In January 2014, security researchers came across a Windows executable named Word13.exe that carried a digital signature claiming to come from Adobe Systems. When they inspected the certificate's properties, however, Windows reported that it did not trust the root of the chain: the certificate chain terminated in a root certificate that is not in the Windows trust store. Adobe is a VeriSign customer, and VeriSign's roots are trusted by Windows, so a genuine Adobe signature would have chained to a trusted root. Because the Word13.exe signature failed that check despite claiming to be Adobe's, the researchers knew there was malware afoot.
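The check that exposed Word13.exe can be reproduced with OpenSSL. The script below is an added illustration, not something from the original article or from any vendor: it builds two throwaway self-signed roots, signs a leaf certificate whose subject claims to be "Adobe Systems Incorporated" with the root the attacker controls, and then asks openssl verify whether that leaf chains to the root the verifier trusts. The names and files it creates are made up for the demo; on Windows the equivalent is the Status field that Get-AuthenticodeSignature reports for a file.

```shell
#!/bin/sh
# Added example (not from the article): a certificate naming a well-known subject
# proves nothing unless its chain ends in a root the verifier already trusts.
# "Trusted Root", "Rogue Root" and the leaf subject are made up for this demo.
set -eu

# chains_to_trusted LEAF TRUSTSTORE -> exit 0 if LEAF chains to a root in TRUSTSTORE, 1 if not.
# -no-CApath keeps the system directory out of the decision so only TRUSTSTORE counts.
chains_to_trusted() {
  openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# verdict LEAF TRUSTSTORE -> prints TRUSTED or UNTRUSTED (what a signature check should act on)
verdict() {
  if chains_to_trusted "$1" "$2"; then echo TRUSTED; else echo UNTRUSTED; fi
}

# make_self_signed_ca OUTBASE CN -> writes OUTBASE.key and OUTBASE.pem
# (the stock openssl.cnf marks req -x509 output as a CA via basicConstraints)
make_self_signed_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

DEMO=$(mktemp -d)
# Two roots: the one the verifier trusts, and one the attacker controls.
make_self_signed_ca "$DEMO/trusted" "Trusted Root"
make_self_signed_ca "$DEMO/rogue" "Rogue Root"

# The attacker issues a leaf whose subject impersonates a real vendor, signed by the rogue root.
openssl req -newkey rsa:2048 -nodes -keyout "$DEMO/leaf.key" -out "$DEMO/leaf.csr" \
  -subj "/CN=Adobe Systems Incorporated" 2>/dev/null
openssl x509 -req -in "$DEMO/leaf.csr" -days 30 -CA "$DEMO/rogue.pem" -CAkey "$DEMO/rogue.key" \
  -CAcreateserial -out "$DEMO/leaf.pem" 2>/dev/null

echo "subject:               $(openssl x509 -in "$DEMO/leaf.pem" -noout -subject)"
echo "against trusted store: $(verdict "$DEMO/leaf.pem" "$DEMO/trusted.pem")"   # UNTRUSTED
echo "against attacker root: $(verdict "$DEMO/leaf.pem" "$DEMO/rogue.pem")"     # TRUSTED
```

The subject name inside the certificate is whatever the signer asked for; the only fact a verifier can rely on is whether the chain ends at a root it already trusts, which is exactly the property the Word13.exe signature lacked.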
Fake certificates, even when they appear to come from genuine sources, can often be caught by up-to-date antivirus software, because the signature does not chain to a trusted root. Today's malware developers, however, are also finding ways to attach genuine certificates to their files: they buy certificates from legitimate certificate authorities and then sign code designed to steal data or disable computers. These abused certificates are neither stolen nor forged. They are legitimate, purchased from highly reputable companies and attached to extremely malicious programs.
What Is Certificate Forgery and Abuse?
Attackers often manipulate digital certificates to get their malware past a network's perimeter, either by attaching forged credentials to their malware or by purchasing and abusing legitimate code-signing certificates. Experts report that the volume of digitally signed malware is growing by triple-digit percentages year over year, and attackers use either forged or abused certificates to get that malware past gatekeepers.
• Forged certificates. Attackers sometimes steal the private signing keys of legitimate publishers and use them to sign their malware. They can also exploit weaknesses in the signature or issuance process to forge and issue certificates themselves. For example, Win32/Winwebsec, a family of fake antivirus programs known by numerous names including "Antivirus Security Pro," has been signed with stolen certificates issued by valid certificate authorities.
• Abused certificates. Malware developers are also obtaining certificates from legitimate certificate authorities, including Comodo, VeriSign and Thawte, and attaching them to their malware. With a legitimate certificate attached, the malicious code can slip past sandboxing or whitelisting defenses that trust signed code.
How Does Certificate Mismanagement Lead to Certificate Theft?
Many organizations don't effectively track the certificates they buy. Some departments manage certificates in spreadsheets, which leads to lost, mismatched and mislabeled certificates. Ignoring reminders to renew and deploy up-to-date certificates, another surprisingly common practice, results in forgotten renewals and expired certificates.
Attackers target not only companies that manage certificates poorly but also the certificate authorities themselves: Comodo, DigiNotar and TurkTrust have all reported breaches or mis-issued certificates in recent years. Companies should also recognize that a certificate doesn't have to be stolen and attached to malware to cause a security problem. If the SSL certificate on a customer-facing e-commerce site expires, visitors get browser warnings that they learn to click through, which makes them easier prey for a genuinely malicious site, while the business suffers lost sales and reputation damage.
What’s the Best Way to Keep Certificates Safe?
Certificates can be managed locally, or with online tools provided by the certificate authority. Some companies buy all their certificates from one certificate authority and manage them in a single customer portal; for example, certificates bought from Thawte can be tracked in Thawte's management console and set to auto-renew there, so an expired certificate never reaches customers.
Other companies prefer to keep certificate information on site. If certificates are stored on premises, the server holding them should sit on a secured network segment and be physically secured in the datacenter. Private keys should be stored on encrypted, purpose-built devices rather than on ordinary hard drives or thumb drives. How strongly a private key must be protected depends on its function: the organization's own certificate authority keys, code-signing keys, keys that protect sensitive email, and keys that control access to data or valuable web resources belong on hardware such as smart cards or a hardware security module, from which the key cannot be exported. All private keys should also be protected with strong passphrases.
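A spreadsheet is a poor inventory because nothing in it can check a certificate against the calendar. The script below is an added example (not the article's, and not any vendor's console) that does the minimum such an inventory needs, whether the certificates sit in a CA portal export or on an on-premises server: for every PEM certificate in a directory it prints the status, expiry date and subject, flagging certificates that have expired or will expire within a chosen window, and it leaves the date comparison to openssl x509 -checkend rather than to a human. The two certificates it scans are generated on the fly with made-up hostnames.

```shell
#!/bin/sh
# Added example (not from the article): a portable certificate inventory that
# replaces the spreadsheet. Demo certificates and hostnames are made up.
set -eu

# cert_status CERT DAYS -> prints EXPIRED, EXPIRING (lapses within DAYS) or OK.
# `openssl x509 -checkend N` exits non-zero when the certificate expires within N seconds.
cert_status() {
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo EXPIRED
  elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    echo EXPIRING
  else
    echo OK
  fi
}

# inventory DIR DAYS -> one tab-separated line per *.pem in DIR: status, notAfter, subject, file
inventory() {
  for f in "$1"/*.pem; do
    [ -e "$f" ] || continue
    printf '%s\t%s\t%s\t%s\n' \
      "$(cert_status "$f" "$2")" \
      "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)" \
      "$(openssl x509 -in "$f" -noout -subject)" \
      "$f"
  done
}

# count_status DIR DAYS STATUS -> how many certificates in DIR have that status
count_status() {
  inventory "$1" "$2" | cut -f1 | grep -c "^$3\$" || true
}

# make_cert FILE CN DAYS -> self-signed demo certificate; the key goes to FILE.key
# so the *.pem glob above only matches certificates.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

DEMO=$(mktemp -d)
make_cert "$DEMO/shop.pem" "shop.example.com" 10    # renewal reminder was ignored
make_cert "$DEMO/api.pem"  "api.example.com"  365   # renewed recently

# Flag anything with less than 30 days left: shop.example.com is EXPIRING, api.example.com is OK.
inventory "$DEMO" 30
```

Run it from cron against the directory where certificates are kept and page on any line that is not OK; a certificate that should never expire unnoticed then cannot, regardless of who last edited the spreadsheet.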
No company can prevent all certificate theft and abuse, but every company can take precautions to keep its certificates and private keys current and secure. Besides denying attackers the means to create digitally signed malware with its keys, good certificate management reduces risk across the entire organization.