
Friday, 14 December 2012

The "January Effect" - An Annual Phenomenon Since 2009

I was recently interviewed for a feature in Discover magazine's Top 100 Stories of 2012 (January 2013 issue - on newsstands now). I'm #62, "Defender of the Digital Domain". During the interview, I was asked about a future forecast for 2013. I mentioned a phenomenon that I've noticed each year since 2009 - a major breach or act of cyber warfare that kicks off the New Year. It may start in December and then get publicized in January, or happen in January and get publicized a bit later, but it has happened four years in a row now, so I fully expect it to occur once again.

December 2008 - January 2009: Operation Cast Lead (a land war w/ thousands of simultaneous cyber attacks between Israel and Hamas)
December 2009 - January 2010: Google and 20+ companies are breached
January 2011 (approximate) - March 2011: RSA was breached sometime early in 2011 with the announcement being made on March 17, 2011.
January 2012: A hacker announces that he has Symantec's source code for Norton and other products.

What will occur or be announced in December 2012 - January 2013? I have no idea but I'm confident that it'll be something impressive.

Wednesday, 01 February 2012

Did Symantec's 2006 Breach Impact These High Risk Customers?

The fact that Symantec (NYSE: SYMC) never knew that its 2006 source code had been compromised until the Lords of Dharmaraja announced it was astoundingly bad news. As the world's largest vendor of security software, it's more than just an embarrassment; it puts all of its corporate and government customers at risk, because if Symantec didn't know the extent of its breach back then, how do Symantec's customers know that their current product line is safe to use? Nothing that Symantec has said since it acknowledged the loss of its Norton source code has addressed this core issue of why they didn't know that their source code had been breached and what they're doing differently to be sure that it doesn't happen again. Until they answer those critical questions, the security of their entire product line should be considered at risk.

I've begun looking at who their customers were post-2006 that have been attacked for a talk that I'm giving next week at Suits and Spooks DC. This doesn't mean that their customers' breaches were the result of Symantec's own poor network practices, nor does it rule out the possibility that other breaches may have occurred that were never discovered. I hope, however, that it will illustrate the potential scope of this problem and encourage Symantec's customers to put pressure on the company to fully disclose what happened and put its own house in order. Here's a small sampling of what I've found so far:

NASDAQ OMX Group Inc.
NASDAQ suffered a breach of its network in early 2010 which wasn't discovered until February 2011. It's been blamed in part on NASDAQ's use of out-of-date software and uninstalled security patches. As a Symantec customer, NASDAQ used Endpoint Protection, which was included in the list of products affected by the 2006 source code breach.

U.S. Department of Energy
The Energy Dept and its many agencies and national labs have been Symantec customers since before 2006. The cyber security breaches that have occurred during those years and up to the present (five last summer alone) are too numerous to recount; however, this GAO report describes some of the security problems at Los Alamos National Laboratory's unclassified network, including weaknesses in its remote access policies. It'd be interesting to know if pcAnywhere was used to facilitate that remote access.

Other U.S. Government Departments
Symantec's government customers include every major department including:
  • Department of Justice
  • Department of Homeland Security
  • Department of Treasury
  • Department of Defense
  • Department of Commerce
  • Department of Energy
  • Department of Health and Human Services
  • Department of Agriculture
  • Department of Veterans Affairs
  • Department of the Interior
  • General Services Administration
  • Executive Office of the President
  • Federal Trade Commission
All of these departments (and this is not a complete list) have used Symantec products during the years from 2006 forward, which means that any of them could have been victims of a person or group who exploited their knowledge of Symantec's stolen source code to successfully breach their network at will. This isn't limited to its U.S. customers either. The British government's entire email system has been managed and secured by a Symantec subsidiary since 2008. I'll be addressing that in more detail on Feb 8th. In the meantime, which is more likely - that someone acquired Symantec's source code and did nothing with it, or that they did?

Tuesday, 15 November 2011

Symantec Sells Its Stake In Huawei-Symantec Joint Venture

Huawei just announced that it's buying Symantec's interest in their joint venture Huawei-Symantec (HS). This is a very interesting turn of developments for a joint venture that I've been railing against for most of 2011. Six months ago, Symantec CEO Enrique Salem said he either wanted to increase Symantec's stake in HS or sell shares to the public via an IPO. Then in October, he added the additional option that Huawei may buy Symantec's shares. Today, that's precisely what happened. My question is, what happened between May and October to make CEO Salem change his mind?

Could it have been this Washington Times article last August about how four Senators and a Congressman were asking the Departments of Defense and Energy to look into the sale of H-S parts to a government research lab at the University of Tennessee? Or perhaps it was the release of an Open Source Center report on Huawei's Chairwoman Sun YaFang's past with the equivalent of China's CIA, the Ministry of State Security?

Or perhaps it was that the ludicrous nature of the relationship between a Chinese company with State affiliations and a security company that's supposed to protect its customers from espionage activities by that same State finally sunk into Salem's brain? No, it probably wasn't that.


Wednesday, 19 October 2011

Et Tu, DuQu?

If Symantec and F-Secure are correct and DuQu was written by the same people who created Stuxnet, then that means that the U.S. government is behind it. But Idaho National Lab, which some people think created the Stuxnet virus and which hosts ICS-CERT's Security Operations Center, didn't have a copy of the malware. They had to ask Symantec and McAfee to share their sample. The key question to ask in this puzzle is: who has access to the Stuxnet source code? This post claims that Anonymous released the Stuxnet source code back in February; however, according to Mikko Hyppönen's latest post on DuQu, that's not correct. Binaries were released into the wild, but not the source code. Ralph Langner, who has done some of the best work on Stuxnet to date, has also told me privately that the source code has never been released. At best, some work has been done in reverse-engineering it. Knowing Ralph's singular focus on Stuxnet, if the source code was in the wild, he'd be the first person to grab a copy.

So if you believe the party line (which I don't) that the U.S., with the help of Israel, created Stuxnet, then the U.S. is also the creator of DuQu. If we stay with that chain of reasoning, then as we learn more about DuQu and its use, an entirely different conclusion may be reached which points to an actor other than the U.S. DuQu was apparently involved in stealing information from an ICS manufacturer. Why would the U.S. use the Stuxnet source code to create a RAT to steal information from Industrial Control System (ICS) manufacturers? It already has access to most of the corporations who develop these systems through the National SCADA Testbed Project run by 3 U.S. national labs, including INL. At least one Command & Control server was hosted in India. Why would the U.S. pick India and not China, our favorite cyber adversary?

It's too early to know what DuQu is for, and no one knows where it came from, but facts are facts. The source code for Stuxnet isn't available in the wild, and if the same group is responsible for both pieces of malware, and you believe that the U.S. is behind Stuxnet, then you need to own the logical conclusion of that belief. If the facts around DuQu, now or in the future, point away from the U.S., then you need to reconsider whether the U.S. was ever involved in Stuxnet at all. After all, take a look at the part of the world that McAfee has identified as being DuQu's target area.

There are lots of nation states for whom this part of the world has significant appeal and who would benefit from a sophisticated info-stealing virus; in some cases much more than the U.S.
