
SoylentNews is people

posted by Fnord666 on Sunday February 25 2018, @08:29AM
from the broken-strands-in-the-web-of-trust dept.

Arthur T Knackerbracket has found the following story:

The Stuxnet worm that targeted Iran's nuclear program almost a decade ago was a watershed piece of malware for a variety of reasons. Chief among them, its use of cryptographic certificates belonging to legitimate companies to falsely vouch for the trustworthiness of the malware. Last year, we learned that fraudulently signed malware was more widespread than previously believed. On Thursday, researchers unveiled one possible reason: underground services that since 2011 have sold counterfeit signing credentials that are unique to each buyer.

"Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective," Andrei Barysevich, a researcher at Recorded Future, reported.

Barysevich identified four such sellers of counterfeit certificates since 2011. Two of them remain in business today. The sellers offered a variety of options. In 2014, one provider calling himself C@T advertised certificates that used a Microsoft technology known as Authenticode for signing executable files and programming scripts that can install software. C@T offered code-signing certificates for macOS apps as well. His fee: upwards of $1,000 per certificate.

[...] "Although code signing certificates can be effectively used in widespread malware campaigns such as the distribution of banking trojan or ransomware, the validity of the certificate used to sign a payload would be invalidated fairly quickly," [Barysevich] explained. "Therefore, we believe that the limited number of power-users specializing in more sophisticated and targeted campaigns, such as corporate espionage, is the main driving force behind the new service."


  • (Score: 0) by Anonymous Coward on Monday February 26 2018, @09:18AM (#643845)

    So, even malware authors get certificates more easily than a home user with a private web server, who doesn't want to pay a fortune to a CA or run suspect software implementing deliberately over-complicated protocols for the purpose of getting people to run their software, such as letsencrypt.

    IMHO, the only reason browser makers are pushing for SSL is to commercialize the web, replacing personal webservers with Facebook. It's not like they care about our privacy. Even Firefox, the only one claiming to care about privacy, gets caught again and again, spying on users, installing unauthorized software, etc.