Posts by Nick FitzGerald

5 publicly visible posts • joined 19 Aug 2008

Java code-execution vuln exploited in drive-by attack

Nick FitzGerald

Re: Research fail

"They introduced Web Start in Java 1.4, they updated it in 6u10. The question becomes, does this mean users of Java 5 are safe?"

Correct about initial release of JWS. The issue with 6u10, which introduced this "vulnerability by design" was that they made JWS more directly accessible, via the "Deployment Toolkit" ActiveX control (for IE) and the equivalent NPAPI plugin for (most) other browsers. This current exploit depends on the 6u10+ "improvement" in JWS functionality.

Indian politico's webmail hacked to punt lost-wallet scam

Nick FitzGerald

@ Anonymous John

I agree with you that the suggestion in the Reg article that "weak passwords" were the likely source of attack is actually much less likely than that Aiyar was phished. However, I disagree on the likely phishing method...

According to the linked Times of India article, it was Aiyar's personal Hotmail account at the heart of this story. Hotmail users are currently extremely heavily (if not almost exclusively) phished in the manner described in one of the Anonymous Coward comments about the father-in-law. That is, by Emails that purport to be from Hotmail admin staff and that ask their potential victims to reply to the Email with their username and password (and occasionally with other PI info), on threat that refusal will result in the account being cancelled.

Aside from being a security professional who sees this stuff every day, I've received very similar scam Emails from a friend-of-a-friend's Hotmail address which got phished just this way.

Nick FitzGerald

Correction to my previous comment

I said that the "Times of India" article said it was Aiyar's personal Hotmail account that was "hacked". I meant the "Indian Express" article...

GlobalSign revokes cert of rogue security app

Nick FitzGerald

GlobalSign needs to get its story straight...

According to the article, a GlobalSign statement said:

"Like all CAs [certificate authorities], GlobalSign vets a company within strict guidelines, but we cannot form an opinion on the software they sign with the issued certificate. While we cannot provide a guarantee around the quality of the software, the certificate does provide proof of which company is responsible for the software, and therefore provides traceability to any parties using that software. This traceability allows us to perform an appropriate investigation."

"The concept of code signing certificates from any CA, whoever they are, is designed to provide assurances of origin of the software, but cannot express that it is virus-free, bug-free or malware-free," it added.

Whilst this is, of course, entirely true -- valid signatures only "prove" that the item is signed by a "known entity" -- GlobalSign's web site suggests in several places, and at least once even outright claims something else, something more. For example:

https://www.globalsign.com/company/press/070207_code-signing.htm

"On the consumer side, ObjectSign gives those buying and downloading from the Web the confidence to acquire new software without the fear of potentially installing malware. The new security precautions also allow consumers to see where software originates and that the vendors are legitimate – on an ongoing basis this means that updates and new drivers can be seamlessly downloaded without undue delay, giving users free reign to maximise usage of their operating system and applications."

Old story -- marketing should actually talk to the tech folk so they know WTF gives.

Also, according to The Reg GlobalSign says that the LLC AJSBIRI cert has been revoked (several days ago now), yet my Windows Vista machine says that a .DLL signed with the cert Sunbelt reported to GlobalSign (same serial number per the screen shots in the Sunbelt blog entry) is still valid ("This certificate is OK." on the Certification Path tab). GlobalSign runs a CRL and OCSP so this Vista machine should be telling me that the cert is invalid/revoked (I don't know if Vista does CRL for GlobalSign certs -- anyone??).

So, can anyone actually confirm that GlobalSign has revoked this cert, or does it just claim to have revoked it?

Nick FitzGerald

re: I See (By Peter)

"Don't trust Global Sign, they can't vet for sh*t,"

Now, now -- "GlobalSign vets a company within strict guidelines" according to their own statement. If you dig around their web site a bit you find a document describing this strenuous process, but loosely for a code-signing cert (which is at issue here) it involves filling in a form and sending them copies of your national ID card (or similar for non-EU folk -- driver's license maybe??, passport), business registration papers and such.

Ohh, and of course, paying the fee...

"Simple enough, trust Verisign, the money saved just came back to cost you."

That would be the same VeriSign that issued TWO -- not one, but two -- bogus Microsoft certs DESPITE having extra special additional procedures in place as part of its issuing process for any certs in Microsoft's name?

Yeah, those VeriSign folk REALLY know how to vet!

One has to wonder how come, after that, MS kept their certificate business with VeriSign and did not revoke VeriSign's status as a default root CA the following Patch Tuesday... They certainly deserved worse for that lapse...

And although I don't have the data readily at hand, I seem to recall there have been previous instances of signed malware using valid VeriSign certs, so I don't think I'll be taking your advice...