[thelist] OT: Microsoft digital certificate stolen

Paul Dewey paul_dewey at hotmail.com
Thu Mar 22 15:32:18 CST 2001

Thought you might like to hear this.


Microsoft digital certificate stolen

Verisign issued "virtual notary seal" to computer criminal
                 By Bob Sullivan

      March 22 Microsoft Corp. issued a warning today to all
its customers that a computer criminal has obtained a
digital certificate with the company's name and
authority. The equivalent of a royal seal, digital
certificates prove software code was written by a particular
company and is safe. Microsoft said the criminal tricked
Verisign Inc. into issuing two of the certificates. The
software giant is warning users to be suspicious of any
program that arrives with a certificate claiming
Microsoft's authority.

      MICROSOFT'S SCOTT CULP said Verisign issued the two
fake certificates accidentally on Jan. 29 and Jan. 30, and
discovered the mistake only recently.  (MSNBC is a
Microsoft-NBC joint venture.)

      Web browsers generally encounter such certificates
when the arrive on a Web site that has an ActiveX control,
which allows dynamic content. Usually, a dialog box pops up
asking the users if they would like to trust the code and
allow it to run on the their machines.

      The fraudulent certificates would indicate to a user
that the code was written by Microsoft and might trick a
victim into allowing the code to run.

      "That's exactly one of the scenarios that pose the
greatest risk," Culp said.

      The firm is working on a downloadable solution for the
problem, but it won't be ready for about a week, Culp
said. In the meantime, he urged Web users to be suspicious
of any digital certificate they encounter, suggesting they
check the certificate's details.

      "Anything that says it was issued on 29th and
30th of January is bogus. Do not trust it," Culp said.


      Culp blamed the problem on human error inside
Verisign. He said law enforcement is now working with the
company to track the criminal, who apparently was able to
convince Verisign he was a Microsoft employee.

      "This wasn't a failure of technology. It was a failure
of one particular Certificate authority to follow its
procedures," he said.

      Digital certificates are issued by third parties,
called certificate authorities, as a way of virtually
"notarizing" computer code. There are hundreds of
authorities, but Verisign is one of the largest. Each
authority is supposed to follow detailed procedures to
verify the identity of the programmer making a certificate

         Mahi deSilva, vice president and general manager of applied trust 
services for Versign, said his company accepts responsibility for the error. 
But he added that Verisign has issued over 500,000 such digital 
certificates, and this is the first incident of fraud.
       “The process breakdown is related to human error,” deSilva said. “We 
have taken active aggressive steps to make sure that vulnerability is closed 
up.” He wouldn’t provide details, citing the ongoing investigation, but he 
did say the verification process includes cross-checking of databases and a 
follow-up phone call to the certificate requestor’s employer.
       He said the firm caught the error in follow-up investigations after 
it issued the certificates in January.

The two bogus certificates have been placed on Verisign’s “revoked” list, 
but currently, nearly all versions of Microsoft’s Internet Explorer don’t 
bother to check the revoked list when encountering a certificate. That 
procedure is akin to a merchant checking a consumer’s credit card with the 
bank before accepting a charge, deSilva said. Microsoft’s update, when 
issued, will turn on this “revocation check” procedure, thwarting the two 
bogus certificates.

What do you think?
"The reality is the infrastructure will become stronger and more adept at 
dealing with these kind of situations now,” deSilva said.
       Still, Russ Cooper, who administers a popular Windows security 
mailing list, said he was concerned with the process breakdown.
       “Somebody had to accept something other than normal due diligence,” 
Cooper said. “It shows the mechanisms Verisign had in place to check 
someone’s ID really stink.”

Don't Trust all of Microsoft's digital certificates. :-)
Get your FREE download of MSN Explorer at http://explorer.msn.com

More information about the thelist mailing list