On 06/22/2011 08:04 AM, Marsh Ray wrote:
> On 06/22/2011 09:40 AM, Steven Bellovin wrote:
>> http://www.darkreading.com/advanced-threats/167901091/security/application-security/231000129/malware-increasingly-being-signed-with-stolen-certificates.html
>> Not surprising to most readers of this list, I suspect...
>
> The interesting thing is that code signing schemes have been around for
> decades but 2010 is the first time malware even bothered to steal
> signing keys. :-)

Not true; an attack on VeriSign in 2000 caused them to issue two Class-3
digital certificates in the name of Microsoft. The perpetrators were
never caught and to this day, Windows ships with a specific CRL that
identifies these two certificates - you'll find them in your cert trust-
store:

http://support.microsoft.com/kb/293818

There have been other private-key thefts since 2000, but the VeriSign
attack is the earliest I can recall in my PKI-related career.

Arshad Noor
StrongAuth, Inc.
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography