[cryptography] How are expired code-signing certs revoked?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Dec 8 20:27:32 PST 2011
<dan at geer.org> writes:
>One would assume that the effort to get such a signing certificate would
>persuade the bad team to use that cert for targeted attacks, not broadcast
>ones, in which case you would be damned lucky to find it in a place where you
>could then encapsulate it in a signature-based protection scheme.
My post was based on data gathered by a well-known anti-malware company; I'm
just reporting what they found in real-world use.
In any case, getting signing certs really isn't hard at all. I once managed it
in under a minute (knowing which Google search term to enter to find caches of
Zeus stolen keys helps :-). That's as an outsider; if you're working inside
the malware ecosystem you'd probably get them in bulk from whoever's dealing
in them (single botnets have been reported with thousands of stolen keys and
certs in their data stores, so it's not like the bad guys are going to run out
of them in a hurry).
Unlike credit cards and bank accounts and whatnot, we don't have price figures
for stolen certs, but I suspect it's not that much.
Peter.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE