
posted by Fnord666 on Sunday February 25 2018, @08:29AM
from the broken-strands-in-the-web-of-trust dept.

Arthur T Knackerbracket has found the following story:

The Stuxnet worm that targeted Iran's nuclear program almost a decade ago was a watershed piece of malware for a variety of reasons. Chief among them, its use of cryptographic certificates belonging to legitimate companies to falsely vouch for the trustworthiness of the malware. Last year, we learned that fraudulently signed malware was more widespread than previously believed. On Thursday, researchers unveiled one possible reason: underground services that since 2011 have sold counterfeit signing credentials that are unique to each buyer.

"Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective," Andrei Barysevich, a researcher at Recorded Future, reported.

Barysevich identified four such sellers of counterfeit certificates since 2011. Two of them remain in business today. The sellers offered a variety of options. In 2014, one provider calling himself C@T advertised certificates that used a Microsoft technology known as Authenticode for signing executable files and programming scripts that can install software. C@T offered code-signing certificates for macOS apps as well. His fee: upwards of $1,000 per certificate.

[...] "Although code signing certificates can be effectively used in widespread malware campaigns such as the distribution of banking trojan or ransomware, the validity of the certificate used to sign a payload would be invalidated fairly quickly," [Barysevich] explained. "Therefore, we believe that the limited number of power-users specializing in more sophisticated and targeted campaigns, such as corporate espionage, is the main driving force behind the new service."
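The story's point is that these counterfeit certificates chain cleanly, so "the signature is Valid" is necessary but not sufficient. The following defender-side check is an added example, not part of the story or of Recorded Future's research: it uses the standard Get-AuthenticodeSignature cmdlet and then compares the signer against a pinned publisher list and flags freshly issued certificates. The thumbprint allow-list and the 30-day age threshold are placeholders you would replace with your own values.

```powershell
# Added example (not from the story): treat a valid Authenticode chain as a
# starting point, then pin the publisher and flag young certificates, since the
# underground service described above issues fresh certs to stolen identities.
function Test-SignerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hypothetical allow-list of pinned publisher thumbprints (placeholder value).
        [string[]] $TrustedThumbprints = @('PLACEHOLDER_THUMBPRINT_OF_PINNED_PUBLISHER'),
        # Per-buyer certificates are minted on demand, so a very young cert is a signal.
        [int] $MinCertAgeDays = 30
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $subject = $null; $thumb = $null; $ageDays = $null
    if ($cert) {
        $subject = $cert.Subject
        $thumb   = $cert.Thumbprint
        $ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
    }
    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, UnknownError, NotTrusted, ...
        $reasons += "signature status $($sig.Status)"
    }
    elseif ($TrustedThumbprints -notcontains $thumb) {
        # A clean chain from a publisher you have never pinned is exactly the
        # case the story warns about: the chain validates, the identity is stolen.
        $reasons += 'valid chain but signer is not a pinned publisher'
    }
    if ($cert -and $ageDays -lt $MinCertAgeDays) {
        $reasons += "certificate issued only $ageDays days ago"
    }
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Subject     = $subject
        Thumbprint  = $thumb
        CertAgeDays = $ageDays
        Verdict     = if ($reasons.Count -eq 0) { 'Trusted' } else { 'Untrusted' }
        Reasons     = ($reasons -join '; ')
    }
}

# Usage: surface every signed or unsigned binary in Downloads that is not a pinned publisher.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe,*.dll,*.msi,*.ps1 -Recurse |
    ForEach-Object { Test-SignerTrust -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'Trusted' } |
    Format-Table Path, Status, Subject, CertAgeDays, Reasons -AutoSize
```

Feed the Untrusted rows to your EDR or SIEM rather than blocking on them outright; the age heuristic will also fire on a legitimate publisher that has just rotated its certificate.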



  • (Score: 2) by bradley13 on Sunday February 25 2018, @09:15AM

    by bradley13 (3053) on Sunday February 25 2018, @09:15AM (#643401) Homepage Journal

    Ok, it's maybe a benefit if you have a certificate stolen from some other company. That said, signing an app is not exactly rocket science. Use a self-signed certificate, or shell out a minor amount of money to get a certificate from a dodgy CA. If malware authors haven't been doing this, it's only because it hasn't been necessary in order to get their stuff distributed.

    --
    Everyone is somebody else's weirdo.
  • (Score: 4, Insightful) by BsAtHome on Sunday February 25 2018, @10:20AM (1 child)

    by BsAtHome (889) on Sunday February 25 2018, @10:20AM (#643413)

    The idea that you can trust a computer in general is a preposterous proposition. Trusting software is simply flawed, especially when you read Ken Thompson's "Reflections on Trusting Trust" (his Turing Award lecture). Trusting hardware, well, we know of hardware flaws/trojans already. Trusting humans, well, let's just say we have ample examples of the problem with that. And then we get to trusting a chain of certificates, which is simply naive and ignorant, even though it is all we have got.

    When you use a computer, you should assume to be compromised and act accordingly.

    • (Score: 0) by Anonymous Coward on Sunday February 25 2018, @12:12PM

      by Anonymous Coward on Sunday February 25 2018, @12:12PM (#643425)

      The problem with trust is that you can only validate it afterwards. And you need to confirm it again and again. As soon as it is breached, it's gone. This makes it actually costly, but also valuable.

      Regarding computers, you deal with many components, which ALL have to be trusted (or not). Acting accordingly can be very difficult: do you trust the CPU, memory, hard drive, the USB chip that reads the data you provide it? Load the OS from a CD-ROM; how do you know the DVD player doesn't insert code into your trusted code on the DVD? Your trusted code on the DVD, did you write all the code from scratch yourself, including the compilers?

  • (Score: 0) by Anonymous Coward on Monday February 26 2018, @09:18AM

    by Anonymous Coward on Monday February 26 2018, @09:18AM (#643845)

    So, even malware authors get certificates more easily than a home user with a private web server, who doesn't want to pay a fortune to a CA or run suspect software implementing deliberately over-complicated protocols for the purpose of getting people to run their software, such as letsencrypt.

    IMHO, the only reason browser makers are pushing for SSL is to commercialize the web, replacing personal webservers with Facebook. It's not like they care about our privacy. Even Firefox, the only one claiming to care about privacy, gets caught again and again, spying on users, installing unauthorized software, etc.
