Adobe’s code-signing infrastructure got hacked and now you have to worry about some really bad software out there that your computers will think are valid, safe applications from Adobe. One of them is pwdump which gets Windows passwords. Ever since Flame, Randy Franklin Smith from Ultimate Windows Security, has been saying that if Microsoft’s update infrastructure got hacked, it was only be a matter of time before another vendor’s did too. And that’s what this is all about. The methods are different, but both boil down to exploiting mistakes Microsoft and Adobe made in their PKI used to sign code. The reason this is so impactful to an organization, is that it allows the bad guys to trick your systems into running malicious code that looks like it came from Adobe – but you get that right? It really stinks though because no matter how good you maintain your systems, you are still at the mercy of the security of your software vendors. Download this presentation to learn: • How can you stop this particular threat? • How can you deploy some strategic technologies and controls to address the risk of compromised code signatures and vendor update infrastructures? • How can you preemptively control your exposure to the mistakes of your software vendors and/or when they get hacked? (In all fairness no one is safe from getting breached.)

1. Code Signing Debacle 2.0:
A Hacked Adobe Server
and Its Impact on Us All
© 2012 Monterey Technology Group Inc.

2. Brought to you by
www.lumension.com
Speaker
 Russ Ernst – Group Product Manager

3. Preview of Key Points
Current situation
What can/need you do?
Going forward
© 2012 Monterey Technology Group Inc.

4. Current Situation
Code signing server inside Adobe was hacked
An unknown quantity of files were signed to
look like they were issued by Adobe
We know of 3 files for sure but who knows how
many more?
Tomorrow Adobe will revoke the certificate in
question
© 2012 Monterey Technology Group Inc.

5. Current Situation
What is the risk?
The risk is NOT any vulnerability inside Adobe
products already installed
The risk IS that your computers might trust
malicious software
© 2012 Monterey Technology Group Inc.

6. Current Situation
Then, why do I need to install new versions?
You may run into errors when you try to
• Run affected applications
 “Not doing so may result in an error about the application
being from an unknown publisher on launch, although the
application should still launch.”
 "Publisher unknown, are you sure you want to run this
software".
 Software Restrictions, AppLocker or other whitelisting
applications using certificate rules
• Installing affected applications
 UAC
© 2012 Monterey Technology Group Inc.

7. Current Situation
 OK, which applications then?
About 30
Already installed versions of Acrobat and Reader not
affected
• But new installs of Reader will be
 “The reason is that the standalone version of Reader has an
installation helper file which is be impacted by the certificate
revocation. Already installed Reader versions are not impacted.”
 Important links
http://helpx.adobe.com/x-productkb/global/certificate-
updates.html#main-pars_header_5
http://helpx.adobe.com/x-productkb/global/guidance-
administrators-certificate-revocation.html
© 2012 Monterey Technology Group Inc.

8. Current Situation
At what point do Adobe measures protect us
from malicious software signed by this
certificate?
Some protection when certificate is revoked
But PKI revocations is fraught with problems
Answer is really unknown
© 2012 Monterey Technology Group Inc.

9. Current Situation
How do I protect my systems from software
signed by this breach?
Installing the updated Adobe apps provides no
protection
Adobe says not to install the revoked certificate
• Won’t address the risk and causes other problems
Remaining options
• Tactical
• Strategic
© 2012 Monterey Technology Group Inc.

10. Tactical
 Up-to-date AV
 Software Restrictions, AppLocker or whitelisting rule that explicitly
denies 3 known bad files
 PwDump7.exe:
• MD5 hash: 130F7543D2360C40F8703D3898AFAC22
File size: 81.6 KB (83,648 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB
 libeay32.dll
• MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
File size: 999 KB (1,023,168 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C
 myGeeksmail.dll
• MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
File size: 80.6 KB (82,624 bytes)
Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)
MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07
© 2012 Monterey Technology Group Inc.

11. Strategic
There is a way to get systemic protection
against breaches of vendor software update
infrastructures
Need to recognize some important trends and
facts
© 2012 Monterey Technology Group Inc.

12. Strategic
 The facts
This is at least the 4 time that
either
• Software code signing and/or
automatic update
infrastructure has been
compromised
• Stuxnet, Duqu, Flame, Adobe
Microsoft deserves kudos
compared to companies like
Adobe
Code signing is broken Hack
Automatic updates is fool me!
hardy
© 2012 Monterey Technology Group Inc.

13. Strategic
The solution
Complain to vendors
Keep your AV healthy
Take control of software distribution and updates
Prevent unvetted software from running no matter
who has signed it
© 2012 Monterey Technology Group Inc.

14. Strategic
Take control of software distribution and
updates
You cannot trust automatic updates
• Not too mention all their other problems
Software patching commandments
There is not substitute for application white-listing
© 2012 Monterey Technology Group Inc.

15. Strategic
 Software patching commandments
1. Thou shalt not depend on vendor automatic
updaters
2. Thou shalt not allow patch/installation based on
code-signing certificates
3. Thou shalt control which patches go down and
when
4. Thou shalt be able to deploy patches within hours
5. Thou shalt be able to deploy patches in phases
6. Thou shalt not be blind to patch deployment status
7. Thou shalt patch software from multiple vendors
8. Thou shalt patch applications on all your operating
systems
© 2012 Monterey Technology Group Inc.

16. Strategic
 There is not substitute for application white listing
Stuff is going to get past AV
You can no longer depend on code signatures
You must prevent new, unknown software from
executing
• Users are too dumb to not run malware
• Malware evolving too fast
• APTs too sophisticated
• Can’t trust software vendors
• Don’t fall for the “unlikely you are the one being targeted”
line
• Problems aren’t going away anytime soon
 Only going to get worse
© 2012 Monterey Technology Group Inc.

17. Bottom Line
 Install the new updates from Adobe
 Setup rules for the bad known
 Watch my blog or social media feeds
 Keep an eye on
http://forums.adobe.com/community/certificate?vi
ew=discussions
 Check your AV
 Hang on tomorrow
 Going forward
Take control of patching
Implement software restrictions, AppLocker or
intelligent white listing
© 2012 Monterey Technology Group Inc.

18. Brought to you by
www.lumension.com
Speaker
 Russ Ernst – Group Product Manager

19. Defense-in-Depth Strategy
Successful risk mitigation starts
AV with a solid vulnerability manage-
Control the Bad ment foundation, augmented by
Device Control
additional layered defenses which
Control the Flow go beyond the traditional blacklist
approach.
HD and Media Encryption
Control the Data
Application Control
Control the Gray
Patch and Configuration Management
Control the Vulnerability Landscape
19

20. Defense-in-Depth with Intelligent Whitelisting
Known Unknown Unwanted, Application Configuration
Malware Malware Unlicensed, Vulnerabilities Vulnerabilities
Unsupported
applications
AntiVirus X X
Application
X X
Control
Patch &
X X
Remediation
Security
Configuration X
Management

21. More Information
• Free Security Scanner Tools • Get a Quote (and more)
» Application Scanner – discover all the apps http://www.lumension.com/
being used in your network intelligent-whitelisting/buy-now.aspx#7
» Vulnerability Scanner – discover all OS and
application vulnerabilities on your network
» Device Scanner – discover all the devices
being used in your network
http://www.lumension.com/Resources/
Security-Tools.aspx
• Lumension® Intelligent Whitelisting™
» Online Demo Video:
http://www.lumension.com/Resources/
Demo-Center/Endpoint-Security.aspx
» Free Trial (virtual or download):
http://www.lumension.com/
intelligent-whitelisting/free-trial.aspx
21