Code Signing Debacle 2.0: A Hacked Adobe Server and Its Impact on Us All

Code Signing Debacle 2.0: A Hacked Adobe Server and Its Impact on Us All © 2012 Monterey Technology Group Inc.

Transcript of Code Signing Debacle 2.0: A Hacked Adobe Server and Its Impact on Us All

Page 1: Code Signing Debacle 2.0: A Hacked Adobe Server and Its Impact on Us All


Page 2: Brought to you by

Speaker: Russ Ernst – Group Product Manager

www.lumension.com

Page 3: Preview of Key Points

• Current situation
• What can you do, and what do you need to do?
• Going forward

Page 4: Current Situation

• A code signing server inside Adobe was hacked
• An unknown number of files were signed to look like they were issued by Adobe
• We know of 3 files for sure, but who knows how many more?
• Tomorrow Adobe will revoke the certificate in question

Page 5: Current Situation

What is the risk?

• The risk is NOT any vulnerability inside Adobe products already installed
• The risk IS that your computers might trust malicious software because it carries a valid-looking Adobe signature

Page 6: Current Situation

Then why do I need to install new versions? You may run into errors when you try to:

• Run affected applications: "Not doing so may result in an error about the application being from an unknown publisher on launch, although the application should still launch." In other words, "Publisher unknown, are you sure you want to run this software?"
• Run them under Software Restriction Policies, AppLocker or other whitelisting applications that use certificate rules
• Install affected applications (UAC prompts will show an unknown publisher)

Page 7: Current Situation

OK, which applications then? About 30.

• Already installed versions of Acrobat and Reader are not affected
• But new installs of Reader will be: "The reason is that the standalone version of Reader has an installation helper file which is impacted by the certificate revocation. Already installed Reader versions are not impacted."

Important links:

http://helpx.adobe.com/x-productkb/global/certificate-updates.html#main-pars_header_5

http://helpx.adobe.com/x-productkb/global/guidance-administrators-certificate-revocation.html

Page 8: Current Situation

At what point do Adobe's measures protect us from malicious software signed by this certificate?

• Some protection once the certificate is revoked
• But PKI revocation is fraught with problems: the client has to actually fetch and honor the CRL or OCSP response, and an Authenticode signature that was timestamped before the revocation's effective date keeps validating
• The answer is really unknown

Page 9: Current Situation

How do I protect my systems from software signed by this breach?

• Installing the updated Adobe apps provides no protection
• Adobe says not to install the revoked certificate yourself (for example in the Untrusted Certificates store): it won't address the risk and causes other problems
• Remaining options: tactical and strategic

Page 10: Tactical

• Up-to-date AV
• Software Restriction Policies, AppLocker or a whitelisting rule that explicitly denies the 3 known bad files:

PwDump7.exe
• MD5 hash: 130F7543D2360C40F8703D3898AFAC22
• File size: 81.6 KB (83,648 bytes)
• Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)
• MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB

libeay32.dll
• MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
• File size: 999 KB (1,023,168 bytes)
• Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)
• MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C

myGeeksmail.dll
• MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
• File size: 80.6 KB (82,624 bytes)
• Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM PDT (GMT -7:00)
• MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07
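The hunt-and-deny step this slide describes, written out as an added PowerShell example; it is not code from the original deck, from Adobe or from Lumension. It takes the three MD5 hashes and file sizes published above, scans a set of paths for copies, reports each copy's Authenticode status and signer (which is the check behind page 8: the status only changes once the revocation actually reaches the client), and turns the findings into an AppLocker deny rule. Assumptions: PowerShell 4.0 or later for Get-FileHash, the AppLocker module (Windows 7 / Server 2008 R2 or later), and that the scan paths and output path are placeholders you replace.

```powershell
# Added example (not from the original slides). Hunt for the three files Adobe
# published and emit an AppLocker deny rule for any copy that turns up.
# Assumes PowerShell 4.0+ (Get-FileHash) and the AppLocker module; run it
# elevated if you go on to apply the policy.

# Indicators exactly as published on the slide: MD5 of the signed file and its size.
$KnownBad = @(
    [pscustomobject]@{ Name = 'PwDump7.exe';     Md5 = '130F7543D2360C40F8703D3898AFAC22'; Size = 83648   }
    [pscustomobject]@{ Name = 'libeay32.dll';    Md5 = '095AB1CCC827BE2F38620256A620F7A4'; Size = 1023168 }
    [pscustomobject]@{ Name = 'myGeeksmail.dll'; Md5 = '46DB73375F05F09AC78EC3D940F3E61A'; Size = 82624   }
)

function Find-KnownBadFiles {
    param([Parameter(Mandatory)][string[]]$Path)

    # File size is a cheap pre-filter; only files with a matching length get hashed.
    $sizes = $KnownBad | ForEach-Object { $_.Size }
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $sizes -contains $_.Length } |
        ForEach-Object {
            $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            $hit = $KnownBad | Where-Object { $_.Md5 -eq $md5 }
            if ($hit) {
                # Status reflects this client's chain validation: it stays 'Valid'
                # until the revocation information has actually been fetched.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path       = $_.FullName
                    Indicator  = $hit.Name
                    Md5        = $md5
                    SigStatus  = $sig.Status
                    Signer     = $sig.SignerCertificate.Subject
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                }
            }
        }
}

function New-DenyPolicyXml {
    # Build an AppLocker hash rule for each hit. AppLocker hashes the file itself
    # (SHA256 Authenticode hash), so the MD5 values above cannot be pasted into a
    # rule; the rule is derived from the actual file. New-AppLockerPolicy only
    # emits Allow rules, so the Action attribute is flipped to Deny.
    param([Parameter(Mandatory)][string[]]$FilePath)

    $info = Get-AppLockerFileInformation -Path $FilePath
    $xml  = New-AppLockerPolicy -FileInformation $info -RuleType Hash `
                -User Everyone -RuleNamePrefix 'Adobe-2012-cert-breach' -Xml
    return $xml -replace 'Action="Allow"', 'Action="Deny"'
}

# Usage (hypothetical paths; adjust to your environment):
$hits = Find-KnownBadFiles -Path 'C:\Users', 'C:\Temp'
$hits | Format-Table -AutoSize

if ($hits) {
    $policy = New-DenyPolicyXml -FilePath ($hits | ForEach-Object Path)
    $policy | Out-File 'C:\AppLocker\deny-adobe-breach.xml' -Encoding utf8
    # Review the XML, then merge it into the effective policy on a test machine first:
    # Set-AppLockerPolicy -XmlPolicy 'C:\AppLocker\deny-adobe-breach.xml' -Merge
}
```

Two points worth keeping in mind when you adapt this. MD5 is the only hash Adobe published, so it is what the hunt has to match on; the deny rule, however, is built from the file AppLocker sees, which is why a copy of the file is needed before the rule can be generated. And the Thumbprint column is there so you can compare the signer against Adobe's advisory yourself rather than trusting the Subject string, which is exactly the field the breach let an attacker borrow.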

Page 11: Strategic

• There is a way to get systemic protection against breaches of vendor software update infrastructures
• Need to recognize some important trends and facts

Page 12: Strategic

The facts

• This is at least the 4th time that software code signing and/or automatic update infrastructure has been compromised: Stuxnet, Duqu, Flame, Adobe
• Microsoft deserves kudos compared to companies like Adobe
• Code signing is broken
• Automatic updates are foolhardy: "Hack me!"

Page 13: Strategic

The solution

• Complain to vendors
• Keep your AV healthy
• Take control of software distribution and updates
• Prevent unvetted software from running, no matter who has signed it

Page 14: Strategic

Take control of software distribution and updates

• You cannot trust automatic updates, not to mention all their other problems
• Software patching commandments
• There is no substitute for application whitelisting

Page 15: Strategic

Software patching commandments

1. Thou shalt not depend on vendor automatic updaters

2. Thou shalt not allow patch/installation based on code-signing certificates

3. Thou shalt control which patches go down and when

4. Thou shalt be able to deploy patches within hours

5. Thou shalt be able to deploy patches in phases

6. Thou shalt not be blind to patch deployment status

7. Thou shalt patch software from multiple vendors

8. Thou shalt patch applications on all your operating systems

Page 16: Strategic

There is no substitute for application whitelisting

• Stuff is going to get past AV
• You can no longer depend on code signatures
• You must prevent new, unknown software from executing
• Users are too dumb to not run malware
• Malware is evolving too fast
• APTs are too sophisticated
• Can't trust software vendors
• Don't fall for the "unlikely you are the one being targeted" line
• Problems aren't going away anytime soon; they are only going to get worse

Page 17: Bottom Line

• Install the new updates from Adobe
• Set up rules for the known bad files
• Watch my blog or social media feeds
• Keep an eye on http://forums.adobe.com/community/certificate?view=discussions
• Check your AV
• Hang on for tomorrow's revocation

Going forward

• Take control of patching
• Implement Software Restriction Policies, AppLocker or intelligent whitelisting

Page 18: Brought to you by Lumension (www.lumension.com)

Page 19: Defense-in-Depth Strategy

• AV: Control the Bad
• Device Control: Control the Flow
• HD and Media Encryption: Control the Data
• Application Control: Control the Gray
• Patch and Configuration Management: Control the Vulnerability Landscape

Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.

Page 20: Defense-in-Depth with Intelligent Whitelisting

Threat categories (table columns): Known Malware | Unknown Malware | Unwanted, Unlicensed, Unsupported Applications | Application Vulnerabilities | Configuration Vulnerabilities

Layers (table rows), each X marking a category that layer addresses; the extracted slide does not preserve which columns the marks fall in:

• AntiVirus: X X
• Application Control: X X
• Patch & Remediation: X X
• Security Configuration Management: X

Page 21: More Information

• Free Security Scanner Tools
  » Application Scanner – discover all the apps being used in your network
  » Vulnerability Scanner – discover all OS and application vulnerabilities on your network
  » Device Scanner – discover all the devices being used in your network
  http://www.lumension.com/Resources/Security-Tools.aspx

• Lumension® Intelligent Whitelisting™
  » Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Endpoint-Security.aspx
  » Free Trial (virtual or download): http://www.lumension.com/intelligent-whitelisting/free-trial.aspx

• Get a Quote (and more): http://www.lumension.com/intelligent-whitelisting/buy-now.aspx#7