Who pwns the watchmen? Maybe Russians selling the source code for three US antivirus vendors

A Russian hacking outfit says it has stolen confidential data from a trio of US antivirus companies. Security firm Advanced Intelligence (AdvIntel) has "high confidence" in the legitimacy of a posting from hacking group calling itself Fxmsp, which is advertising data and source code from the three unnamed AV companies. …

  1. Anonymous Coward

    Is this the data..

    That finally reveal that AV programs are just random number generators with interesting sounding messages embedded in them?

    1. Dan 55 Silver badge

      Re: Is this the data..

      Don't forget tickling the kernel in just the right places to cause BSODs or program lock-ups every once in a while.

      1. 404

        Re: Is this the data..

        That's how you know it's working lmfao...

    2. Nick Kew

      Time for conspiracy theories

      More interestingly, the data that reveals the NSA spy.

      Who's going to reverse engineer the protocol for communicating with a clandestine messenger in a router, to phone nsahome without making an IP connection that would soon be spotted as suspicious? Resolve the question of all the sound and fury over Huawei?

  2. EVP

    Human factory

    How does that perv in the photo relate to the story? I cannot imagine any self-respecting cracker to use a tablet to do cracking and to wear such apparel while penetrating AV vendors. There is a time and place for masked penetration, but I believe it doesn’t usually involve computers. One zipper on the mask is missing too.

    Anyway, it’s a big loss for the companies breached. I just cannot believe them to be technically that incompetent, but there has to be a human factor involved in those breaches. Then again, I could be wrong.

    1. Anonymous Coward

      Re: Human factor.

      Most accurate successful "hacker" there is.

      The human aspect and physical access. Nick the device with valid logins. This the location and the ipad.

      The mask? Not to hide while stealing the device but so the mark does not recognize you when you threaten them to get the pin. As who needs to hack the secure enclave when they can give you the pin?

      Though in reality I'd never want any data worth that much to attack me for!

  3. Terry 6 Silver badge

    It's kind of worrying if these companies don't have source code air gapped. In my naive innocent mind I'd always, if I'd thought about it at all, imagined that the key coding and design work would be in a top security location with absolutely no contact to the public (or any external) network whatsoever.

    Now we'll probably find out that they work from their local branch of Costa using a mate's laptop.

    1. NoneSuch Silver badge

      Air-gapping is a term thrown around by PC magazine columnists. It's not easy to set up, maintain or police. As long as you have users on that network, it will drive your security bods mad with their continuous attempts at idiocy.

      1. Terry 6 Silver badge

        I was thinking more along the lines of....

        https://www.dropbox.com/s/jg6ogty0art3615/DSCN6654.jpg?dl=0

    2. Nick Kew

      Perhaps the code was just pulled from somewhere you'd never think to look for anything top-secret.

      Like github.

    3. Anonymous Coward

      Security theory v security practice

      Having worked briefly with an organisation that (allegedly) are extremely strict about security, it came as a surprise to discover the actual route for transferring patches to the secure networks was to briefly switch cables between computers and then do a file transfer using a certain well-known database port because the IDS didn't monitor it.

  4. adam payne

    Russian hacking outfit says it has stolen confidential data from a trio of US antivirus companies.

    Mcafee, Symantec but who else?!?

    1. jon909

      Mcafee, Symantec but who else?!?

      Trend Micro? Are they still considered American now their HQ is in Japan?

    2. x 7

      Mcafee, Symantec but who else?!?

      No great loss there with those two........

      crap software that gums machines up

    3. martinusher Silver badge

      Not really "Russians".....

      That's muddying the water a bit.....the group is international (like a lot of modern development groups) and their membership includes Russians (because they're a) cheap and b) well educated).

      The big story that wasn't mentioned in this article is that the hackers got in through spearphishing. You would have thought that anti-virus companies of all organizations would know better, they'd have extensive precautions against hostile mail scripts and they'd have their source code well guarded. But then I expect they're like any other enterprise (see the WSL article and thread) .... the front office does its Office thing its way and doesn't really take any notice of those troglodytes around the back who are doing the development work.

        1. Anonymous Coward

        Spearphishing.

        You can install as much AV as you like. But securing the users... that's the hard part.

  5. Stevie

    Bah!

    The one piece of information that everyone who opened this article would want to see is, curiously, missing.

    So much for journalism.

  6. Camilla Smythe

    Is that...

    $300,000 to fix it for them?

  7. Anonymous Coward

    Seriously, as someone in the industry that has to recommend AV software to customers - I think I am going to tell them all to switch to Windows Defender or unplug from the internet. But then again, if sales bonuses weren't so dependent on maxing out add ons to basic hardware that there are no margins on, and of course why would they buy the basic hardware if they can't use it on the internet to watch "kitty" videos.

  8. JimC

    I wonder if the time will come

    When all business networks have to be air gapped from the Internet. But my goodness, it will be a mega pain to enforce as nonesuch alludes above.

  9. 33rpm

    Explains the Resignation

    https://www.ft.com/content/e1a4e3c2-729d-11e9-bf5c-6eeb837566c5

    Symantec on Thursday said Greg Clark, its president and chief executive, had stepped down, sending shares in the US cyber security company tumbling as much as 15 per cent in after-hours trade.

    The Norton antivirus maker said Mr Clark’s resignation was “effective immediately” and that it had appointed Richard Hill, a Symantec director and the former chief executive of Novellus Systems, as interim president and chief executive. Symantec said it would now search for a replacement.

  10. Anonymous Coward

    meh

    "AdvIntel says that late last month the group began advertising in various darknet forums that it had obtained network access and source code for the three companies and was selling its purloined loot for the sum of $300,000."

    meh,

    From what I know of AV products the source code is probably identical to most Android apps...

    Packed full of SDK's from Facebook and Google that slurp up users data to be served up ads and exploit users fears with scary warnings that push users to install even more "security" products from their affiliates.

  11. Yet Another Anonymous coward Silver badge

    Isn't this good news?

    Wouldn't good security products publish source code for widespread inspection and audit ?

    1. Terry 6 Silver badge

      Re: Isn't this good news?

      As I understand this (and there are people on El Reg who actually know about this stuff and will probably shoot me down for this) the deep inner workings of the AV software is kept secret so that the bad guys can't look for ways to subvert it.

      1. Joe Montana

        Re: Isn't this good news?

        The bad guys do have access to the source code via illicit means (as this story demonstrates), keeping source secret only hurts the legitimate users.

        And bad guys can (and do) look for circumvention methods without needing the source code anyway.

        1. Terry 6 Silver badge

          Re: Isn't this good news?

          There's a significant gap between why they (try to) do it and whether it works. So that's kind of not the point.

          1. doublelayer Silver badge

            Re: Isn't this good news?

            This is when security through obscurity actually has a chance, because security for an antivirus is very different than security for an operating system. The difference is this:

            OS security: Malware can't get in, malware can't escalate, etc.

            AV security: malware can't evade

            In other words, malware wants to break into and exploit things in the operating system, but just wants to hide from antivirus. So the operating system components need to be audited by a lot of people to understand how they work and try to identify any holes before the malware people find them, but the antivirus system needs to prevent the malware writers from doing the same kind of thing to its code.

            1. Terry 6 Silver badge

              Re: Isn't this good news?

              Which makes worryingly good sense.

              1. Michael Wojcik Silver badge

                Re: Isn't this good news?

                It might, if attackers couldn't easily acquire AV products and do the same sort of reverse engineering on them that researchers do on malware.

                Reverse engineering a large software package is resource-intensive and so very, very boring,[1] but as with most software a majority of the code in an AV product is UI and infrastructure, and can be ignored. It's not especially hard for attackers to find the interesting stuff - OS hooks, ALPCs, logic for behavioral heuristics, etc - and gain a useful understanding of what it's doing.

                For that matter, once they have the AV running in a controlled environment, ambitious attackers could use instrumentation and automated-fuzzing techniques (similar to what American Fuzzy Lop does, for example) to "evolve" malware variants that evade particular AV packages in a largely-unsupervised fashion.

                I don't think confidential source code represents a significant security benefit to AV and other anti-malware products. Motivated attackers can derive the information they need regardless. The source would mostly be of benefit to competitors - and even then not a lot of benefit - and to users who want to break the licensing mechanism or fork the source.

                [1] But then attention is a resource too.

  12. onebignerd

    People

    People will always be the weakest link in securing PCs or networks. The systems at Iran's secret nuclear facility hit with Stuxnet were air gapped.

    The NSA cracked most of the AV suites to spy with soon after 9/11, Kaspersky was the only one they couldn't as of the Snowden leaks.

  13. normal1

    So, CLAMAV?

    It seems the open source way may be better than security through obscurity?

    1. Anonymous Coward

      Re: So, CLAMAV?

      If you like your virus checker to randomly pick a handful of files every few months to mark as 'Suspect', then Clam is the one for you!

      (A few years ago it started flagging busybox as a trojan [/bin/busybox: Unix.Trojan.Mirai-5607459-1 FOUND], it's also got upset about wireless card drivers in a standard Ubuntu install too)
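As an added example (not from the comment above and not ClamAV's own tooling), a small triage helper for the false positives the comment describes: it parses `clamscan` output, only treats a hit as a false positive when the file on disk matches a hash from a trusted manifest (e.g. the distro package's), and emits ClamAV `.fp` whitelist lines for those. It assumes the documented `.fp` format `MD5:Size:Name`; the files, hashes and scan output in `demo()` are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# clamscan reports a detection as "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamscan(output):
    """Return (path, signature) pairs for every FOUND line in clamscan output."""
    hits = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def triage(output, trusted_sha256):
    """Split detections into verified false positives and unverified suspects.

    A hit only becomes a whitelist entry when the file's SHA-256 is in
    trusted_sha256 (a manifest you trust, e.g. from the package manager).
    Returns (fp_entries, suspects); fp_entries use the assumed ClamAV
    .fp format 'MD5:Size:Name', suspects are (path, signature, reason).
    """
    fp_entries, suspects = [], []
    for path, sig in parse_clamscan(output):
        if not os.path.isfile(path):
            suspects.append((path, sig, "missing"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() in trusted_sha256:
            fp_entries.append(f"{hashlib.md5(data).hexdigest()}:{len(data)}:{sig}")
        else:
            suspects.append((path, sig, "unverified"))
    return fp_entries, suspects


def demo():
    """Constructed scenario: a known-good busybox stand-in and an unknown file."""
    d = tempfile.mkdtemp()
    good, unknown = os.path.join(d, "busybox"), os.path.join(d, "dropper")
    with open(good, "wb") as fh:
        fh.write(b"\x7fELF constructed busybox stand-in")   # constructed content
    with open(unknown, "wb") as fh:
        fh.write(b"constructed unknown file")               # constructed content
    with open(good, "rb") as fh:
        trusted = {hashlib.sha256(fh.read()).hexdigest()}    # constructed manifest
    output = (f"{good}: Unix.Trojan.Mirai-5607459-1 FOUND\n"   # signature name from the comment
              f"{unknown}: Unix.Trojan.Mirai-5607459-1 FOUND\n"
              "/etc/hostname: OK\n")
    return triage(output, trusted)
```

Only the hash-verified file is whitelisted; the unknown file stays a suspect for manual review rather than being silently ignored.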
