We want your feedback
As I have already explained on some other occasion, at Panda we are making a significant effort to ‘listen to’ the market. This means actually having a more direct contact with you, the user community. Along these lines I have created an email address for you to contact me directly and send me your feedback about Panda’s solutions. I am very interested in knowing what you like, what you don’t like and any other suggestions you might have to help us develop solutions more suited to your needs.
The email address is: feedbackCEO[at]pandasecurity.com.
This initiative doesn’t intend to replace, but rather complement other ways to contact the company. Therefore, I’d like to ask you to keep using the usual contact channels for issues regarding analysts, the media, tech support, etc.
In order to encourage you to send us your feedback on our most recent solution, Panda Cloud Antivirus, the first 25 people that contact me with their opinion or any suggestion about the product will get a free license of Panda Cloud Antivirus PRO.
The Mariposa saga goes on
Last March 3, as I have already explained on this blog, Panda Security together with Defence Intelligence, the Spanish Guardia Civil, the FBI and other international institutions collaborated to bring down the largest botnet ever reported in an operation called ‘Mariposa’. This joint effort not only resulted in the dismantling of the botnet and retrieval of a considerable amount of compromised data from private and public organizations, home users, government bodies and universities from over 190 countries, but also led to the arrest of the criminal network’s alleged administrators. So far, nothing new; but…
We knew, however, that they hadn’t developed the software that allowed them to build their network. They had purchased the original bot from a website, and had configured it to suit their own purposes without really having much computer knowledge. During the investigation, and thanks to the information collected from the botnet itself as well as the material seized from the defendants, a lot of information was obtained indicating the relationships between them and other cyber-criminals. Among them there was the author of the software that they used to create the bot, the so-called Butterfly Kit. This information has let the Slovenian authorities arrest ‘Iserdo’, the 23-year-old hacker that developed the malware creation software.
The Butterfly Kit original software is behind Mariposa and many other botnets. As far as we know (bear in mind that the investigation is still under way), the kit was sold online for between €500 and €1,000 per unit. This software was designed to make cyber-crooks’ lives a lot easier, as it was very simple to configure and manage. This is clearly shown by the fact that the three cyber-criminals arrested in Spain had limited computer skills.
We estimate that the Butterfly Kit has been used to create almost 10,000 unique pieces of malicious software and over 700 botnets. Mariposa was just one of the hundreds of botnets created with it, and just one malware strain allowed its administrators to infect almost 13 million computers all over the world. So far, we are not sure about the dimensions of the other uncovered botnets, but the total number of affected computers could be alarming.
There is no doubt that this joint effort provides a great example of how to fight cyber-crime: in a coordinated way; bringing together synergies and the knowledge of the different security industry players and public bodies; pushing for appropriate legislation and punishment; and sharing the necessary information and training for the different working groups –like the Mariposa Working Group– to develop prevention technologies and research strategies to arrest, prosecute, and sentence criminals effectively.
In this case, after a long investigation (we have been collaborating in the botnet shutdown for almost two years now), we have been able to track down the mastermind behind the cyber-criminal group. There is no need for me to say how proud we are of having been involved in such a successful operation from the start. As Jeffrey Troy, Deputy Assistant Director for the FBI’s cyber division says, “As opposed to arresting the guy who broke into your home, we’ve arrested the guy that gave him the crowbar, the map, and the best houses in the neighborhood. And that is a huge break in the investigation of cyber crimes.”
The fight against cyber-crime is still a priority for all of us. At Panda Security we will continue participating in investigation projects, taking as an example the excellent work done by all parties involved in the Mariposa case. And we’ll do it not only privately, but also as members of various associations, working groups and organizations (like www.cnccs.es) whose common goal is to improve Internet security for everyone.
When probability becomes reality
A new 0-day vulnerability has recently been discovered in Windows (even though it is not strictly speaking a vulnerability, but a feature of the operating system) which allows unauthorized execution of files through the desktop shortcut icons. Our laboratory urges users to apply the small application released by Microsoft as a workaround until the definitive patch is developed (despite its side effects).
