We recently received two malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate. The discovery of these utilities was isolated to a single source. As soon as we verified the signatures, we immediately decommissioned the existing Adobe code signing infrastructure and initiated a forensics investigation to determine how these signatures were created. We have identified a compromised build server with access to the Adobe code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate. This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications* that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms.
Enterprise Wi-Fi networks can keep using WPA2 security safely, despite a recent Defcon exploit that has been widely, but wrongly, interpreted as rendering it useless.
The exploit successfully compromised a legacy authentication protocol, MS-CHAPv2, which was created by Microsoft years ago. But the vulnerabilities of this protocol (and other similar ones) are well known, and Wi-Fi Protected Access 2 makes use of additional mechanisms to protect against them. That protection is still in force, according to both the Wi-Fi Alliance and a wireless architect, who blogged in depth on this issue after the Defcon exploit was reported.
In the wake of the Defcon demonstration, enterprises were being urged by some to abandon MS-CHAP, the Protected Extensible Authentication Protocol (PEAP), WPA2 or all of the above. None of that is necessary. The Wi-Fi Alliance has reviewed the chapcrack tool and cloudcracker service announced last week at Defcon 20 and these tools do not present an exploitable vulnerability in Wi-Fi CERTIFIED products, according to a statement issued by the Wi-Fi Alliance, via Kelly Davis-Felner, the WFA marketing director. These tools exploit previously documented weaknesses in the use of Microsoft CHAP (MS-CHAP). All uses of MS-CHAP in WPA2 are protected by the Transport Layer Security (TLS) protocol. TLS is the same strong cryptographic technology that protects all online e-commerce transactions. TLS prevents interception of the MS-CHAP messages used in WPA2 Enterprise and effectively protects against attacks using chapcrack or cloudcracker.
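The TLS protection described above only holds when the client (supplicant) actually verifies the RADIUS server's certificate before sending MS-CHAPv2 inside the tunnel; a client with no trusted CA configured will complete the TLS handshake with whatever server answers. The following is an added example, not from the article or the Wi-Fi Alliance statement, showing a weak and a hardened wpa_supplicant network block for PEAP/MS-CHAPv2; the SSID, identity, password, CA certificate path and RADIUS host name are placeholders.

```ini
# Weak: PEAP with MS-CHAPv2 but no CA certificate configured.
# A TLS tunnel is still built, but the supplicant cannot distinguish the
# real RADIUS server from any other server presenting a certificate, so
# the MS-CHAPv2 exchange is only as protected as that unverified tunnel.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# Hardened: same inner method, but the server certificate must chain to
# the organisation's RADIUS CA and carry the expected host name, so the
# MS-CHAPv2 messages are only ever sent to the legitimate server.
# ca_cert and domain_suffix_match values below are placeholders.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

Auditing managed client profiles for a missing CA setting (or a setting that trusts any certificate) is the practical check that the TLS protection the statement relies on is actually in effect.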
A hacking expert has launched a $200 password-cracking tool that makes it easy to decipher Internet traffic sent through a widely used method for securing business communications. Moxie Marlinspike, one of the world’s top encryption experts, unveiled the tool on Saturday during a presentation at the Def Con hacking conference in Las Vegas. Marlinspike said he developed the service, CloudCracker.com, by taking advantage of a vulnerability he discovered in a widely used virtual private network technology known as point-to-point tunneling protocol. Virtual private networks, or VPNs, scramble traffic as it travels between a PC and its final destination so that the data is useless to hackers if they eavesdrop on those communications. But Marlinspike provides clients with a tool that analyzes captured data streams and creates a data file that they upload to his website. He then runs that through code-cracking computer programs that figure out a password that will unscramble the protected communications. He delivers that to clients within 24 hours.
A hacker group called D33D is claiming to have accessed more than 453,000 logins from Yahoo. The group says it used a union-based SQL injection to access an unidentified Yahoo service to retrieve the data, which it says was unencrypted, and has posted it online. “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” says D33D in a statement. “There have been many security holes exploited in Web servers belonging to Yahoo that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”