Downclimb: Summit Route’s Weekly Infosec News Recap
2014.10.03 – 2014.10.10: https://SummitRoute.com

Top stories

HP code signed malware

Brian Krebs reports on how HP accidentally signed some malware. The code signing cert was not compromised, but they still have to revoke their certificate which means they need to try to re-sign all their old files with a new certificate. This creates a big mess and is more awkward because it’s supposedly only one piece of malware that was accidentally signed. Initially you would think that under this circumstance you could “revoke” only that one mistakenly signed file, but that is not possible. It’s all or nothing. Companies such as Adobe actually sign each product line (and sometimes major version) with a different certificate, so for example, there is an “Adobe Reader XI” certificate and an “Adobe Flash” certificate. This makes it easier to keep deal with situations like this, but at the expense of needing to keep track of more certificates. I don’t know if HP was using a similar process at the time of the malware being signed. The certificate in question was used by HP from May 26, 2010 to December 18, 2011, so this signed piece of malware has been around for a few years.

• http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/

Windows 10 updates will not be constrained to Patch Tuesday

The second Tuesday of each month is Patch Tuesday, when Microsoft releases it’s patches for Windows. In Windows 10, consumers (and businesses that opt-in) will receive patches as soon as they are available instead of having to wait until Patch Tuesday. Microsoft has done out-of-band patches previously, but they needed to be installed manually, so this is different in that it will be automatic.

• http://blogs.windows.com/business/2014/09/30/introducing-windows-10-for-business/

ATM malware

Kaspersky discovered malware, called Tyupkin, that infects ATM’s. It’s important to point out that the attackers install the malware via a bootable CD. It has always been the case that if you can get physical access to a system, you can own it. So the interesting question then becomes why did the attackers go this route? It seems to be so that they could repeatedly rob the ATM, which begs the question as to how the bank running the ATM didn’t notice something was amiss when the malware was installed (shouldn’t an alarm go off when the ATM is opened?), or after the ATM was robbed the first time?

• https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

Business

• Symantec splitting up: Symantec is splitting into two companies: One focused on cyber-security and the other focused on data-storage. Symantec joins HP and eBay who have also recently announced they are splitting their businesses into separate companies.

Other reads

• BERserk vuln Part 2
• Vulnerability in Cuckoo Sandbox
• MBIA (the largest US bond insurer) had all of it’s customers’ account information online
• FireEye now supports OS X
• List of POS malware families
• Bug in Bugzilla exposes potentially unfixed vulnerabilities