Did the 2006 Symantec Breach Expose RSA's SecurID?

Friday, February 10, 2012

Kevin McAleavey


Author's note: This article is based on significant speculation on my part. I am writing it reluctantly, as I had expected others more directly involved in the industry to have raised the issues I'm about to raise, given their gravity.

This is an invitation for both Symantec and EMC to clarify whether or not any of the code contained in the public leaks of Symantec source code has been remediated in order to protect current customers. I see it as a liability for EMC's RSA division unless there's a valid explanation for what I've discovered and I'm wrong about the potential impact.

I sure hope so.

There are, to my mind, some serious concerns that the Symantec leak could pose a risk to RSA's "SecurID" product, but only EMC can set people's minds at ease. That is the purpose of this article.

I've been involved in the Symantec story since it first appeared here on Infosec Island after "Yamatough" contacted our publication with reputed source code for numerous Symantec products.

In my capacity as a coder and antimalware researcher, I was asked to independently download and examine the contents of Symantec code which was publicly available, including snippets of code released in early January, as well as the Norton Utilities source code released on January 13.

In both cases, after reviewing various portions of the source code in question, and given my awareness of the major changes to the Windows operating system since 2006, I determined that the majority of the source code had been rendered largely obsolete and inert by the 64-bit versions of Windows and by the changes required for Vista, and was therefore unlikely to have remained intact in current products.

This past Tuesday, source code for PCAnywhere was released and as before, I downloaded the torrent and examined some of its contents.

The PCAnywhere code was of a similar vintage; however, there was evidence here of code created for both 64-bit Windows and Vista, which means it's entirely possible that much of this code is still in use in current versions of the PCAnywhere product.

Symantec also acted to patch PCAnywhere quickly after the announcement of the potential release of the source code, which suggests to me that pieces of the 2006 source code were indeed still in use in their current product.

We can assume, therefore, that Symantec took reasonable steps to redesign these portions of code in their patch updates, which would likely render the vulnerable portions of their own code safe to use, as they indicated in communications to their customers. I'll take them at their word that they have.

However, further examination of the source code for PCAnywhere turned up something that is disturbing to me at least and is the basis for the questions I'm raising in this article.

The source code which fell into the hands of "Yamatough" contains numerous header files and several libraries belonging to RSA, and indeed SecurID code is a part of the PCAnywhere product contained in the purloined source code.

[Image: KevinRSA1]

What is particularly interesting about the files in the source is that Symantec clearly removed all of the code pertaining to the Windows version of RSA's sources and libraries, leaving numerous directories for Windows RSA code empty, yet the directories intact. But they left in Linux headers and libraries designed to be compiled against "RedHat 7" Linux and therein is what I see as a risk to EMC's RSA product.

I did not make the effort to examine the code fully, but did examine a good number of various header declarations through several files and they appear to be sufficiently complete to compile malware against RSA's library code contained in Symantec's sources.

[Images: KevinRSA2, KevinRSA3, KevinRSA4]
It should be noted that the files in question date back to May 2003, but RSA's encryption dates back to 1999 and is likely still valid enough to abuse today. The document named "RSA SecurID Ready Implementation Guide.doc" is harmless and is intended to explain to Symantec users how to configure the SecurID components inside PCAnywhere.

It is those header files and, more significantly, the "libbsafe.a" library which are of concern here, since ".a" files are compiled but not yet linked, which would make them linkable into any code, including potential malware. And the headers would provide the information necessary to call into this library file for anyone who linked the headers and library into their code.

I did not attempt to discover what is actually inside the "libbsafe.a" library, nor did I attempt to reverse engineer the library, because there are legal issues in doing so that I did not want to step into. So perhaps Symantec and/or EMC can tell us what that library is actually about.

And given the RSA break-in last year, which obtained valid "keys" used to infiltrate so many government and corporate systems using SecurID, I can't help wondering: if this code was stolen back in 2006 or thereabouts, could this possibly be the reason the attackers had such widespread success?

Having the source code headers for the libbsafe library would certainly give them everything they'd need, as long as they could gather enough keys to figure out the rest of the algorithm from the sources, in my estimation.

And while the Windows libraries and Windows header files were absent, the Linux header files would still be useful for generating Windows malware, and in the ".a" format the compiled Linux libraries could easily be reverse-engineered in order to reconstruct valid Windows libraries to go along with the headers.

