Symantec have recently confirmed that source code to their PCAnywhere and Norton Antivirus was stolen in a 2006 security breach. Now hackers have demanded $50,000 (R378,026) to keep the source code from appearing online.
An email exchange between a Symantec employee named Sam Thomas and an individual named “Yamatough” shows the two discussing how Symantec would pay the hacker group $50,000 to prevent them from releasing the source code.
“We will pay you $50,000.00 (R378,026) USD total,” Thomas said in an e-mail dated Thursday. “However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 (R18,901.30) a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain.”
Symantec confirmed the extortion attempt to Cnet, saying “In January an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession. Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property.”
Negotiations have since broken down, and the source code has apparently made it onto popular torrent websites under the name “Symantec’s pcAnywhere Leaked Source Code”.
Read the full story at: Cnet.
Symantec have sent through the statement below, clarifying that communications between Sam Thomas and “Yamatough” were in fact between law enforcement agencies and the hackers; no Symantec employees were involved.
To clarify and reiterate, the e-mail string posted by Anonymous was actually between them and a fake e-mail address set up by law enforcement. Anonymous actually reached out to us, first, saying that if we provided them with money, they would not post any more source code. At that point, given that it was a clear cut case of extortion, we contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents – not Symantec. This was all part of their investigative techniques for these types of incidents.