A Symantec representative commented on the attempt:

“In January an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession. Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide”.

Here are some segments from the impatient ‘Anonymous’ @YamaTough hacker as he negotiates the $50,000 demanded payment from a Symantec employee:

“If you are trying to trace with the ftp trick it’s just worthless. If we detect any malevolent tracing action we cancel the deal. Is that clear? You’ve got the doc files and pathes [sic] to the files. what’s the problem? Explain.”

“If we dont hear from you in 30m we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code. Dont f*** with us.”

Apparently, the Hackers were on to Symantec for contacting higher authorities but never the less continued in their negotiations until they finally cut contact with the Symantec employee who claimed they needed more time:

“Since no code yet being released and our email communication wasnt also released we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus totaling 2350MB in size (rar) 10 minutes if no reply from you we consider it a START this time we’ve made mirrors so it will be hard for you to get rid of it.”

Symantec insists that users of their products are not under any significantly higher risk of attack due to the theft however; Symantec asked its PCAnywhere users to disable the product until the company could issue a software update. They assure clients that this will protect them against attacks resulting from the theft of the source code.

The release of the source code had been trumpeted by Anonymous on January 4.

Symantec Norton Antivirus source code published by indian hackers pastebin.com/ciExRzr3“

— Anonymous (@YourAnonNews) January 4, 2012

Upon news of Symantec’s announcement, Anonymous did a victory dance on Twitter.

Yes #Anonymous has SymantecpcAnywhere source code. Yes we found 0days. Yes Symantec is panicking. Problem, officer? goo.gl/FhyPX

— Anonymous (@YourAnonNews) January 26, 2012

With middle-finger flourish, Symantec responded that Anonymous had not stolen their code. But, they did recognize that it was in the hands of Anonymous now.

Yesterday, Symantec announced a patch and free upgrade to all pcAnywhere customers, even those not normally eligible for an upgrade. This move effectively renders Anonymous’ possession of its code a moot point.

So, what is the purpose of grabbing and releasing code for a product when a quick patch release prevents its use? To make Symantec dance in public for a couple of days?

There has been a lawsuit filed against Symantec, alleging that the company scares people into buying its software by making misleading claims about the health of their computers. The lawsuit is filed by private parties, not affiliated with Anonymous.

We would love to hear from Anonymous about what purpose their actions serve. Is there something inherently evil about Symantec that they wish to highlight? About the (bloated) Norton Utilities software? Is it related to the lawsuit? What public statement does this make? If Symantec ends up being seen by the public as victims of unscrupulous hackers (as opposed to being seen as bumbling in its own security), does that mean the move backfired?

In contrast with all the laudable moves Anonymous has made in the past year or so (e.g. support of activists in Tahrir, support of Wikileaks, support of the #Occupy movement), why should the general public not see this as a mean-spirited adolescent prank?

Symantec Norton Antivirus source code published by indian hackers pastebin.com/ciExRzr3“

— Anonymous (@YourAnonNews) January 4, 2012

In response to this warning, Symantec has issued a security white paper (pdf) recommending that all users of pcAnyhwere disable the software until further notice.

“Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.”

pcAnywhere is a Norton product that allows for direct PC to PC communication.If the ctolen source code is actually released, the damage to networks that use pcAnywhere could be considerable.

More detailed information from the white paper:

Our current analysis shows that all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk, as well as customers with prior, unsupported versions of the product. pcAnywhere is also bundled in three Symantec products, Altiris Client Management Suite and Altiris IT Management Suite versions 7.0 or later, and Altiris Deployment Solution with Remote v7.1. In addition, customers with earlier versions of Altiris suites may have opted to leverage pcAnywhere. The increased risk is isolated to the pcAnywhere components only. There are no known impacts to the rest of the components in the Altiris products or the pcAnywhere Solution component that provides integration between pcAnywhere and the Symantec Management Console. Customers should validate the remote control tools currently in use.

The solution, Symantec says, will enable organizations to “bridge the gap between business, legal and IT, reduce their risks and costs, and empower employees to work freely in a connected world.”

Customers will be able to choose between on-premise, cloud or hybrid delivery of such a solution. The company says that through the existing integrations between LiveOffice and the recently acquired Clearwell eDiscovery Platform, customers can export info from LiveOffice to the platform where it is collected along with info from Enterprise Vault and other data sources.

