Blog

  • Hackers Breached Adobe Server in Order to Sign Their Malware

    posted by Keito
    2012-09-29 17:01:17
    'The ongoing security saga involving digital certificates got a new and disturbing wrinkle on Thursday when software giant Adobe announced that attackers breached its code-signing system and used it to sign their malware with a valid digital certificate from Adobe.

    Adobe said the attackers signed at least two malicious utility programs with the valid Adobe certificate. The company traced the problem to a compromised build server that had the ability to get code approved from the company’s code-signing system.

    Adobe said it was revoking the certificate and planned to issue new certificates for legitimate Adobe products that were also signed with the same certificate, wrote Brad Arkin, senior director of product security and privacy for Adobe, in a blog post.

    “This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh,” Arkin wrote. “The revocation does not impact any other Adobe software for Macintosh or other platforms.”

    The three affected applications are Adobe Muse, Adobe Story AIR applications, and Acrobat.com desktop services.

    The company said it had good reason to believe the signed malware wasn’t a threat to the general population, and that the two malicious programs signed with the certificate are generally used for targeted, rather than broad-based, attacks.

    Arkin identified the two pieces of malware signed with the Adobe certificate as “pwdump7 v7.1” and “myGeeksmail.dll.” He said that the company passed them on to anti-virus companies and other security firms so that they could write signatures to detect the malware and protect their customers, according to the post.

    Adobe didn’t say when the breach occurred, but noted that it was re-issuing certificates for code that was signed with the compromised signing key after July 10, 2012. Also, a security advisory the company released with its announcement showed that the two malicious programs were signed on July 26 of this year. Adobe spokeswoman Liebke Lips told Wired that the company first learned of the issue when it received samples of the two malicious programs from an unnamed party on the evening of Sept. 12. The company then immediately began the process of deactivating and revoking the certificate.

    The company said the certificate will be re-issued on Oct. 4, but didn’t explain why it would take that long.

    Digital certificates are a core part of the trust that exists between software makers and their users. Software vendors sign their code with digital certificates so that computers recognize a program as legitimate code from a trusted source. An attacker who can sign their malware with a valid certificate can slip past protective barriers that prevent unsigned software from installing automatically on a machine.

    Revoking the certificate should prevent the signed rogue code from installing without a warning.

    Stuxnet, a sophisticated piece of malware that was designed to sabotage Iran’s nuclear program, was the first malicious code discovered in the wild to be using a valid digital certificate. In that case the attackers – believed to have been working for the U.S. and Israel – stole digital certificates from two companies in Taiwan to sign part of their code.

    Adobe said that it stored its private keys for signing certificates in a hardware security module and had strict procedures in place for signing code. The intruders breached a build server that had access to the signing system and were able to sign their malicious programs in that way.

    In addition to concerns about the compromised certificate, the breach of the build server raises concerns about the security of Adobe’s source code, which might have been accessible to the attackers. But Arkin wrote that the compromised build server had access to source code for only one Adobe product. The company did not identify the product but said that it was not the Flash Player, Adobe Reader, Shockwave Player or Adobe AIR. Arkin wrote that investigators found no evidence that the intruders had changed source code and that “there is no evidence to date that any source code was stolen.”

    Questions about the security of Adobe’s source code came up earlier this month after Symantec released a report about a group of hackers who broke into servers belonging to Google and 33 other companies in 2010. The attackers were after source code for the companies. Adobe was hacked around the same time, but has never indicated if the same attackers that hit Google were responsible for hacking them.

    Symantec found evidence that the attackers who struck Google had developed and used an unusually large number of zero-day exploits in subsequent attacks against other companies. The attackers used eight zero-day exploits, five of which were for Adobe’s Flash Player. Symantec said in its report that such a large number of zero-days suggested that the attackers might have gained access to Adobe’s source code. But Arkin insisted at the time that no Adobe software had been stolen.

    “We are not aware of any evidence (direct or circumstantial) indicating bad guys have [source code],” he told Wired at the time.'

    http://www.wired.com/threatlevel/2012/09/adobe-digital-cert-hacked/
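    The article's key defensive detail is the revocation cutoff: Adobe re-issues code signed after July 10, 2012, while earlier, timestamped signatures stay valid. The triage below is an added illustration, not code from Adobe or Wired; the Adobe file names and the vendor inventory are constructed, the cutoff and the two malware names and their July 26 signing date are taken from the article, and the policy assumes Authenticode-style semantics (a trusted timestamp countersignature fixes the signing time; a signature without one cannot be dated and is treated as falling inside the window).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Revocation cutoff from Adobe's advisory: code signed after 2012-07-10 is re-issued.
CUTOFF = datetime(2012, 7, 10, tzinfo=timezone.utc)

@dataclass(frozen=True)
class SignedBinary:
    name: str
    signed_at: Optional[datetime]   # trusted timestamp countersignature, None if absent

def verdict(binary: SignedBinary, cutoff: datetime, vendor_inventory) -> str:
    """Classify one binary carrying a signature from the revoked certificate.

    A timestamped signature made before the revocation date stays valid; anything
    signed at or after it, or lacking a timestamp (so its signing time cannot be
    proven), is no longer trusted and is either re-signed or distrusted.
    """
    if binary.signed_at is not None and binary.signed_at < cutoff:
        return "trusted"      # signature provably predates the compromise window
    if binary.name in vendor_inventory:
        return "resign"       # legitimate build: must be re-signed with the new cert
    return "distrust"         # unknown code signed in the window, like the two samples

def triage(binaries, cutoff=CUTOFF, vendor_inventory=frozenset()):
    """Map each binary name to its verdict under the revocation policy."""
    return {b.name: verdict(b, cutoff, vendor_inventory) for b in binaries}

# Constructed sample data: the two malware names and their signing date come from
# the article; the Adobe file names and the inventory are made up for the example.
ADOBE_SHIPPED = {"AdobeMuse.exe", "AcrobatDesktop.exe"}
SAMPLES = [
    SignedBinary("AdobeMuse.exe", datetime(2012, 6, 1, tzinfo=timezone.utc)),
    SignedBinary("AcrobatDesktop.exe", datetime(2012, 8, 2, tzinfo=timezone.utc)),
    SignedBinary("pwdump7 v7.1", datetime(2012, 7, 26, tzinfo=timezone.utc)),
    SignedBinary("myGeeksmail.dll", datetime(2012, 7, 26, tzinfo=timezone.utc)),
    SignedBinary("OldInstaller.exe", None),   # no timestamp: signing time unprovable
]

if __name__ == "__main__":
    for name, result in triage(SAMPLES, vendor_inventory=ADOBE_SHIPPED).items():
        print(f"{name:20} {result}")
```

The untimestamped installer lands in the same bucket as the malware, which is why vendors countersign with a timestamp service: without it, every signature dies with the certificate.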
  • RAP NEWS X: #Occupy2012 (feat. Anonymous & Noam Chomsky)

    posted by Keito
    2012-09-01 10:15:44
  • Hackers Dump Millions of Records From Banks, Politicians

    posted by Keito
    2012-08-28 20:59:58
    "TeamGhostShell, a team linked with the infamous group Anonymous, is claiming that they have hacked some major U.S. institutions, including major banking institutions and accounts of politicians, and has posted those details online. The dumps, comprised of millions of accounts, have been let loose on the web by the hacking collective. The motivation behind the hack, the group claims, is to protest against banks, politicians and the hackers who have been captured by law enforcement agencies."

    http://it.slashdot.org/story/12/08/26/207241/hackers-dump-millions-of-records-from-banks-politicians
  • Hackers backdoor the human brain, successfully extract sensitive data

    posted by Keito
    2012-08-18 11:29:20
    And this, my friends, is why we need trustworthy governments more than ever. The future is now, and politics has yet to catch up with technological advancements. We need open, honest and transparent governments if we are to embrace the next century peacefully; not the corrupt, secretive governments which we've put up with for far too long.

    This latest brain-breakthrough, put in the wrong hands, could quite easily be used by unscrupulous governments worldwide to usher in a nightmare dystopian future for us all. It would obviously be a gross breach of human rights to impose this technology unwillingly on another human being, but time and time again we see our governments ignoring such pesky annoyances; and who's to say that this technology would have to be forcefully imposed upon someone? Whack a great big Apple logo on the hardware and people will not only wilfully wear such a thing, they'll pay a handsome fortune in order to do so! Such is the way of the sheep.

    It's not a hop-skip-and-a-jump away to take a chip, embed it in this part of the brain, and then stream your 'thoughts' via wireless to some central computer system. I'm sure the NSA would love to extend their 'surveillance' operatives further into this realm... all in the name of keeping you safe from terror, mind you. Isn't that the key trigger word to gain backing from the public nowadays? This would be a great weapon to add to their arsenal in the War On Terror, never mind the fact that the real (mis)use of such a technology would almost certainly be far more sinister... never underestimate the corruption that power brings, and the ability of our governments to go 'rogue'.

    To be honest, I'm more worried (read 'terrified') of our 'democratic' governments' attacks on freedom, civil liberties and human rights, than I am of some once-in-a-blue-moon terrorist attack. Hell, I was a child born of the 80's, and the good folk of Britain didn't lose their collective marbles when we were the victim of terrorist attacks back then. Yet, now it seems we're quite willing to drop all sensibilities and power for rational thought, as soon as the politicians tell us "the threat level is significant"... Really? Because I see more of a threat in our governments' daily actions. If anything, our governments' actions continue to breed more and more terrorists (thanks to their ridiculous approach to foreign policy in the Middle East), increasing the risk every day, in their pursuit to 'combat terrorism' in their failed 'war on terror'. The phrase itself is an oxymoron. Are our very actions in this 'War On Terror' not terrorism itself? One need only look at the Collateral Damage video, released by the WikiLeaks organisation some time ago, to see that our governments are waging a terrorism campaign... and not only that, but they are trying to keep this fact hidden from the people they are supposed to be representing/governing.

    Not once, during all this time, has anyone in any position of power addressed the real reason why these 'terrorists' have done what they have done. Who trained them? Why did they have a problem with the US/UK in the first place? Our governments wrongly feel that the way to 'fix' *their* mess is to go into the home countries of these terrorists, guns blazing... That, on closer inspection, is a dumb move (though I, for one, always thought as much).

    Anyway, the real story here, after our little excursion into rantdom, is this:

    "With a chilling hint of the not-so-distant future, researchers at the Usenix Security conference have demonstrated a zero-day vulnerability in your brain. Using a commercial off-the-shelf brain-computer interface, the researchers have shown that it’s possible to hack your brain, forcing you to reveal information that you’d rather keep secret.

    As we’ve covered in the past, a brain-computer interface is a two-part device: There’s the hardware — which is usually a headset (an EEG; an electroencephalograph) with sensors that rest on your scalp — and software, which processes your brain activity and tries to work out what you’re trying to do (turn left, double click, open box, etc.) BCIs are generally used in a medical setting with very expensive equipment, but in the last few years cheaper, commercial offerings have emerged. For $200-300, you can buy an Emotiv (pictured above) or Neurosky BCI, go through a short training process, and begin mind controlling your computer.

    Both of these commercial BCIs have an API — an interface that allows developers to use the BCI’s output in their own programs. In this case, the security researchers — from the Universities of Oxford and Geneva, and the University of California, Berkeley — created a custom program that was specially designed with the sole purpose of finding out sensitive data, such as the location of your home, your debit card PIN, which bank you use, and your date of birth. The researchers tried out their program on 28 participants (who were cooperative and didn’t know that they were being brain-hacked), and in general the experiments had a 10 to 40% chance of success of obtaining useful information (pictured above).

    To extract this information, the researchers rely on what’s known as the P300 response — a very specific brainwave pattern (pictured right) that occurs when you recognize something that is meaningful (a person’s face), or when you recognize something that fits your current task (a hammer in the shed). The researchers basically designed a program that flashes up pictures of maps, banks, and card PINs, and makes a note every time your brain experiences a P300. Afterwards, it’s easy to pore through the data and work out — with fairly good accuracy — where a person banks, where they live, and so on.

    In a real-world scenario, the researchers foresee a game that is specially tailored by hackers to extract sensitive information from your brain — or perhaps an attack vector that also uses social engineering to lull you into a false sense of security. It’s harder to extract data from someone who knows they’re being attacked — as interrogators and torturers well know.

    Moving forward, this brain hack can only improve in efficacy as BCIs become cheaper, more accurate, and thus more extensively used. Really, your only defense is to not think about the topic — but if you’re proactively on the defensive, then the hacker has already messed up. The only viable solution that I can think of is to ensure that you don’t use your brain-computer interface with shady software, brain malware — but then again, in a science-fictional future, isn’t it almost guaranteed that the government would mandate the inclusion of brain-hacking software in the operating system itself?"

    http://www.extremetech.com/extreme/134682-hackers-backdoor-the-human-brain-successfully-extract-sensitive-data
  • An Open Letter to Defcon Hackers: Don’t Sell Out to the NSA (2011)

    posted by Keito
    2012-07-26 21:32:59
    Dear Hackers,

    Word on the internet is that the National Security Agency (NSA)—of which I’m sure you’re well aware—has very publicly stated it’s setting up shop at Defcon alongside corporations to recruit hackers to the dark side.

    As reported by Reuters, Richard “Dickie” George, technical director of the NSA’s Information Assurance Directorate (cyber defense wing)—we’ll henceforth call him Simply Dick—is looking to recruit you to work on the “hardest problems on Earth.” They’re appealing to your ego, your vanity. Simply Dick is looking for hackers only in it for the game; those willing to become pro-state, or at least ideologically neutral.

    In short, they are looking for those willing to sell out. The deal? No threat of prison and a steady paycheck doing the power’s bidding.

    Let’s briefly consider some of the hard problems you’ll be working on. You’ll be part of an immense bureaucratic apparatus that operates in the United States, spying on its own citizens through warrantless wiretaps, except you won’t be wiretapping phones, you’ll be tapping American citizens’ emails, search results and other communications. And there are domestic projects that the NSA keep secret and thus beyond our current awareness.

    Maybe some of you already hack average American citizens and you’ll have no problem doing such work for a government spy agency or a corporation. Then the NSA or Bank of America is probably where you belong. Good luck.

    You’ll be disrupting state and individual sovereignty daily in foreign countries, all to ensure political, economic and military hegemony; though you will be told that it’s simply to combat terrorism. Maybe you’ll have some fun going after Chinese hackers, but couldn’t you just as easily do this from the comfort of your own home without a suit telling you what to do?

    But none of this concerns me as much as the idea that people with the talent to hold government to account would so willingly join its ranks.

    In the future, hackers will be integral to dissent—in a sense, you already are in light of WikiLeaks, Anonymous and LulzSec.

    Those of us without hacking expertise do expect that some of you will work for the state, whether it’s because you’re ideologically neutral or you’re a patriot and want to smoke the evildoers out of their caves. But, we also hope far more of you won’t sell out—that you will maintain the counter-culture and grow it.

    Indeed, we hope that most of you stay out of the NSA’s monolithic spy palace to keep the assholes in our government honest.

    Simply Dick knows that you have the capabilities to check power or even threaten its very existence. Simply Dick is counting on the NSA’s power of persuasion.

    Don’t let him whisper sweet nothings in your ears.

    Best,

    D. J. Pangburn