Anonymous hacks Panda Security

The problem is easily solved. All it takes is taking advantage of RFC 2616, section 14.25's "If-Modified-Since."

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

If you set the "Last-Modified" header on your site server, as explained here:

http://kb.siteground.com/article/LastModified_HTTP_header_explained.html

Then all you need to do is have a robot ping the server at a reasonable interval and have it trip an alarm whenever your pages are "replaced." A break-in would set off such an alarm. It's what we do, it's what many others do as well to be notified of a potential attack on any of their sites. In an http request by a robot, you can even add unique values that can be HTTP queried as additional insurance instead of having an alarm go off when your webmaster makes changes often.

There are many ways to mitigate the damage or at least get a heads-up if you're compromised. That's the kind of stuff we normally write about over at "the Island."

 

Reducing attack surface wherever possible is key and often overlooked, but I am NOT in agreement with your statement.

Any vendor's definition server could theoretically be hacked and backdoored/corrupted. If it is a traditional, non-cloud AV, then as soon as clients update they have mal-definitions. Same effect.

I am a firm believer in anti-malware products that put cloud protection in front. Cloud computing is the future for a lot of applications (not all; I'm not arguing that) and it is a very logical approach for community-based protection. Furthermore, it practically eliminates the inferior reactive concept and replaces it with being proactive.

...Not that that's what this thread is about. I just don't want this topic to lead into bashing cloud products, because the points people use to criticize them could happen to a traditional updating anti-virus program as well (e.g. Vendor server hacking or blocking).

I like Prevx's approach because they have tended to put their advanced heuristics and innovative rollback system at just a high regard as their cloud protection, making for a killer combination.

 

Wow, this was a big mess, hope it's all fine and dandy.

 

I wasn't referring specifically to cloud based or supported packages either. I was referring to any security product that depends on continuous updating in order to be effective, AV, anti-malware, cloud based product, etc. On any of these, the potential is there for a compromised vendor server being used to compromise the security apps that depend on it. Since this is OT, suffice it to say that we will not agree on this.

 

We have to put the facts into a context. Magnifying happenings and extrapolate worrying scenarios is more for science fiction writers than security professionals.

 

Nice quotes!! Where did you get them from?

 

Made them up .. LOL
EDIT: OK, now fixed the quoting ...

 

Excellent!!!

 

I actually do agree with you, nooneparticular, but what can you do?

Use only behavior blockers? There's holes in those that could be exploited. Just cause it hasn't a database doesn't mean it is secure.

Use only true whitelisting? Hey I'm cool with this one but there are even exploits for this although rare.

At this time it seems the actual compromising of the integrity of security definitions is rare so I don't want to get people paranoid...

...I guess what I'm trying to say is eventually the attack surface you can viably, logically reduce ends. You can't remove someone's brain because they might get brain cancer.

 

I would say "theoretical" or "unprecedented" instead of "rare". AFAIK it's never happened before.

 

Hope you guys don't mind me chiding in one last time, but "theoretical" or "unprecedented" once applied to SSL certificates as well. Oh ... and yeah, I used to work for COMODO. I warned them too when I was gettign paid to do so. Got tired of Melih's attention span LONG before they got hit and left. "COMODO Hacker" claimed to be in Iran, but he was actually in Brazil. I chatted with him after the fact once. Hopefully, Panda isn't as honked off at me over the article as it seems, but fact is the arrests took out some script kiddies with big egos, and not the competent coders who still roam free. They're in Brasil, Argentina, Ukraine and Romania and they're pretty good at what they do. When the authorities catch up with them, perhaps I might moderate my tone about their capabilities. I've seen them at work back in the Lulzboat days.

I've often said "anonymous" consists of a handful of very dangerous and very competent coders and a cast of thousands of morons. The Panda attack, like most others was the result of SQL injection which is nothing more sophisticated than googling for targets and running the same old scripts against them. That's how Panda's "sites" got pwned. I hope you guys have decided to bring that in-house after the past event. Fear not, I wrote what I wrote to get the attention of other admins as I usually do and so far in various back and forths with some of my readers, your situation did indeed get the attention towards monitoring their sites that I had hoped to accomplish in that article.

