Hacker obtains "Microsoft" code signing key;

Trei, Peter ptrei at rsasecurity.com
Thu Mar 22 12:31:04 PST 2001


My reading of this is that a hacker managed to
human-engineer Verisign into signing a public
key used for codesigning. While the key is
signed as being Microsoft's, it is in fact the
hacker's. He can therefore sign his own
ActiveX components and make them appear to
come from Microsoft. Trojan horses, anyone?

Verisign should be getting a lot of flak on this
one - they're the ones whose business model relies on being
a trustworthy confirmer of identities.

Peter Trei

---------------------------------------


http://www.msnbc.com/news/548228.asp

Microsoft digital certificate stolen

Verisign issued "virtual notary seal" to computer criminal
By Bob Sullivan
MSNBC

     March 22 - Microsoft Corp. issued a warning today to all
its customers that a computer criminal has obtained a
digital certificate with the company's name and
authority. The equivalent of a royal seal, digital
certificates prove software code was written by a particular
company and is safe. Microsoft said the criminal tricked
Verisign Inc. into issuing two of the certificates. The
software giant is warning users to be suspicious of any
program that arrives with a certificate claiming
Microsoft's authority.

     MICROSOFT'S SCOTT CULP said Verisign issued the two
fake certificates accidentally on Jan. 29 and Jan. 30, and
discovered the mistake only recently.  (MSNBC is a
Microsoft-NBC joint venture.)

     Web browsers generally encounter such certificates
when they arrive on a Web site that has an ActiveX control,
which allows dynamic content. Usually, a dialog box pops up
asking the users if they would like to trust the code and
allow it to run on their machines.

     The fraudulent certificates would indicate to a user
that the code was written by Microsoft and might trick a
victim into allowing the code to run.

     "That's exactly one of the scenarios that pose the
greatest risk," Culp said.  

     The firm is working on a downloadable solution for the
problem, but it won't be ready for about a week, Culp
said. In the meantime, he urged Web users to be suspicious
of any digital certificate they encounter, suggesting they
check the certificate's details.

     "Anything that says it was issued on the 29th and
30th of January is bogus. Do not trust it," Culp said.

HUMAN ERROR?

     Culp blamed the problem on human error inside
Verisign. He said law enforcement is now working with the
company to track the criminal, who apparently was able to
convince Verisign he was a Microsoft employee.

     "This wasn't a failure of technology. It was a failure
of one particular certificate authority to follow its
procedures," he said.

     Digital certificates are issued by third parties,
called certificate authorities, as a way of virtually
"notarizing" computer code. There are hundreds of
authorities, but Verisign is one of the largest. Each
authority is supposed to follow detailed procedures to
verify the identity of the programmer making a certificate
request.  

     Verisign did not immediately return phone calls.
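The article's advice to users is to look at the certificate's details and distrust anything claiming Microsoft's authority that was issued on Jan. 29 or Jan. 30, 2001. The following Python is an added example of that check written as a triage rule, not code from the article, from Microsoft or from Verisign. It assumes the signer fields have already been extracted by a tool such as `openssl x509 -noout -subject -dates`; the `SignerCert` record type, the `parse_not_before` helper and all sample certificate records are constructed for this example, and the issuer names are placeholders rather than real CA names.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Issuance dates of the two fraudulently issued certificates, as stated in
# the article (Jan. 29 and Jan. 30, 2001). The indicator is the issue date
# combined with the name the certificate claims; the signature itself
# verifies fine, because the CA really did issue these certificates.
FRAUDULENT_ISSUE_DATES = {
    datetime(2001, 1, 29).date(),
    datetime(2001, 1, 30).date(),
}


@dataclass
class SignerCert:
    """Fields read off a code-signing certificate. Constructed record type
    for this example, not an API of any real library."""
    subject_cn: str        # who the certificate says signed the code
    issuer_cn: str         # the certificate authority that issued it
    not_before: datetime   # start of validity, i.e. the issue date
    signature_valid: bool  # did the cryptographic signature check pass


def parse_not_before(line: str) -> datetime:
    """Parse the 'notBefore=Jan 30 00:00:00 2001 GMT' line printed by
    `openssl x509 -noout -dates`. OpenSSL pads single-digit days with an
    extra space, so whitespace is normalised before parsing."""
    value = line.split("=", 1)[1] if "=" in line else line
    value = " ".join(value.split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")


def classify(cert: SignerCert) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block' or 'allow'.

    The date indicator is checked before the signature result on purpose:
    a passing signature check would otherwise look reassuring, yet it is
    exactly what these certificates produce."""
    claims_microsoft = "microsoft" in cert.subject_cn.lower()
    issued_on = cert.not_before.date()
    if claims_microsoft and issued_on in FRAUDULENT_ISSUE_DATES:
        return ("block",
                f"claims Microsoft, issued {issued_on}: matches the "
                "fraudulently issued certificates")
    if not cert.signature_valid:
        return "block", "signature does not verify"
    return "allow", "no indicator matched"


def triage(certs: List[SignerCert]) -> List[Tuple[str, str, str]]:
    """Apply classify() to a batch and return (subject, verdict, reason) rows."""
    return [(c.subject_cn,) + classify(c) for c in certs]


# Constructed sample records; issuer names are placeholders, not real CA names.
ISSUER = "Example Code Signing CA (placeholder)"
SAMPLE_CERTS = [
    # Fraudulent profile: claims Microsoft, issued Jan. 30, 2001, signature passes.
    SignerCert("Microsoft Corporation", ISSUER,
               parse_not_before("notBefore=Jan 30 00:00:00 2001 GMT"), True),
    # Claims Microsoft but issued outside the two bad days: no indicator.
    SignerCert("Microsoft Corporation", ISSUER,
               parse_not_before("notBefore=Nov  1 00:00:00 2000 GMT"), True),
    # Another publisher issued on Jan. 29: the date rule is scoped to the name.
    SignerCert("Example Software Ltd", ISSUER,
               parse_not_before("notBefore=Jan 29 00:00:00 2001 GMT"), True),
    # Ordinary failure: the signature does not verify at all.
    SignerCert("Example Software Ltd", ISSUER,
               parse_not_before("notBefore=Feb 14 00:00:00 2001 GMT"), False),
]

if __name__ == "__main__":
    for subject, verdict, reason in triage(SAMPLE_CERTS):
        print(f"{verdict:5s} {subject:25s} {reason}")
```

The point of the ordering in `classify` is the one Culp makes: this was not a cryptographic failure, so a tool that stops at "signature valid" learns nothing; the distinguishing data is the issue date and the claimed name, which is why those are checked first.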