Besides the clear threat that this issue might represent should a cyber-crook develop specific malware to exploit this feature massively (in which case we can expect some weeks of high-activity…), it turns out that somebody had already realized this possibility of infection and had already developed and distributed a malware specimen specifically designed to affect SCADA systems.
SCADA systems (for those not familiar with the term) are normally used to control public services like electricity, water, as well as other large-scale industries and infrastructures related to the stability and functioning of countries, such as nuclear plants.
Since we started the National Cyber-Security Advisory Council (www.cnccs.es) in May 2009, one of the initiatives we have most strongly pushed for is the need to tighten up security in critical infrastructures. When we talk about this, people usually react as if these arguments actually belong to the script of the latest Hollywood summer blockbuster rather than a real danger.
We always argue that it is not that these threats are not real, but they -fortunately enough- have not yet been exploited… Even though we don’t have to go too far back in time to find news about potential cyber-attacks between countries.
Now, this malware strain is capable of silently infecting a user simply by sharing a memory device, and letting cyber-crooks, cyber-activists or even cyber-terrorists take control of any of the aforementioned infrastructures.
You must also bear in mind that these infrastructures are considered more vulnerable. Why? For a number of reasons:
- SCADA systems connect and communicate over the Internet.
- All sectors are increasingly dependent on information and communication technologies.
- The “bad guys” have gradually gained more access to tools and networks that let them conduct this type of attack.
Add to this the existence of vulnerabilities or features that make their job easier and you will have the perfect ingredients for a devastating attack.
What is clear is that what once seemed to be a science-fiction scenario is now seen as a real threat (even though this danger existed in the past…). We hope these types of attacks take a long time to arrive… And we are truly prepared to neutralize them should they eventually occur.
Kids on the Web

Over the last few days we have been presenting in Spain the results of a survey we carried out from January to May asking parents (with children up to 18 years old) and teenagers-youngsters (up to 20 years old) about their Internet browsing habits. This study is part of a campaign we have been carrying out in various countries over the last two years.
Once again, and despite the awareness and education campaigns conducted by security companies and other entities, the study has revealed some surprising facts:
- 1 in 3 teenagers has met a stranger on the Internet, even though 30% consider it dangerous.
- 99% of young people in the survey use some social networking site or some kind of direct communication system on the Internet. Only 47% of parents are aware that their children visit these websites, and in many cases they don’t know exactly which ones they are or what their children’s profiles are.
- There is a general sense of security among parents (72% of them claim to know how to stay protected) and children (83% of them say they feel safe on the Web). Only 44% of children in the survey say they have received information about how to use the Internet safely. This contradicts parents’ responses, as 79% of them say they have discussed Internet security issues with their children.
- Parents and children agree that the Internet’s greatest dangers are contact from strangers, followed by viruses and data theft.
Even though some months have passed since we released these videos, they are still perfectly valid to illustrate the reality we are facing: http://vimeo.com/3721066 and http://vimeo.com/3722519.
The debate is mainly focused on the way social networking sites are used, and their risks. In my opinion it is a mistake to think of the Internet as something “evil”. The Internet is a fantastic tool that opens up a world of possibilities, and as such there is no doubt that it will gradually become a more extensive part of our lives. Nevertheless it is important to take some basic precautions when using it. Social networking sites are fun and a great way of socializing and staying in touch with people. However, we cannot ignore the fact that they can also pose a series of threats:
- Risks and threats to data privacy and integrity. This greatly depends on the security awareness and education of minors (and adults as well).
- Security flaws: The hackers’ favorite target to spread their creations and to attack databases and exploit platform vulnerabilities to get private data and take advantage of it.
- Identity theft.
- Sometimes we forget the fact that we are actually exposing our private lives on the Web: personal information revealed, online or offline targeted attacks (e.g. FourSquare) or theft of data for distribution (e.g. pictures of celebrities that sometimes end up in the media).
As security awareness increases the situation will improve. From Panda and all the security forums we participate in we will keep asking for collaboration from both private and public institutions to inform about the risks (and benefits) of these tools.
Luckily, the new generations are growing up “digital”. They have made the use of computers part of their everyday lives so it shouldn’t be difficult to incorporate computer security issues into their learning processes. It is just a question of all parties involved -parents, teachers, companies and public institutions- taking the issue seriously. It is worth it for them… and for us who are responsible for their education and protection.
