Flame Malware Signed By 'Rogue' Microsoft Cert, Once Again Highlights Problems With Relying On Certs

from the time-to-move-forward dept

We've discussed in the past just how dangerous our reliance on Certificate Authorities "signing" security certificates has become. This is a key part of the way we handle security online, and yet it's clearly subject to abuse. The latest such example: the now infamous Flame malware that targeted computer systems in the Middle East was signed by a "rogue" Microsoft certificate -- one which was supposed to be used for allowing employees to log into a remote system. Microsoft rushed out a security update over the weekend, but that doesn't change the core problem: the whole setup of relying so heavily on secure certificates seems to be increasingly dangerous.


Reader Comments

  1.  
    Anonymous Coward, Jun 4th, 2012 @ 7:51pm

    FUD much?

     

  2.  
    Doug, Jun 4th, 2012 @ 7:57pm

    FUD? Agreed.

    Certs aren't perfect. They're tricky and unforgiving. But most of the time they work. They're tricky and unforgiving because they are expected to do a very specific job quickly and in a very hostile environment.

    Every once in a while, somebody screws up and an attacker is able to slip in, but the problem is corrected (usually quickly). In other words, the system is working as expected. Nobody promised perfection, and the certificate system is still the best solution anybody has found so far.

    Do you have a better solution that you would be willing to share with the rest of the world? (I've heard a few alternatives presented, but they haven't been accepted by the general security industry because they are even easier to screw up than the existing system.)

     

  3.  
    fogbugzd (profile), Jun 4th, 2012 @ 8:35pm

    One problem with the cert system is pricing. Most companies offering reasonably priced certs get acquired by one of the big players, and the low prices disappear.

    Beyond that, it would be nice to have an alternate and possibly a redundant system for certifications.

     

  4.  
    Pixelation, Jun 4th, 2012 @ 8:39pm

    I find Certs are great when I have bad breath.

     

  5.  
    Anonymous Coward, Jun 4th, 2012 @ 8:53pm

    Re:

    Please take some more, I can smell you from here...

     

  6.  
    Mike Masnick (profile), Jun 4th, 2012 @ 8:55pm

    Re:

    Do you have a better solution that you would be willing to share with the rest of the world? (I've heard a few alternatives presented, but they haven't been accepted by the general security industry because they are even easier to screw up than the existing system.)

    Er... DNSSEC will go a long way towards decreasing our reliance on cert authorities...

     

  7.  
    Anonymous Coward, Jun 4th, 2012 @ 9:36pm

    Re: Re:

    http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Signatures_and_zone_signing

    Sigh, Mike.

    You can't have certificates without some sort of authority. The entire infrastructure relies on trust of some hierarchy, somewhere.

     

  8.  
    Anonymous Coward, Jun 4th, 2012 @ 10:11pm

    Re:

    Elmer brand FUD provides quality paranoia at skeptic prices

     

  9.  
    Wally, Jun 4th, 2012 @ 10:14pm

    Screw IE

    It has been no secret that Microsoft Internet Explorer is still the most lousy web browser as far as security is concerned. I know nothing of security certificates, but I know they are rather important. All I know is I avoid using IE like the plague. I once had a mobile (Thumbdrive) version of FireFox just so I would have an alternative at college. FireFox, Chrome and Opera are far better at verifying rogue certificates. FireFox is the best at it, Chrome a close second.
    There are three things to keep your computer secured.
    1: use a wireless router as your physical firewall. Use Microsoft's DEP and Built in Firewall. Vista Users have the added bonus of User Account Control being on by default....which identifies whether or not you were the one who just double clicked on the link to a program.

    2. The best Malware/Antivirus Software is currently available for free. Microsoft Security Essentials will pick up viruses on virtual hard disks made by my Macintosh emulator. It treats all VMware hard disks as a volume. You can set the amount of CPU power consumption by it running in the background to 10%.

    3. To clear your browser cache and to have a registry error check and fix, CCleaner works very well.

    After all this, just avoid using Internet Explorer altogether.

     

  10.  
    Anonymous Coward, Jun 4th, 2012 @ 11:07pm

    Re: Re: Re:

    No system is perfect. I think one of the biggest problems is that we place too much trust in these authorities to the point where we get a false sense of security and when that happens we are actually less secure because we are less actively scrutinizing our security and we are less aware of any vulnerabilities, threats, and potential problems.

     

  11.  
    Mike Masnick (profile), Jun 4th, 2012 @ 11:42pm

    Re: Re: Re:

    You can't have certificates without some sort of authority. The entire infrastructure relies on trust of some hierarchy, somewhere.

    I never said we needed to DO AWAY with the CAs, but we need to become less reliant on them -- and DNSSEC certainly helps on that front. I'm not arguing that it's terrible and needs to be dumped completely, so don't put words in my mouth.

    I'm just saying we're currently overly reliant on the CAs today.

