Adobe number one target for hackers

In the first quarter of 2010, Adobe products were the number one target for hackers. The reason is believed to be the multi-platform capability of Adobe products like Flash and Acrobat PDF. Many users are not aware of the dangers of opening PDF files from unknown parties.

The Adobe Reader & Acrobat exploit Pdfka was by far the most common at 42.97%. Combining two of the most common exploits for Adobe products yields almost 50% of the total exploits found in that quarter. Many Adobe users do not frequently update their software to the latest versions, much less apply recent patches.

1024-bit RSA encryption crackable

1024-bit RSA encryption is used around the world to protect web servers and other devices using OpenSSL. In the past, only the 768-bit version of RSA has been crackable using brute-force methods, with 1,500 years of processing time. Recently, computer scientists from the University of Michigan claimed they are able to crack OpenSSL using full 1024-bit RSA encryption by fluctuating the voltage on the server's power supply. Although the scientists say this type of attack can be easily prevented by changing the error-checking algorithm, they claim it is repeatable and consistent and can be performed in just over 100 hours, exponentially quicker than previous successful attacks on weaker key lengths.

Because direct access to the server's power supply is required to perform this attack, it is unlikely this vulnerability will be exploited in the wild on most servers. Many consumer devices like MP3 players, Blu-ray players, and mobile phones use RSA encryption to protect intellectual property. Consumer devices, on the other hand, are easy to gain physical access to and can be manipulated to gain access to intellectual property or private data.

More information can be found in their white paper (PDF) that will be presented next week in Dresden at the Design Automation and Test in Europe conference.

OpenSSL has acknowledged this vulnerability and is currently working on a patch.
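A common form of the error check mentioned above is to verify each signature with the public key before it leaves the signer, so a result corrupted by a hardware fault is never released. The following is an added example, not code from OpenSSL or the Michigan paper; the toy primes, the CRT structure and the bit-flip fault model are assumptions made for illustration.

```python
# Added illustration: toy RSA-CRT signer with a verify-before-release check.
# P and Q are small known primes chosen for readability (constructed values);
# a real key uses far larger primes.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


class FaultDetected(Exception):
    """The freshly computed signature did not verify under the public key."""


def sign_crt(m, fault_mask=0):
    """RSA-CRT signature of integer m (0 <= m < N).

    fault_mask is XORed into one half-result to stand in for a transient
    hardware error (assumed fault model; 0 means no fault).
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q) ^ fault_mask
    h = (QINV * (sp - sq)) % P          # Garner recombination
    return sq + h * Q


def sign_checked(m, fault_mask=0):
    """Sign, then re-verify with the public exponent before releasing."""
    s = sign_crt(m, fault_mask)
    if pow(s, E, N) != m:
        raise FaultDetected("self-check failed; signature withheld")
    return s


def released(m, fault_mask=0):
    """True if a signature leaves the signer, False if the check blocks it."""
    try:
        sign_checked(m, fault_mask)
        return True
    except FaultDetected:
        return False


M = 0x1234567890ABCDEF  # constructed message representative, M < N

if __name__ == "__main__":
    print("clean run released:  ", released(M))
    print("faulted run released:", released(M, fault_mask=1 << 3))
```

The extra public-key operation is cheap next to the private-key operation, which is why this kind of check is a practical default on devices an attacker can physically handle.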

TechCrunch: Now Hiring Hackers

Recently Twitter.com was hacked and 310 confidential documents were taken from their Google Apps account. These documents ranged from executive meeting notes, partner agreements and financial projections to the meal preferences, calendars and phone logs of various Twitter employees. They were delivered to TechCrunch(.com) via email by someone who refers to themselves as “hacker Croll”.

Any individual or company with a shred of ethics would contact authorities and keep this information private. TechCrunch, on the other hand, would rather use this information to get more links to their website. So Mike Arrington over at TechCrunch thinks leaking confidential documents is a great way to do this. I for one think this is very unethical and don’t agree with their stance that this is what is considered news.

Twitter has responded to this incident with their own post.

What do you think?

Crimeware kits for sale

Independent research reports from several different internet security firms are warning about the increased level of technology, sophistication, and organization that criminals are employing in their endeavors to steal, defraud, extort, and otherwise scam individuals and corporate entities for their money. Today’s hacker wannabe doesn’t even have to be particularly skilled technologically. He just has to be willing and able to cough up the money for a good crimeware kit, which can cost upwards of $3000.00 depending on the capabilities desired.

According to Symantec, 3 phishing kits were responsible for over 40 percent of the phishing attacks they observed during a recent 6 month interval. These kits come complete with sample phishing web sites and email messages, and their availability on the black market can be linked to the 53 percent increase in the number of phishing attacks observed during that same period.

Other crimeware kits such as MPack combine multiple attack types, exploiting both web server and client vulnerabilities. Additionally, kits are available that allow criminals to customize Trojans in order to target specific sectors or agencies. Finjan is reporting that these crimeware Trojan kits create new binary files with each use, making signature-based detection extremely difficult. These kits are also capable of generating Command and Control modules for remote control of distributed Trojans, in effect creating botnets.

These kits show all the traits of professionally developed software suites, utilizing the latest web 2.0 programming technologies. This has resulted in skyrocketing infections within the most popular web 2.0 sites, including social networks and P2P file-sharing sites. In fact, according to Websense, 60 percent of the most popular sites on the internet either hosted crimeware, or linked to malicious websites which hosted crimeware during the first 6 months of 2008. Various MySpace hacks for example allowed criminals to view private profiles and capture logon details, enabling the hackers to use the hacked accounts to send spam or host malware.

One of the newest kits available to hackers was discovered by Panda Security in June. It converts traditional Trojans into worms. This means that once a machine is infected with the Trojan, other computers sharing the same network could be infected without the users opening an infected email attachment or visiting a malicious site. Such hybrids spread much more quickly than the original Trojans from which they’re created.

Crimeware kits are distributed to potential buyers, who use private chat facilities to negotiate and consummate the transactions. Sites which host torrent trackers also index many hacking toolkits. Of course, the illegal gangs and cybercriminals have their own distribution and management channels. These organizations seem very much like a cross between modern high-tech business enterprises and mafia-style organized crime. The top managerial tier does not engage directly in hacking activities, but directs middle management layers which control the distribution of crimeware and crimeware kits to lower tiers. These lower tiers are the actual hackers collecting the stolen data, identities, credit card numbers, etc. They also control the botnets which are used to launch attacks, send spam, and expand their networks.

The growing sophistication of crimeware (and the ease with which it can now be developed and deployed), the increased use of blended attacks involving multiple attack vectors, and the continual refinement of the criminal organizations behind cybercrime are all symptoms of the trend away from malware created for glory or anarchistic destruction and toward crimeware geared for stealth and profit.

Sophisticated kits generate custom trojans for stealing data and conscripting into C & C networks (botnets). — Finjan Web Security Trends Report Q2 2008.

Intel CPU Rootkit to be released

Tomorrow at 12pm EST, Joanna Rutkowska and Loic Duflot are publishing a paper and actual exploit code that works against Intel cache mechanisms. These attacks will allow privilege escalation to SMM (System Management Mode) space and are capable of deploying a rootkit that can take complete control of the machine. SMM space is out of reach of operating systems, and this attack cannot be detected or prevented by any current form of anti-virus software. SMM space is available on all Intel CPUs from as far back as the Intel 386.

This exploit has been reported to Intel on numerous occasions over the last few years. Loic reported it 3-4 months prior, back in October, and Intel’s own employees had made mention of it in documents as far back as 2005. To date, Intel has not provided any resolution to this vulnerability, and this is the main reason behind Joanna and Loic going the full disclosure route. Joanna mentions on her blog: “If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later.”

Intel did alert CERT back in October when Loic reported his findings; this was tracked under issue VU#127284.

You will find full details published at Joanna’s website, Invisible Things Kernel Security Blog.

Currently, there is no defense against this threat outside of using AMD or virtualization, or is there, Intel?

DNS Exploit at Black Hat

As Dan Kaminsky recently demonstrated at the Black Hat conference in Las Vegas, the DNS security flaw presents a serious vulnerability.  In case there was previously any doubt, he showed just how dangerous to internal networks and the internet at large it is to run un-patched DNS servers.  Even with the patch, the exploit is still possible, just extremely difficult.

The vulnerabilities are not limited to the web, but affect every type of internet service and traffic, including IM, telnet, email, and usenet. Every protocol uses DNS servers to locate servers and to communicate between servers and client computers. Even HTTPS (web sites using SSL – Secure Sockets Layer) would be affected because the Certificate Authorities who authenticate the certificates rely on DNS. Note that all major CAs have patched their DNS servers, but of course many sites use self-signed certificates.

Some services have already fallen prey to this exploit, with AT&T being the first publicized victim.  Actually, the victims were the people whose requests were directed to a bogus Google search site because of an un-patched AT&T DNS server.  Fortunately, the bogus site only hosted code to auto-click the adsense advertisements, creating extra revenue for the perpetrators.  It could have been worse, if for example the site had been created to infect visitors with drive-by infections or inducements to download crimeware.

The picture is not completely bleak.  Thanks in part to Kaminsky’s presentation, more organizations are taking the threat seriously and patching their servers.  Also, any SSH-based connections which had been made at least once prior to the exploit would warn users if new connection attempts were made to bogus sites, because of the way SSH keeps digital fingerprints of remote hosts.  So Secure Shell, sftp, scp, and SSH-based VPNs would at least warn users about the change in fingerprints, or deny the connection altogether, depending on the local configuration.
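The fingerprint check described above, sketched as an added example (not OpenSSH's code): pinned keys are read from a known_hosts-style line and compared with the key a server presents. The host name, the key bytes and the `strict` flag, which stands in for the local configuration, are constructed for illustration.

```python
import base64
import hashlib
import struct


def key_blob(key_type: bytes, raw: bytes) -> bytes:
    """SSH wire encoding: each field is a 4-byte big-endian length plus data."""
    return b"".join(struct.pack(">I", len(f)) + f for f in (key_type, raw))


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH's display form (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_known_hosts(text: str) -> dict:
    """Map host name -> set of pinned fingerprints.

    Handles plain 'host[,host] keytype base64' lines only; marker lines
    (@...) and hashed host names (|1|...) are skipped in this sketch.
    """
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@|":
            continue
        hosts, _key_type, b64 = line.split()[:3]
        for host in hosts.split(","):
            pins.setdefault(host, set()).add(fingerprint(base64.b64decode(b64)))
    return pins


def check_host(pins: dict, host: str, presented: bytes, strict: bool = True) -> str:
    """Classify the key a server presents: ok, unknown, warn or deny."""
    if host not in pins:
        return "unknown"   # never connected before: nothing to compare against
    if fingerprint(presented) in pins[host]:
        return "ok"
    return "deny" if strict else "warn"   # key changed since it was pinned


# Constructed sample data: made-up 32-byte values, not real host keys.
GOOD = key_blob(b"ssh-ed25519", bytes(range(32)))
ROGUE = key_blob(b"ssh-ed25519", bytes(range(32, 64)))
KNOWN_HOSTS = "git.example.test ssh-ed25519 " + base64.b64encode(GOOD).decode() + "\n"

if __name__ == "__main__":
    pins = load_known_hosts(KNOWN_HOSTS)
    for host, key in [("git.example.test", GOOD), ("git.example.test", ROGUE),
                      ("new.example.test", ROGUE)]:
        print(host, fingerprint(key), check_host(pins, host, key))
```

The `unknown` result is the gap the paragraph implies: a host that was never contacted before the redirect has no pinned fingerprint, so the check has nothing to compare.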

For anyone wishing to know whether or not the DNS server he or she is using has been patched, Dan has published an online DNS checker on his blog at http://www.doxpara.com/.