pcAnywhere Source from 2006 Still Alive and Kicking

Thursday, January 26, 2012

Keith Mendoza


Symantec announced that users should stop using pcAnywhere until a patch is released. Lisa Vaas summarized the risks from the white paper in this "Naked Security" post.

A few weeks back we learned that parts of the source code for Symantec's Norton Anti-virus and pcAnywhere were leaked by a group called Lords of Dharmaraja. They claim that they took the source from India's military intelligence servers.

I'm not going to rehash what she wrote here because that's not what I want to focus on. Instead, I want to focus on the lifetime of certain chunks of source code--particularly enterprise-class source code. The second paragraph of the white paper is the key here:

We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere. With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits.

Admittedly, I think the first sentence of this paper wasn't worded correctly because it gave the impression that the source was stolen way back in 2006; honestly, that's highly doubtful, or I wouldn't be discussing this on my blog today.

Here's the real hard truth about software: the source code evolves as long as that software is being developed. Software is being developed as long as new versions are being released--whether to add or remove features (well, mostly add), or to patch bugs in them.

However, the core functionality will never change. Even if a complete software rewrite is done, it's not really a complete rewrite. Someone in the development team--usually the person who was working on the last version before the so-called rewrite--will copy parts of code from the old source code.

The issue with pcAnywhere is "the encoding and encryption elements within pcAnywhere are vulnerable." This shows that the encryption system within pcAnywhere is pretty solid, since what finally broke it was the release of the code.

The pcAnywhere team has been using the same encoding and encryption source code for 6 years. Not only that, it went along when pcAnywhere was integrated into three other products. Whoever designed and coded those did a really good job.

So, what is the lesson learned here? First, core functionalities rarely ever change. The implementation may change, but the logic flow will pretty much be the same, especially if it's optimized.

Second, code reuse done right is a good thing, even if it leads to a security risk. In this case, this is counter-intuitive; however, once the encoding and encryption module is redone (I think they'll be switching to a different algorithm for this one), all supported versions of pcAnywhere, including the bundled ones, are fixed too.

As for the encoding and encryption modules from 2006: well, the final curtain has finally come down on them. I think it's safe to say that Symantec is proud of them and they have left a lasting legacy in the revision history of pcAnywhere.

Cross-posted from Home+Power
