Code Signing Debacle 2.0: A Hacked Adobe Server and Its Impact on Us All

Adobe’s code-signing infrastructure got hacked, and now you have to worry about some really bad software out there that your computers will think is a valid, safe application from Adobe. One of them is pwdump, which gets Windows passwords. Ever since Flame, Randy Franklin Smith from Ultimate Windows Security has been saying that if Microsoft’s update infrastructure got hacked, it would only be a matter of time before another vendor’s did too. And that’s what this is all about. The methods are different, but both boil down to exploiting mistakes Microsoft and Adobe made in the PKI they use to sign code. The reason this is so impactful to an organization is that it allows the bad guys to trick your systems into running malicious code that looks like it came from Adobe – but you get that, right? It really stinks, though, because no matter how well you maintain your systems, you are still at the mercy of the security of your software vendors.
Download this presentation to learn:
• How can you stop this particular threat?
• How can you deploy some strategic technologies and controls to address the risk of compromised code signatures and vendor update infrastructures?
• How can you preemptively control your exposure to the mistakes of your software vendors and/or when they get hacked? (In all fairness no one is safe from getting breached.)

Published in: Technology
Transcript

  • 1. Code Signing Debacle 2.0: A Hacked Adobe Server and Its Impact on Us All © 2012 Monterey Technology Group Inc.
  • 2. Brought to you by www.lumension.com. Speaker: Russ Ernst – Group Product Manager
  • 3. Preview of Key Points: Current situation; What can you do, and what do you need to do?; Going forward
  • 4. Current Situation: A code signing server inside Adobe was hacked. An unknown quantity of files were signed to look like they were issued by Adobe. We know of 3 files for sure, but who knows how many more? Tomorrow Adobe will revoke the certificate in question.
  • 5. Current Situation – What is the risk? The risk is NOT any vulnerability inside Adobe products already installed. The risk IS that your computers might trust malicious software.
  • 6. Current Situation – Then why do I need to install new versions? You may run into errors when you try to:
    » Run affected applications: “Not doing so may result in an error about the application being from an unknown publisher on launch, although the application should still launch.” – "Publisher unknown, are you sure you want to run this software". Also Software Restrictions, AppLocker or other whitelisting applications using certificate rules.
    » Install affected applications: UAC
  • 7. Current Situation – OK, which applications then? About 30. Already installed versions of Acrobat and Reader are not affected, but new installs of Reader will be: “The reason is that the standalone version of Reader has an installation helper file which is impacted by the certificate revocation. Already installed Reader versions are not impacted.” Important links: http://helpx.adobe.com/x-productkb/global/certificate-updates.html#main-pars_header_5 and http://helpx.adobe.com/x-productkb/global/guidance-administrators-certificate-revocation.html
  • 8. Current Situation – At what point do Adobe measures protect us from malicious software signed by this certificate? Some protection once the certificate is revoked, but PKI revocation is fraught with problems. The answer is really unknown.
  • 9. Current Situation – How do I protect my systems from software signed by this breach? Installing the updated Adobe apps provides no protection. Adobe says not to install the revoked certificate: it won’t address the risk and causes other problems. Remaining options: tactical and strategic.
  • 10. Tactical: Up-to-date AV. A Software Restrictions, AppLocker or whitelisting rule that explicitly denies the 3 known bad files:
    » PwDump7.exe – MD5 hash: 130F7543D2360C40F8703D3898AFAC22; File size: 81.6 KB (83,648 bytes); Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00); MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB
    » libeay32.dll – MD5 hash: 095AB1CCC827BE2F38620256A620F7A4; File size: 999 KB (1,023,168 bytes); Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00); MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C
    » myGeeksmail.dll – MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A; File size: 80.6 KB (82,624 bytes); Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00); MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07
  • 11. Strategic: There is a way to get systemic protection against breaches of vendor software update infrastructures. You need to recognize some important trends and facts.
  • 12. Strategic – The facts: This is at least the 4th time that software code signing and/or automatic update infrastructure has been compromised (Stuxnet, Duqu, Flame, Adobe). Microsoft deserves kudos compared to companies like Adobe. Code signing is broken (hack). Automatic updates is fool-me!-hardy.
  • 13. Strategic – The solution: Complain to vendors. Keep your AV healthy. Take control of software distribution and updates. Prevent unvetted software from running no matter who has signed it.
  • 14. Strategic – Take control of software distribution and updates: You cannot trust automatic updates (not to mention all their other problems). Software patching commandments. There is no substitute for application white-listing.
  • 15. Strategic – Software patching commandments: 1. Thou shalt not depend on vendor automatic updaters. 2. Thou shalt not allow patch/installation based on code-signing certificates. 3. Thou shalt control which patches go down and when. 4. Thou shalt be able to deploy patches within hours. 5. Thou shalt be able to deploy patches in phases. 6. Thou shalt not be blind to patch deployment status. 7. Thou shalt patch software from multiple vendors. 8. Thou shalt patch applications on all your operating systems.
  • 16. Strategic – There is no substitute for application white listing: Stuff is going to get past AV. You can no longer depend on code signatures. You must prevent new, unknown software from executing: users are too dumb to not run malware; malware is evolving too fast; APTs are too sophisticated; you can’t trust software vendors; don’t fall for the “unlikely you are the one being targeted” line; the problems aren’t going away anytime soon and are only going to get worse.
  • 17. Bottom Line: Install the new updates from Adobe. Set up rules for the known bad. Watch my blog or social media feeds. Keep an eye on http://forums.adobe.com/community/certificate?view=discussions. Check your AV. Hang on tomorrow. Going forward: take control of patching; implement software restrictions, AppLocker or intelligent white listing.
  • 18. Brought to you by www.lumension.com. Speaker: Russ Ernst – Group Product Manager
  • 19. Defense-in-Depth Strategy: Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.
    » AV – Control the Bad
    » Device Control – Control the Flow
    » HD and Media Encryption – Control the Data
    » Application Control – Control the Gray
    » Patch and Configuration Management – Control the Vulnerability Landscape
  • 20. Defense-in-Depth with Intelligent Whitelisting (matrix; columns: Known Malware, Unknown Malware, Unwanted/Unlicensed/Unsupported applications, Application Vulnerabilities, Configuration Vulnerabilities; the column placement of the X marks was lost in extraction)
    » AntiVirus: X X
    » Application Control: X X
    » Patch & Remediation: X X
    » Security Configuration Management: X
  • 21. More Information
    » Free Security Scanner Tools: Application Scanner – discover all the apps being used in your network; Vulnerability Scanner – discover all OS and application vulnerabilities on your network; Device Scanner – discover all the devices being used in your network. http://www.lumension.com/Resources/Security-Tools.aspx
    » Get a Quote (and more): http://www.lumension.com/intelligent-whitelisting/buy-now.aspx#7
    » Lumension® Intelligent Whitelisting™ – Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Endpoint-Security.aspx; Free Trial (virtual or download): http://www.lumension.com/intelligent-whitelisting/free-trial.aspx
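The three indicators on slide 10 can be turned into a simple on-disk check for machines that may have picked up the mis-signed files. This is an added example, not code from the deck or from Lumension; it matches on the MD5 of the signed file exactly as published (the filename on disk is ignored), and the directory walk and the .exe/.dll extension filter are my own assumptions.

```python
import hashlib
import os
import sys

# Indicators quoted on slide 10: MD5 of the signed file -> (name, size in bytes).
KNOWN_BAD = {
    "130f7543d2360c40f8703d3898afac22": ("PwDump7.exe", 83648),
    "095ab1ccc827be2f38620256a620f7a4": ("libeay32.dll", 1023168),
    "46db73375f05f09ac78ec3d940f3e61a": ("myGeeksmail.dll", 82624),
}

def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lowercase hex. MD5 is used only because the
    published indicators are MD5 values, not as a security primitive."""
    return hashlib.md5(data).hexdigest()

def classify(digest: str, size: int, indicators=KNOWN_BAD):
    """Look a digest up in the indicator table.

    Returns None for an unknown file, otherwise (indicator_name, size_matches).
    A hash hit with a size mismatch is still reported: the hash identifies the
    file, the size is only a sanity check on the indicator itself."""
    hit = indicators.get(digest.lower())
    if hit is None:
        return None
    name, expected_size = hit
    return name, size == expected_size

def check_file(path, indicators=KNOWN_BAD):
    """Hash one file on disk and classify it (file is read whole; the
    indicators are under 1 MB). The filename is deliberately ignored:
    renaming a binary does not change its hash."""
    with open(path, "rb") as f:
        data = f.read()
    return classify(md5_hex(data), len(data), indicators)

def scan_tree(root, indicators=KNOWN_BAD, exts=(".exe", ".dll")):
    """Walk a directory (assumed extension filter) and return
    {path: indicator_name} for every file whose hash is in the table."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                result = check_file(path, indicators)
                if result is not None:
                    hits[path] = result[0]
    return hits

if __name__ == "__main__":
    for path, name in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"MATCH {name}: {path}")
```

A match here only says the file is one of the three Adobe published; a whitelisting or AppLocker deny rule on the same hashes is what actually stops it from running.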
