Did the 2006 Symantec Breach Expose RSA's SecurID?

Friday, February 10, 2012

Kevin McAleavey


Author's note: This article is based on significant speculation on my part. I am writing this reluctantly as I had expected others more directly involved in the industry to have raised the issues I'm about to given its gravity.

This is an invitation for both Symantec and EMC to clarify whether or not any of the code contained in public leaks of Symantec source code has been remediated in order to protect current customers since I see it as a liability for EMC's RSA division unless there's a valid explanation for what I've discovered, and that I'm wrong about the potential impact.

I sure hope so.

There are, to my mind, some serious concerns that the Symantec leak could pose a risk to RSA's "SecurID" product, but only EMC can set people's minds at ease. That is the purpose of this article.

I've been involved in the Symantec story since it first appeared here on Infosec Island after "Yamatough" contacted our publication with reputed source code for numerous Symantec products.

In my capacity as a coder and antimalware researcher, I was asked to independently download and examine the contents of Symantec code which was publicly available, including snippets of code released in early January, as well as the Norton Utilities source code released on January 13.

In both cases, after reviewing various portions of the source code in question and my awareness of major changes to the Windows operating system since 2006, it was my determination that the majority of source code was rendered largely obsolete and inert as the result of both 64 bit versions of Windows as well as changes required for Vista and therefore unlikely to have remained intact currently.

This past Tuesday, source code for PCAnywhere was released and as before, I downloaded the torrent and examined some of its contents.

The PCAnywhere code was of a similar vintage, however there was evidence here of code created for both 64 bits as well as Vista which meant that it's entirely possible that much of this code might still be in use in current versions of the PCAnywhere product.

Symantec also acted to patch PCAnywhere quickly after the announcement of the potential release of the source code which suggests to me that there were indeed pieces of the 2006 source code still in use in their current product.

We can assume therefore that Symantec took reasonable steps to redesign these portions of code in their patch updates which would likely render vulnerable portions of their own code safe to use as they indicated in communications to their customers. I'll take them at their word that they have.

However, further examination of the source code for PCAnywhere turned up something that is disturbing to me at least and is the basis for the questions I'm raising in this article.

The source code which fell into the hands of "Yamatough" contains numerous header files and several libraries belonging to RSA, and indeed SecurID code is a part of the PCAnywhere product contained in the purloined source code.

(click image to enlarge)


What is particularly interesting about the files in the source is that Symantec clearly removed all of the code pertaining to the Windows version of RSA's sources and libraries, leaving numerous directories for Windows RSA code empty, yet the directories intact. But they left in Linux headers and libraries designed to be compiled against "RedHat 7" Linux and therein is what I see as a risk to EMC's RSA product.

I did not make the effort to examine the code fully, but did examine a good number of various header declarations through several files and they appear to be sufficiently complete to compile malware against RSA's library code contained in Symantec's sources.

(click images to enlarge)




It should be noted that the files in question date back to May of 2003, but RSA's encryption dates back into 1999 and is likely to be sufficiently valid enough to abuse today. The document named "RSA SecurID Ready Implementation Guide.doc" is harmless and is intended to explain to Symantec users how to configure the SecurID components inside PCAnywhere.

It is those header files and more significantly the "libbsafe.a" library which is of concern here since ".a" files are compiled, but not linked which would make them linkable to any code including potential malware. And the headers would provide the information necessary to call into this library file for anyone who linked the headers and library to their code.

I did not attempt to discover what is actually inside the "libbsafe.a" library nor attempt to reverse engineer the library because there are legal issues in doing so that I did not want to step in. So perhaps Symantec and/or EMC can tell us what that library is actually about.

And given the RSA break in last year to obtain valid "keys" to use to infiltrate so many government and corporate systems using SecurID, I can't help but wondering if this code was stolen back in 2006 or thereabouts, could this possibly be the reason why the attackers had such widespread success?

Having the source code headers for the libbsafe library would certainly give them everything they'd need as long as they could gather enough keys to figure out the rest of the algorithm given the sources in my estimation.

And while the Windows libraries were absent along with the Windows header files, the Linux header files would still be useful for generating Windows malware and in the ".a" format, the compiled Linux libraries could easily be reverse-engineered in order to reconstruct valid Windows libraries to go along with the headers.

