Recently, Adobe announced that their internal servers had been hacked back in July and their digital code signing technology compromised. This gave the hackers the ability to distribute malware that appeared to be legitimate Adobe software.
In fact, Adobe is aware of two malware files that contained apparently legitimate code signatures. The files were discovered by a third party that was cleaning up a breach.
In response, Adobe revoked the affected certificate and published updates for existing software signed with it.
Problem solved?
More or less, for now.
Adobe has revoked the code signing certificate for the time period that they were vulnerable, from July 10th to September 27th of this year. Assuming July 10th is when they were first compromised, that will stop the spread of malware with a falsely applied certificate.
However, Adobe's actions respond to just the two files that were identified because they had in fact breached a firm's security. We do not know whether there are more copies of these files, or other malware from the same hackers, that have successfully infected computers but have not yet been discovered.
Of course, it is also possible that they have been discovered but the victims have not come forward. Security breaches often go unreported because firms are reluctant to broadcast bad news and fear that they will become a target for other hackers.
The bigger problem is that these hackers are still out there. Adobe has referred to them as "sophisticated threat actors" engaged in "highly targeted attacks."
These types of attacks are called Advanced Persistent Threats (APTs). They attack points of weakness that are not critical in themselves, then use them to gain progressively more access to and control over the computers and networks they compromise.
One of the two digitally signed malware files is a utility that extracts password data from the Windows operating system. A hacker could use this to escalate the privileges of a compromised user ID. The second malware file could be used to modify access to, and messages from, a web server.
How much harm can such hackers cause?
I would group hackers into three categories:
Sport hackers: They do it for the challenge and are generally a nuisance, but do not do anything particularly malicious. While not insignificant, they are the least of our problems.
Malicious hackers: These hackers are trying to harm their targets. Some of them have a cause and are making a political statement; these are known as hacktivists. They can also include foreign governments engaged in the increasingly active art of cyber warfare.
Criminal hackers: These are engaged in a variety of schemes and good old-fashioned fraud. This includes financial fraud through identity theft, click fraud (inflating advertisement clicks to increase the fees paid) and the theft of intellectual property.
What should you take away from this?
If you connect to the internet you are vulnerable to attack.
Code signing is a way that scanners and firewalls can verify the identity of the author of an executable file and ensure that the file has not been altered since it was signed by the author.
We all hope that this incident does not indicate that the code signing system is fatally flawed, and I expect that it will continue to be an important tool for guarding against attacks. However, it clearly proves that the system can be compromised. It may take a rare combination of sophisticated hackers and a company that lets its guard down, as Adobe did, but when that happens the consequences can be severe.
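As an added illustration that is not part of the original post, the following Go program shows how a scanner's trust decision combines the two checks described above: that the signature verifies (identity and integrity) and that the signature was not made inside the window for which the certificate was revoked. It assumes an Ed25519 key and a trusted signing timestamp as stand-ins for the real certificate chain and timestamp service, and the file contents and dates are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Revocation: the signing key is untrusted for signatures timestamped between
// From and To (inclusive), the way Adobe revoked July 10 through September 27.
type Revocation struct{ From, To time.Time }
// SignedFile is a constructed stand-in for a signed executable; the signature
// covers the content hash and the trusted signing time, so neither can change.
type SignedFile struct {
	Content  []byte
	SignedAt time.Time
	Sig      []byte
}
// digest binds the file content and its signing time into one message.
func digest(content []byte, at time.Time) []byte {
	h := sha256.New()
	h.Write(content)
	h.Write([]byte(at.UTC().Format(time.RFC3339)))
	return h.Sum(nil)
}
// Sign is the publisher's side: sign the content/time digest with the private key.
func Sign(priv ed25519.PrivateKey, content []byte, at time.Time) SignedFile {
	return SignedFile{content, at, ed25519.Sign(priv, digest(content, at))}
}
// Verify is the scanner's decision: "bad-signature" if content or time was altered,
// "revoked" if a valid signature was made inside the revoked window, else "trusted".
func Verify(pub ed25519.PublicKey, f SignedFile, rev *Revocation) string {
	if !ed25519.Verify(pub, digest(f.Content, f.SignedAt), f.Sig) {
		return "bad-signature"
	}
	if rev != nil && !f.SignedAt.Before(rev.From) && !f.SignedAt.After(rev.To) {
		return "revoked"
	}
	return "trusted"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the publisher's cert
	day := func(m time.Month, d int) time.Time { return time.Date(2012, m, d, 0, 0, 0, 0, time.UTC) }
	rev := &Revocation{day(time.July, 10), day(time.September, 27)}
	good := Sign(priv, []byte("legitimate build"), day(time.May, 1))    // signed before the breach
	stolen := Sign(priv, []byte("malware"), day(time.August, 15))       // signed with the stolen key
	fmt.Println(Verify(pub, good, rev), Verify(pub, stolen, rev))       // trusted revoked
}
```

A file signed during the window is cryptographically valid yet rejected, which is why the revocation alone stops further spread but cannot undo infections that happened before the scanner learned of it.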
The lesson for both IT professionals and the average computer user is that you cannot be too vigilant in protecting your computers and networks. If you do not use virus scanning and a firewall, start today. There are some very good free security systems available that can do the job.
In dealing with a breach such as this, you need the most aggressive type of antivirus and malware protection possible. The problem with most antivirus products is that they only address viruses and exploits that have already been identified and added to a "blacklist" of known threats.
This approach would not have caught the malware in this case.
However, scanners that use a "whitelist" concept and sandbox likely would.
With this technique, program files are compared to a list of valid files and only allowed to run in your system if they are on the list. If the scanner has any suspicions about a program, it is run in an isolated system area called a sandbox where the scanner can determine if it is OK or should be deleted.
Firewalls are easy to set up, and there are excellent free anti-malware and firewall suites available. Whether you have a network for a business or just a home computer, you owe it to yourself to implement the best available.