Anonymous hacks Panda Security

Discussion in 'other security issues & news' started by PaulBB, Mar 7, 2012.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    pbust,

    You forget something you wrote: the word "ethical".
    Were you implying that Kevin is not "ethical"?
     
  2. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    I wasn't implying it... I was saying it straight out and directly. He is making stuff up. That's not ethical to me. He's just spreading FUD.
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    That's quite an accusation you are writing there, pbust, about a well respected person.
    Did you actually read his article?

    Only some quotes from Kevin from the article:

     
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    At least Kevin admits he could be wrong.
     
  5. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    Yes of course I read it. I haven't had the pleasure of meeting Kevin but let me answer each of his propositions one by one. Please do read our official statement at https://www.facebook.com/PandaUSA/posts/10150581593176701 before continuing:

    Actually the defacement does not contain "tremendous amounts of extremely sensitive information" as that information was specific to the external server, not connected to our lab as we've already said. Also he mentions "cloud infrastructure configuration" and "access to the lab". How you go from "external marketing server which hosts landing pages and blogs" to "access to the lab" is beyond me. This is obviously just a supposition on his part with zero facts and without actually bothering to gather more information. The fact that he is spreading FUD that the hackers reached the lab when we have already said they didn't is, by definition, spreading FUD.

    Now he goes on to spread a bit more fear by imagining a theoretical situation where we could hose all our customers' systems because someone had access to the signature distribution system and planted a "special" signature. Even though this is highly unlikely it is amusing how realistic he makes it sound. We've said they didn't reach our internal network, let alone the updates servers or labs. But let's ignore that fact and let our imaginations run wild. After all it's more fun like that, right?

    Again, read our statement.

    How does he reach the conclusion that the 3 TeamViewer accounts gave access to the lab and to our cloud infrastructure o_O? For all he knows they could be disabled at the time of the hack, they could be TV accounts to the same server which was hacked or they could be accounts for the home PC of the admin of that specific server. But of course it's more fun if we let our imaginations run wild and imagine the most catastrophic of situations where they have accessed our cloud infrastructure and lab and are in control of the company.

    No facts, just FUD.

    Yes good idea, let's spread some more FUD completely ignoring our statement that they did not reach our labs nor cloud infrastructure.

    Great, after a huge amount of ranting and FUD to scare the s**t out of people, he does admit that all he has to go on is a list of accounts, server names and configuration files which he has no clue what kind of access they give, if any.

    Now it could be he wrote all this before we published our official statement and tries to scare the s**t out of people with the worst-case scenario. But then if he knows and respects Luis so much how come he didn't verify his statements against our side of the story? After all, the statement has been published for about 18 hours now and still there's no update nor rectification on the article to show the correct information.
     
  6. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    But by the way he's written it he's saying he's sure he's not.
     
  7. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Thank you good sir for this quote. You have summed up why I refuse to support any hacktivist groups.

    While some of anonymous's causes I used to agree with, their methods are obviously flawed.

    If you don't like party X, hack them. Hacking is a federal offense at any scale. There's a reason they say "two wrongs don't make a right." Because they don't. They make you eventually get arrested and throw your life away in a federal prison.

    Good riddance Lulzsec guys. I hope they enjoy their prison cells next to Bernie Madoff.

    And don't even use the argument that it is a peaceful, non-violent way of protesting. I just took a Peace Studies and Conflict Resolution course for honors and out of all the creative, non-violent ways of protesting we learned about, hacking people and committing federal offenses wasn't one of them.

    Besides, how does hacking Panda help anyone? Panda didn't do anything wrong. Did Panda deny selling AVs to minorities or something to deserve that? No! And how did hacking Sony and causing millions of people to have to reset a bunch of passwords help anyone?

    Let's get real. These hacktivists are a way to have fun at other people's expense.
     
  8. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    Here's my theory of what could have happened with Kevin's "assumptions":

    One of the sub-domains that was accessed was pandalabs.pandasecurity.com. This is just a wordpress blog. This blog is not even hosted by Panda but by an external hosting provider. It is not connected to our network.

    Kevin probably assumed that pandalabs.pandasecurity.com must be direct access to the lab simply because it shows the word "pandalabs" in the domain name and then packaged all his novelistic suppositions around this assumption.

    This is the very definition of the worst type of FUD-spreading.
     
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    When you say "FUD" do you mean Fear, Uncertainty, Doubt?

    I can't believe I had to look that up.

    For some reason I thought it meant f**k*d up details. :D
     
  10. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    haha :)
    Yes I mean Fear, Uncertainty and Doubt. That's what I think about Kevin's "article" if you can call it that.
     
  11. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    :)

    Well thank you for diligently and actively assuring people here that use Panda that they can breathe a sigh of relief. No action is required on their part as nothing related to the actual security has been compromised.
     
  12. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Hi, folks ...

    I see that we've got some major butthurt happening over here, so figured I'd drop by and explain my side of it all. I'm a writer for Infosecisland and my beat is LulzSec/AntiSec. Been watching them for a long time now and reporting on their various "exploits." Many of you here know that I spent better than ten years in the antimalware business with a unique way of attacking the problem. Instead of just running samples through a Cuisinart and spitting out hashes of infected files, I discovered that the better way of being ahead of the curve with our old BOClean product was watching the malware authors and spotting their next move. I bring that ability to the table in the articles I write for InfoSecIsland.

    Yesterday, at about 5PM US Eastern time, a tweet went out on #Antisec reporting that Panda Labs was "tango down" with a defacement. OK, these things happen all the time, no big deal. Since there was plenty of account information presented, I looked it over and yes ... I *surmised* that it was typical of most antivirus lab structures that I've seen and worked within (some may remember that I worked for COMODO for a while, and their layout is pretty much the same, using a VPN to access the databases on a central server). The KEY thing though in the defacement was that Antisec said that they had BACKDOORED Panda.

    One thing I can tell you in my experience is that AntiSec's claims, despite marketing speak, have almost always been verified. So there was no reason to doubt their word in this case either. Given that there were no claims of access to the source code or the product deliverables, and being acutely aware of what could be backdoored, that would reasonably only leave the database contents and there appeared to be more than ample evidence posted on that page that they could ... COULD ... have accessed the lab contents.

    After two hours at 7PM US Eastern time, I once again checked the defaced pages and to my astonishment, found that they were still defaced. This is unheard of, particularly for a company whose mission is security. Even our little mom and pop "cottage industry" BOClean company managed to keep an eye on our sites 24/7. So I contemplated writing up the article that I wrote for InfosecIsland and began composing it around midnight when once again, all of Panda's base are belong to skiddies. I finished up the article and submitted it to InfosecIsland around 2AM. And when I submitted it, all of Panda's base ... yada yada still. :(

    As I was headed off to sleep, I checked in again at 2:45AM. STILL pwned. Finally a refresh at around 2:50AM revealed that all of the sites were finally unreachable. I went back in to my submission bucket and noted that. InfosecIsland published my article around noon US Eastern time. I have no contacts at Panda and haven't for several years now. The only means I was aware of to contact Panda was through their (pwned and then desaparecido) site. I find it curious though that Facebook (which I am not a member of) is the only official contact for Panda.

    When I checked in a couple of hours ago and verified that my article had been published, I noted from here at Wilders that there was something about the incident on Facebook. I went, I looked and then posted an update in the comments section of my article pointing directly to the Facebook page. It doesn't really answer any of the questions I raised, and now I see that I've become a FUDmaster here. Well ... my apologies and sympathies to Panda and all, but a security company that leaves their public-facing pages defaced for such a long period of time isn't exactly inspiring confidence in the handling of this entire situation and certainly doesn't assuage the reasonable fears raised by their inaction in this matter.

    And as to whether or not those databases are or aren't compromised in any way, all I can offer is that AntiSec's "word" has proven to be sufficiently reliable in the past to run with a story as they've been confirmed too many times to count. And as I stated in the article, all I can go by is the names, permissions and other data seen in the defacement which certainly appears sufficiently plausible and yet I expressed extreme caution in my words after explaining the reason WHY I was concerned about what I saw.

    The response out of Panda here though only causes me more concern. You should be assuring your customers, not attacking the messenger. I'll leave it there. And do say Hello to Luis for me and extend my sincerest sympathies. If you mention "the BOClean guy," he'll remember me.
     
  13. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
    Thanks for your response Kevin. To contact Panda all you had to do was to type "www.pandasecurity.com" in your browser and find the contact number or email. Neither our website nor our network were compromised. Only an external server managed by marketing for landing pages and blogs (amongst them the pandalabs.pandasecurity.com blog) was breached.

    I'll tell Luis you said hi.
     
  14. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Funny you should mention that. That wasn't possible during the pwnage, and I note that now that your pages are back, apparently through amazon, every single click everywhere on those pages merely reloads the pages and doesn't bring up anything else. I can assure you that it wasn't for a lack of trying.

    Rest assured that no harm is ever intended in what I write, but there are reasonable questions. Simple answers to them always suffice. Once again, my sympathies to all over all this. Hopefully some of the folks in the lab in China will watch over them at night ...
     
  15. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,176
    Location:
    Spain
  16. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    OK ... not to keep beating a dead horse, but your "marketing people" apparently SEO'd your company's sites straight out of google. I tried numerous pages from the listing, all of which were showing a bad film and red text and not the main pages.

    The names you're offering as main pages didn't occur to me, all I went for was Panda, and when I got tired of looking at links to cute bears, I put in "Panda antivirus" and followed google's links until I got tired of the Lulzer's awful music. I've made sure to put both www.pandasecurity.com and www.cloudantivirus.com into my Rolodex for future use since neither was intuitive to me at the time. I don't use antiviruses anymore given our OS, so the branding didn't quite occur to me.

    Still ... it would be better for the future to have someone watching those servers or have a robot ping them every now and then to see if they've changed. Linux isn't exactly bulletproof.
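Kevin's suggestion of a robot that pings the pages and notices when they change, worked through as an added example that is not from the thread and not Panda's or InfosecIsland's code: a small Python defacement monitor that hashes a normalised copy of each page against a recorded baseline, looks for a constructed list of defacement phrases, and treats an unreachable page as a finding too. The marker phrases, the sample pages and any URLs you feed it are assumptions.

```python
import hashlib
import re
from typing import Dict, List, Optional
from urllib.error import URLError
from urllib.request import urlopen

# Phrases that commonly show up in a defaced page body. Constructed sample
# list for this example; extend it with what your own incident history shows.
DEFACEMENT_MARKERS = ("tango down", "hacked by", "antisec")


def normalise(html: str) -> str:
    """Strip parts that legitimately differ between fetches (CSRF nonces,
    timestamps, whitespace) so that only real content changes alter the hash."""
    html = re.sub(r'<input[^>]*name="csrf[^"]*"[^>]*>', "", html, flags=re.I)
    html = re.sub(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?", "", html)
    return re.sub(r"\s+", " ", html).strip()


def fingerprint(html: str) -> str:
    """SHA-256 of the normalised page; record this once as the known-good baseline."""
    return hashlib.sha256(normalise(html).encode("utf-8")).hexdigest()


def check_page(html: Optional[str], baseline_hash: str) -> List[str]:
    """Compare a fetched body against the baseline. Returns a list of findings;
    an empty list means the page looks as it did when the baseline was taken.
    html=None means the fetch failed, which is itself worth an alert."""
    if html is None:
        return ["page unreachable"]
    findings = []
    if fingerprint(html) != baseline_hash:
        findings.append("content changed from baseline")
    lowered = html.lower()
    for marker in DEFACEMENT_MARKERS:
        if marker in lowered:
            findings.append(f"defacement marker present: {marker!r}")
    if not re.search(r"<title>.*?</title>", html, re.I | re.S):
        findings.append("title element missing")
    return findings


def fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch a page body, returning None on any network or HTTP error."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (URLError, OSError, ValueError):
        return None


def run_once(baselines: Dict[str, str]) -> Dict[str, List[str]]:
    """One monitoring pass: map each URL to its findings. Schedule this from
    cron or a loop; every non-empty list is an alert for the on-call admin."""
    return {url: check_page(fetch(url), h) for url, h in baselines.items()}


# Constructed sample pages standing in for a real blog front page.
BASELINE_HTML = """<html><head><title>Company Blog</title></head>
<body><h1>Latest posts</h1><p>Updated 2012-03-07 10:00 UTC</p>
<input type="hidden" name="csrf_token" value="abc123"></body></html>"""
DEFACED_HTML = """<html><body><h1>TANGO DOWN</h1><audio src="x.mp3" autoplay>
</audio><p>Hacked by skiddies</p></body></html>"""

if __name__ == "__main__":
    base = fingerprint(BASELINE_HTML)
    print(check_page(BASELINE_HTML, base))  # []
    print(check_page(DEFACED_HTML, base))  # four findings
```

Take the baseline only from a page you have just verified by eye, and re-baseline after every legitimate deploy, otherwise the monitor alerts on your own changes.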
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Well, good to see that the issue has been sorted out and that all those "could", "almost verified", "sufficiently reliable", "sufficiently plausible" remain in the air with no factual verification having been performed beforehand.

    Maybe all of these "could" serve as a lesson. Next time I am sure the author will at least attempt to verify his sufficiently plausible scenario with the stakeholders concerned.

    I am somehow surprised that as a well known reputed person in the security arena he did not appreciate that this type of FUD can be very damaging to any company concerned.
     
  18. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Yeah, it seems like a rather long & drawn out cunning plan to get one. The bloke's obviously a genius at strategy. :D
     
  19. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    The company in concern are in damage limitation mode.

    Sorry but because an AV representative states something it does not make it automatically the truth either.

    Have known the industry and KM for a decade now myself.

    I'm more inclined to listen to KM... he has no $ to gain or protect in this and what that guy does not know about the backend of the industry is not worth knowing in the first place.

    Kevin is not a FUD meister and despite all denials of how far they were compromised, Panda was still hacked by the skiddies :ouch:

    Kev keep at them bro, the game of cat and mouse continues :thumb:
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Considering a very recent event involving Symantec, where they initially said nothing bad happened (or something like that), then it was source code that was 6 years old (or something like that), and then they started to advise their users to remove (or something like that) one of their apps (or something like that)... for sure, this makes one not trust security vendors that much when they get hit and they try to control the damage.

    That said, I'm not saying anything that bad happened to Panda. Just looking at it from the perspective of a user, as I am.
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Well, still unfounded claims and a hypothetical scenario for which little has been done to verify beforehand. At least a similar blog post about the Symantec source code leak contained some good code analysis. While for Panda we got only a wishful trust of whatever was contained in the defaced web pages.

    I cannot also believe that a superficial approach like "If it was true yesterday for Symantec it is also true today for Panda" is applied so carelessly. Or if this comes from him it must be true....

    As they say in gambling: it is always easier to play with someone else's money ;)

    I close here since unless some evidence is put forward the discussion is pointless.
     
  22. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Layman question:
    You wrote that "AntiSec's claims, despite marketing speak, have almost always been verified. So there was no reason to doubt their word in this case either."
    But you also reckon they, at most, could have corrupted the sig database; then how can you still be convinced folks should keep in mind that their claim might be true?
    As you wrote, it would take (quite) some work to recreate sigs from the date of entry/hack but that's it.
    So, wouldn't the AntiSec claim be hogwash to begin with?
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I won't even try to guess if their claim of backdooring Panda is true. It also doesn't make much difference if they compromised the app itself or the current batch of signatures. True or not, this incident does show the weakness of security apps that depend on the cloud and vendors' servers. Like it or not, if your security package depends on a vendor's server, that server is part of your attack surface. If it's compromised and serves up a backdoored update, you better hope that the rest of your security package is up to the challenge.
     
  24. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Sorry for the apparent confusion over the article and its intentions. Perhaps it might help to put the article into perspective by explaining what Infosecisland is all about. The site is specifically intended for security professionals, network administrators and their wigs. At InfosecIsland, my usual beat is the feats of the Lulzers and how to mitigate their attacks. If you look at some of my other articles there, I set forth what they do, how they do it, and what should be done in order to help professionals NOT be the next victim. That's what we do.

    If you visit InfosecIsland, you'll see how highly technical and geeky all of us are in trying to drum home the simple point that professional site managers are expected to properly secure their sites, even if they're "farmed out" to external contractors and the significance of what happens when sites are broken into. These Antisec people aren't exactly rocket scientists and properly configured servers are not about to fall victim to skiddies. But bottom line, the Island isn't geared towards end users like ZDNet, CNet, PC World and the like.

    As I've indicated, readers of the Island know how successful the Antisec kids have been once they've gotten a foothold onto a system, some have even been victims themselves and know that there's often a whole lot more than ends up being reported. And yes, professionals have the interest in following the kids in real time. And when it comes to security companies like Symantec, Panda, HBGary, Stratfor and others, there is an expectation of more supervision of their facilities and contractors than a small office which happens to get hacked. So whether it was Panda's own servers or ones that they rented, they still got pwned, and pwned for many hours without anyone there noticing. Not good.

    So we have Panda's word that none of their own servers were attacked, but there's no proof of this either behind their own statements. Same for other security companies as well in the same situation until we find out later that in fact, the kids had actually been sufficiently successful as was the case with Symantec's stuff. That's the reason why when we report on things like this, we put out our theories, and expect fellow security professionals to chime in with what they bring to the table as they often do. We may never know the real answer and we always ask for comment from the affected parties so that the security professionals who visit the Island can all come away having learned something that advances their own security plans.

    So what's the answer for real here? We still don't know for sure ...
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I can't imagine how they didn't notice. Maybe they were unable to immediately fix the problems, because more was broken than they've admitted. Maybe it's just that the server admins were all asleep. But they do need to explain the delay.
     