FACEPALM! HP cert used to sign malware

HP accidentally signed some malware, according to Krebs on Security. Krebs reports that the certificate was “used to cryptographically sign software components that ship with many of its older products”, mostly for PC software, but that back in 2010 it was also used to sign some malware. HP will therefore revoke the …

  1. Mephistro

    The malware is set to phone home, which is what led to its detection.

    Yep, HP detected the malware when it phoned them!

  2. Anonymous Coward

    You what?

    Someone manages to get some malware into certified HP distributions, but we're supposed not to worry "because it had the same name as a genuine HP package"?

    So HP weren't checking ANYTHING other than the package name before HP signed/certified the stuff for distribution?

    Some more details would be welcome, but on the surface it sounds rather like somebody in HP needs certifying.

    1. Anonymous Coward

      Re: You what?

      Yes. "SNAFU" doesn't seem quite the right term for this serious lapse.

    2. TimB

      Re: You what?

      Let's not forget the part where it took 4 YEARS for them to notice their fuck up.

  3. Anonymous Coward

    The Compaq buy, Autonomy, Mark Hurd and now this, real confidence building by HP.

    So, some malware had the same name and someone from HP downloaded it from the Internet and included it. Why would someone be downloading software from a source that wasn't internal?

  4. Anonymous Coward

    Scale of negligence

    I might being sound of wind and limb suggest that further analysis should that analysis be warranted or required or be intimated of this incident or any other incident now or past or present or future and that incident be connected to this incident or any other incident or happening now or in the past or present or in the future whereby the terms past present or pink goblins be defined hereforeto herewith or my teeth fall out or other bollocks be defined wherein.

    Sorry, someone else's day job interfered with my post.

    This is negligence of one sort or another. The scale of which probably needs to go to court. On the face of it as presented, in my opinion: it's probably errr should be criminal.

    Cheers

    Jon

    1. Wensleydale Cheese

      Re: Scale of negligence

      "Sorry, someone else's day job interfered with my post."

      That's quite some day job isn't it?

      I wonder how much that monologue costs HP.

      Two and a half minutes long in its latest rendition.

  5. Christian Berger

    And now consider that this is what is supposed to make "Secure" Boot secure

    Even if EFI weren't a mess of complexity far bigger than the BIOS could have ever been, its only claimed security feature is bogus. Companies will lose their secret keys, and people will use them to sign malware.

    Code signing is no security feature as such.
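The point the thread circles around (a valid signature proves who held the key, not that the file is benign, and a leaked or misused key has to be revoked without breaking every older release) is easiest to see in a verifier. The following is an added example, not code from the article, from HP, or from any commenter: the vendor key, certificate id, payloads and dates are all constructed, and a keyed MAC stands in for the asymmetric signature a real code-signing scheme would use. The functions `sign`, `signature_valid`, `trust_decision` and `demo` are this example's own names.

```python
import hashlib
import hmac

VENDOR_KEY = b"constructed-vendor-signing-key"   # constructed; stands in for the vendor's private key
VENDOR_CERT = "constructed-vendor-cert"          # placeholder certificate identifier


def sign(payload: bytes, signed_on: str, key: bytes = VENDOR_KEY) -> dict:
    """Return a signed manifest: payload digest, signer cert id, signing date (ISO YYYY-MM-DD)
    and a MAC binding the three together (the MAC stands in for an asymmetric signature)."""
    digest = hashlib.sha256(payload).hexdigest()
    msg = f"{VENDOR_CERT}|{signed_on}|{digest}".encode()
    return {"cert": VENDOR_CERT, "signed_on": signed_on, "digest": digest,
            "sig": hmac.new(key, msg, "sha256").hexdigest()}


def signature_valid(payload: bytes, manifest: dict, key: bytes = VENDOR_KEY) -> bool:
    """Check that the manifest was produced by the holder of `key` for exactly this payload.
    This establishes who signed, not whether the payload is benign."""
    digest = hashlib.sha256(payload).hexdigest()
    msg = f"{manifest['cert']}|{manifest['signed_on']}|{digest}".encode()
    expected = hmac.new(key, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])


def trust_decision(payload: bytes, manifest: dict, revoked: dict) -> str:
    """Apply policy: `revoked` maps cert id -> ISO date from which the key is distrusted.
    Artifacts signed on or after that date are rejected even though the signature checks out;
    earlier ones stay accepted so that revocation does not break every older release."""
    if not signature_valid(payload, manifest):
        return "reject: signature does not verify"
    cutoff = revoked.get(manifest["cert"])
    if cutoff is not None and manifest["signed_on"] >= cutoff:   # ISO dates sort lexically
        return "reject: signed after cert revocation date"
    return "accept: valid signature from trusted cert"


def demo() -> dict:
    """Constructed scenario: a legitimate tool signed early, then an unrelated binary carrying
    the same file name that was signed with the same key later."""
    legit = b"constructed payload: vendor support tool"
    imposter = b"constructed payload: unrelated binary with the same file name"
    legit_manifest = sign(legit, "2009-06-01")          # constructed date
    imposter_manifest = sign(imposter, "2010-05-20")    # constructed date of the key misuse

    # With no revocation the verifier cannot tell the two apart: both signatures are genuine.
    before = {"legit": trust_decision(legit, legit_manifest, {}),
              "imposter": trust_decision(imposter, imposter_manifest, {})}
    # Revocation dated to just before the earliest misuse seen (constructed date).
    revoked = {VENDOR_CERT: "2010-05-01"}
    after = {"legit": trust_decision(legit, legit_manifest, revoked),
             "imposter": trust_decision(imposter, imposter_manifest, revoked)}
    # Changing the payload (or the recorded date) after signing breaks the signature itself.
    tampered = trust_decision(imposter + b"x", imposter_manifest, revoked)
    return {"before_revocation": before, "after_revocation": after, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows both manifests accepted before revocation and only the early one accepted after it. One caveat a verifier has to live with: the signing date here comes from the manifest, so whoever holds the key can backdate a signature past the cutoff; production code-signing schemes therefore rely on a countersignature from a trusted timestamp authority rather than on a date the signer supplies.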