The paradox continues: Free antivirus solutions in a world with costs (and with much more malware)
Just over a year ago, coinciding with the launch of the first Beta version of Panda Cloud Antivirus, I wrote a post about the freemium business model. This launch had a major impact on the market, largely because, in addition to being the first cloud-based antivirus, Panda Security was a company with a traditional business model ‘daring’ to offer a free solution.
Back then I explained the reasoning behind our ‘Free’ strategy. And one year on, what was then just a theory has become a reality, and our decision to go with this solution has helped us in many ways:
a) Our brand recognition has increased considerably, thanks to the launch of a pioneering and revolutionary product which, in addition, is free.
b) We have a large user community taking advantage of our product, who increasingly help to improve it and recommend it to others.
c) Thanks to this strategy, Collective Intelligence, our automatic system for detecting, scanning and disinfecting new malware, has benefited enormously. It now receives more knowledge from an enlarged user community, and this in turn has positive repercussions for the protection delivered to clients and users of other Panda solutions.
I also said at the time that such a model is only sustainable if there is a monetization strategy behind it, albeit one in which the return on investment is over a longer term. Now is the time to take the next step. We are now immersed in the launch of Panda Cloud Antivirus Pro, a pay version that will allow us to continue advancing our strategy of providing free security for all users who want it, as well as offering additional functionality for those who want to buy the Pro version.
A year ago we were convinced that the sector would evolve in this direction. And now the data confirms this: Morgan Stanley has recently published a report indicating, on the basis of a study carried out in the United States, that 46% of home users use free security solutions (and an additional 13% intend to “switch to free” when their license expires in the coming months).
IT security is evolving rapidly and this evolution will affect the entire sector. At a time when it is more critical than ever to be protected against malware, it is paradoxical to see how this protection can now be obtained for free… this is good news for users and explains the success of solutions such as Panda Cloud Antivirus.
Mac as a means of distributing malware
On several occasions I have spoken on this blog and in interviews about our take on IT threats for Mac. There is a widely held view that Mac users are in no danger, as viruses are only designed for Windows platforms and because the Mac operating system is more secure than Windows. The truth is that there are viruses that operate in Mac environments. The difference lies in the amount of malware circulating in comparison with threats designed for Windows. The explanation is simple: If you are a cyber-crook trying to profit from your activity and you want to infect as many victims as possible, what is the ideal target? A platform with 100 million users or one with 1000 million? The answer is obvious.
I’m also convinced that as the number of Mac users increases and as it reaches a significant market share, hackers will begin to find an inviting breeding ground for distributing their infections. I would go so far as to say that they will find victims unprepared, precisely thanks to the false sense of security that Mac users have. Therefore, when this happens, the situation could well bring back memories of some of the notorious epidemics such as Nimda or Sircam. And regardless of any presumed absence of viruses, Mac users are just as vulnerable to spam and phishing.
In any event, it is important to underline that although there may be less malware designed specifically for Mac, and the chances of infection may be lower, this has no bearing on whether Mac users are contributing (knowingly or unknowingly) to the propagation of IT threats. Perhaps unwittingly, many of them will be infecting Windows users connected across various channels (email, social networks, etc.). We should also bear in mind that Mac users often have Windows installed on separate partitions, or distributions that allow them to share files with Windows, and that it is practically essential to have an antivirus installed on these partitions.
In our business, we would say this is another infection vector. There are a couple of scenarios that illustrate well the reality of malware distribution in these environments: the exchange of information via USB devices (pen drives, hard disks, cell phones…) which are connected to both Mac and Windows systems, on the one hand, and on the other, Mac codecs, which are becoming a popular trend for hiding malware. These situations are just an example, but if we stop to think, there are many cases where using a Mac platform without protection is a risk for the users themselves and for others that come into contact with them.
Finally, regarding the myth that the Apple operating system is more secure than Windows… we’ll talk about that another day :-)
The engine of innovation
Traditionally, at Panda Security our technological innovation has set us apart from our competitors and has been the cornerstone for our competitiveness. Throughout our 20-year history, we have reinvested 30% of our turnover in innovation, and this has made us a company that commands wide respect among users, the industry, analysts, opinion leaders, etc.