Symantec says the acquisition will also lead to tighter integration between archiving and Symantec.cloud’s email security and management features.

“What were once disparate issues — information management, eDiscovery, and data security — are rapidly coming together due to the explosion of electronically stored information and the on-premise and cloud-based technologies that deliver and disseminate it. Organizations are increasingly demanding that these issues be addressed in a unified way through information governance,” stated Brian Dye, VP, Information Intelligence Group at Symantec. “As a market leader for storage, eDiscovery and security, Symantec continues to enhance its offerings and deepen its commitment to provide the most comprehensive intelligent information governance solutions.”

The acquisition closed on Jan. 13.

Yama Tough has been tweeting about Norton and Symantec throughout the month. Here are some earlier tweets leading up to this one:

The Inquirer shares the following statement on the matter from Symantec:

“The code for Norton Utilities that was posted publicly is related to the 2006 version of Norton Utilities only. That version of the product is no longer sold or supported. The current version of Norton Utilities has been completely rebuilt and shares no common code with Norton Utilities 2006. The code that has been posted for the 2006 version poses no security threat to users of the current version of Norton Utilities.”

“Furthermore, we have no indications that the code disclosure impacts the functionality or security of any of Symantec’s other solutions. Lastly, there are no indications that customer information has been impacted or exposed at this time. As always, in general, Symantec recommends that users keep their solutions updated which will help ensure protection against any new possible threats.”

I guess we’ll find out this week if the statement is accurate.

“Symantec has discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties like advertisers or analytic platforms,” says Symantec’s Nishant Doshi. “We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.”

“Access tokens are like ‘spare keys’ granted by you to the Facebook application,” Doshi explains. “Applications can use these tokens or keys to perform certain actions on behalf of the user or to access the user’s profile. Each token or ‘spare key’ is associated with a select set of permissions, like reading your wall, accessing your friend’s profile, posting to your wall, etc.”

According to the security firm, while Facebook currently uses OAuth 2.0 for authentication by default, older schemes that are still supported and used by “hundreds of thousands” of apps are where the problem begins.

“There is no good way to estimate how many access tokens have already been leaked since the release Facebook applications back in 2007,” says Doshi. “We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.”

Yesterday, Facebook issued an update to its Developer Roadmap, outlining plans requiring all sites and apps to migrate to OAuth 2.0. All apps must migrate to the format by September 1.

Facebook and privacy concerns are certainly not strangers. Time and time again, something happens that brings concerns back into the spotlight. Last month, Facebook announced a new suite of safety tools and advanced security features.

“As with any major event, criminals have been quick to take advantage of the online attention,” a Symantec representative tells WebProNews.

Among the threats is a spam email campaign, which advertises a replica of Princess Diana’s engagement ring. This has been going around since February.

“Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products,” said Symatec’s Suyog Sainkar. “In one such recent spam campaign, email promoting a ‘limited edition Buckingham Mint Royal Wedding Commemorative Coin’ at a discounted rate is being observed.”

As noted, the threats don’t stop at email. All kinds of search terms related to Prince William, Kate Middleton, and the royal wedding are being searched for by interested Internet users. This has been quite clear, looking at Google Trends from day to day.

Fake pages are being set up to rank for terms that people are searching for. “At one point, a search for ‘william and kate movie imdb’ returned 61 malicious links in the first 100 search results,” said Sainkar. “Fifty-eight of the first 100 results for the search term ‘princess diana death photos’ and 45 of the first 100 results for the search term ‘royal wedding guest list kanye’ also led to malicious sites.”

Other search terms, Symantec says have been commonly turning up “poisoned links” include: “william and kate movie cast,” “prince charles age,” “princess diana death facts,” “prince harry last name,” “william and kate movie on lifetime,” “royal wedding guest list bush,” “royal wedding guest list snubs,” “prince charles siblings,” and “the royal wedding date and time”.

“We have seen over 500 compromised sites being used in this campaign over the past few days,” said Sainkar. “Attackers create multiple fake pages on each site and use unethical SEO techniques—such as keyword stuffing, cloaking, and link farming—to “game” the search engine algorithms to achieve high search engine rankings.”

According to a Norton survey, 62% of Americans are likely to follow the British Royal Wedding.

