Did the 2006 Symantec Breach Expose RSA's SecurID?

Friday, February 10, 2012

Kevin McAleavey


Author's note: This article is based on significant speculation on my part. I am writing this reluctantly, as I had expected others more directly involved in the industry to have raised the issues I'm about to raise, given their gravity.

This is an invitation for both Symantec and EMC to clarify whether or not any of the code contained in the public leaks of Symantec source code has been remediated in order to protect current customers. I see it as a liability for EMC's RSA division unless there is a valid explanation for what I've discovered and I am wrong about the potential impact.

I sure hope so.

There are, to my mind, some serious concerns that the Symantec leak could pose a risk to RSA's "SecurID" product, but only EMC can set people's minds at ease. That is the purpose of this article.

I've been involved in the Symantec story since it first appeared here on Infosec Island after "Yamatough" contacted our publication with reputed source code for numerous Symantec products.

In my capacity as a coder and antimalware researcher, I was asked to independently download and examine the contents of Symantec code which was publicly available, including snippets of code released in early January, as well as the Norton Utilities source code released on January 13.

In both cases, after reviewing various portions of the source code in question, and given my awareness of the major changes to the Windows operating system since 2006, I determined that the majority of the source code had been rendered largely obsolete and inert by the 64-bit versions of Windows and by the changes required for Vista, and was therefore unlikely to have remained intact in current products.

This past Tuesday, source code for PCAnywhere was released and, as before, I downloaded the torrent and examined some of its contents.

The PCAnywhere code was of a similar vintage; however, there was evidence here of code written for both 64-bit Windows and Vista, which means it is entirely possible that much of this code is still in use in current versions of the PCAnywhere product.

Symantec also acted to patch PCAnywhere quickly after the announcement of the potential release of the source code, which suggests to me that there were indeed pieces of the 2006 source code still in use in their current product.

We can assume, therefore, that Symantec took reasonable steps to redesign these portions of code in their patch updates, which would likely render the vulnerable portions of their own code safe to use, as they indicated in communications to their customers. I'll take them at their word that they have.

However, further examination of the PCAnywhere source code turned up something that is disturbing, to me at least, and is the basis for the questions I'm raising in this article.

The source code which fell into the hands of "Yamatough" contains numerous header files and several libraries belonging to RSA, and indeed SecurID code is a part of the PCAnywhere product contained in the purloined source code.

What is particularly interesting about the files in the source is that Symantec clearly removed all of the code pertaining to the Windows version of RSA's sources and libraries, leaving the numerous directories for the Windows RSA code present but empty. But they left in the Linux headers and libraries, designed to be compiled against "RedHat 7" Linux, and therein lies what I see as a risk to EMC's RSA product.

I did not make the effort to examine the code fully, but I did examine a good number of the header declarations across several files, and they appear to be sufficiently complete to compile malware against the RSA library code contained in Symantec's sources.

It should be noted that the files in question date back to May of 2003, but RSA's encryption dates back to 1999 and is likely still valid enough to abuse today. The document named "RSA SecurID Ready Implementation Guide.doc" is harmless and is intended to explain to Symantec users how to configure the SecurID components inside PCAnywhere.

It is those header files and, more significantly, the "libbsafe.a" library which are of concern here, since ".a" files are archives of compiled object files that have not yet been linked, which makes them linkable into any code, including potential malware. And the headers would provide the information necessary to call into this library for anyone who linked the headers and library into their own code.
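As an added example (not code from the article, from Symantec or from RSA), here is a minimal parser for the Unix "ar" container that static ".a" libraries use: listing an archive's members tells a defender which object files a library bundles without disassembling any of them. The sample archive below is constructed inline for the demonstration and is not data from the leak.

```python
import struct

AR_MAGIC = b"!<arch>\n"
HEADER = struct.Struct("16s12s6s6s8s10s2s")   # 60-byte member header
FMAG = b"`\n"


def parse_ar(blob: bytes) -> list:
    """Return [(member_name, size)] for every member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members, longnames = len(AR_MAGIC), [], b""
    while pos + HEADER.size <= len(blob):
        name, _mt, _uid, _gid, _mode, size, fmag = HEADER.unpack_from(blob, pos)
        if fmag != FMAG:
            raise ValueError("bad member header at offset %d" % pos)
        size = int(size.decode())
        data = blob[pos + HEADER.size:pos + HEADER.size + size]
        raw = name.rstrip(b" ")
        if raw == b"//":                           # GNU long-name table
            longnames, label = data, "//"
        elif raw.startswith(b"/") and raw[1:].isdigit():
            off = int(raw[1:])                     # "/N": offset into that table
            label = longnames[off:longnames.index(b"/\n", off)].decode()
        else:
            label = raw.decode().rstrip("/")       # GNU ends short names with "/"
        members.append((label, size))
        pos += HEADER.size + size + (size & 1)     # members start on even offsets
    return members


def build_ar(entries) -> bytes:
    """Pack (name, data) pairs into a GNU-style archive (test fixture only)."""
    out = bytearray(AR_MAGIC)
    for name, data in entries:
        out += HEADER.pack(name.ljust(16).encode(), b"0".ljust(12), b"0".ljust(6),
                           b"0".ljust(6), b"644".ljust(8),
                           str(len(data)).ljust(10).encode(), FMAG)
        out += data + (b"\n" if len(data) & 1 else b"")   # pad to even length
    return bytes(out)


# Constructed sample (not from the leak): a long-name table plus two fake
# objects, one with a short name and one that refers into the table.
SAMPLE = build_ar([("//", b"b_verylongname_object.o/\n"),
                   ("crypto_init.o/", b"\x7fELF" + b"\x00" * 11),
                   ("/0", b"\x7fELF" + b"\x00" * 12)])
```

On a real archive, `ar t libname.a` lists the same member names, and `nm` on the archive shows which symbols each object defines.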

I did not attempt to discover what is actually inside the "libbsafe.a" library, nor attempt to reverse engineer the library, because there are legal issues in doing so that I did not want to step into. So perhaps Symantec and/or EMC can tell us what that library is actually about.

And given the RSA break-in last year to obtain valid "keys" with which to infiltrate so many government and corporate systems using SecurID, I can't help wondering: if this code was stolen back in 2006 or thereabouts, could this possibly be the reason why the attackers had such widespread success?

Having the source code headers for the libbsafe library would certainly give them everything they'd need, as long as they could gather enough keys to figure out the rest of the algorithm from the sources, in my estimation.

And while the Windows libraries were absent along with the Windows header files, the Linux header files would still be useful for generating Windows malware, and in the ".a" format the compiled Linux libraries could easily be reverse-engineered in order to reconstruct valid Windows libraries to go along with the headers.

And it is this that would give me a serious case of the willies if I were using SecurID, along with my utter surprise that these sources could be "out there" in the hands of any untrusted third party, much less script kiddies, for so long without alarms going off immediately at Symantec. And I don't know whether EMC was even aware of this.

I seriously believe that the security community deserves some answers, and some better disclosure about what exactly happened here.

My apologies in advance for ruining people's Friday.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system (http://www.knosproject.com) in Albany, NY and has been in antimalware research and security product development since 1996.

Krypt3ia: Still sounds to me like turd polishing on your part but ok, let's go with it. I actually ask the question that no one was really talking about. How long has there been a compromise at Symantec other than the 2006 attack and code leak? This is a valid question and to you asking the question is commingled with my comments on personal experience with the tool at hand (SEP).

Aside from this, the questions being asked have not been redressed and you seem ill informed as to much of what is going on out there with regard to YamaTougher and the incident.

First off, the documents he/they provided were not real per study of others out there. The Indian government like others is likely leaking data but in this case, there was an ulterior motive to this incident. Whether that be just making a name for him/themselves or other is yet to be really determined. The upshot though is that YT has it in for Symantec for whatever reason they have and made this incident more than it should have been to begin with. The media only picked up on it because it was perceived as a "if it bleeds it leads" story and they would get play. So, while you contemplate the navel here, you have little understanding of the whole picture, so you go on a tangent and strike a blow (perceived) against me as being biased and misinforming.

You want questions answered, do some research for yourself. Don't just whine about my commentary or my questioning of what is going on with Symantec, the company with the larger of the market share of AV and a product I feel is way overrated by the masses as a prophylaxis against malware. You mentioned the fact that it should be the third tier of protection and finally I agree with something you are whining about. AV is not the answer, but neither is the ol' "I have a firewall" argument either. It's all about defense in depth so good on you there.

Otherwise, you just seem to be wallowing in questions and want answers. I say to you go find those answers for yourself and if you don't agree with what I have to say, great, take it with a grain of salt and move on. Or for that matter, you see my name attached, move on. It's all good Grooves. What I take umbrage to is your lack of ability to do anything here but decry comments and information that I post as being one sided.

Sorry, but, that's the world.
