After news that the leader of LulzSec, Sabu, was busted and had been working as an informant to the FBI, commentary flowed freely. Some bloggers, like Panda Security's Luis Corrons, appeared over eager to denounce LulzSec and Anonymous. Rather than offer a more rational commentary with speculation, Corrons opted to insult Anonymous (site unavailable at time of posting) by claiming that without their leader, they would be relegated to annoying denial of service at best:
Really good news. I have just read that LulzSec members have been arrested and that their main head Sabu has been working as an informant for the FBI. It turns out he was arrested last year, and since then he has been working with Law Enforcement. As I said, really good news :) Will this mean the end of Anonymous? No. It will mean the end of LulzSec, but Anonymous existed before LulzSec and will continue existing. However we probably won't see any more hacks as the ones LulzSec had been perpetrating, and Anonymous will only use their known childish tactic of DDoS using their LOIC tool.
Taunting a group like Anonymous, who has a clear history of hacking into networks without Sabu, is like sticking your penis into a hornet's nest, as Stephen Colbert once said. It was no surprise to many that shortly after this blog post, Anonymous compromised many of Panda Security's web sites and posted a message directed toward Sabu [1] [2]. A ZDnet article provides the full list of the 36 web sites that were compromised and replaced with the message.
Attrition.org was told of one of the sites very shortly after the defacement, so we tweeted about it and CC'd @PandaSecurity as a courtesy, in case they weren't aware. Shortly after, Panda replied to the tweet with a link and said "not our site". The link went to a Facebook post which is ironic enough. Claiming that websites on the pandasecurity.com domain are "not theirs", then using Facebook (also "not theirs") to refudiate the point is as absurd as it is dangerous:
Panda Security On March 6th the hacking group LulzSec, part of Anonymous, obtained access to a Panda Security webserver hosted outside of the Panda Security internal network. This server was used only for marketing campaigns and to host some of the company's blogs. Neither the main website www.pandasecurity.com nor www.cloudantivirus.com were affected in the attack. The attack did not breach Panda Security's internal network and neither source code, update servers nor customer data was accessed. The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years. We continue investigating the cause of the intrusion and will provide more details as soon as they become available. Meanwhile we assure all our customers and partners that none of their information has been compromised and that our products and services continue functioning as normal.
First, it doesn't matter if it wasn't part of your internal network, it was one of your web servers. 36 Panda Security owned domains were defaced, and they can only try to spin and backpedal, rather than focus on the integrity of their web sites (and response to the public). Claiming that no internal servers were breached that fast shows they are guessing, not summarizing a sufficient investigation. Second, using terms like "some obsolete credentials" for the 100+ email accounts stolen does not reassure anyone, as it speaks to the lack of basic security policy being followed within the company. Third, the defacement said that their flagship Antivirus product had been backdoored. Panda Security owes it to their customers to perform a diligent investigation to ensure that did not happen, rather than a quick denial that may or may not be true.
All around, Panda Security's handling of this incident has been dismal and an insult to the security community.