Malware signed by Adobe

In September, Adobe detected two pieces of malware that were legitimately signed by Adobe!  Carrying a valid signature from a trusted source like Adobe was a compelling advantage for this malware.  As one of the samples was not publicly available, the likelihood that it was meant to be used in an Advanced Persistent Threat (APT) is extremely high.

Did a signing private key leak out, as was the case for Yahoo in May?  Adobe performed an extensive forensic analysis.  They discovered that one build server had been compromised.  This build server was allowed to submit software for signature.  According to Adobe, the configuration of the server was not at the proper Adobe standard of security.  As it was the server that was compromised, the private key itself, stored in a Hardware Security Module (HSM), was not compromised.  Adobe also had proof that this server requested the signature of the malware.  They believe that the attackers first accessed another server and then moved laterally to take control of this build server.  Once they controlled the server, the attackers requested the signature of their malware.  This is a typical scheme for an APT.  It also means that the signed malware was meant to be used in later steps of this APT, whose target was not Adobe.

Adobe has published a detailed account of the attack.  The signing key was revoked on October 4, 2012.  Very proper job.

Once more, we see that APTs are becoming more and more sophisticated.  Large organizations are clearly under serious threat (I will come back to that topic in one of my future posts).

The power plug is watching you

If you look at the picture of the Power Pwn, you may see just an innocent power strip.  If you look more carefully at the bottom left corner of the device, you may notice some connectors!  Why would a power strip need connectors?

Indeed, this device is a perfectly integrated penetration testing platform.  Here is a non-exhaustive list of features:

  • On-board Wi-Fi, Bluetooth and Ethernet connections: everything needed to sniff communications.
  • Everything needed to create SSH and VPN connections.
  • Out-of-band communication through a 4G/GSM adapter!  You can send commands through SMS.
  • Stealth mode: the device is unpingable and has no listening ports.
  • A wealth of preloaded tools.
  • And many, many other goodies…
  • Of course, the plugs are functional.

Of course, it should only be used by white hats.  Extracted from the user manual:

All Pwnie Express / Rapid Focus Security products are for legally authorized uses only.

This may be a formidable tool!  Of course, it is better suited to the US, as the plugs follow US standards.  The device does not (yet) exist for other plug types.

The product (and less powerful ones) is available from Pwnie Express.

Designing security warnings

Microsoft released some interesting rules for deciding when and what to display to users in the case of a security warning.  Microsoft proposed two nice acronyms.

A security warning should be Necessary, Explainable, Actionable and Tested (NEAT).  In other words, the designer should only present a security warning when the user actually needs to make a decision and the issue can be precisely explained to the user.

Explaining a security warning is a difficult task.  Thus, Microsoft proposed another acronym.  The explanation should clearly state the Source of the issue, the Process the user may follow to resolve it, describe the Risk, be Unique to the user (his/her context), offer some Choices and give Evidence (SPRUCE).

A nice initiative.

World of Warcraft: a virtual genocide

On 7 October 2012, the population of the towns of Stormwind, Orgrimmar, Tarren Mill, Ragnaros, Draenor and Twisting Nether was wiped out in a few seconds.  This left tens of thousands of dead.  Did you hear about this carnage?  If not, then you are probably not a hard-core gamer.

These towns are in the virtual realms of World of Warcraft (WoW).  This is the most widely deployed MMORPG, with millions of players.  Thus, those are virtual deaths.  And the cause was a hack.  It seems that a script allowed launching an extremely powerful spell (Aura of God) that kills everybody around.  The attack was claimed by Jadd.

Blizzard, the developer of WoW, reacted quickly and hot-fixed the exploit within four hours.  In an official statement, Blizzard announced that

It’s safe to continue playing and adventuring in major cities and elsewhere in Azeroth.

Usually, attacks on games are oriented towards either cheating or gaining money.  Jadd claims the exploit was just for fun.

LinkedIn Password Leak (3) or The cost of one leak

In June 2012, 6.5 million unsalted password hashes leaked out of LinkedIn.  The company asked the affected members to change their passwords (and hopefully now salts the hashed passwords).
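To show concretely why the salting mentioned above matters, here is an added example (my own illustration, not LinkedIn's code, and the sample accounts are constructed): with an unsalted SHA-1, two members who chose the same password get the same digest, so one cracked digest exposes every account sharing it and precomputed tables apply directly; with a per-password random salt and an iterated hash (PBKDF2-HMAC-SHA256 here), equal passwords give different records and each one must be attacked separately.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts (illustrative only, not data from the
# LinkedIn leak). Two users happen to pick the same password.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "Summer2012!",
    "bob@example.com": "Summer2012!",
    "carol@example.com": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a single SHA-1 over the password, no salt.
    Equal passwords give equal digests, so one cracked digest unlocks
    every account that shares it, and precomputed tables apply directly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def accounts_sharing_digests(accounts: dict) -> int:
    """Defender's audit: count accounts that would be exposed together
    because their unsalted digests collide. Anything above 0 is a red flag."""
    seen = {}
    for user, pw in accounts.items():
        seen.setdefault(unsalted_sha1(pw), []).append(user)
    return sum(len(users) for users in seen.values() if len(users) > 1)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated hash with PBKDF2-HMAC-SHA256. The salt and the
    iteration count are stored next to the digest so that verification
    can recompute exactly the same value later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant
    time so the comparison itself leaks nothing through timing."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("accounts exposed together by unsalted SHA-1:",
          accounts_sharing_digests(SAMPLE_ACCOUNTS))
    store = {u: hash_password(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("alice and bob records identical?",
          store["alice@example.com"] == store["bob@example.com"])
    print("alice verifies?", verify_password("Summer2012!", store["alice@example.com"]))
```

The record format (`algorithm$iterations$salt$digest`) is my own choice for the example; the point is that the salt and cost travel with the digest, so the cost can be raised later without a flag day.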

When publishing its Q2 earnings, LinkedIn described some of its expenses.  Obviously, the leak had a direct impact.

  • The forensic investigation itself cost between $500,000 and $1,000,000.
  • LinkedIn provisioned an additional $2,000,000 – $3,000,000 to improve its security.

Therefore, this leak seems to have cost less than other recent leaks such as the Sony network one.  As the number of LinkedIn members still grew, it does not seem to have hurt the popularity of the site either.  The Q3 results (to be published soon) should still show growth in membership.

There is no news about the class action initiated by Katie Szpyrka.

World of Warcraft and watermarking

Old news, as it started in September.  On 8 September 2012, Sendatsu published on OwnedCore a detailed study of the use of watermarks within Blizzard's World of Warcraft (WoW).  According to him, WoW adds an "invisible" watermark to screenshots (at least to JPEGs at lower quality).  Capturing a screenshot without texture repeatedly produces a pattern similar to this one (image: wow-watermark).

The watermark carries 88 bytes with the account ID, a timestamp and the IP address of the server.  Clearly, it does not carry any personal information.  It seems that this Digimarc-based watermark has been in use since 2007 (when screenshots were added).

The aim of this watermark seems obvious to me.  There are many illegal WoW servers around.  Of course, users playing WoW through these non-Blizzard servers do not pay the monthly subscription.  This means a loss of revenue for Blizzard.  Finding the IP address of such unauthorized servers is a good start to fight piracy.

Strangely, nobody has reported a similar case for other Blizzard games such as Diablo III or StarCraft.  Is it because nobody has looked at it yet?  Or because there is no such watermark (fewer pirate servers)?

Update (30-oct-12):  The allegation that it is a Digimarc solution seems wrong.  Thus, there is currently no clue about the solution provider.

Insuring clouds

Everybody is running, very enthusiastically, towards cloud computing.  Sometimes, it reminds me of lemmings.  I hope that I am wrong.  Let's be positive.  Obviously, cloud computing will bring advantages.  Nevertheless, in my opinion, cloud security is only in its early infancy.

Thus, any cloud deployment should be preceded by a serious risk analysis (even if we have only a vague idea of the real threats).  Where risks appear, insurance should appear as well.

A company, CloudInsure, seems to be exploring this new opportunity.

CloudInsure is a Cloud Insurance platform designed to specifically address emerging liabilities within the Cloud environment. In partnership with global insurance and reinsurance carriers, we’ve engineered privacy & security liability coverage to meet the needs of the Cloud Computing space for enterprise customers. Through our innovative underwriting models and proprietary analytics, we bring insurance solutions that move at the pace of Cloud technology.

Are you aware of other such companies?