Flame Malware Signed By 'Rogue' Microsoft Cert, Once Again Highlights Problems With Relying On Certs
from the time-to-move-forward dept
We've discussed in the past just how dangerous our reliance on Certificate Authorities "signing" security certificates has become. This is a key part of the way we handle security online, and yet it's clearly subject to abuse. The latest such example: the now infamous Flame malware that targeted computer systems in the Middle East was signed by a "rogue" Microsoft certificate -- one which was supposed to be used for allowing employees to log into a remote system. Microsoft rushed out a security update over the weekend, but that doesn't change the core problem: the whole setup of relying so heavily on secure certificates seems to be increasingly dangerous.
Filed Under: certificate authorities, flame, malware, middle east, security
Companies: microsoft
Reader Comments
Certs aren't perfect. They're tricky and unforgiving. But most of the time they work. They're tricky and unforgiving because they are expected to do a very specific job quickly and in a very hostile environment.
Every once in a while, somebody screws up and an attacker is able to slip in, but the problem is corrected (usually quickly). In other words, the system is working as expected. Nobody promised perfection, and the certificate system is still the best solution anybody has found so far.
Do you have a better solution that you would be willing to share with the rest of the world? (I've heard a few alternatives presented, but they haven't been accepted by the general security industry because they are even easier to screw up than the existing system.)
Re:
Er... DNSSEC will go a long way towards decreasing our reliance on cert authorities...
Re: Re:
Sigh, Mike.
You can't have certificates without some sort of authority. The entire infrastructure relies on trust of some hierarchy, somewhere.
Re: Re: Re:
I never said we needed to DO AWAY with the CAs, but we need to become less reliant on them -- and DNSSEC certainly helps on that front. I'm not arguing that it's terrible and needs to be dumped completely, so don't put words in my mouth.
I'm just saying we're currently overly reliant on the CAs today.
Re: Re: Re: Re:
Your story has nothing to say but use a different system, which will be just as abused...
Re: Re: Re: Re: Re:
It's only FUD if you are too ignorant to understand what's happening. I see a problem with security certificates and I'm not panicking. I also see huge problems with our current financial system. And I'm not panicking. Neither should you.
Re: Re:
Exploiting these weaknesses is a problem that should have the blame placed on the CA, not the technology.
Re: Re:
The only solution that I recommend is simply running your own caching server, and setting up monitoring of DNS records to alert you of any changes. This however doesn't scale very well outside of an office/home environment, and takes some technical skill on the part of the end user.
Re:
"Terminal Server Licensing Service no longer issues certificates that allow code to be signed"
There's no use for that. Any attacker can still install an unpatched version of the server to generate such a certificate and sign the code. What Microsoft should do instead is revoke that intermediate CA certificate.
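To make the commenter's point concrete, here is an added example (not code from the post or any commenter) modelling chain validation with a revocation list over a constructed, illustrative certificate hierarchy; the names are placeholders, not Microsoft's real certificate names. It shows that a policy change which only stops new issuance leaves an already-issued code-signing certificate valid, while revoking the intermediate rejects everything beneath it.

```python
# Added example: minimal model of certificate path validation with revocation.
# Names are constructed placeholders, not the real Microsoft certificate chain.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    code_signing: bool  # whether this certificate may be used to sign code


def chain_is_trusted(leaf, certs_by_subject, roots, revoked):
    """Walk issuer links from the leaf up to a trusted root.
    Reject if any certificate on the path is revoked or the path never reaches a root."""
    cert, seen = leaf, set()
    while True:
        if cert.subject in revoked:
            return False  # a revoked cert anywhere on the path kills the chain
        if cert.subject in roots:
            return True   # reached a trust anchor without hitting a revoked cert
        if cert.subject in seen:
            return False  # loop guard against malformed issuer links
        seen.add(cert.subject)
        cert = certs_by_subject.get(cert.issuer)
        if cert is None:
            return False  # issuer not available: path cannot be completed


# Constructed sample hierarchy: root -> licensing intermediate -> leaf issued pre-patch.
ROOT = Cert("Example Root CA", "Example Root CA", False)
INTERMEDIATE = Cert("Example Licensing Intermediate CA", "Example Root CA", False)
OLD_LEAF = Cert("Licensing Server Cert (issued before patch)",
                "Example Licensing Intermediate CA", True)
STORE = {c.subject: c for c in (ROOT, INTERMEDIATE, OLD_LEAF)}
ROOTS = {ROOT.subject}


def signed_code_accepted(leaf, revoked=frozenset()):
    """Would a verifier accept code signed with this leaf certificate?"""
    return leaf.code_signing and chain_is_trusted(leaf, STORE, ROOTS, revoked)


def after_stopping_new_issuance():
    # Stopping the service from issuing new code-signing certs changes nothing
    # about the leaf it already issued, so its signature still verifies.
    return signed_code_accepted(OLD_LEAF)


def after_revoking_intermediate():
    # Revoking the intermediate invalidates every leaf beneath it, old or new.
    return signed_code_accepted(OLD_LEAF, revoked=frozenset({INTERMEDIATE.subject}))
```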
Re:
The plan to EVER need to patch is a failed way to secure computers; just because it's the norm doesn't make it correct.
The reason you see it happen on Windows is they trade security for "user friendliness" (Macs are even worse).
Beyond that, it would be nice to have an alternate and possibly a redundant system for certifications.
Re: Re:
Um, that's not my mouth...
Screw IE
There are three things to keep your computer secured.
1. Use a wireless router as your physical firewall. Use Microsoft's DEP and built-in firewall. Vista users have the added bonus of User Account Control being on by default... which identifies whether or not you were the one who just double-clicked on the link to a program.
2. The best malware/antivirus software is currently available for free. Microsoft Security Essentials will pick up viruses on virtual hard disks made by my Macintosh emulator. It treats all VMware hard disks as a volume. You can set the amount of CPU power consumed by it running in the background to 10%.
3. To clear your browser cache and to have a registry error check and fix, CCleaner works very well.
After all this, just avoid using Internet Explorer altogether.
Re: Screw IE
Best bet for increasing overall security on systems, regardless of OS version used, is education and multiple layers of security. Anti-virus programs (updated regularly), firewalls (both software and hardware based), regular updating of OS and applications, and a good dose of basic education will lead to a more secure computing environment for most people who don't have access to enterprise levels of cash to spend on expensive options.
"Convergence" is worth a look