What Symantec Knew But Didn't Say
02:00 AM Feb. 14, 2003 PT
Security firm Symantec withheld information about at least one big cyberthreat for hours after spotting it, possibly harming millions of Internet users.
Symantec claims to have identified the Slammer worm that ravaged the Internet during the last weekend of January hours before anyone else did.
Symantec then shared the information only with select customers, leaving the rest of the global community to get slapped around by Slammer.
In a Feb. 12 press release about its DeepSight Threat Management System, Symantec boasts that the company "discovered the Slammer worm hours before it began rapidly propagating … then delivered timely alerts and procedures (to DeepSight users), enabling administrators to protect against the attack."
This story is damning in itself but, interestingly enough, it is not the end of Symantec's mistake. It is now apparent that Symantec didn't have nearly the jump on worm activity that they claimed. They simply lied to the masses in an attempt to market their "DeepSight" customers.
John Leyden at The Register breaks down the timeline according to Symantec, and debunks their claims. By this point it is obvious Symantec did little but posture to the masses when they knew very little beyond "increased traffic".
What people should question is the value of the "DeepSight" service that is only able to give vague warnings of increased traffic to a specific port, perhaps an hour or less before detailed open source reports are posted to security lists. Companies like eEye were able to perform detailed analysis of the worm and share the information for free.