If it's true that they never got behind Panda's REAL wall, that's good. But let's not underestimate their capabilities. Most of their successful "hits" have been against sites doing "LAMP" installs, and most of them ran Linux. When a security company keeps coming out and dismissing these kids, it makes me roll my eyes. To see the same old attacks working years after CERT and SANS have written up the exact means as to how they've been successful and sites STILL get pwned when the solutions to the issues have been out there now for years, that's why I come and deliver the spankings I do.

COMODO had their certificates pwned. So have others since. VPN's between labs have been hit as well. I tried to bring some interlopers to COMODO's attention when I was working there and sat and watched entries going into and being removed from the databases, along with detections I personally put into their databases disappearing before my very eyes back in 2008. The people I worked for refused to believe it even though I supplied screenshots of it happening right in my face.

So don't be smug about it ... I offer this ... be absolutely sure of your walls and be sure to check them. I'm not claiming that you have any holes or deficiencies of any kind. We didn't think we had any either. Fortunately, there's only a small handful of extremely clever people out there amongst all so many idiots. But they're out there indeed.

I've learned an awful lot watching the lulzers and folks like them. And I'm extremely grateful for what I've learned by watching them. Helps me make what I'm doing now all the more useful in knowing what can be done and how to stop it. Folks count on people like you guys as well. Crime pays bigtime these days ... it's not like the old days of opening drive trays on a neighbor's machine and watching them flip. There's cash money out there for actual "talent" and the biggest hits don't show up on twitter. Times have changed, and the folks who can do the damage have not been apprehended yet.

Sabu ... a "mastermind" ... lol

 

"As far as we know" being the operative term here. I can't imagine any AV vendor ever admitting to it if it did happen. Doing so would be the end of any user confidence in their product.

True, there is a limit to how far you can reduce the attack surface and still retain web access. That said, when your security package depends on anothers servers, that's an extension of your attack surface that you can't protect or control in any way. Take the incident that this thread is about for example. Panda gets hacked in response to or in retaliation for comments they made or alliances they have, (real, perceived or imagined, doesn't matter). The attackers claim they've backdoored their product. The company says they haven't. We (the users) can't verify this either way. The only thing we know for certain is that they have been targeted and attacked with some degree of success.

This is more than protecting your attack surface. It's about not being part of the target. It's been clear for some time that parts of these "anti" groups do not care about the collateral damage they cause. Those update and cloud servers are someone elses attack surface. If they're successfully attacked, you're vulnerable to damage even though you weren't directly targeted. The security apps that rely on those servers have access to all of your system. What better way to own a system than compromise the apps that secure it? Besides, it's not even necessary to compromise the app or its definitions. Corrupting an executable of an auto-update could render it ineffective.

True. IMO, it is the most effective option even if it's not perfect. The big difference is that an attacker has to target you directly, not the servers for an app that you happen to use. That's the simple part of the policy, staying out of the line of fire.

 

I hear ya...

I use whitelisting and rely on it via Software Restriction Policy fairly heavily.

The problem is, that won't help me if my AV's servers get compromised, because my AV of course is whitelisted and has admin access already.

Suggesting or implying using AV is a security risk is really theoretical this point and is a hard risk to mitigate...

...I think what AV vendors ought to do is build a mechanism into the heuristics that checks the cloud data or update definitions and if it sees a change that the company doesn't do, it rejects them and turns off that protection medium and relies on heuristics only then launches a protective scan and notifies the user and company so they can quickly address if they were compromised.

 

For me, that combination of requiring admin/root access, access to servers the user can't control or monitor, and especially the need to be able to replace its executables and other components as part of the update process conflicts with much of my security policy, making it unacceptable. My whitelists use MD5 or SHA1 hashes. Auto-updating makes that impossible unless I disable the integrity checking for all of the AVs components, which effectively makes the policy default-permit (with core system access) for any file the AV downloads. If someone ever did hack one of those update servers, they could pwn thousands of PCs in a very short time. How much more tempting can a target get?

Update process aside, the combination of unrestricted internet access combined with admin/system access is a nearly impossible problem to mitigate. One only has to look at IE6 to see where that can lead.

Is it? The fact that this thread exists shows that we're past that point. Anonymous claims they did. Panda says they didn't. No way for any of us to verify if it happened or to what extent. It might be just part of the website they got to. They might have targeted the app itself or the servers that maintain it. I can only begin to imagine what kind of havoc they could cause by adding a few items to the detections (system components, the AVs own files, etc). When I weigh the cost and potential risk against the benefit of an AV, AFAIC I'm better off without one.

