December 22, 2014

In Brief: Microsoft, Google and Mozilla all block digital certificate issued by intermediate certificate authority of TURKTRUST

turktrust_logo(LiveHacking.Com) –  Microsoft, Google and Mozilla have all removed the trust of certificates issued by an intermediate certificate authority (CA) linking back to TURKTRUST Inc. What has happened is that TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org), the first of which was used to issue a fraudulent digital certificate for *.google.com.

Intermediate CA certificates carry the same authority as CA, so anyone who has one can use it to create a certificate for any website. Fraudulent certificate can be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

“TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” wrote Google.

Google is also considering an update to Chrome which will no longer indicate Extended Validation status for certificates issued by TURKTRUST. Mozilla has suspended the TURKTRUST root certificate. TURKTRUST subsequently asked Mozilla to include a newer root certificate and their request was initially approved. However, due to the mis-issued  intermediate CA certificates, Mozilla has decided to suspend inclusion of the new root certificate for now.

Many Android apps open to man-in-the-middle attacks due to weak SSL usage

After injecting a virus signature database via a MITM attack over broken SSL, the AntiVirus app recognized itself as a virus and recommended to delete the detected malware.

Security researchers from the Leibniz University of Hanover and the computer science department at the Philipps University of Marburg have tested 13,500 popular free Android apps and found that 8.0% of these apps contain SSL/TLS implementations that are vulnerable to  Man-in-the-Middle (MITM) attacks.

The researchers created a tool called MalloDroid which is designed to detect potential vulnerabilities against MITM attacks. The tool performs static code analysis to analyze the networking API calls and extract valid HTTP(S) URLs, check the validity of the SSL certificates of all the extracted HTTPS hosts; and  identify apps that contain non-default trust managers. Running the tool on the 13,500 samples showed that 1,074 of the apps exhibited some kind of potential vulnerability.

From this 1,074 app a further 100 apps were picked for manual audit to investigate different SSL problem  including the accepting of all SSL certificates regardless of their validity. This manual audit revealed that 41 of the apps were vulnerable to MITM attacks due to SSL misuse.

A particularly embarrassing case the researchers found that the Zoner AntiVirus app updated its virus signatures via a broken SSL connection. As the developers considered the connection to be secure and couldn’t be tampered with there is no built-in verification or validation of the signature files downloaded. This meant that the team was able to insert its own signatures files. In one test they added the signature for the anti-virus app itself. The app then proceeded to recognize itself as malware and recommended that itself be to deleted. The Zoner AntiVirus app has been downloaded more than 500,000 times!

By the end of their research the team had managed to capture credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts.

The total cumulative number of installs of all the MITM vulnerable apps is between 39.5 and 185 million users, according to the download numbers from Google’s Play Store.

Adobe’s internal build server hacked, needs to revoke certificate

(LiveHacking.Com) – Adobe has discovered that its internal code signing infrastructure was breached and used to sign to malicious programs to make them appear like genuine Adobe files. The security breach happened back in July and as a result Adobe will revoke the certificate for all software code signed after July 10, 2012. This will happen on October 4th, in the mean time Adobe is in the process of issuing updates signed using a new digital certificate for all affected products.

Once the breach was discovered and the signatures verified, Adobe immediately decommissioned its existing code signing infrastructure and initiated a forensics investigation to determine how the signatures were created.

The first, of the two malicious files signed with Adobe’s certificate, is called pwdump7 v7.1, it extracts password hashes from the Windows OS. The second malicious utility, myGeeksmail.dll, is thought to be a malicious ISAPI filter. However it doesn’t appear to be publicly available.

“Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk,” wrote Adobe security chief Brad Arkin.

The revocation of the certificate affects only the Windows platform and three Adobe AIR applications (Adobe Muse, Adobe Story AIR applications and Acrobat.com desktop services). However the revocation does not impact any other Adobe software for Macintosh or other platforms. Adobe has informed its partners of the incident including participants in the Microsoft Active Protections Program (MAPP) who have received samples of the falsely signed programs.

