from the code-by-john-hancock dept.
Submitted via IRC for SoyCow1984
One of the breakthroughs of the Stuxnet worm that targeted Iran's nuclear program was its use of legitimate digital certificates, which cryptographically vouched for the trustworthiness of the software's publisher. Following its discovery in 2010, researchers went on to find the technique was used in a handful of other malware samples both with ties to nation-sponsored hackers and, later on, with ties to for-profit criminal enterprises.
Now, researchers have presented proof that digitally signed malware is much more common than previously believed. What's more, it predated Stuxnet, with the first known instance occurring in 2003. The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software. In total, 109 of those abused certificates remain valid. The researchers, who presented their findings Wednesday at the ACM Conference on Computer and Communications Security, found another 136 malware samples signed by legitimate CA-issued certificates, although the signatures were malformed.
Source: https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/
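The summary above makes a point that is easy to miss: a signature produced with a stolen publisher key is cryptographically indistinguishable from a legitimate one, so only revocation catches it, whereas a signature merely pasted from another binary fails verification outright. The toy code-signing chain below is an added example, not code from the Ars Technica article or from the paper it reports on. To stay standard-library only it uses a Lamport hash-based signature scheme as a stand-in for the RSA/ECDSA keys real Authenticode certificates carry; the CA, the publisher name "Example Software Ltd", the CRL keyed by subject name, the verdict strings and the two fake "binaries" are all constructed for the example.

```python
"""Toy code-signing chain: CA -> publisher cert -> signed file, with a CRL.

Added example; not the article's or the researchers' code. Signatures use a
Lamport one-time scheme (hash-based) so that only the standard library is
needed. Lamport keys are ONE-TIME: signing two messages with the same key, as
the demo does for the stolen-key case, leaks half the secrets, so a real
deployment would use RSA/ECDSA. Names, keys and file contents are constructed.
"""
import hashlib
import json
import os


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom):
    """256 pairs of random 32-byte secrets; the public key is their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list:
    """Reveal one secret of each pair, selected by the bits of sha256(msg)."""
    digest = int.from_bytes(h(msg), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg: bytes, sig: list) -> bool:
    """Hash each revealed secret and compare against the selected public half."""
    if len(sig) != 256:
        return False
    digest = int.from_bytes(h(msg), "big")
    return all(h(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256))


def pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


def pk_from_bytes(raw: bytes):
    return [(raw[i:i + 32], raw[i + 32:i + 64]) for i in range(0, len(raw), 64)]


def issue_cert(ca_sk, subject: str, subject_pk) -> dict:
    """The CA binds a publisher name to a public key (stand-in for X.509)."""
    tbs = json.dumps({"subject": subject, "pk": pk_bytes(subject_pk).hex()}).encode()
    return {"tbs": tbs, "sig": sign(ca_sk, tbs)}


def verify_signed_file(ca_pk, crl: set, cert: dict, data: bytes, sig: list) -> str:
    """The checks a loader or AV engine should perform, in order.

    Real CRLs list certificate serial numbers; keying on the subject name is a
    simplification for the example. Returns a verdict string (constructed).
    """
    if not verify(ca_pk, cert["tbs"], cert["sig"]):
        return "bad-cert"          # chain does not lead to a trusted CA
    fields = json.loads(cert["tbs"])
    if fields["subject"] in crl:
        return "revoked"           # key compromise reported, CA pulled the cert
    if not verify(pk_from_bytes(bytes.fromhex(fields["pk"])), data, sig):
        return "malformed"         # signature does not cover this file
    return "valid"


def demo() -> dict:
    ca_sk, ca_pk = keygen()
    pub_sk, pub_pk = keygen()
    cert = issue_cert(ca_sk, "Example Software Ltd", pub_pk)
    crl = set()

    legit = b"MZ... legitimate installer (constructed sample)"
    malware = b"MZ... dropper built by the attacker (constructed sample)"

    legit_sig = sign(pub_sk, legit)
    stolen_key_sig = sign(pub_sk, malware)   # attacker holds the publisher key
    pasted_sig = legit_sig                   # attacker only copied a signature

    results = {
        "legit": verify_signed_file(ca_pk, crl, cert, legit, legit_sig),
        "stolen_key": verify_signed_file(ca_pk, crl, cert, malware, stolen_key_sig),
        "pasted_sig": verify_signed_file(ca_pk, crl, cert, malware, pasted_sig),
    }
    crl.add("Example Software Ltd")           # compromise reported, cert revoked
    results["stolen_key_after_revocation"] = verify_signed_file(
        ca_pk, crl, cert, malware, stolen_key_sig)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

The "stolen_key" case is the one the article counts: it returns "valid" for exactly as long as the CA has not revoked the certificate, which is why the 109 still-valid certificates matter more than the 189 samples. On a real Windows host the corresponding checks are `signtool verify /pa /v file.exe` or PowerShell's `Get-AuthenticodeSignature`; whichever tool you use, confirm it actually consults revocation data rather than only checking the chain.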
(Score: 0) by Anonymous Coward on Thursday November 09, @03:33AM (2 children)
It's a contradiction in terms.
The only workable solution is one that is inherently decentralized; authority must be established either through a web of trust, or through compounded proof of work on validation (e.g., a blockchain).
Eat a dick, you trash website.
(Score: 2) by JoeMerchant on Thursday November 09, @04:17AM (1 child)
I think web of trust is the long-term answer. Blockchain has yet to prove an economic ability to scale - I don't want to spend $5 every time I want to verify a transaction, and when Bitcoin et al. lose their speculative glamour and start paying their own bills, that's what transactions are currently costing. Maybe they can trim on that and get to $0.50 per transaction, but that's still too damn high for mainstream applications. The whole "compounded work" aspect of blockchain makes it a loser for microtransactions right out of the gate.
(Score: 2) by JNCF on Thursday November 09, @04:36AM
Read up on Namecoin. Transaction costs aren't a huge issue when you're just recording who owns what namespace, and what their signature looks like. End-users only read data.