Tom Olzak

Do you know where your certificates are?

In Access Controls, Business Continuity, Certificates, Cybercrime, Hacking, Password Management, Risk Management, Security Management on September 13, 2010 at 07:29

So what is next in the growing black hat toolkit? According to some researchers, it is theft of certificates, and this is not just theory: the recent Adobe PDF zero-day exploit shows it in practice. Its creators paired a bypass of Microsoft Windows address space layout randomization (ASLR) and data execution prevention (DEP) with a payload binary signed using a certificate obtained by nefarious means, so the file carried a signature that looked legitimate to Windows and to anyone who checked it.

“So the Adobe [zero-day] is using DEP+ASLR Bypass with a binary that is signed with stolen certificate!” said “Neeraj,” who works as a senior security research engineer for Nevis Network, an Indian firm. “That’s how future attacks gonna be. Scary!”

via Newest Adobe zero-day PDF exploit ‘scary,’ says researcher.

Yes, this is scary for organizations that have become complacent about protecting their certificates.  Managers tend to forget about certificate protection unless it is touted in the press or they are surprised by misuse of a cert that leaked into the wrong hands.

Certificate management matters not only to the organization that signs with the certificate. It is also critical to everyone who relies on it: users trust a site's certificate to verify that the site is who it claims to be, and if they can no longer count on that, what will it do to e-commerce?

So what is the big deal? This is just one instance in a world of hundreds of thousands of commonly used certs. Well, the problem is that the organization whose cert was stolen had to shut down Web-facing operations until a new cert was obtained. Think revenue loss and customer dissatisfaction. On top of those concerns, there is the FUD (fear, uncertainty, and doubt) spread via the media and around the multi-function device at the office (the replacement for the venerable water cooler as the dissemination point for office gossip…), causing mass hysteria about the dangers of the dark, foreboding forces on the Web.

In my experience, certificates are often not managed properly, putting organizations at serious risk of a business continuity event, or worse. Certificates, whether personal or organizational, are your electronic identity. Lose one, and it is game over.

For some simple guidelines for protecting certificates (in practice, the private keys behind them, since the certificate itself is public and a thief needs the key to sign as you), see Protecting ECA Software-Based Certificates.
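The question in the title is a practical one: most organizations cannot list where their private keys live, let alone whether each one is encrypted or readable by every account on the box. The script below is an added example, not code from the post or from the ECA guidance it points to. It walks a directory tree, recognizes PEM blocks by their BEGIN label, and flags private keys that are stored without a passphrase or with group/other read permission. The PEM files it scans are constructed inline with fake bodies (they are not real keys); the directory layout and the labels treated as private keys are assumptions for illustration, and the permission check assumes a POSIX file system.

```python
"""Inventory PEM material under a directory and flag private keys that are
stored unencrypted or readable by other users.

Added example; not the post author's code. Standard library only, so it
runs offline on a constructed sample tree."""
import os
import re
import stat
import tempfile

# A PEM block starts with "-----BEGIN <label>-----". Labels that carry a
# private key are the ones a certificate thief is actually after; the
# certificate itself is public. (Label set is an assumption for this example.)
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",            # PKCS#8, unencrypted
    "ENCRYPTED PRIVATE KEY",  # PKCS#8, encrypted
    "RSA PRIVATE KEY",        # legacy OpenSSL formats; password-protected
    "EC PRIVATE KEY",         # ones carry a "Proc-Type: 4,ENCRYPTED"
    "DSA PRIVATE KEY",        # header right after the BEGIN line
}
OTHER_READABLE = stat.S_IRGRP | stat.S_IROTH


def scan_pem_text(text):
    """Describe every PEM block in `text` without decoding its body."""
    blocks = []
    for match in PEM_BEGIN.finditer(text):
        label = match.group(1)
        head = text[match.end():match.end() + 256]  # headers follow BEGIN
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in head)
        blocks.append({"label": label,
                       "private_key": label in PRIVATE_KEY_LABELS,
                       "encrypted": encrypted})
    return blocks


def scan_tree(root):
    """Walk `root`; return sorted (path, problem) pairs for risky keys.

    Every file is inspected, not just *.key/*.pem: keys pasted into notes,
    configs or backups are exactly the ones nobody remembers to protect.
    """
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # 1 MiB is plenty for PEM
            except OSError:
                continue
            if b"-----BEGIN " not in data:
                continue
            keys = [b for b in scan_pem_text(data.decode("ascii", "replace"))
                    if b["private_key"]]
            if not keys:
                continue  # certificates only: public, nothing to flag
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & OTHER_READABLE:
                problems.append((path, "readable by group/other (mode %o)" % mode))
            for block in keys:
                if not block["encrypted"]:
                    problems.append((path, "unencrypted " + block["label"]))
    return sorted(problems)


def build_demo_tree(root):
    """Populate `root` with constructed PEM files. Bodies are fake filler,
    not real keys or certificates; only the labels and headers matter."""
    body = "MIIBfakeBodyNotARealKey000000000000000000000000000000000000=\n"
    legacy_hdr = ("Proc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n")
    files = {
        "server.crt": ("CERTIFICATE", "", 0o644),            # public: fine
        "server.key": ("RSA PRIVATE KEY", "", 0o644),        # bare and world-readable
        "backup/old.pem": ("ENCRYPTED PRIVATE KEY", "", 0o600),  # protected
        "notes.txt": ("EC PRIVATE KEY", "", 0o600),          # pasted into a text file
        "legacy.key": ("RSA PRIVATE KEY", legacy_hdr, 0o600),   # legacy, encrypted
    }
    for rel, (label, hdr, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("-----BEGIN %s-----\n%s%s-----END %s-----\n"
                     % (label, hdr, body, label))
        os.chmod(path, mode)


def demo():
    """Scan a throwaway sample tree; return findings with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return [(os.path.relpath(p, root), why) for p, why in scan_tree(root)]


if __name__ == "__main__":
    for rel, why in demo():
        print("%-16s %s" % (rel, why))
```

Run against a real tree (for example `scan_tree("/etc")` or a backup share) the same logic turns the title's question into a list, and the two checks it makes are the cheapest ones on the ECA guidance's list: a key on disk should be encrypted, and it should be readable only by the account that uses it. Keys that must be unencrypted for an unattended service are the case for a hardware token or HSM rather than a file.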
