[cryptography] How are expired code-signing certs revoked?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Dec 8 20:27:32 PST 2011


<dan at geer.org> writes:

>One would assume that the effort to get such a signing certificate would 
>persuade the bad team to use that cert for targeted attacks, not broadcast 
>ones, in which case you would be damned lucky to find it in a place where you
>could then encapsulate it in a signature-based protection scheme.

My post was based on data gathered by a well-known anti-malware company; I'm 
just reporting what they found in real-world use.

In any case getting signing certs really isn't hard at all.  I once managed it 
in under a minute (knowing which Google search term to enter to find caches of 
Zeus stolen keys helps :-).  That's as an outsider; if you're working inside 
the malware ecosystem you'd probably get them in bulk from whoever's dealing 
in them (single botnets have been reported with thousands of stolen keys and 
certs in their data stores, so it's not like the bad guys are going to run out 
of them in a hurry).

Unlike credit cards and bank accounts and whatnot, we don't have price figures 
for stolen certs, but I suspect it's not that much.

Peter.
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




