Late Tuesday night, at least 35 public facing websites belonging to Panda Security were hacked and defaced by the LulzSec and Anonymous hacking groups. The defacement also posted multiple usernames and passwords associated with Panda Security employees.
For its part, Panda Security has publicly claimed that the attack did not breach their internal security or their source code. They also claim that no customer data was accessed. The breached sites were hosted by an external web hosting provider.
"The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years," Panda Security stated.
The attack against Panda Security was evidently in retaliation for the security vendor's participation in efforts to help shut down the hacker groups. Multiple alleged LulzSec operatives were arrested yesterday, following an FBI investigation involving a top LulzSec leader turned informant. The attack came shortly after PandaLabs' technical director publicly boasted in a blog that the arrests meant the end of LulzSec.
"LulzSec is far from being over," Vinnie Liu, managing partner at security services firm Stach & Liu, told InternetNews.com. "You can't just call the game with statements like 'It will mean the end of LulzSec'. It should be obvious by now that if you poke the bear, it's going to come after you."
Liu noted that it has long been the theory that LulzSec and Anonymous will step up their game as the stakes increase and the situation escalates.
"Well, the government just turned it up a notch," Liu said. "Chances are that the arrests are going to incite rather than quell any additional activity."
Protecting Your Sites
At this early stage, the precise mechanisms by which the Panda Security sites were exploited remains publicly undisclosed. That said, there are a number of good practices that security experts recommend to help mitigate risks. According to WhiteHat Security CTO and Founder, Jeremiah Grossman, these types of attacks are painfully common.
"The Panda Security breach is yet another reminder that no one is safe from breaches, not even security companies," Grossman told InternetNews.com. "As has been suggested in the community, we really need more organizations sharing the details of their incident response investigation. Only then can we learn what controls are working, or not, and improve our industry's outcomes."
Graham Cluley, senior technology consultant at security vendor Sophos, noted that while it's unclear as to how Panda's sites were exploited, there are some rules that businesses can use to help protect themselves.
"Many businesses try to use the net to promote their brands and for marketing operations, but they should be cautious that they don't race to put new webpages in place without proper thought around security," Cluley told InternetNews.com. "Let's not forget that Panda is the victim here - the ones who really did wrong are the criminal Anonymous hackers who defaced the firm's sites and spread untruths about Panda's software being interfered with."
Cluley recommends ensuring that websites are coded securely, that web application software is kept up-to-date with the latest security patches, and that sensitive data is securely encrypted -- so that it will be useless even if stolen. He also recommends that organizations enforce policies to ensure users choose passwords that are not susceptible to dictionary attacks.
WhiteHat's Grossman said he suspected the Panda Security defacement was a web-layer breach, as this is how a huge percentage of incidents take place. As a security consultancy, WhiteHat recommends that its clients always keep the following mantra in mind: Hack Yourself First.
"Bottom line, all websites have security vulnerabilities," Grossman said. "That's why it is vital to know what the bad guys know -- or eventually will."
Going a step further, Grossman suggest that companies adopt a Security Development Life-Cycle (SDL) approach to web applications.
"When mistakes are identified from the Hack Yourself First policy, tie them back to a missed process or control in the SDL," Grossman said. "As a result over time, new code quality and security will improve dramatically."
Lastly, Grossman suggests the use of proper incident detection and response mechanisms. That involves monitoring of traffic and log files to constantly be vigilant against potential attacks.
"Despite the best effort of any security program, hacks happen -- it is only a matter of time," Grossman said. "Much of the value a comprehensive security program provides is noticing when a breach occurs, being ready to respond quickly, and preventing catastrophic damage."