[thelist] OT: Microsoft digital certificate stolen
Paul Dewey
paul_dewey at hotmail.com
Thu Mar 22 15:32:18 CST 2001
Thought you might like to hear this.
http://www.msnbc.com/news/548228.asp
Microsoft digital certificate stolen
Verisign issued "virtual notary seal" to computer criminal
By Bob Sullivan
MSNBC
March 22 Microsoft Corp. issued a warning today to all
its customers that a computer criminal has obtained a
digital certificate with the company's name and
authority. The equivalent of a royal seal, digital
certificates prove software code was written by a particular
company and is safe. Microsoft said the criminal tricked
Verisign Inc. into issuing two of the certificates. The
software giant is warning users to be suspicious of any
program that arrives with a certificate claiming
Microsoft's authority.
MICROSOFT'S SCOTT CULP said Verisign issued the two
fake certificates accidentally on Jan. 29 and Jan. 30, and
discovered the mistake only recently. (MSNBC is a
Microsoft-NBC joint venture.)
Web browsers generally encounter such certificates
when they arrive on a Web site that has an ActiveX control,
which allows dynamic content. Usually, a dialog box pops up
asking the users if they would like to trust the code and
allow it to run on their machines.
The fraudulent certificates would indicate to a user
that the code was written by Microsoft and might trick a
victim into allowing the code to run.
"That's exactly one of the scenarios that pose the
greatest risk," Culp said.
The firm is working on a downloadable solution for the
problem, but it won't be ready for about a week, Culp
said. In the meantime, he urged Web users to be suspicious
of any digital certificate they encounter, suggesting they
check the certificate's details.
"Anything that says it was issued on 29th and
30th of January is bogus. Do not trust it," Culp said.
HUMAN ERROR?
Culp blamed the problem on human error inside
Verisign. He said law enforcement is now working with the
company to track the criminal, who apparently was able to
convince Verisign he was a Microsoft employee.
"This wasn't a failure of technology. It was a failure
of one particular Certificate authority to follow its
procedures," he said.
Digital certificates are issued by third parties,
called certificate authorities, as a way of virtually
"notarizing" computer code. There are hundreds of
authorities, but Verisign is one of the largest. Each
authority is supposed to follow detailed procedures to
verify the identity of the programmer making a certificate
request.
Mahi deSilva, vice president and general manager of applied trust
services for Verisign, said his company accepts responsibility for the error.
But he added that Verisign has issued over 500,000 such digital
certificates, and this is the first incident of fraud.
"The process breakdown is related to human error," deSilva said. "We
have taken active aggressive steps to make sure that vulnerability is closed
up." He wouldn't provide details, citing the ongoing investigation, but he
did say the verification process includes cross-checking of databases and a
follow-up phone call to the certificate requestor's employer.
He said the firm caught the error in follow-up investigations after
it issued the certificates in January.
The two bogus certificates have been placed on Verisign's revoked list,
but currently, nearly all versions of Microsoft's Internet Explorer don't
bother to check the revoked list when encountering a certificate. That
procedure is akin to a merchant checking a consumer's credit card with the
bank before accepting a charge, deSilva said. Microsoft's update, when
issued, will turn on this revocation check procedure, thwarting the two
bogus certificates.
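The paragraph above describes the gap exactly: a revoked certificate still carries a valid CA signature, so a verifier that never looks at the revocation list keeps trusting it. The script below is an added demonstration, not part of the article or of thelist, and it uses only the openssl command-line tool. It builds a throwaway issuing CA, issues a code-signing certificate to a publisher, revokes it and publishes a CRL, then runs the same chain check twice: once without a revocation lookup (the behaviour the article attributes to Internet Explorer at the time) and once with `-crl_check` turned on. "Demo Issuing CA", "Example Publisher" and the `ca.cnf` contents are constructed for the demo and stand for no real entity or product.

```shell
#!/bin/sh
# Added demo (not from the article): a certificate that is on the issuer's CRL still
# passes a chain check that never consults the CRL, and only fails once the verifier
# is told to check revocation. Everything lives in a throwaway directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal configuration for "openssl ca" (constructed for this demo).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = loose

[ loose ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ v3_codesign ]
basicConstraints = CA:FALSE
extendedKeyUsage = codeSigning
EOF
touch index.txt
echo 01 > serial

# 1. Throwaway issuing CA (constructed name, stands in for the CA in the story).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo Issuing CA" -days 365 -config ca.cnf -extensions v3_ca 2>/dev/null

# 2. Issue a code-signing certificate to a publisher (constructed name).
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=Example Publisher" -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -extensions v3_codesign -in leaf.csr -out leaf.crt 2>/dev/null

# 3. The CA later decides the certificate should never have been issued:
#    revoke it and publish a fresh CRL that lists its serial number.
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# Chain check only: trusted issuer signature and validity dates, no revocation lookup.
verify_without_crl() {
  openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1
}

# The same check with revocation enabled: the issuer's CRL is consulted as well.
verify_with_crl() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt >/dev/null 2>&1
}

if verify_without_crl; then
  echo "without CRL check: ACCEPTED (revoked certificate is still trusted)"
fi
if verify_with_crl; then
  echo "with CRL check: accepted"
else
  echo "with CRL check: REJECTED (certificate revoked)"
fi
```

The first check succeeds and the second fails with "certificate revoked". The only difference between the two is whether the verifier fetches and honours the CRL, which is the switch the article says the Microsoft update would turn on; the certificate, the signature and the trust store are identical in both runs.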
"The reality is the infrastructure will become stronger and more adept at
dealing with these kind of situations now," deSilva said.
Still, Russ Cooper, who administers a popular Windows security
mailing list, said he was concerned with the process breakdown.
"Somebody had to accept something other than normal due diligence,"
Cooper said. "It shows the mechanisms Verisign had in place to check
someone's ID really stink."
<tip>
Don't Trust all of Microsoft's digital certificates. :-)
</tip>