It’s no easy task to base the culture of a company on radical innovation, as it requires having a series of determining factors in place in the corporate environment, or, if they don’t exist, creating the necessary framework. Such experiences vary in line with the country in which the company operates: In countries where there is a strong technological tradition along with governmental understanding and support for innovation, any company that undertakes these activities with intelligence will probably be successful. In countries without such a technological tradition (as is the case in Spain), this task can become more complex, although, as demonstrated by Panda, it is still possible to succeed.
The human assets of a company represent the cornerstone for successful innovation. They must be fully committed to the project and have the initiative required to drive the engine of innovation. To support this, the country where these types of activities are developed should, in my opinion, have policies that incentivize capital investment in several ways:
- On the one hand, favoring capital investment so companies have sufficient financial capacity and muscle: policies incentivizing investment -not just towards the raising of ‘national’ capital, but also attracting international investment.
- A fiscal framework that makes it possible to attract talent from outside and adopt competitive stock option policies, special fiscal conditions, etc. In our case, security is a specialized niche market, and it is not always easy to find people who fit the profile we need to perform this type of work. It is important we have a framework that is competitive with other markets in this respect.
- Thirdly, also as an engine of innovation, we need to create an environment where future generations are suitably trained and competitive within our own country, driving research and development with measures, grants and specific training programs, with a dual purpose: on the one hand generating wealth through the creation of talent in the country itself, and on the other, preventing a brain drain by enabling this talent to flower in its own country.
These policies would help contribute to the success of entrepreneurs in any country, yet they can never replace the key to success of any entrepreneur: having an innovative idea and executing it effectively in the right-sized market. They can’t replace it, but they offer significant help.
In many countries in southern Europe, we still have a long way to go, and our governments seem to be focused more on short-term policies -with one eye on their own personal horizons (the four-year term in office…)- than on defining policies and structural reforms that would guarantee the competitiveness of our markets and companies in the long-term…
False positives: demons for the security industry
Every once in a while a security company faces a tough week due to a false positive. Last week was one of those for a competitor I respect. Since they released a now infamous signature update, a lot has been said about them, their QA processes, their PR strategy, their products, etc.
The easy reaction is to hammer them due to the consequences it had for clients, partners and businesses in general. Some even go a step further and try to take advantage commercially, pointing out to prospective clients that their approach would have prevented something like this from happening, which I don’t think is realistic, by the way.
The reality (at least the one I see) is somewhat different:
- All security companies are acutely aware of how mission critical our business is. We are all in the business of ensuring business continuity, fighting against an army of bad guys whose only interest is to make money, steal information and cause disruption to legitimate businesses and consumers around the world.
- This fight has become more sophisticated as time has passed due to the increasing monetary rewards that cybercriminals get.
- We all have procedures in place to avoid false positives, but sometimes, for many different reasons, those procedures do not work as planned. A wide variety of factors can affect an intended flawless process: human error, faulty procedures or their execution, changing teams, sabotage, etc.
- In security, like in any other business, we rely on people to design, implement and execute systems and procedures. The very systems we protect, which often have “holes” in their initial design that are used by hackers to gain access, were designed by other people who also worked hard to try and make their systems flawless and secure.
- The vast majority of days those processes work. However, from time to time, they don’t work as intended: there is a glitch, a bug, etc., and that is because they are not 100% safe; they can’t be. And it may affect a critical component of the operating system or any other software, and that creates a “big mess”.
- That is what happened last week. The bad news is that, as it has happened in the past to virtually every vendor, it may happen in the future.
Security users may (legitimately) ask: how can the companies that are supposed to be protecting me say that they may create such a mess in my systems? Why should I trust security companies when they openly admit that this may happen in the future? Don’t they have the right technology / people to guarantee that this does not happen? Why don’t they establish procedures (whitelist, blacklist or “whatever lists”) to prevent it from happening and impacting me? If that is the case, why not change to another operating system that someone told me is “guaranteed safe”? etc, etc.