 

Considering on-demand scanners could suffer the same vulnerability...

...How do you scan your computer?

Even true, default deny whitelisting security setups should have a good scan every now and then.

I don't know that I'm ready to ditch my AV because of 1 or 2 unverified claims of vendor server intrusion. It is so rare that even if they did use this to push malware to my PC, then this is the scenario that which I make system images for.

 

It's, indeed, a tough call for many. But, in your case, just because you make system images, is no excuse for the breaches that occur in such servers.

Even without a system image, I could just reformat the hdd. Completely wipe it clean. It's still no excuse for what happens.

A few days ago I've seen in the news the story of two kids (brother and sister) suffering from a rare disease. Just because it's rare, it doesn't take away the severity.

Even recently I've seen in this same forum a representative of a security vendor saying that only a small portion of users were at risk, due to the inability of their security solution detecting something.

It's not important whether it's rare or if it only affects a small portion of users. OK... What's important is that it happens, and I'd hate to be part of the statistic of those that get the hit.

Note that I'm not trying to make need of scanners VS no need of scanners. I'm just saying it's a tough call to make for many, and I'd hate to be part of the few who could be hit by something - either due to what was discussed at this thread or due to inability of security solutions to protect users, thus only affecting a small portion of users.

If this wasn't true, it would be almost hilarious.

 

A nightmare scenario, for sure.

 

Sorry...

I wasn't trying to defend AV vendors by suggesting system images...

I was simply defending my own security setup/philosophy by saying I am not ditching antivirus because of these rare events; events that which are theoretical/so rare that that is what the system image is for.

 

I suppose we use system images for different things. I use them to protect myself against software/hardware failure. I don't use them to protect my system against security vendors servers getting hacked and distribute bad malware definitions ( as discussed in this thread), though. As far as I'm concerned, that's not what a system image should be for.

And, while I know you weren't defending them, I simply do not agree with events that which are theoretical/so rare that that is what the system image is for. Which again, is just my opinion; which is why I say I don't agree with that view.

 

*Sigh*

I use system images for last resort restoration.

This may include:

- Hardware failure
- Irreparable software or OS corruption
- Rare malware that was able to bypass my very tight, default deny setup. Whether it bypassed it by targeting my AV vendor, or just being that sneaky, whatever.

What's not to agree with system images as a last resort? Who cares why you make them. The important point is that you make them.

 

A system image is great, provided that you know when you're infected. If your security package doesn't catch it immediately, you have no way of knowing how long you've been compromised, days, weeks, months? How much damage might it have done in that time period? Missed detections have always been an AVs weakness. Even so, this is a completely different problem. A missed detection might affect a few users. A compromised server will affect them all.

I scan new downloads at VirusTotal, but that's all. I don't scan my system. The contents of the root, windows, and system directory are checked at bootup. All of the autostart locations are protected. My registry is replaced with a clean, optimized copy during each bootup. I also have on demand integrity and content checking of all the folders that matter. Some time ago, I used to run the occasional scan with HouseCall and another one similar to it, forgot its name. Those scans regularly flagged several of the batch files and scripts I use. Beyond those and the occasional piece of malware sitting on my desktop for testing, they never found anything.

Correct me if I'm wrong here. When Blue Frog was hit by those huge DDOS attacks, didn't that attack come from PCs running an exploited Norton Internet Security?

If you look back over the last couple years at the major breaches at security related companies, not a single one of them admitted the extent of what was compromised until well after the fact. Without exception, they all went straight to damage control mode, first denying the problem, then understating the extent. As for verification, by who? The company whose bottom line is damaged in proportion to what they reveal? Not going to happen. The bottom line comes first, the customer second. That's business.

Slightly OT, but something to think about. That's one advantage of Open Source over commercial software. Decisions aren't based on their effect on the bottom line. There isn't one.

 

While I get where you are coming from, this is getting a bit paranoid personality/obsessive compulsive. There is only so much attack surface you can realistically reduce in a reasonably conventional security setup, let alone a security setup of an average, non PC savvy user!