And it is this which gives me a serious case of the willies if I were using SecurID and my utter surprise that these sources could be "out there" in the hands of any untrusted third party, much less script kiddies, for so long without alarms going off immediately from Symantec. And I don't know if EMC was even aware of this.

I seriously believe that the security community deserves some answers, and some better disclosure about what exactly happened here.

My apologies in advance for ruining people's Friday.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.

Possibly Related Articles:
Information Security
Antivirus RSA Vulnerabilities Symantec Linux Anonymous Hacktivist hackers Norton breach Source Code SecurID Red Hat The Lords of Dharmaraja YamaTough Kevin McAleavey PCAnywhere Norton Utilities libbsafe library
Post Rating I Like this!
Krypt3ia Groove, It feels like it is you who have it in for me over the comments on Symantec I have made really. Let me put you straight on a few things.

First, I am not a journalist.

Second, my comments are just that, commentary which I have just as much a right to put out there as you do here and now.

Third, I made my comments on Symantec because I interface with it in an enterprise setting managing it and I find it mostly useless. It is not an implelentation issue, it is a root issue with the console and the system. I do not need to drag all of that out just to satisfy you so you won't chide me for being narrow minded or a meanie.

So, there you have it Collective, you commented much the same on my blog and I approved them for all to see. Had I been trying to censor your feelings then I would have deleted them or shouted you down, neither of which I did. As to not adding to dialogue, you mention the Symantec post alone, have you had this issue wiith other posts or are you just fixated with managiing Symantecs image here?

Collective Grooves Krypt3ia I do not have it in for you personally. What I have found since this story broke is people such as yourself judging an entire organization for one product that they had some issues with. It pollutes the actual issue at hand with nonsense and does not offer any value whatsoever.

People such as yourself have gone out of their way to "comment" on how they hate the product or how useless it is, and turning a chance to add value to a serious story in to a witch hunt.

Specifically for this story, I believe Symantec have done well considering the circumstances. They have been forthcoming with information to their customers and have identified the steps needed to remidiate the situation.

Exactly how the source code got out there, we will never know the true story and we can only ever speculate. However given the code is a number of years old and newer versions have been developed, I do not see any heightened risk and am confident that customers using Symantec products will be protected and looked after by Symantec.

In my experience, the failure of a product in an environment has never been down to the product itself. I have found that it always comes down to the following:

- Poor Product Choice - The product was chosen for the environment without being 100% confident that it will meet its intended use. This is not the fault of the product, the features and functions are set out in black and white, it is matching the right product with the right use.

- Poor Architectural Design - Again this is a combination of the above and the architect not understanding the products capability's or understanding the issues which need to be solved.

- Poor Implementation - This can sometimes be the result of the above two points I have mentioned or it can be simply someone who does not have the experience with a product. Either way, it always ends badly and causes administrative headaches and overhead and leads to endless frustration.

- Poor Training - This I have found to be the cause of poor implementation. I have found that some administrators are either too proud to say that they need help and training because they don't want to be seen as being incapable. This is the fault of the organization that they work for as they do not generally have a career development program in place or they have a poor manager who does not understand that EVERYBODY has limitations.

I myself have never come across this with Symantec or any other product that I have implemented.

If I know what issues I need to address both current and future state and I understand the products capabilities both current and future state and the products that I evaluate meet and exceed my requirements. Then I look at the design and the implementation of the product with the assistance of the vendor to ensure that I am following best practices.

The easy part is training on the product to enable confidence in the use of the product and then a confident implementation follows naturally. (yes there will always be hiccups, but being confident in the product and the vendor ensure me that a good outcome is never too far away)

We as human beings tend to mock what we don't know or understand. It is human nature.

In your case if you have an issue with the product, then ensure that you involve the vendor to help get the issues resolved. Rather than mock them and tell the world how they suck or are useless give the vendor the opportunity to fix the issue and advise accordingly. Perhaps the product may not do what you are trying to achieve. If that is the case, find a product that can meet your requirements.