The answer to all that is that all security companies will always do everything we can (and trust me, we all do a lot) to prevent it from happening, but, I believe, nobody can guarantee that it will not happen to them. Regardless of what they say. In addition, no operating system is 100% safe, and if some are less attacked it is just because they have not yet become a profitable target; but as their share increases, they will be, hence they also require protection.
Our business has reached a level of sophistication and requirement for speed (to protect our users from the incredibly vast amount of malware out there) such that it is virtually impossible to, at the same time, protect our users in a timely manner and guarantee 100% that we will not fall under a false positive.
As in the “physical world”, if there is something valuable, someone will try (and may succeed) to get unlawful access to it. As in the physical world, you have people trying to prevent that from happening (security companies), and as in the physical world their preventive measures may have unintended consequences that we all try to avoid and correct if they happen. It comes down to whether the preventive actions are justified and done in the best interest of the users. The battles that we win every day against cybercrime prove that in a vast majority of the cases, the security industry is taking the right actions.
As in the physical world, the benefits outweigh the risks. Same in Cybersecurity: we are all better off protecting our systems despite the very few unintended consequences like a false positive. All security players I have talked to over the years have their users’ security as a first priority, and we all work extremely hard to protect our users, clients and partners. We will continue to do so, improving even further our technology and procedures.
You can count on us at Panda Security (and I am sure it applies to all our competitors) to work hard every day to continue to protect you!
Definition of the framework for international collaboration on cyber-security in the EU
I went to Brussels on April 12 and 13 to represent Panda Security at the meeting of the Cybersecurity CxO Council, of which we are members. Framed within TechAmerica, the aim of this initiative is to present current cyber-crime problems to governments from the industry’s point of view. We share this forum with other security companies such as Symantec, PayPal, Qualys, PGP, Techguard Security, TechAmerica, etc.
The Council wants to be close to the market in the US and in Europe. To do so, it holds meetings with EU organizations to present itself, its mission and its objectives; share the main initiatives taking place; be at their disposal if they require expert opinions; help develop laws and cyber-security initiatives, and reinforce international collaboration.
We therefore went to Brussels to meet different EU figures and representatives: Gilles de Kerchove (EU Anti-Terrorism Coordinator), Viviane Reding (European Commissioner for Justice, Fundamental Rights and Citizenship), Maria Asenius (Deputy Chief of the Cabinet for the Enlargement Commission of the European Union), Cecilia Malmstrom (European Commissioner for Home Affairs) and Neelie Kroes (European Commissioner for Digital Agenda).
As well as discussing recent international operations against cyber-terrorism including Mariposa, and setting them as an example to follow, we stressed the need to create laws to fight the current cyber-crime scenario; develop education and awareness programs as proactive preventive measures against Internet crime, and increase international collaboration (and its quality) among security forces in different countries to allow hackers to be arrested, prosecuted and sentenced in a way that reflects the seriousness of the crimes committed.
The Council works together with the National Cyber-Security Advisory Council in Spain, of which we are founder members. We have a long way to go and it’s not easy, but we believe we are going in the right direction and will continue supporting and taking part in initiatives that are in line with our objective: to improve the way we protect all users.
Panda continues to grow in Latin America
We have recently announced some excellent news: we have bought our distributor in Brazil, which will allow us to take full advantage of the opportunities for growth that we’re seeing in this country. This brings to 13 the number of wholly-owned subsidiaries, including our offices in Austria, Germany, Belgium, China, Spain, Finland, France, Holland, Japan, Sweden, UK, and the USA.
The successful strategy of the local team in Brazil has made it one of our most successful offices in Latin America. In fact, in 2009 revenue grew almost threefold with respect to 2008.
It barely needs stating that Brazil is a key market, as it represents a great opportunity for our group to grow. In fact, Gartner has classified it as the largest Latin American market.
As I’ve said previously, Panda is probably, after Inditex, the Spanish company with a presence across the most countries (56 in total including subsidiaries and exclusive distributors). Specifically in Latin America, we are present in 18 countries.
This strategy of buying distributors in key markets is an initiative that we started in 2007 with the entry in our share capital of investment groups led by Investindustrial, GalaCapital, HarbourVest and AtlanticBridge, and has allowed us to strengthen our international positioning as well as delivering great opportunities for growth.

