Feeds

Microsoft vexed by falsified certs

Scam artist dupes VeriSign for MS digital certificates

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Microsoft is scrambling to revoke two digital certificates that were issued last January by California-based VeriSign to a scam artist posing as a Microsoft employee.

Digital certificates are used to electronically sign computer programs and patches so that end users can be assured that the code came from a particular person or company, and was not subject to tampering in transit. The technology relies on trusted third-party "certificate authorities" who issue the certificates and vouch for their authenticity to users.

On 30 and 31 January, someone posing as a Microsoft employee persuaded VeriSign, the largest US certificate authority, to issue two certificates under Microsoft's name.

"They came to our Web site, they signed on as a Microsoft employee... and provided enough correlatable information that led us to believe that it was a bona fide order," says Mahi deSilva, VP of applied trust service at VeriSign.

VeriSign has procedures in place to prevent such chicanery, deSilva said, but on this occasion a company employee failed to properly verify the order. "It was our failure, and it was human error."

Law enforcement is investigating.

Microsoft warned that the culprit could use the certificates to trick users into running malicious code, signing Trojan horses and viruses with Microsoft's name, then planting them on Web sites or sending them via e-mail. Users would still have to click Yes in a dialog box before the code would execute.

"The certificates could be used to digitally sign programs, ActiveX controls, Office macros and other executable content," a company spokesman said. "Once we were informed of the error by VeriSign last week, we immediately began taking steps to protect our customers."

Microsoft plans to distribute software to revoke the fraudulent certificates. In the meantime, the company encourages users to keep their eyes open for certificates dated 30 or 31 January. No legitimate Microsoft certificates were issued those days.

Further information is available from VeriSign.

According to a source familiar with the incident, the hacker used a stolen credit card number to obtain the certificates - a detail deSilva would neither confirm nor deny.

"We've been asked not to talk about the specifics. But there is an active investigation with the bank associated with that card, around the usage of that card." ®

Copyright © 2001 SecurityFocus.com. All rights reserved.

Intelligent flash storage arrays

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
HTML5 vs native: Harry Coder and the mudblood mobile app princes
Developers just want their ideas to generate money
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.