Stuxnet-style code signing of malware becomes darknet cottage industry Underground cybercrooks are selling digital certificates that allow code signing of malicious instructions, creating a lucrative and expanding cottage industry in the process, according to new research from threat intelligence firm InfoArmor. In one case, a hacker tricked a legitimate certificate authority into issuing digital …
Even if it worked perfectly, it's only a chain of identity trust - that the person/organisation is the same as the identity they're claiming. And since you can create a legal identity with an off-the-shelf company, that trust is pretty valueless in itself. Moreover, there's no chain of trust of intention - or very little of any practical value. You can't get that without the operating system applying the same granularity of access controls to third-party components (and, ideally, first-party components) as it does to user processes.
In short, it's all broken. Have a nice day!
It's broken because it became a business - just like selling domains. I'm not surprised to see the usual names - Comodo, Thawte, GoDaddy - listed, as long as they can get money, they're going to sell everything. Both domains and certificate should be far harder to get, and it shouldn't be a pure open business. It's a business that should be highly regulated to ensure only legitimate users get them, and "mistakes" are quickly spotted and fixed - or big fines apply.
>It's broken because it became a business
It's broken because it's hard - businesses may have taken the easy way out, but governments struggle if they try to be more rigorous. If you try too hard to get proof of "identity" (and that's a more slippery concept than you might imagine), you simply exclude more people from access to services or entrench large monopolies by raising barriers to new entrants. That's bad for business and bad for citizens.
Furthermore, these theoretical monopolies can become targets for industrial espionage. How many of these certificates being passed through the black market, for example, possibly came direct from the firms themselves, copied by a careful spy? After all, if you can get the driver signing key for a major component manufacturer like Realtek (which is what Stuxnet used), then you're pretty much sitting pretty because a much-used certificate that goes back years will be difficult to revoke without massive collateral damage.
Also goes to show how fundamentally broken ANY system of trust is. Fundamentally, there is simply no way for Alice to be all that sure that she is talking to the one and only Bob if they've never met before. At some point, you're going need to just trust what's in front of you, but you can always be fooled at this point of First Contact.
It is not just the problem of how Alice and Bob know they are not talking through Eve, but the fact that any one of hundreds of buggers can issue a certificate to Eve matching Alice and/or Bob. It only takes one of those to fail and the trust link is useless.
Just think of a RAID-0 strip with 600 flaky disks...
Or a RAID-0 where one of the drive firmwares has been pwned. Basically, trust on the Internet is a pipe dream yet you need trust to make communications work, meaning we're basically screwed. ANY trust system we can think up, someone else can subvert (like using shills to subvert a Web of Trust).
This has me wondering about UEFI and SecureBoot. It's bad enough that Micro$haft think they own your kit, but with "bad actors" oot and aboot, it could just get much, much worse.
Somehow when I heard M$ saying it would make booting absolutely secure, the first thing that came to mind was "and then, when they're hacked"... (WInXP and XP SP1 anyone?).
All Your Boot Are Belong To Us it appears.
Now where did that steampunk PC go...
This has never been about security. Microsoft knew a lot of people might flee from its Windows as a service gift so they figured out a preemptive move. SecureBoot it is about control, it makes sure you will run the version of Windows Microsoft wants you to run and nothing else.
"Somehow when I heard M$ saying it would make booting absolutely secure, the first thing that came to mind was "and then, when they're hacked"... (WInXP and XP SP1 anyone?)."
Although, to be fair, it seems most of the big boys take great care to make sure their most important signing keys never see the light of day (it should be a black-box operation under normal circumstances). At least this way, no one can make a rogue bootloader that can pass the Secure Boot check (Bootloader signature checking is at least one security method that has been too difficult to crack for the most part; this is true here, in the portables arena, and with embedded hardware like Tivo's).
These folks are end running government agencies and corporatations. Too bad it puts us all at risk, but that's what you get when you use outdated, flawed technology to secure sensitive information.
Might as well use self-signed certificates. The ones you pay for from the big Certificate Authorities might well be worthless. In any case, how could you be sure?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