     

  12.  
    Anonymous Coward, Jun 5th, 2012 @ 2:09am

    Re:

    From MS SA blog:
    "Terminal Server Licensing Service no longer issues certificates that allow code to be signed"

    There's no use for that. Any attacker can still install an unpatched version of the server to generate such a certificate and sign the code. What Microsoft should do instead is to revoke that intermediate CA certificate.

     

  13.  
    Anonymous Coward, Jun 5th, 2012 @ 2:10am

    Re: Re:

    Oh, it seems those certificates are revoked after all.

     

  14.  
    Anonymous Coward, Jun 5th, 2012 @ 2:44am

    Re: Re: Re: Re:

    again you posit something that is the same difference, something somewhere has to be trusted and that means it can be abused like anything else

    your story has nothing to say but use a different system, that will be just as abused.....

     

  15.  
    Rich Kulawiec, Jun 5th, 2012 @ 2:58am

    "Convergence" is worth a look

    Convergence is, at minimum, an attempt to address issues similar to this one. I'm as-yet undecided as to whether or not it constitutes a solution or just a shift in the problem space. But it's certainly worth studying for a look at an alternative approach.

     

  16.  
    Paul L (profile), Jun 5th, 2012 @ 4:46am

    Re: Re:

    The problem really isn't with certificates. If anything, it's the manner in which the various organizations protect their CAs and intermediates. The process is too forgiving.

    Exploiting these weaknesses is a problem that should have the blame placed on the CA, not the technology.

     

  17.  
    Some Other AC (profile), Jun 5th, 2012 @ 6:21am

    Re: Screw IE

    While I agree with most of your post, there are occasions where, for whatever reason, a Web application is coded to only work properly with a specific Browser version. This can be based on a number of factors, so I will not attempt to debate them all. As for the reference to Vista, Windows 7 also has the UAC enabled by default in most systems. Believe me, as a former internal IT staff member where I work, the number of complaints about the manner of notification with UAC in Win7 by default was huge.
    Best bet for increasing overall security on Systems, regardless of OS version used, is Education and multiple layers of security. Anti-virus programs (updated regularly), Firewalls (both Software and Hardware based), regular updating of OS and applications, and a good dose of basic education will lead to a more secure computing environment for most people who don't have access to Enterprise levels of cash to spend on expensive options.

     

  18.  
    Anonymous Coward, Jun 5th, 2012 @ 7:05am

    Re: Re:

    DNSSEC is only complementary to a secure connection between a host and client as it only verifies that the host is correct from the authoritative name server. Encryption between the host and client is still necessary. With an incident like DNSChanger or a poisoned caching server, you could still be led to a false server with a false certificate and become compromised.
    The only solution that I recommend is simply running your own caching server, and setting up monitoring of DNS records to alert you of any changes. This however doesn't scale very well outside of an office/home environment, and takes some technical skill on the part of the end user.

     

  19.  
    Anonymous Coward, Jun 5th, 2012 @ 7:44am

    Re: Re: Re: Re: Re:

    As with everything else, viable alternatives are not Masnick's strong suit. Fault finding? You bet. Solutions? Not so much.

     

  20.  
    blaktron (profile), Jun 5th, 2012 @ 9:59am

    Re: Re: Re: Re:

    Normally you're spot on with these things Mike, except that DNSSEC is an improvement to the CA infrastructure, not a replacement. In fact, what makes a DNSSEC record secure is the fact that it's digitally signed.

     

  21.  
    monkyyy, Jun 5th, 2012 @ 1:29pm

    Re:

    false, u don't build a fence around a jail with "gates" everywhere that are unlocked all the time until a prisoner escapes through each and every huge flaw w/ the system

    the plan to EVER need to patch is a failed way to secure computers, just because it's the norm doesn't make it correct
    the reason u see it happen on windows is they trade security for "user friendliness"(mac are even worse)

     

  22.  
    Pixelation, Jun 5th, 2012 @ 8:16pm

    Re: Re:

    "Please take some more, I can smell you from here..."

    Um, that's not my mouth...

     

  23.  
    Ninja (profile), Jun 6th, 2012 @ 3:55am

    Re: Re: Re: Re: Re:

    Actually it's pretty clear he says we need to diversify our security measures to the point that if one fails we are not completely exposed. And he's 100% right. DNSSEC is one step to make things more secure. And if you are not just an annoying shill you'll actually admit that Mike is not an IT expert to develop a new solution to the problem. However, problems need to be addressed at some point. And to be addressed someone has to raise awareness of it. Mike is reporting and providing evidence that the problem needs to be addressed (as he later showed that it is happening in the comments).

    It's only FUD if you are too ignorant to understand what's happening. I see a problem with security certificates and I'm not panicking. I also see huge problems with our current financial system. And I'm not panicking. Neither should you.

     

  24.  
    Ninja (profile), Jun 6th, 2012 @ 4:00am

    Re: Re: Re: Re: Re:

    Improvement. And if I get it right it relies on more than 1 entity, which makes it more secure per se. And he is on spot if you think he is telling exactly that we SHOULDN'T do away with CAs.

     