With this mentality, you guys are eventually going to be recommending people turn off updating of other software, up to and including Microsoft Windows Update, because MS *might* get hacked and be delivering mal-updates, and then they won't admit it. Next thing you know, you've got a non-functional, out-of-date computer that which is significantly more vulnerable due to unpatched holes; more vulnerable than it ever would be with automatic updating turned on.

To each his own. I usually make a known clean system image when I first set my computer up, and then make incremental ones after that. I still think this whole concept is a very rare occurrence and with Webroot, they guarantee removal of anything even if they have to connect to your PC to perform a remote cleanup session. So if they cause the issue, I'll make sure they personally fix it...it was guaranteed to me upon purchase.

Jerry's Final Thought: VirusTotal has its limitations/drawbacks.

 

Much of todays reality was considered paranoid thinking a few years ago. Common sense advice like "don't visit questionable sites" is far less effective than it used to be. If 5 years ago some had said that the servers of financial sites would be serving up malware, they would have been labelled paranoid immediately. Then the Bank of India hack takes place.

Todays reality is obvious.
Legitimate sites get hacked with some serving up malware.
The internet structure is vulnerable as is the equipment that's responsible for its operation. DNS attacks and trojans have done this.
Together, the prove that there's no such thing as a truly trustworthy site, or server.

Very true when the design of those security apps and the OS they run on keep increasing the attack surface in addition to making your system part of someone elses attack surface. AFAIC, "conventional security" is going in the wrong direction. It's become the equivalent of plugging holes in a sieve that keeps getting bigger. Your Microsoft example doesn't apply. It's not "might get hacked". Panda was hacked, just like several other security oriented companies have been. Show me one of them that admitted to the extent of the damage on the first try. Call it paranoid if you like, but I totally expect to see more security apps (and/or their support servers) attacked, especially those that rely on cloud based services. Some of them will get pwned, as will those who rely on them.

 

You described your security setup. That won't work for me and I would imagine it would not work for most people. I don't even know how you are "flushing your registry" every time you boot up. Are you using 3rd party software to do that?

I don't like security setups that don't use a realtime anti-malware product. The reason being is, if someone is trying to attack you individually, you have no anti-malware protection.

I really don't know what else to say. I don't think there is a right answer here, at least not now. You are using something Norton did as a precedent to predict how all AV vendors would respond to if they got compromised. That might not necessarily be the right way to assume.

The only reason I am concerned about this at all, being that software restriction policies and whitelisting is the staple of my security, is because my antivirus runs elevated, obviously...

...but then again, Webroot/Prevx technology places a LOT of emphasis on advanced behavior detection, so even if their cloud was compromised, there is still heuristics as well as the rollback system in place.

I don't know. Perhaps you are right in the long run. Perhaps you aren't. But my Microsoft analogy did apply. How do you know Microsoft Update won't ever be backdoored, and serve up mal-updates?

You can't know. Nor can any of us know what really happened with Panda. The powers that be claim nothing that compromised the integrity of their product occurred. You can choose to believe them, or you can choose not to. You can choose to do away with realtime protection and rely on VirusTotal and use a security setup much like you described. It'll get the job done no doubt, but I still think it is reasonably important to have some form of realtime protection. Don't get me wrong - I'm all for not relying on 3rd party security products - but I think doing away with them completely is way too radical, considering that the issues being addressed here are still mostly (deny it if you will) theoretical and not proven. This of course may or may not change.

 

The registry replacement is done with a boot loader running batch files before Windows starts.

If someone was specifically targeting me, they most likely wouldn't be using pre-assembled malware of the sort that's distributed by the usual means.

The Norton example wasn't used to show how companies would react. That was to show that such attacks are not just theoretical. I'd have to dig up the incidents and company names for the other examples. The encrypted access cards used to access secure areas come to mind.

Point taken on Microsoft. The main difference there is that no one has claimed to have hacked them. Besides, why should MS serve malware when their system borders on spyware by design? Then again, there's always WGA.

No, we don't know exactly what has happened with Panda. My issues aren't with Panda or 3rd party security apps but with AVs in general, especially those that depend on services performed in cloud servers. Cloud services are a big, tempting target for a lot of different people and reasons, ranging from common criminals, parts of the "anti-" groups, terrorists, foreign governments, etc, especially those that could give an attacker root access to thousands of PCs. Instant botnet potential, or worse. I expect to see a lot more of this sort of thing soon. I don't see a good answer for the average user either, not with the available options.