Security News Bytes: Can We Trust the Broken Cert Ecosystem?

It was Ronald Regan who famously said, “Trust – but verify.” Two weeks ago we reported on one of the most confusingly convoluted scenarios to hit website security so far this year, when SSL/TSL cert reseller Trustico’s plan to rid customers of certificates issued by Symantec and subsidiaries ended in a Twitter spat between Trustico and DigiCert, followed by 23,000 private customer keys being leaked via email and the Trustico website temporarily shutting down.

This week, a new study titled: Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates’ was released by American and Czech researchers, investigating various forms of abuse that allow malware authors to produce malicious code carrying – yet valid – digital signatures.

The study suggests that illicit code-signing certificates being sold by underground vendors are part of a rising trend triggered by the increasing use of Microsoft’s Windows Defender SmartScreen. SmartScreen is a feature included with Windows 10 that acts as an additional layer of security, alerting users if they download files or access websites without valid certificates.

When SmartScreen encounters a certificate for the first time, it alerts the user, who has to click-through a warning in order to proceed. However, for just a few thousand dollars, it’s possible to purchase a certificate that SmartScreen will see as trustworthy. The study suggests that SmartScreen use “plays a growing role” in the trend.

The study took an in-depth look at two aspects of the trade: first, it investigated four leading vendors of Authenticode certificates. Next, it collected a data set of recently signed malware and used that to “study the relationships among malware developers, malware families and the certificates.”

The researchers also studied information obtained from the black market to fingerprint the certs traded and identify when they are used (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Blog. Read the original post at: Cylance Blog