’ with a hacker over a ransom demand.

The hacker, who calls himself ‘YamaTough’ and claims to be a member of the Anonymous affiliate ‘Lords of Dhamaraja’, attempted to get $US50,000 from Symantec by corresponding with Sam Thomas at a Symantec email address.

In a leaked transcript of the email conversation, Thomas asked for assurances from YamaTough on the code.

YamaTough warned: “If we detect any malevolent tracing action we cancel the deal.”

An exchange of words occurred on 25 January, the same date that pcAnywhere users were warned to disable the software, when YamaTough said: “If we dont [sic] hear from you in 30 [minutes] we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code”.

Thomas replied: “We are not trying to trick you. You said you had the pcAnywhere code and we were just being cautious. What would you have us do? We really don't want our code out there. How do you want to proceed?”

The conversation then moved on to money, with YamaTough saying on 30 January that he could offer no guarantee that he wouldn't come back for more.

“We are afraid if you can not comply we proceed with the release,” the hacker wrote.

“You have to trust us on this one, if we were really bad guys we would have already released or sold your code at the time of exchanging emails with you which is almost a month – and we kept silent all that time and stuck to our word given to you.

“So – no guarantees – trust us – we won't come back and won't manipulate the code.

“At least it is worth a try and we assure you we are man of honour we keep our promise. What you are going to get if no agreement reached? We both know.

“Partial release of code – official auction bidding on some of it – zero-day exploitation. That happens as soon as we understand your negative call.

“As of files sent to you partially – we are getting tired of all this please do not make us more angry than we already are you know we got the full line so please nothing is going to be send to you once again [sic].”

What would you do?

Symantec began by offering an initial $US1000 and said “you threatening to release the code is not helping the situation”.

Another message sent on 1 February offered $US50,000 but requested “assurances that you are not going to release the code after payment”.

Thomas offered $US2500 a month for the first three months and, after that, wanted proof that the code had been destroyed before the remainder of the balance would be paid.

The next day YamaTough said: “I am afraid we have to cancel the whole deal because our offshore people won't let us securely get the money because they wont [sic] process amounts less than 50k a shot. Therefore we are afraid we can not proceed with you on the conditions offered.”

At the start of this week, YamaTough demanded a reaction within ten minutes and said the next action would be a code release on The Pirate Bay; Symantec later confirmed that the released code was genuine.

The vendor stated that the source code for pcAnywhere had been posted publicly and said it was part of the original cache of code for 2006 versions of the products that Anonymous claimed to possess.

It also said that it anticipated Anonymous would post the rest of the code, including the code for the 2006 versions of Norton Antivirus Corporate Edition and Norton Internet Security.

“As we have already stated publicly, this is old code and Symantec and Norton customers will not be at an increased risk as a result of any further disclosure related to these 2006 products,” Symantec said.

Symantec also said that it worked closely with law enforcement given the attempted extortion and apparent theft of intellectual property and denied that it ever made any offer to meet the hackers' extortion demands.

Graham Cluley, senior technology consultant at Sophos, said he suspected that ‘Sam Thomas’ wasn't a Symantec employee at all, but instead working for the FBI.

He said: “With customers reassured by Symantec that the illegal theft and distribution of the source code poses no increased risk, the company will be keen to put this episode behind it and move on.

“Symantec seems to have done the right thing throughout this incident – investigating what occurred, and openly sharing with its users what it discovered about a security breach from years before.

“Furthermore, they recognise that they have been victims of a criminal act and have called in the authorities to investigate and (one hopes) bring the culprits to justice.”

Cyber security analyst Jeffrey Carr expected the episode to continue to be a fiasco for Symantec.

“Symantec shouldn't have offered a penny for their code,” Carr said. “It's the equivalent of Obama asking if Iran would return our drone to us – it's demeaning and weak. It's gone.

“Evaluate how much damage can be done and start re-writing your code to circumvent possible exploits. Be open and honest with the public and your customers.

“Acknowledge how badly you screwed up and tell us what changes you're making to ensure that it never happens again.”

Carr said Symantec should not have bowed to YamaTough's ransom demands, especially since the company had no guarantees that the hacker would not keep a copy of the code or any zero-day exploits that he had written during the negotiations.

Any stolen source code should be considered completely compromised, he said.

A hacker's perspective

According to black hat hacker ‘Pr0f’, who was behind the attack on the SCADA-based system at the Houston water plant last year, extortion attempts on source code were uncommon.

Pr0f said getting source code was not particularly easy and it would almost be too valuable to release immediately, so an attacker had time to look for exploits without having to fuzz the application.

“I'm not surprised that the source code here is actually half a decade old,” he said.

“I can't say I approve of the extortion itself, though, that's just sheer blackmail,” he added.

Both Carr and Pr0f said it was possible that Sam Thomas was an FBI agent, instead of a Symantec employee.

Carr noted that he could not find anyone by that name related to Symantec on LinkedIn.

Pr0f said although there was no guaranteed way to know if one was talking to an FBI agent or an employee in that situation, all it took was a Google search.

Looking forward, Carr said he would not be surprised to see new zero-day attacks mounted against Symantec products as a result of this major breach.

With RSA and VeriSign attacks in recent memory, nothing is certain.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition
