NEWS - September 06, 2011

Operation Black Tulip: Fox-IT's report on the DigiNotar breach

Fox-IT, the security auditors hired to investigate the compromise of DigiNotar, the digital certificate authority that signed fraudulent certificates for Google, the CIA and others, released their preliminary findings this afternoon.

It's at least as bad as many of us thought. DigiNotar appears to have been totally owned for over a month without taking action, and they waited another month to take necessary steps to notify the public.

Fox-IT's report shows that the initial compromise appears to have occurred on June 17th, 2011. On the 19th DigiNotar noticed the incident, but doesn't appear to have done anything about it.

The first rogue certificate (as far as we know), *, was issued on July 10th, 2011. All of the other 530 rogue certificates were issued between July 10th and 20th.

There are several very disturbing conclusions about security at DigiNotar and the investigation isn't even complete yet:

1. All of the certificate servers belonged to one Windows domain, allowing the compromise of one administrator account to control everything.

Continued :

DigiNotar breach due to disastrous security - Update
Inside 'Operation Black Tulip': DigiNotar hack analysed
Iran IP addresses compromised by DigiNotar SSL hack
- Collapse -
DigiNotar Hacker Comes Out

From F-Secure Antivirus Research Weblog:

Almost from the beginning of the DigiNotar CA Disaster (report here), we had a reason to believe the case was connected to "ComodoGate" - the hacking of another Certificate Authority earlier this year, by an Iranian attacker.

This connection has now been confirmed.

After ComodoGate, the hacker - who called himself ComodoHacker - sent a series of messages via his Pastebin account. Then at the end of March 2011, it went silent. We've been keeping an eye on it, just in case the attacker will post something related to the Diginotar case.

And he just did. [Screenshot]

In his latest post, ComodoHacker claims that he is the one that hacked DigiNotar as well. He also claims he still has access to four other "high-profile" CAs and is still able to issue new rogue certificates (including code signing certificates).

As a proof to show that he really did infiltrate DigiNotar, he shares the domain administrator password of the CA network: Pr0d@dm1n. DigiNotar would be able to confirm if this was accurate or not.

The same hacker seems to be active on Twitter as well, under the nickname "ich sun" at @ichsunx2.

Continued :

Claimed DigiNotar hacker: I have access to four more CAs
Comodo Hacker Claims Credit for DigiNotar Attack

- Collapse -
BitDefender Safego scans Twitter for potential threats

Security firm BitDefender has launched security software for micro-blogging service Twitter that will identify which of a user's contacts are a security threat.

BitDefender Safego, which is currently in beta, features a Contact Safety Rainbow that trawls your followers and gives them one of four colour ratings based on their threat levels. For example, any followers flagged as red are considered highly suspicious and may be spreading malware, spam or are being used for phishing. However, those marked as green are safe.

Furthermore, once installed the app will continue to scan your account and notify you by direct message of any threats. However, a Scan on Demand feature means you can check an account before you start following it.

Bitdefender Safego will also scan direct messages for spam and malicious links, as well as messages sent as a result of account highjacking.

Continued :

Also: Hands on with Twitter security app

- Collapse -
New fraud software distribution stratagem via spam email

"New fraud software distribution stratagem via spam email impersonating government agencies"

After the blog entry on spam emails impersonating the FBI to distribute W32.FakeFBIVariantovLT.Trojan, we have discovered a new fraud software distribution stratagem which uses spam email faking the New York State Police. The email, sent from email address at domain name, informs the receiver that he was speeding at 7:25 am on July 5. It then requests that the receiver print out the enclosed ticket and send it to the court if he wants to plead. [Screenshot]

The receiver may not even have been in New York at the time mentioned. He still opens the attached file, either out of a desire to plead or simply out of curiosity. When extracted, the file appears with the icon of a PDF file. It is actually a trojan. Once run, the trojan connects to several different addresses and downloads many other pieces of malware, which lowers the security level of the system.

One of the downloaded pieces of malware is detected as W32.FakeHddRepair.Trojan by Bkav. Like FakeFBIVariantovLT.Trojan, FakeHddRepair.Trojan constantly displays notifications of hard drive errors: [Screenshot]

Continued :

- Collapse -
Sleazy slutty emails bombard inboxes, carrying malware

As many North Americans return to their offices after a long Labor Day weekend, they may find something unpleasant in their email inboxes.

A malware campaign has been widely distributed over the last couple of days, using a wide variety of different subject lines and attachment names.

There's one thing in common between all the emails, however. All of the emails use sleazy slutty language to trick red-blooded men (we assume) into opening the attached file.

The many different messages claim to come from what some would euphemistically describe as online "dating" websites. Typically the emails will claim to contain photos of a young woman in her twenties, who isn't fussy about what kind of man she would like to hook up with (some say ages "between 21-99" are fine).

Continued :

- Collapse -
Microsoft Revokes Trust in Five DigiNotar Root Certs

The fallout from the DigiNotar compromise continued on Tuesday, as Microsoft said it has now revoked its trust of all five of the certificate authority's root certificates. The update that makes this change is being pushed out to users on all supported versions of Windows.

The move by Microsoft effectively makes any certificate that has been issued by DigiNotar untrusted by Internet Explorer and other Windows applications. Any IE user who visits a site that presents a DigiNotar-issued certificate as proof of identity will get an error message telling him that the certificate isn't trusted. Microsoft's change applies to these root certificates from DigiNotar:

• DigiNotar Root CA
• DigiNotar Root CA G2
• DigiNotar PKIoverheid CA Overheid
• DigiNotar PKIoverheid CA Organisatie - G2
• DigiNotar PKIoverheid CA Overheid en Bedrijven

The software giant said that it has continued to investigate the DigiNotar attack and work with other certificate authorities and software vendors as they all look for viable solutions to what has become a huge problem. Also on Tuesday, responding to claims by the hacker who has taken credit for the DigiNotar attack that he also has compromised several other high-level CAs, GlobalSign, one of the CAs mentioned, said it is aware of the claim and is looking into it.

The company posted a message on its corporate Twitter feed, saying: "We are aware of the Comodo hacker BLOG that claims access to a number of major CAs including #GlobalSign. We are taking this claim seriously and are investigating."


SEE Below Post Within Stickie / Thread Titled - "Microsoft Security Advisory (2607712)" :

Microsoft Updates Security Advisory 2607712

- Collapse -
Microsoft revokes certs from Windows, Mac users vulnerable

"Microsoft revokes DigiNotar certificates from Windows, Mac users still vulnerable"

Microsoft have just released an update to security advisory 2607712 permanently moving all five of DigiNotar's root certificates to the "revoked" certificate store.

How is this different than the previous update Microsoft released?

1. It provides protection for all supported versions of Windows (XP, 2003, Vista, 2008, 7 and 2008R2).

2. It covers all five root certificates owned by DigiNotar. The previous release only blocked two.

3. Users are no longer presented with a certificate warning, they are prevented from accessing sites with SSL certificates issued by DigiNotar.

The third point is a particularly important one. Previously users were presented with a dialog asking them if they wish to proceed (which most users click through) as seen below. [Screenshot]

Considering the risk involved with these compromised certificates Microsoft has taken the additional step of fully revoking them. This prevents the user from clicking through, effectively blocking all access to sites using DigiNotar keys. [Screenshot]

All Windows users using automatic updates will apply this update and no reboot is required. What about the users in the Netherlands? Won't they be prevented from accessing a lot of secure websites with legitimate certificates from DigiNotar?

Yes. Microsoft has worked with the Dutch authorities to delay the rollout of this update to users in the Netherlands and their territories until next Tuesday (Patch Tuesday coincidentally).

This will give the many .nl websites an opportunity to replace their DigiNotar certificates with something more trustworthy. Users in the Netherlands will not be prevented from applying the update, it simply won't automatically apply until next Tuesday.

What about Apple users? Well, apparently they are too busy playing Angry Birds and making pictures in Photoshop to worry about pesky certificate issues.

My advice if you run a Mac? Use BootCamp and Windows 7 until Apple decides to provide a patch. Or I guess you could use Firefox or Chrome... your choice.
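The post above describes the update moving all five DigiNotar roots into the Windows "revoked" (Untrusted Certificates) store. The following PowerShell check is an added example, not code from Microsoft, the advisory or the article: it reads the Trusted Root and Disallowed stores on the local machine and reports whether each of the five root names listed in the earlier post is present in Disallowed and absent from Trusted Root. It assumes the root names as quoted in this thread match the common names Windows reports for those certificates, and that the hardened state is "in Disallowed, not in Root"; the store paths `Cert:\LocalMachine\Root` and `Cert:\LocalMachine\Disallowed` are the standard certificate-provider paths.

```powershell
# Added example (assumed layout, not the advisory's own tooling): verify that the
# five DigiNotar roots are distrusted on this host after advisory 2607712.
# Run from an elevated PowerShell session; use -Location 'CurrentUser' to check
# the per-user stores instead.

# Root names as quoted in the advisory post above (assumed to match the CN
# Windows reports for each certificate).
$DigiNotarRoots = @(
    'DigiNotar Root CA',
    'DigiNotar Root CA G2',
    'DigiNotar PKIoverheid CA Overheid',
    'DigiNotar PKIoverheid CA Organisatie - G2',
    'DigiNotar PKIoverheid CA Overheid en Bedrijven'
)

function Get-DigiNotarStoreStatus {
    param([string]$Location = 'LocalMachine')
    $stores = @{
        Trusted    = "Cert:\$Location\Root"        # Trusted Root Certification Authorities
        Disallowed = "Cert:\$Location\Disallowed"  # Untrusted Certificates ("revoked" store)
    }
    foreach ($storeName in $stores.Keys) {
        Get-ChildItem -Path $stores[$storeName] -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'DigiNotar' } |
            ForEach-Object {
                # SimpleName yields the CN, so names can be compared exactly
                # rather than by substring (the "Overheid" names overlap).
                $cn = $_.GetNameInfo(
                    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                    $false)
                New-Object PSObject -Property @{
                    Store      = $storeName
                    CommonName = $cn
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$status = @(Get-DigiNotarStoreStatus -Location 'LocalMachine')
$status | Format-Table Store, CommonName, Thumbprint, NotAfter -AutoSize

# A DigiNotar root still in Trusted Root, or one of the five missing from
# Disallowed, means the update has not fully taken effect in this store.
$stillTrusted = @($status | Where-Object { $_.Store -eq 'Trusted' })
$missing = @($DigiNotarRoots | Where-Object {
    $name = $_
    -not ($status | Where-Object { $_.Store -eq 'Disallowed' -and $_.CommonName -eq $name })
})

if ($stillTrusted.Count -gt 0 -or $missing.Count -gt 0) {
    Write-Warning ("DigiNotar distrust incomplete. Still trusted: {0}; missing from Disallowed: {1}" -f
        ($stillTrusted | ForEach-Object { $_.CommonName }) -join '; ',
        ($missing -join '; '))
} else {
    'All five DigiNotar roots are in the Disallowed store and none remain in Trusted Root.'
}
```

Because Windows also consults the Disallowed store when building chains for Internet Explorer and other CryptoAPI-based applications, a root present there is what produces the hard block described above rather than the click-through warning; a machine that shows a DigiNotar root only in Trusted Root is still in the pre-update state.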

- Collapse -
Rent-a-Bot Networks Tied to TDSS Botnet

Criminals who operate large groupings of hacked PCs tend to be a secretive lot, and jealously guard their assets against hijacking by other crooks. But one of the world's largest and most sophisticated botnets is openly renting its infected PCs to any and all comers, and has even created a Firefox add-on to assist customers.

The TDSS botnet is the most sophisticated threat today, according to experts at Russian security firm Kaspersky Lab. First launched in 2008, TDSS is now in its fourth major version (also known as TDL-4). The malware uses a "rootkit" to install itself deep within infected PCs, ensuring that it loads before the Microsoft Windows operating system starts. TDSS also removes approximately 20 malicious programs from host PCs, preventing systems from communicating with other bot families.

In an exhaustive analysis of TDSS published in June, Kaspersky researchers Sergey Golovanov and Igor Soumenkov wrote that among the many components installed by TDSS is a file called "socks.dll," which allows infected PCs to be used by others to surf the Web anonymously.

"Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month," the researchers wrote. "For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser."

Continued :

Related : TDL-4 Indestructible or not???

CNET Forums