That conclusion’s based on data from BitDefender’s Safego app, and may actually be conservative.  The data doesn’t cover whatever’s been sent through private messages, for example.  Plus, the 14,000 or so people who have downloaded the security-related app might be a little more paranoid than the average Farmville-obsessed individual, and they might have more security-conscious friends.

Still, Caroline McCarthy was able to report yesterday, "20 percent of Facebook users are exposed to malicious posts in their ‘news feeds’ of friends’ activity, generally defined as posts that, when clicked on, result in ‘the user’s account being hijacked and in malware being automatically posted on the walls of the respective user’s friends.’"

McCarthy later added, "Over 60 percent of attacks come from notifications from malicious third-party applications on Facebook’s developer platform."

That’s a serious cause for concern.  No one likes getting infected by a virus, and users and advertisers might grow a little less fond of Facebook if they ever start to feel like the site is making it too easy for malware authors to attack them.

On the other hand, these sorts of problems are difficult to escape.  Paul Wood, MessageLabs Intelligence Senior Analyst at Symantec, pointed out in an email to WebProNews, "Whatever methods of communication that mankind invents, sooner or later someone will find a way of taking advantage of the new invention and using it for illicit gain, whether this is for theft, confidence trickery or nuisance advertising."

"One attack that may be predicted is for malware faking location information in order to boost ranking or prominence of the spoofed location," Wood told us. "This type of information will be of value in the reconnaissance stage prior to a targeted attack, or perhaps prior to burgling someone’s house – the robber can know the owner is elsewhere." 

We asked Wood to elaborate this a bit. "Most attacks are conducted for profit," he says. "Therefore for a new service to be utilized as a source of attacks the methods by which the attack can be used to make money need to be clear. In the case of location sharing, it’s not clear how this information can be used to make money for the legitimate provider of the service, and equally unclear how this can be subverted by criminals for their profit, unless it’s part of a surveillance or reconnaissance process prior to an attack."

"One way that location sharing may be expected to raise revenue for the provider is by offering services by which the most popular ‘X’ in location ‘Y’, according to the number of people registering their location, can be promoted," he explains. "This could be by allowing a service provider to promote themselves as the most popular ‘coffee shop’ in ‘New York’ according to location sharing. In this case, there is a motive for less popular and less scrupulous service providers to artificially boost their popularity according to location sharing by buying fake location sharing registrations from criminals who have illegal access to mobile devices or location sharing accounts."

If it can be done, I’m sure it will be. 

"If location sharing is used to boost rankings in any system then this gives criminals a motivation to subvert the system," he adds. "However, at the moment, location sharing is very new, it’s not clear how it will be used by the companies providing the service and so not clear how it may be abused either."

On the topic of "boosting ranking or prominence", when asked if search engines are capable of detecting fake location sharing entries, he admits he has no idea. He also says he’s not familiar with any such instances in the past. 

If location-based services continue to pick up steam, and Google continues its trend of delivering location-based results, I’m betting we will start go see more integration between the two (not unlike what we’ve seen with real-time search). This will be something to keep an eye on to say the least. 

When asked if this kind of thing could occur within Facebook and/or Twitter with their respective location-based offerings, Wood says, "We cannot comment on specific services. However, humans are social creatures that always take advantage of efficient methods for indulging their hunger for communication with their friends, family and contacts."

"My guess is that ever since the first language was invented, there have been liars and con men who have found ways to subvert the new means of communication to their own ends," he continues. "If an attacker is able to identify the individual concerned and then use public services to track them, this may be a concern – do you want everyone and anyone to know your location or the location of your mobile device at all times? This is where privacy controls come in to play – parents may wish to benefit from this technology for their children, but privacy is important when publishing this type of data – if that information were to fall into the wrong hands, the consequences could be disastrous; for example, cyber bullying and cyber stalking are already increasingly becoming a concern for many individuals."

The United States Air Force is apparently concerned. A recent report says the Air Force has warned its troops about using location-based services for fear that they can jeopardize missions. While it’s unclear whether other branches of the military have issued similar warnings, the Army’s Chief of Strategic Communications recently told WebProNews that the Army doesn’t have many social media restrictions, as long as lives aren’t being put in danger, meaning communications don’t violate "operational security" – they don’t reveal anything involving upcoming missions. He didn’t talk specifically about location-based services, however, but they are becoming very much part of social media.