
Microsoft vexed by falsified certs

Scam artist dupes VeriSign for MS digital certificates


Microsoft is scrambling to revoke two digital certificates that were issued last January by California-based VeriSign to a scam artist posing as a Microsoft employee.

Digital certificates are used to electronically sign computer programs and patches so that end users can be assured that the code came from a particular person or company, and was not subject to tampering in transit. The technology relies on trusted third-party "certificate authorities" who issue the certificates and vouch for their authenticity to users.

On 30 and 31 January, someone posing as a Microsoft employee persuaded VeriSign, the largest US certificate authority, to issue two certificates under Microsoft's name.

"They came to our Web site, they signed on as a Microsoft employee... and provided enough correlatable information that led us to believe that it was a bona fide order," says Mahi deSilva, VP of applied trust service at VeriSign.

VeriSign has procedures in place to prevent such chicanery, deSilva said, but on this occasion a company employee failed to properly verify the order. "It was our failure, and it was human error."

Law enforcement is investigating.

Microsoft warned that the culprit could use the certificates to trick users into running malicious code, signing Trojan horses and viruses with Microsoft's name, then planting them on Web sites or sending them via e-mail. Users would still have to click Yes in a dialog box before the code would execute.

"The certificates could be used to digitally sign programs, ActiveX controls, Office macros and other executable content," a company spokesman said. "Once we were informed of the error by VeriSign last week, we immediately began taking steps to protect our customers."

Microsoft plans to distribute software to revoke the fraudulent certificates. In the meantime, the company encourages users to keep their eyes open for certificates dated 30 or 31 January. No legitimate Microsoft certificates were issued on those days.

Further information is available from VeriSign.

According to a source familiar with the incident, the hacker used a stolen credit card number to obtain the certificates - a detail deSilva would neither confirm nor deny.

"We've been asked not to talk about the specifics. But there is an active investigation with the bank associated with that card, around the usage of that card." ®

Copyright © 2001 SecurityFocus.com. All rights reserved.