And it is this that would give me a serious case of the willies if I were using SecurID, along with my utter surprise that these sources could be "out there" in the hands of any untrusted third party, much less script kiddies, for so long without alarms going off immediately at Symantec. And I don't know if EMC was even aware of this.

I seriously believe that the security community deserves some answers, and some better disclosure about what exactly happened here.

My apologies in advance for ruining people's Friday.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.

Krypt3ia: This would not surprise me.. But then again, now, post the RSA hack, people are still using old fobs and not much has happened with regard to RSA coughing up data and really fixing things..

So....
Bobby Mann: Ok, you guys have no clue.
First, the code is publicly available code released as part of a development kit. Nobody needs to "analyze" Symantec's implementation of the RSA library as ANYONE can get a hold of this. Do some research before you spout off.
Second point, if you did actually analyze the code as the screenshots show, and you still have this code, you are in possession of STOLEN PROPERTY. This is a crime. Plain and simple. I would advise you to remove the code from your system as law enforcement is now involved. I, personally, would not want to be in possession of anything that could ultimately involve a legal investigation.
But, nice story.
Krypt3ia: Bobby, troll much? Sure, the code may be available in escrow elsewhere and frankly my comment was much more about the fact RSA has done squat post their hack than anything to do with this alleged assessment of the YT release.
Kevin McAleavey: Hey, Bobby.
Thanks for some idea of what that's about, and hopefully you're correct. It's a pity that so many questions linger though as to how long the code has been "in the wild" and whether or not the crypto is at risk. Since EMC's SDKs are likely disclosed under very tight NDAs with the expectation of being kept secure, I still see this being something that shouldn't be out there for the ne'er-do-wells to have access to. Doesn't take much information to create malware and its presence is of concern nonetheless.

As to the legal aspects, criminal law always comes down to "intent." I've been in the antimalware biz for more than a decade, the "spooks" know who I am, where I live and they even have my phone number. Samples come in all the time containing highly proprietary code as well as actual malware on a daily basis. As a professional, I know the rules. That's why I didn't take it upon myself to disassemble or otherwise reverse the code knowing those rules.

Rest assured no copies were kept, no disclosures have or will be made beyond a directory listing and speculation, that's just how I operate regardless of whose code I examine. I'm of the age where "straight and narrow" is how we were brought up, so don't sweat it. Hopefully the vendors will get around to answering the questions.

And thanks for the compliment!
Krypt3ia: Kevin, truly a gentleman there in contrast to Bobby's douchey-ness. I am not so inclined. Bobby, you need to just back off on the trolling responses. I know you are affiliated with Symantec so bugger off. You and Symantec are a failure presently. Learn from it and become better.
K.
Kevin McAleavey: Thanks ... that's just how I roll. Doing the right thing is all I care about even if it bothers some. The behavior of some of the big vendors that so many depend on is the reason why I'm doing what I'm doing now.
Bobby Mann: Here's an example of how easy it is to obtain. By your comments Kevin, I see you really don't understand how SecurID works. Think of it as three parts. An algorithm that is top secret, a seed and a randomly generated number. There is also an interface that is needed to the algorithm. What Symantec uses in pcAnywhere is all public. The customer supplies the connector (interface) to the SecurID system, and the end user supplies the randomly generated PIN via a fob, soft token, etc. So, in essence it makes absolutely NO DIFFERENCE WHATSOEVER that there is part of the RSA SDK in the pcA code, as it's PUBLIC and ANYONE can get it. Get it?
What really steams me is when articles are written with these headlines that make the reader PANIC or think there's a bigger problem and you flatly have not done ANY homework. Shame on you, and your buddy Krypto. Whatever that handle means.
Shoddy article, and frankly it's just written to make a bigger mountain out of a mole hill.
Bobby Mann: Sorry, forgot to give you the example!
http://www.rsa.com/node.aspx?id=3662
Michael Menefee: Bobby,

I think your comments might be taken more seriously if you weren't such a blatant ass about your approach. Re-read the first paragraph in Kevin's article. Then, read the second paragraph, where he calls for Symantec and RSA to respond. You will clearly see his intent with this piece. There is no reason for the tone in your comments, which have been your M.O. on this site to date.

If you have something to contribute, or wish to correct an author on what you feel is a mistake, I would ask you to be a professional, take it out of band, or at least return courtesy with the like.

