

Inappropriate Use of Adobe Code Signing Certificate - jjguy
http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html

======
FireBeyond
I was impressed by the detail and level of disclosure in this post. Very
little PR speak, very little vagueness and handwaving - Adobe acknowledged the
severity and demonstrated how important they viewed their response.

I have to give a nod of admiration for the professionalism of their handling
of such a situation.

~~~
SpikeGronim
My favorite part is that they shut off their code signing infrastructure
"within minutes". Good job Adobe! They are also saying that the root cause was
essentially "somebody didn't follow procedures for setting up secure build
servers, and we didn't catch it." Such a typical security threat: humans doing
the wrong stuff.

~~~
mparlane
Get rid of humans: problem solved.

At least that's what the singularity will think.

------
ghshephard
I wonder how many sub $100million non-security-focussed companies

      A) Properly use an HSM at the root of their PKI.  (Following 
         all the procedures for sharding their XofY control of the device)

      B) Have "corporate standards for a build server"

      C) Routinely audit their build servers to ensure they adhere 
         to those corporate standards.

At least the HSM limited the damage to the compromised servers and, of course,
all the code that got signed in the interim.

~~~
gsibble
Most small companies cannot afford to invest the time into this kind of thing
(obviously).

~~~
ximeng
B and C could be something as simple as having a VM with a standard set of
build tools and checking nothing else has been added, which should be in reach
of even small companies.

~~~
alexchamberlain
Perhaps storing a hash of the VM's hard disk?
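
The "standard VM plus check nothing else has been added" idea from the two comments above, as an added example that is not from the thread or from Adobe: a per-file SHA-256 manifest of the build image is taken when the image is stood up to the corporate standard, and each audit rebuilds the manifest and diffs it against that baseline. A single hash of the whole disk (the suggestion just above) answers only "did anything change?"; a manifest also says what changed, which is what an auditor needs to tell a log rotation from a replaced compiler. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; every non-empty list is a deviation from the standard image."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def is_clean(report):
    """True when the audited image still matches its baseline exactly."""
    return not (report["added"] or report["removed"] or report["modified"])


def demo():
    """Constructed scenario: baseline a tiny 'build image', then alter it and audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Hypothetical toolchain wrapper and signing helper, contents made up.
        (root / "bin" / "cc").write_bytes(b"#!/bin/sh\nexec /usr/bin/gcc \"$@\"\n")
        (root / "bin" / "signtool").write_bytes(b"#!/bin/sh\necho sign \"$@\"\n")
        baseline = build_manifest(root)

        # Simulated drift: the compiler wrapper is replaced and an extra library appears.
        (root / "bin" / "cc").write_bytes(b"#!/bin/sh\nexec /opt/other/gcc \"$@\"\n")
        (root / "bin" / "extra.so").write_bytes(b"\x7fELF constructed placeholder")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    report = demo()
    print("clean" if is_clean(report) else f"deviations: {report}")
```

In practice the baseline manifest would be produced on the golden image, signed, and kept off the build host, so that a compromised server cannot rewrite its own reference; the audit then runs from a separate, trusted machine against the VM's disk.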

------
0xdecaff
Having just looked at Adobe 'cracks' recently for CS5 and CS6, I wonder why
these entries (destined for the HOSTS file) are there:

    127.0.0.1 crl.verisign.net
    127.0.0.1 tss-geotrust-crl.thawte.com

The cracks work by replacing a DLL but also by blocking connections to all the
servers it thinks are activation servers (key validation). I tested removing
these CRL entries and the software had no issues. Just speculating wildly, but
maybe this was a planned attack a long time coming (given that these entries
have existed since CS5).

~~~
eli
I don't follow; how is a crack for Adobe software related to breaking into an
Adobe build server?