The hacked server

Adobe has identified a compromised build server that required access to the code signing service as part of the build process. However the compromised server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service. During its initial investigation, Adobe has discovered malware on the server and the probable mechanism used to gain access.

“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software,” added Arkin. “The build server had no access to Adobe source code for any other products and specifically did not have access to any of Adobe’s ubiquitous desktop runtimes such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR.”

No Critical priority vulnerabilities to be fixed by Microsoft for September’s Patch Tuesday

(LiveHacking.Com) – Microsoft has issued its advanced nofiticaton outlining the security bulletins that it will release for September’s Patch Tuesday. This month’s release will only contain two bulletins, both of which have the severity ratings of important. The bulletins affect Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1, Microsoft Systems Management Server 2003 Service Pack 3 and Microsoft System Center Configuration Manager 2007 Service Pack 2. Both bulletins address elevation of privileges vulnerabilities.

Microsoft has also published a heads-up concerning the minimum key length of  Public Key Infrastructure (PKI) certificates. Microsoft is increasing the requirement for certificates used in PKI to an RSA key length minimum of 1024 bits. In June, Microsoft  announced the availability of an update to Windows (via the Download Center as well as the Microsoft Update Catalog) that restricts the use of certificates with RSA keys less than 1024 bits in length. Microsoft is now planning to release this update through Microsoft Update in October, 2012.

“By raising the bar of our certificate requirements, as part of our ongoing work to evaluate Microsoft’s security efforts and make improvements, we aim to help create a safer more trusted Internet for everyone,” wrote Angela Gunn on the Microsoft Security Response Center blog.

“We recommend that you evaluate your environments with the information provided in Security Advisory 2661254 and your organisation is aware of and prepared to resolve any known issues prior to October,” continued the post.

The release of September’s bulletins is scheduled for Tuesday, September 11, 2012.

Untrusted SSL Certificate on MasterCard Australia Website

[UPDATE:  MasterCard has fixed the issue]

(LiveHacking.Com) – It appears as if one part of the MasterCard Australia Website has not been audited recently as it is using an untrusted digital certificate. The error was noticed on the https://migs.mastercard.com.au/ site when a Mastecard customer was trying to pay for some insurance.

Since this is a financial site which processes financial transactions, the certificate on the site should be one globally recognized. Without a valid certificate any user of the service can not be sure that the site hasn’t been spoofed or hijacked in some way.

A copy of the exported certificate can be downloaded from here.

Flame Malware Using Unauthorized Microsoft Certificates

(LiveHacking.Com) – Microsoft has released a security advisory outlining how components of the Flame malware have been signed by unauthorized Microsoft certificates. The result is that the signed components appear as if they were produced by Microsoft.  The problem originates with an older cryptography algorithm that can be exploited and then be used to sign code. Specifically, Microsoft’s Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in the enterprise, used the older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

To fix the problem Microsoft has done three things: First, it released another security advisory outlining steps users can take to block software signed by these unauthorized certificates. Second, it released a software update that automatically takes this step and third, the Terminal Server Licensing Service has been changed to no longer issues certificates that allow code signing.

Microsoft’s update, which  is available through Windows Update and Automatic Updates, revokes three intermediate certificate authorities, pushing the following certificates into the “Untrusted Certificates Store”:

  • Microsoft Enforced Licensing Intermediate PCA (2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70) – Issued by Microsoft Root Authority
  • Microsoft Enforced Licensing Intermediate PCA (3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08) – Issued by Microsoft Root Authority
  • Microsoft Enforced Licensing Registration Authority CA (SHA1) (fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97) – Issued by Microsoft Root Certificate Authority

Microsoft is also concerned that the same technique could have been used by other types of malware. “Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks.  Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers,” wrote Jonathan Ness from Microsoft Security Response Center.

Mozilla Sends Another Message to Certificate Authorities

(LiveHacking.Com) – Mozilla has sent an email to all certificate authorities in the Mozilla root program to reiterate that the issuance of subordinate CA certificates for the purposes of SSL man-in-the-middle interception or traffic management is unacceptable. Mozilla has asked the CAs to revoke any such certificates by April 27, 2012. After that date, if it is found that a subordinate CA is being used for MITM, Mozilla could remove the corresponding root certificate from the Mozilla root program. This would mean the applications like Mozilla FireFox wouldn’t accept the certificate when presented.

