A group of Indian hackers recently broke into Symantec, the makers of the Norton cybersecurity software suite, and while the story rests on a salacious premise, embarrassment is probably the worst thing that could happen to the company. Symantec admitted late Thursday night -- on Facebook of all places -- that "a segment of its source code used in two of our older enterprise products [had] been accessed." The statement goes on to explain that the exposed code is old and hardly a risk to consumers, and while we're always skeptical of PR departments doing damage control, cybersecurity guru Bruce Schneier can confidently say that the idea of hackers' exposing a software company's source code really isn't that big a deal. "Bad press is certainly Symantec's biggest worry right now," Schneier told The Atlantic Wire. "It'd be worse if Symantec leaked the credit card numbers of their users, but the source code is a pretty abstract problem."
The press love to swarm around stories like this. Especially given the explosion of high profile hacks from groups like Anonymous and LulzSec, it makes for sexy sounding copy. Take these Indian hackers: the Lords of Dharmaraja. The hackers uploaded a portion of the source code to Pastebin on Tuesday, and though it's since been taken down, the code and the message can be accessed through Google's cache. And the threatening they say! "As of now we start sharing with all our brothers and followers information from the Indian Militaty Intelligence servers [sic]," the Lords of Dharmaraja write, "so far we have discovered within the Indian Spy Programme source codes of a dozen software companies which have signed agreements with Indian TANCS programme and CBI." But as frightening as it is to talk about military intelligence servers and the Indian Spy Programme, the only real risk of releasing that source code would be opening Symantec up to future hacks that could damage its business.
We just don't know until experts get to see the source code the hackers stole. "The source code might have huge smoking guns," Schneier explained, adding that "the bad guys" will certainly look through the code for vulnerabilities and potentially exploit them. And the revelations could be anything. "Who knows, right? there could be stuff that's really embarrassing." Perhaps Symantec is working with the National Security Agency on some top secret government projects, Schneier suggested. Leaking that secret could be really bad! We have no reason to suspect that to be true, though. Though it does appear that the hackers acquired some documents about Symantec working with Indian spies, we'll have to wait and see if this will matter.
The experts at fellow cybersecurity firm Sophos provided a similarly sober read of the whole
scandal situation. (It's probably going overboard to call it a scandal right now.) At Sophos's blog Naked Security Graham Culley said we ought to just feel bad for Symantec :
It's hard not to feel sympathy for Symantec - who appear to have been caught in the crossfire between a hacking gang and the Indian authorities. Although Symantec customers may not be at risk, it's easy to see how the software company will feel bruised by the publicity that the Lords of Dharmaraja have generated through their hack.
As Culley's tone suggests, Symantec's competitors aren't attempting to use this breach as a competitive advangage so far. Schneier told us that if another cybersecurity like McAfee even tried, it would only make them look bad for inflating the issue. The real worst case scenario, he said: trash-talking in the boardroom. "I'm sure all competitors will go to their meetings today," Schneier concluded. "And say, 'Look at Symantec. Look at how dumb they are.'"
Some of these hacks do end up mattering. But from what we know so far, this isn't one of them.