Adobe breach leads to digital certificate code signing infrastructure compromise.

Adobe, on Thursday 09-27-2012, delivered a public statement that an internal server with access to its digital certificate code-signing infrastructure was hacked by “sophisticated threat actors” engaged in “highly targeted attacks.”

Apparently the attack took place before July 11th, and it has led to the creation of at least two malicious files that were digitally signed using a valid Adobe certificate, according to Adobe security chief Brad Arkin.

Although only two files were reported as signed, the hack effectively gave the attackers the ability to create malware masquerading as legitimate Adobe software, and F-Secure’s Mikko Hyppönen stated today at 6:30pm that 5,127 files signed by the compromised Adobe certificate have already been submitted to F-Secure’s malware repository.

The initial report from Brad Arkin at Adobe mentions two digitally signed malware files. The first, “PWdump7 v7.1”, is a well-known utility that extracts password hashes from the Windows operating system; it is sometimes distributed together with a statically linked copy of the OpenSSL library “libeay32.dll”. Arkin went on to say: “The sample we received included two separate and individually signed files. We believe the second malicious utility, myGeeksmail.dll, is a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter.”

Once Adobe realized what had happened, they halted their normal code signing infrastructure and implemented a “clean-room implementation of an interim signing service for re-signing components that were signed with the impacted key.” Apparently, this new interim signing solution is relying on offline human verification to ensure that “all files scheduled for signature are valid Adobe software.” Arkin went on to say that they are in the process of designing and developing a new permanent signing solution.

“We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies. The compromised build server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service,” he added.

Arkin said a forensics investigation identified malware on the build server and the likely mechanism used to first gain access to the build server.

“We also have forensic evidence linking the build server to the signing of the malicious utilities. We can confirm that the private key required for generating valid digital signatures was not extracted from the HSM. We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” he added.

Adobe plans to revoke the impacted certificates on October 4, 2012.

The revocation will affect all code signed after July 10, 2012, which indicates the attackers had access to Adobe’s infrastructure for more than two months.

“This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh,” Arkin wrote. “The revocation does not impact any other Adobe software for Macintosh or other platforms.”

The three affected applications are Adobe Muse, Adobe Story AIR applications, and Acrobat.com desktop services.

The company said it had good reason to believe the signed malware wasn’t a threat to the general population, and that the two malicious programs signed with the certificate are generally used for targeted, rather than broad-based, attacks.

Digital certificates are a core part of the trust that exists between software makers and their users. Software vendors sign their code with digital certificates so that computers recognize a program as legitimate code from a trusted source. An attacker who can sign their malware with a valid certificate can slip past protective barriers that prevent unsigned software from installing automatically on a machine.

Revoking the certificate should prevent the signed rogue code from installing without a warning.

Stuxnet, a sophisticated piece of malware that was designed to sabotage Iran’s nuclear program, was the first malicious code discovered to be using a valid digital certificate. In that case the attackers – believed to have been working for the U.S. and Israel – stole digital certificates from two companies in Taiwan to sign part of their code.

Adobe said that it stored its private keys for signing certificates in a hardware security module and had strict procedures in place for signing code. The intruders breached a build server that had access to the signing system and were able to sign their malicious files in that way.

Questions about the security of Adobe’s source code came up earlier this month after Symantec released a report about a group of hackers who broke into servers belonging to Google and 33 other companies in 2010. The attackers were after source code for the companies. Adobe was hacked around the same time, but has never indicated if the same attackers that hit Google were responsible for hacking them.

Symantec found evidence that the attackers who struck Google had developed and used an unusually large number of zero-day exploits in subsequent attacks against other companies. The attackers used eight zero-day exploits, five of which were for Adobe’s Flash Player. Symantec said in its report that such a large number of zero-days suggested that the attackers might have gained access to Adobe’s source code. But Arkin insisted at the time that no Adobe software had been stolen.

We will most likely find out more in the future about this breach and only time will tell if Adobe is telling the truth about what happened.

Internet Explorer 7, 8, 9 users at immediate risk of compromised computers…

Update: Microsoft issued an out-of-cycle update fixing two security issues in Internet Explorer.

Computers can be compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. The researcher Eric Romang found this exploit while monitoring servers infected via the recent Java SE 0-day. He found a folder titled /public/help with 4 files in it, one named exploit.html. This file is the entry point of the attack: it “creates an array of ‘img’ and loads a file named ‘Moh2010.swf’” (a Shockwave Flash file). As of yesterday neither of these files was detected by VirusTotal.com.

The file is actually packed with DoSWF, a Flash encryption tool, and decompresses itself in memory. Once decompressed, Moh2010.swf works its magic: it sprays the heap and then loads an iframe pointing at “protect.html”.

There is also some interesting ActionScript embedded in the original packed SWF file, which you can see on Pastebin here. The decoded SWF file is actually linked to CVE-2010-2884 SWF:Dropper on VirusTotal and is detected by only 3/34 anti-virus scanners. The file checks the infected computer’s Flash Website Storage Settings, and after the browser has been exploited it will not load the “protect.html” file again. The official explanation of how this exploit compromises the Internet Explorer user is: “When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition.”

A Metasploit module for this exploit is already available to all Metasploit users, so it won’t be long before this attack begins compromising IE users.

To protect yourself right now from this attack, I suggest using Google Chrome or Firefox. There is also a program from Microsoft called EMET, aimed at more technically inclined users, that may protect against this exploit, but that is unclear at this time. If you have no choice but to use Internet Explorer, then I suggest you read the entire Microsoft Security Advisory for ways to harden IE.

Read more about this new exploit at the following links:

https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit

https://krebsonsecurity.com/2012/09/internet-explorer-users-please-read-this/

https://krebsonsecurity.com/2010/12/exploit-published-for-new-internet-explorer-flaw/

https://krebsonsecurity.com/2012/09/exploit-released-for-zero-day-in-internet-explorer/

If you have someone close to you who uses Internet Explorer and doesn’t know much about computers, the best thing to do to protect them is to configure IE to prompt before allowing active scripting, or to raise the Internet security zone to High. Since this breaks most sites, you can add whatever sites the user visits most to the Trusted Sites zone. For example, say your mother uses Facebook and AOL all the time. You can add *.facebook.com and *.aol.com to the Trusted Sites list and she will be able to visit those sites without scripting being blocked, but any other sites she visits will not work correctly (if they use scripting). This workaround will most likely lead to an angry mother who thinks that you broke her computer, so what I do is use Sandboxie and configure Internet Explorer to always run inside a sandbox; that way, even if someone executes the Metasploit module against the computer, everything is deleted once the browser is closed. Sandboxie is a great tool for locking down browsers and protecting users.
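As an added example (not from the original post), here is the same zone hardening applied from PowerShell through the per-user registry keys IE reads, instead of clicking through Internet Options; it assumes the current user's settings are not overridden by Group Policy and that facebook.com and aol.com stand in for whatever sites the user actually needs.

```powershell
# Added example, not from the original post: the two IE settings described above,
# applied through the per-user registry keys IE reads instead of the Internet Options
# dialog, plus a read-back so the result can be checked. Assumptions: HKCU settings are
# not overridden by Group Policy, and facebook.com / aol.com are placeholders for the
# sites the user really needs.

$Zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# IE zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$InternetZone = 3
$TrustedZone  = 2

# Registry action 1400 is "Active scripting"; values: 0 = Enable, 1 = Prompt, 3 = Disable.
function Set-ActiveScriptingPrompt {
    Set-ItemProperty -Path "$Zones\$InternetZone" -Name '1400' -Value 1 -Type DWord
}

# Adding *.example.com in the Trusted Sites dialog creates ZoneMap\Domains\example.com with a
# DWORD named after the scheme ('*' = any scheme; use 'https' to require server verification)
# whose data is the zone number. Subdomains are covered by the domain key.
function Add-TrustedSite {
    param([Parameter(Mandatory=$true)][string]$Domain)
    $key = Join-Path $Domains $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '*' -Value $TrustedZone -Type DWord
}

# Read back what IE will actually use, so the change can be verified or audited later.
# Only top-level domain entries are listed (per-subdomain subkeys are not walked).
function Get-ZoneHardeningState {
    $raw   = (Get-ItemProperty -Path "$Zones\$InternetZone" -Name '1400').'1400'
    $label = switch ($raw) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "raw value $raw" } }
    $trusted = Get-ChildItem -Path $Domains | Where-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        ($v.'*' -eq $TrustedZone) -or ($v.'http' -eq $TrustedZone) -or ($v.'https' -eq $TrustedZone)
    } | Select-Object -ExpandProperty PSChildName
    [pscustomobject]@{
        InternetZoneActiveScripting = $label
        TrustedSites                = @($trusted)
    }
}

Set-ActiveScriptingPrompt
'facebook.com', 'aol.com' | ForEach-Object { Add-TrustedSite -Domain $_ }
Get-ZoneHardeningState   # restart Internet Explorer for the new values to take effect
```

If Group Policy manages the security zones, the policy values take precedence over these per-user keys and the read-back will not reflect what IE enforces.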

I want to credit Eric Romang (Eromang.zataz.com) for most of the information in this blogpost, here is his Proof of Concept Video and a link to his blog:
https://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/

Protect yourself from Flash and Java exploits!

When you enter my page, you may or may not hear a song start playing.

Many people say you should never have a song play automatically when someone hits your website, but don’t be alarmed; I have decided to do this because I want to show how easy it is to have your browser hijacked. I find that most people do not take me seriously when I explain how easy it is to have your computer (or device) compromised. (If you don’t hear the song, then you are safe from Flash attacks.)

When you go to a page that automatically plays Flash video or audio, you are in danger of being hacked. You really should protect yourself against this. Just because you only go to “safe” sites does not mean you are safe. Often hackers will place malicious code into a well-known site, or embed it in an ad or an iframe.

There are many ways to protect yourself; here are three:

  1. Google Chrome lets you go into the settings and choose “Click to Play.”
  2. There are many browser plugins that will stop Flash or Java from playing automatically when you visit a page. The best protection is NoScript for Firefox or ScriptNo for Chrome. I use both.
  3. If you use Internet Explorer, I recommend using an application called Sandboxie.

The reason this is important is that a large number of hacks occur when someone visits a “malicious page” which has been configured to automatically exploit Flash Player or Java, taking advantage of the many vulnerabilities in Adobe Flash and Oracle’s Java. If you always keep your plugins up-to-date you are safer, but new zero-day exploits are discovered all the time. Don’t worry, you are safe on my site, but one day in the future when you click on a search result and see your browser redirect itself to a compromised website, make sure that you are protected from drive-by downloads exploiting Flash and Java. If the music bothers you, you can press pause in the sidebar on the right.

Here’s All You Need to Know about Apple’s UDID Mess…

In the words of the Anonymous post on Pastebin …

Update: Anonymous posted more info on Pastebin here:
IP addresses given as another clue: “for the moment we think it’s quite safe to mention these clues:
3 IPs were involved, 2 of them were like:

206.112.75.XX

153.31.184.XX

“In July 2012 NSA’s General Keith Alexander (alias the Bilderberg Biddy) spoke
at Defcon, the hacker conference in Las Vegas, wearing jeans and a cool EFF
t-shirt (LOL. Wtf was that?). He was trying to seduce hackers into improving
Internet security and colonoscopy systems, and to recruit them, ofc, for his
future cyberwars. It was an amusing hypocritical attempt made by the system to
flatter hackers into becoming tools for the state, while his so-righteous
employer hunts any who doesn’t bow to them like fucking dogs.

Well…
We got the message.
We decided we’d help out Internet security by auditing FBI first. We all know
by now they make Internet insecure on purpose to help their bottom line. But
it’s a shitty job, especially since they decided to hunt us down and jail our
friends.

It’s the old double standard that has been around since the 80’s. Govt Agencies
are obsessed with witchhunts against hackers worldwide, whilst they also
recruit hackers to carry out their own political agendas.

You are forbidden to outsmart the system, to defy it, to work around it. In
short, while you may hack for the status quo, you are forbidden to hack the
status quo. Just do what you’re told. Don’t worry about dirty geopolitical
games, that’s business for the elite. They’re the ones that give dancing orders
to our favorite general, Keith, while he happily puts on a ballet tutu. Just
dance along, hackers. Otherwise… well…

In 1989 hagbard (23yrs old) was murdered after being involved in cold war spy
games related to KGB and US. Tron, another hacker, was
murdered in 1998 (aged 26) after messing around with a myriad of cryptographic
stuff (yeah, it’s usually a hot item) and after making cryptophon easily
accessible for the masses. And then you have Gareth Williams (31), the GCHQ
hacker murdered and “bagged” inside a MI6’s “safe” house (we’d hate to see what
the unsafe ones look like) in August of 2010 after talking about being curious
about leaking something to Wikileaks with fellow hackers on irc. And the list
goes on. It’s easy to cover up when they want to, hackers often have complex
personalities, so faking their suicide fits well.

You are welcome to hack what the system wants you to hack. If not, you will be
punished.

Jeremy Hammond faces the rest of his productive life in prison for being an
ideologically motivated political dissident. He was twice jailed for following
his own beliefs. He worked until the end to uncover corruption and the
connivance between the state and big corporations. He denounces the abuses and
bribes of the US prison system, and he’s again facing that abuse and torture at
the hands of authorities.

Last year, Bradley Manning was tortured after allegedly giving WikiLeaks
confidential data belonging to US govt… oh shit. The world shouldn’t know how
some soldiers enjoy killing people and even less when they kill journalists. Of
course, the common housewife doesn’t deserve to know the truth about the
hypocrisy in the international diplomacy or how world dictators spend money in
luxury whilst their own people starve. Yep, the truth belongs only to the
elite, and if you are not part of them (forget it, that won’t happen), fuck
yourself.

People are frustrated, they feel the system manipulating them more than ever.
Never underestimate the power of frustrated people.
For the last few years we have broken into systems belonging to Governments and
Big corporations just to find out they are spending millions of tax dollars to
spy on their citizens. They work to discredit dissenting voices. They pay their
friends for overpriced and insecure networks and services.

We showed how former govt and military officials were making new businesses
using their government relationships.
They funnel public money to their own interests for overpriced contracts for
crap level services. They use those
relationships to extra-officially resolve affairs involving their businesses.

We exposed a criminal System eliminating those who think different;
criminalizing them. This System won’t tolerate those who dig for the truth, it
can’t. So no one has the right to question anything coming from this system. if
you buy a piece of hardware or software you just need to use it as it was
supposed to be used: anything else is forbidden.
No tinkering allowed.

If you buy a Playstation, you are not allowed to use it as you want to — you
can only use it the way Sony wants you to. If you have found a way to improve
something, just shut up. You are not allowed to share this info with anyone
else and let them make improvements, too. We are not the real owners of
anything anymore. We just borrow things from the System. Shiny, colorful
things, we agree to play with for a fee. A fee for life.
Because this system works only if you keep working to buy new things.
Not important if they are good things, just buy new crap, even better like that.
So everything gets outdated soon.

Your home, stuff, car and computer: you will pay for everything you have for all
of your life. All the time: a monthly fee, forever until you die. That’s the
future; nothing is really yours. LAAS – Life As A Service.
You will rent your life.

And better hurry up and work all day if you want to stay alive. Work ’til
you’re exhausted and don’t think. No — thinking is bad. Play games instead, do
drugs too, why not? Or go to the movies. The Entertainment Industry is here to
resolve all your philosophical and transcendental problems. Shiny colorful crap.
but please don’t think too much.
Thinking is dangerous.

Accept the offer, it’s the perfect deal.
You get all those amazing shiny colorful beads.
It will only cost you freedom…and your life.
Indians did it with Manhattan.
There’s nothing to worry about it, is there?

And what if you are a lone wolf who quietly lives outside the system, doing your own
thing, without saying a word? They will be mad as hell. They will try to find
you. You will be fucked up anyway, sooner or later. Because the system wants
you clearly identified, with all your personal details well packed into a
government database so it can make its watchdogs’ lives easier.

Security researchers are often questioned and their movements tracked by Secret
Service, FBI and other shits. They are asked about their projects, who their
clients are, who they are talking to, what they know about other hackers, etc..
So be a good monkey, follow the rules, head down and you’ll get some coins
that let you keep renting your life.

But hey! Wait…
We are hackers…
We are supposed to look beyond the rules, to find things others don’t see. And
THE SYSTEM, yeah the whole fucking system, it’s just another system.
…and we do that.
we hack systems.

This is our next challenge: to decide whether to become tools for the system,
or for ourselves. The system plans to use us to hold the next in their endless
wars, their cyberwars.
Hackers vs. hackers, slaves vs slaves.


We are trapped.

Jack Henry Abbott, a writer who was incarcerated almost his whole life for his
crimes, wrote before hanging himself: “As long as I am nothing but a ghost of
the civil dead, I can do nothing…”, the ‘civil dead’ are those, like himself,
who had their autonomy systematically destroyed by the state. Now his words
extend to cover all of us. We have seen our own autonomy being systematically
destroyed by the State. We are becoming ghosts of our dead civil rights.

criminals.
So yes we are criminals, we are the criminals our dear system has created:
Argumentum ad Baculum

In a world where you fear the words you use to express yourself. Where you are
punished for choosing the wrong ones, we have just decided to follow our own
way. There’s no worse kind of slavery than one where you are afraid of your own
thoughts.

Governments around the globe are already in control of us in real life, and
they have now declared war on the people to take over the Internet.
It’s happening now. It’s not waiting for you to wake up.
So now my dear friends, it’s your turn to decide where you belong,
and what you are made of.

“When the people fear the government there is tyranny, when the government
fears the people there is liberty.”
― Thomas Jefferson”

Rotten Apple

Another Apple Mess

http://pastebin.com/nfVT7b0Z

Note: An Apple UDID could be used in combination with other data to connect devices to their owners’ online user names, e-mail addresses, locations and even Facebook profiles. (Aldo Cortesi)

Here they gave links to an encrypted file with 1,000,001 Apple device UDIDs and accompanying user data.
The file must be decrypted first; instructions are given later in the Pastebin post.

Apparently the UDIDs were taken from FBI Special Agent Christopher Stangl (rumor has it via a Java exploit earlier in the year). According to sources close to the matter… Among the data on his notebook was a file named NCFTA_iOS_devices_intel.csv which contained a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, device names, device types, Apple Push Notification Service tokens, zip codes, cellphone numbers and addresses.
Read more here
http://par-anoia.net/releases.html

Here are some links from major internet sites covering the story…

http://arstechnica.com/security/2012/09/1-million-ios-device-ids-leaked-after-alleged-fbi-laptop-hack/

http://thenextweb.com/apple/2012/09/04/antisec-hackers-leak-1000001-apple-device-ids-allegedly-obtained-fbi-breach/

http://www.wired.com/threatlevel/2012/09/hackers-release-1-million-apple-device-ids-allegedly-stolen-from-fbi-laptop/

https://www.networkworld.com/community/node/81331

http://techcrunch.com/2012/09/04/apple-udid-leak-theres-no-proof-yet-of-fbi-involvement-but-heres-why-you-should-still-care/

http://bits.blogs.nytimes.com/2012/09/04/hackers-claim-to-have-12-million-apple-device-records/