Also, the link you provided references a current SDK that has no references whatsoever to the BSAFE library (which this article raises questions about specifically) so it's irrelevant. I am attempting to analyze the current RSA BSAFE public libraries to make a comparison (https://community.emc.com/community/edn/rsashare) but the questions raised by this article are valid, unless further analysis of the libbsafe.a library from the stolen Symantec code can be further performed and commented on by the software vendors.

Also, keep in mind that this happened in 2006, which is the code at question.

Mike
Bobby Mann: Sorry Mike, I forgot, you prefer to give airtime to thieves and hackers..and wannabe journalists who do absolutely no fact checking. You are correct, the first line does tell me something. It tells me the author is covering his ass and probably should have held onto his thoughts before publishing a pile of crap like that. I'll stand by my comments that this site is a collection of old geezers who band together to incite fear or spread propaganda. Write something useful. When 60 minutes does their story (and it's being worked on) you'll see what true journalism is all about.
Until then...
Lance Miller: What is that saying about when people resort to name calling? I am too old to recall. :)
Krypt3ia: Hey Booby,
I know you are probably following the thread and now cannot comment, but, I just have to say that your trolling is some of the most flaccid I have ever seen. That line about 60 Minutes was just hilarious!

I will check with my contact at 60 minutes though, they likely will get a chuckle out of it too.

Buh bye Booby.

K.
Kevin McAleavey: Um ... guys?

This isn't really helping much.

Bobby ... are you responding on behalf of Symantec by any chance? Also not helping.
Todd Leetham: I can provide you all with the answer from the EMC/RSA side. In a word, no. It was not related at all.
Made Up: FYI RSA SecurID had been "reversed" over a decade ago... no need to go through PCAnyWhere to get this code... http://seclists.org/bugtraq/2001/Jan/293
The seeds are all one needs, these are not as easily obtained as they once were, and programs like Cain&Abel allow you to put in a seed file, the token's serial # and VOILA! instant RSA token. This article is poor conjecture, I don't think anyone will need to set anything straight... your guess is not so good.
Terry Perkins: Wow! I'm amazed at the responses. Good grief. Aren't you people professionals?
Anthony M. Freed: Received an email from Symantec's Cris Paden on the issue which he said I was free to share:

“It’s typical in the software development industry for vendors to make available software development kits to ensure smooth interactivity between new software and existing programs or platforms. In this case, this represents no more than the client side libraries that are included in the publicly available SDK required to implement SecureID. Having said that, Symantec has investigated these claims and has confirmed there is not a link between the source code theft in 2006 and the RSA security breach in 2011. Anything beyond that is speculation and is not accurate.”
Kevin McAleavey: Thanks, Anthony, Todd, and "Made up"!

*This* is what I was hoping for, some official word that would answer the question. A number of my colleagues asked me if I knew the answer to this, apparently in response to a tweet from one of the "antisec" crew who believed that this was some sort of Rosetta stone for "hacking" upon the announcement of the release.

To those who heaped scorn on the question, I fully understand and apologize for being the one who went and asked the question.

I still feel that it was a valid question to be raised, but with the law being what it is, I was unable to answer it for myself.

Thanks!!! :)
Collective Grooves: @Krypt3ia I see you are at it again. - Seriously, do you offer anything of value when you post your comments?

You sound like a very bitter person who needs to respect the opinions of others and not attack someone because they don't agree with your opinions and values.

I don't know why you have it in for Symantec, nor do I really care, but if someone wants to defend them, then let them. Don't tell them to bugger off and comment that they are being a douche.

This site used to have some very useful information from some respected people. Now as Bobby has put it, this site gives airtime to thieves, hackers and wannabe journalists.

Posts from people like Krypt3ia offer nothing in terms of offering any insight and do not spark conversation, it only sparks

A good story/post/article/journalist would always present both sides of the story/argument and then let the reader make a decision. The posts that I see from Krypt3ia on this site only seem to contain one person's view or opinion. (His own)

Either this is done on purpose to spark comments and conversation or it is done out of being so narrow minded that their opinion is the only opinion that matters and everyone else has to agree with it or else. (I ran into Krypt3ia on his blog site and at this point in time, I am leaning towards him being very narrow minded)

Krypt3ia, the internet has given you a voice which you previously did not have, don't waste your time and resources and other people's time and resources by filling it with trash. Look at the bigger picture and offer two sides to the story to give people the opportunity to think rather than react.

Collective Grooves
Laura Walker: Wow, that was a refreshingly positive post demonstrating the merits of professionalism over personal attack.