From a security perspective, you need to take a layered approach. You can not rely on a single layer to protect an environment. With your issue with Symantec Antivirus product and the increase of malware in your environment. I have found the simplest way to help reduce the spread of malware is to provide user training. Set up a workshop at lunch time for the employees, create an initiative with your manager or the CIO to help users better understand the dangers that lurk out there.

Non computer savvy people will open anything and everything because that's how they have been trained in the past. If you can help them understand the dangers that are lurking behind some emails and some webpages then you can potentially help reduce the spread of malware within your environment. They will then take that good practice home and it will end up becoming second nature. A good mail and web security product also adds that second layer of protection.

At the end of the day, an antivirus product should be the LAST line in your defense. Your Firewall, Mail & Web Security, User training should be at the higher layers of your defense strategy. Your users are your strongest and your weakest link. Help them help you.

Now that I have rambled on for some time, I will address the reason why I am following Symantec code leak story so diligently.

I am specifically following this for business and personal reasons.

From a business perspective, it does concern me that so many high profile organizations are being targeted. Only yesterday there was a post on Infosec Island saying that Intel was breached. From this information, I look to see what I can do to better protect the information that is stored in my companies environment.

I have resigned to the fact it is almost impossible to stop a breach/hack from occurring. It is my job to advise on how we can mitigate the risk even further to make it as hard as possible for hackers to breach my environment.

From a personal perspective, I mentioned this on your blog. I am looking at the bigger picture and the worst case scenario. The bigger picture is (according to the information on the internet) the Indian Military was hacked. Now as state based hacking has increased over the years (depending on who you believe) what does this mean for us the end user?

Are these hackers associated with terrorist organizations? Call me melodramatic, but what world are we living in where now everybody wants to stab everybody in the back? Why are people so consumed with chasing money and fame?

Hypothetically speaking, say that source code is not the only thing they took, what is they took information pertaining to nuclear facilities. Given that there is news that these hackers tried to extort money (depending on who you believe). Who is to say that they wont sell this information to a terrorist organization. So that is one side of the story ff that's not the case and no money was ever going to change hands, what is their motive. In this instance the motive for this hack has not been made clear. What are they trying to achieve?, what are they trying to prove?

These are the questions I want to try and answer. What I don't want is people polluting the story with their own agenda because they don't like a product or a particular vendor.

From here on I wont be making any further comments. I think I have said my piece and I don't think I could add any further value to this conversation. Out of all of this, I hope your blogs and your comments are less one sided and you are open to looking at the broader landscape rather than focusing on negative experiences.

Goodbye and Good Luck
Collective Grooves
Krypt3ia Still sounds to me like turd polishing on your part but ok, lets go with it. I actually ask the question that no one was really talking about. How long has there been a compromise at Symantec other than the 2006 attack and code leak? This is a valid question and to you asking the question is comingled with my comments on personal experience with the tool at hand (SEP)

Aside from this, the questions being asked have not been redressed and you seem ill informed as to much of what is going on out there with regard to YamaTougher and the incident.

First off, the documents he/they provided were not real per study of others out there. The Indian government like others is likely leaking data but in this case, there was an ulterior motive to this incident. Whether that be just making a name for him/themselves or other is yet to be really determined. The upshot though is that YT has it in for Symantec for whatever reason they have and made this incident more than it should have been to begin with. The media only picked up on it because it was perceived as a "if it bleeds it leads" story and they would get play. So, while you contemplate the navel here, you have little understanding of the whole picture, so you go on a tangent and strike a blow (perceived)against me as being biased and misinforming.

You want questions answered, do some research for yourself. Don't just whine about my commentary or my questioning of what is going on with Symantec, the company with the larger of the market share of AV and a product I feel is way over rated by the masses as a prophylaxis against malware. You mentioned the fact that it should be the third tier of protection and finally I agree with something you are whining about. AV is not the answer, but neither is the ol' "I have a firewall" argument either. It's all about defense in depth so good on you there.

Otherwise, you just seem to be wallowing in questions and want answers. I say to you go find those answers for yourself and if you don't agree with what I have to say, great, take it with a grain of salt and move on. Or for that matter, you see my name attached, move on. It's all good Grooves. What I take umbrage to is your lack of ability to do anything here but decry comments and information that I post as being one sided.

Sorry, but, that's the world.

Page: « < 1 - 2 > »
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.