Trust in digital certificates cannot be taken at face value

happygeek

Security vendor Malwarebytes has reported that a new variation of an old password-stealing Trojan is out in the wild, but all is not as it may seem. Notably, this particular Trojan is signed with an apparently 'genuine' digital certificate, so the signature checks out and the file passes as authenticated. Bear in mind what a code-signing signature actually proves: that the holder of a particular key signed the file and that it has not been altered since, nothing more. It says nothing about whether the file is safe. Which rather prompts the question: "say what?" Or, to put it another way, if the billion-dollar digital certificate and encryption market can't actually guarantee squat, then what's the point of it?

The Trojan, it appears, evades many security barriers not by forging anything, but through a simple front: the criminal enterprise behind the scheme set up a bogus company, which in turn obtained genuine, legitimate and otherwise perfectly valid digital certificates of trust from DigiCert. "This allows the cybercriminals to slide an infected PDF file into a large number of organisations, since the certificate is the equivalent of the baggage checked tag on luggage as it is carried by an airline to its destination," warns Calum MacLeod, a director at security vendor Venafi, who continues, "in this case, everyone in the electronic chain takes the certificate - as they should - at its face value and the legitimate certificate authenticates the Trojan". MacLeod blames the trust management rather than the certificate authority scheme in this case, explaining that "it is management and control flaws like this that undermine confidence in the structural status quo of Internet security - and this is not good for anyone, or any user, of the World Wide Web, email and other forms of IP communications".

Truth be told, this is nothing new. Certificate and Certificate Authority abuse has been far from hypothetical for some time. Equally, the inability of business to control trust is a rabbit that can no longer be hidden in the hat. If we are to continue along the road of depending upon both encryption and digital certification to help secure our data, then more effective trust management is required, and urgently. Heck, how many organizations have the faintest idea of the total number of keys and certificates that exist within their own networks? Or in the cloud? Or on the mobile devices they have deployed? Let alone understanding how these are being accessed and by whom.
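To make the point in MacLeod's quote concrete, and to show what the "more effective trust management" asked for above can look like in practice, here is an added example written for this page (it is not code from Malwarebytes, Venafi, DigiCert or the Trojan's authors). It builds a throwaway code-signing CA, issues a perfectly valid certificate to a known vendor and another to a front company, has both sign the same file, and then runs two checks: the usual chain validation, which both pass, and an allow-list of approved signing keys (SPKI pins), which only the known vendor passes. The CA, the company names "Acme Software Ltd" and "Bogus Holdings Ltd", the payload and the helper names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SignedFile stands in for a signed download: payload, signer certificate and ECDSA signature over SHA-256(payload).
type SignedFile struct {
	Payload []byte
	Cert    *x509.Certificate
	Sig     []byte
}

// SPKIPin hashes the certificate's SubjectPublicKeyInfo: it identifies the signing key, not the name on the certificate.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ChainValid is where most software stops: the signature verifies and the certificate chains to a
// trusted root with the code-signing EKU. Anything a CA genuinely issued, to anyone, passes this.
func ChainValid(f SignedFile, roots *x509.CertPool) bool {
	digest := sha256.Sum256(f.Payload)
	pub, ok := f.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], f.Sig) {
		return false
	}
	_, err := f.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

// Trusted adds the layer the article says is missing: the signing key must also be one the organisation approved.
func Trusted(f SignedFile, roots *x509.CertPool, allowed map[string]bool) bool {
	return ChainValid(f, roots) && allowed[SPKIPin(f.Cert)]
}

// issue creates a certificate for pub signed by parentKey; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Build creates a CA, lets a known vendor and a front company each obtain a perfectly valid code-signing
// certificate from it, and has both sign the same file. Returns the files keyed by signer, the trusted
// roots and the organisation's allow-list. CA, company names and payload are constructed for this example.
func Build() (map[string]SignedFile, *x509.CertPool, map[string]bool, error) {
	now, payload := time.Now(), []byte("%PDF-1.4 constructed sample payload")
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	roots, allowed, files := x509.NewCertPool(), map[string]bool{}, map[string]SignedFile{}
	roots.AddCert(ca)
	for i, org := range []string{"Acme Software Ltd", "Bogus Holdings Ltd"} {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		cert, err := issue(&x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 2)), Subject: pkix.Name{CommonName: org},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		}, ca, &key.PublicKey, caKey)
		if err != nil {
			return nil, nil, nil, err
		}
		digest := sha256.Sum256(payload)
		sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
		files[org] = SignedFile{Payload: payload, Cert: cert, Sig: sig}
	}
	// Only the known vendor's key was ever approved; the front company's certificate is just as valid.
	allowed[SPKIPin(files["Acme Software Ltd"].Cert)] = true
	return files, roots, allowed, nil
}

func main() {
	files, roots, allowed, err := Build()
	if err != nil {
		panic(err)
	}
	for org, f := range files {
		fmt.Printf("%-20s chain valid: %-5v trusted: %v\n", org, ChainValid(f, roots), Trusted(f, roots, allowed))
	}
}
```

The thing to notice is that ChainValid cannot tell the two signers apart: DigiCert (or, here, the example CA) did exactly what a CA is for and bound a key to a company that really exists on paper. The allow-list in Trusted is the "trust management" the article is asking for, and it only works if the organisation knows which publisher keys it has decided to trust, which is precisely the inventory question raised above. Pinning the SPKI hash rather than the company name also means a second certificate issued to a look-alike name does not slip through.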

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011, despite my life being far from over...

LastMitch

Trust in digital certificates cannot be taken at face value.

I still do look at the trust in digital certificates because it's hard not to trust the software company.

It's hard to separate the real digital certificates from the fake digital certificates.