“We made it clear that this practice remains unacceptable even when the intended deployment of such a certificate is restricted to a closed network,” said Johnathan Nightingale, Senior Director of Firefox Engineering.

Mozilla also reinforced the the Certificate Authorities responsibilities reminding them that they are accountable for every certificate they sign, directly or through its subordinates.

This isn’t the first time Mozilla has asked CAs to be more responsible. In September 2011 Mozilla sent a message to all the certificate authorities (which participate in the Mozilla root certificate program) requesting that they complete an audit of their PKI systems. This call to review and confirm the integrity of their certificate systems came after Mozilla removed the DigiNotar root certificate in response to its failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates.

Another Dutch CA Hacked?

(LiveHacking.Com) – Gemnet, a subsidiary of KPN (a leading telecommunications and ICT service provider in The Netherlands), has taken its website offline to investigate a possible hack. Hacked websites are not a rarity today, however according to Webwereld the hack is related to CA certificates.

In response to these allegations KPN issued a statement saying that the suggestions that there is a connection between the hack and creation of certificates is true. “The hack of the site has no connection with the issuance and management of Government PKI certificates.

Despite the statement issued by KPN,  a second website belonging to a subsidiary of the telecommunications  company that also issues digital certificates to the Dutch government was also taken down.

According to the original Webwereld article by Brenno de Winter, the attack was launched through a PHP MyAdmin account that didn’t have a password. The attacker then used the database to create files including executable scripts.

Stolen Certificate Used to Sign Malware

(LiveHacking.Com) –  A certificate stolen from the Malaysian Agricultural Research and Development Institute, which was taken “quite some time ago”, has turned up as the digital signature used on a piece of malware known as Trojan-Downloader:W32/Agent.DTIW.

The malware, which spreads via malicious PDF files that install it after exploiting holes in Adobe Reader 8, downloads additional malicious components from a server called worldnewsmagazines.org.

By using a private signing certificate that belongs to the Malaysian government the malware is able to bypass the warnings issued by Windows about untrusted software.

According to F-Secure, who discovered the malware signed with the a stolen certificate:

It’s not that common to find a signed copy of malware. It’s even rarer that it’s signed with an official key belonging to a government.

The use of digital certificates and the role of Certificate Authorities (CA) continues to be a hot topic following several well publicized security breaches (Diginotar and Comodo) and the subsequent revoking of fraudulently issued certificates.

DigiNotar Officially Bankrupt

(LiveHacking.Com) – The American parent company of the Dutch certificate authority (CA) DigiNotar has announced that DigiNotar is now officially bankrupt. VASCO Data Security International filed DigiNotar’s voluntary bankruptcy in the Haarlem District Court, The Netherlands at the beginning of this week and one day later the CA was officially declared bankrupt. A bankruptcy trustee, under the supervision of a judge, has now taken over the management of DigiNotar and will work to liquidate the company.

The Dutch government stepped in and took over DigiNotar after it was discovered that the company had been hacked and had been used to issue fake SSL certificates for various major sites, including Google, Mozilla, the CIA, MI6 and Mossad.

T. Kendall Hunt, VASCO’s Chairman and CEO said in a statement, “we would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO’s core authentication technology.”

“We want to emphasize that the bankruptcy filing by DigiNotar, which was primarily a certificate authority, does not involve VASCO’s core two-factor authentication business,” added Jan Valcke, VASCO’s President and COO.

It was DigiNotar’s failure to be upfront about the security breach which was the main reason it lost all credibility. Having suffered the breach, weeks went past before it started to inform the different domain name owners about what happened. Also the serial numbers for the issued certificates could not be found in DigiNotar’s records. This led to the conclusion that an unknown number of certificates were issued, probably more than 500.

“We are working to quantify the damages caused by the hacker’s intrusion into DigiNotar’s system and will provide an estimate of the range of losses as soon as possible,” said Cliff Bown, VASCO’s Executive Vice President and CFO.