Security vendor Malwarebytes has reported that a new variation of an old password-stealing Trojan is out in the wild, but all is not as it may seem. Notably, this particular Trojan is signed with an apparently 'genuine' digital certificate that authenticates the file. Which rather prompts the question: "say what?" Or to put it another way, if the billion-dollar digital certificate and encryption market can't actually guarantee squat, then what's the point of it?

The Trojan, it appears, evades many security barriers by a system of spoofing: the criminal enterprise behind the scheme sets up a bogus company, which in turn obtains genuine, legitimate and otherwise perfectly valid digital certificates of trust from Digicert. "This allows the cybercriminals to slide an infected PDF file into a large number of organisations, since the certificate is the equivalent of the baggage checked tag on luggage as it is carried by an airline to its destination", warns Calum MacLeod, a director at security vendor Venafi, who continues: "in this case, everyone in the electronic chain takes the certificate – as they should – at its face value and the legitimate certificate authenticates the Trojan". MacLeod blames the trust management rather than the certificate authority schema in this case, explaining that "it is management and control flaws like this that undermine confidence in the structural status quo of Internet security – and this is not good for anyone, or any user, of the World Wide Web, email and other forms of IP communications".

Truth be told, this is nothing new. Certificate and Certificate Authority abuse has been far from hypothetical for some time. Equally, the inability of business to control trust is a rabbit that can no longer hide in the hat. If we are to continue along the road of depending upon both encryption and digital certification to help secure our data, then more effective trust management is required, and urgently. Heck, how many organisations have the faintest idea of the total number of keys and certificates that exist within their own networks? Or in the cloud? Or on the mobile devices they have deployed? Let alone understanding how these are being accessed and by whom.
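The point MacLeod makes, that a valid certificate is taken "at its face value", and the trust-management gap above, can be shown concretely. The following is an added example written for this page (not code from Malwarebytes, Venafi or Digicert), using only the Go standard library: a toy root CA issues a perfectly valid code-signing certificate to a constructed front company ("Bogus Co Ltd"), which signs a sample file. Chain validation and the signature both pass, yet a verifier that also keeps its own allowlist of vetted publisher keys still reports the publisher as unknown. The names Verify, mint, Demo and the certificate subjects are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Verdict keeps "the signature checks out" apart from "we trust this publisher".
type Verdict struct {
	ChainValid     bool // chains to a root the verifier was told to trust
	SignatureValid bool // the key in the certificate really signed the file
	PublisherKnown bool // SHA-256 of the signer's SubjectPublicKeyInfo is on our allowlist
}
// Verify checks the chain, the signature over the file, and our own publisher allowlist.
func Verify(file, sig []byte, leaf *x509.Certificate, roots *x509.CertPool, allow map[[32]byte]bool) Verdict {
	_, chainErr := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	pub, ok := leaf.PublicKey.(ed25519.PublicKey)
	return Verdict{ChainValid: chainErr == nil, SignatureValid: ok && ed25519.Verify(pub, file, sig),
		PublisherKnown: allow[sha256.Sum256(leaf.RawSubjectPublicKeyInfo)]}
}
// mint is a constructed demo helper that issues a certificate from a template.
func mint(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c
}
// Demo: a toy root CA issues a valid code-signing cert to a constructed front
// company, which signs a sample file; our allowlist has never heard of it.
func Demo() Verdict {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca := mint(caTmpl, caTmpl, caPub, caKey)
	coPub, coKey, _ := ed25519.GenerateKey(rand.Reader)
	leaf := mint(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Bogus Co Ltd"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca, coPub, caKey)
	file := []byte("constructed sample: the bytes of the signed PDF")
	sig := ed25519.Sign(coKey, file)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Verify(file, sig, leaf, roots, map[[32]byte]bool{}) // empty allowlist: nobody vetted this publisher
}
```

The useful signal for a defender is the gap between the first two fields and the third: a file that "validates" is not thereby a file from someone you have decided to trust.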

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Trust in digital certificates cannot be taken at face value.

I still do look at the Trust in Digital Certificates because it's hard not to trust the software company.

It's hard to separate the Real Digital Certificates from fake Digital Certificates.
