Security firm, secure thyself.
Symantec recently became the latest to join the list of computer security companies that have had trouble living up to the image of invincibility they sell. Source code for some Symantec software is now spilling onto the Web, the result of an attack in 2006 on its own networks.
Yesterday, the company said a person claiming to be part of the Anonymous hacker group tried to extort $50,000 to keep it from posting that code on the Internet. In one e-mail exchange, the hackers told law enforcement agents who were pretending to be a Symantec employee:
If we dont hear from you in 30m we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code
While companies in many industries suffer data breaches, for security firms, getting hacked can put them in the uncomfortable position of trying to blunt news of the attack, while their marketing arms continue to tout the dangers of these digital infiltrations to sell products.
The antivirus industry is known for using aggressive warnings to sell subscriptions to security software. Symantec is currently being sued for using “scareware” tactics, such as warning of infections that don’t exist. Symantec, the No. 1 maker of security software, denies the allegations.
“You certainly see a company change its perspective when it’s the one in the newspaper for being hacked,” said Josh Shaul, chief technology officer at Application Security Inc., which sells database security software and is a rival of Symantec.
Shaul said Symantec has focused less on the fact its network was breached and more on why the pilfered source code mostly wouldn’t be useful in an attack.
“There’s certainly room to do better, but I don’t know if I were under the same pressure that they are right now, that I’d be doing any better,” Shaul said.
Symantec, which is still investigating how the intrusion occurred, wanted to convey quickly that because the stolen code was old, it likely posed little threat to users’ data, said Cris Paden, a company spokesman.
“Symantec takes very seriously the theft of its source code and is by no means trying to minimize the incident,” Paden said in a statement.
While it’s understandable that Symantec wouldn’t want to comment about an investigation before it’s complete, the company’s reputation could falter if the intrusion itself isn’t addressed quickly, said Buford Barr, professor of marketing and communications at Santa Clara University.
“This is a very, very typical crisis communications situation, when your very lifeblood is being threatened publicly,” Barr said in a telephone interview.
“You’ve got to try to come up with a response, and usually it’s a defensive one, which it looks like Symantec did here,” he said. “This is a time to be totally, 100 percent honest. This is a potentially horribly damaging situation, and I think they have to go in and decide, how did we get hacked, and how are we going to ensure that’s never going to happen again, and tell the world.”