Feeds

Microsoft vexed by falsified certs

Scam artist dupes VeriSign for MS digital certificates

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Microsoft is scrambling to revoke two digital certificates that were issued last January by California-based VeriSign to a scam artist posing as a Microsoft employee.

Digital certificates are used to electronically sign computer programs and patches so that end users can be assured that the code came from a particular person or company, and was not subject to tampering in transit. The technology relies on trusted third-party "certificate authorities" who issue the certificates and vouch for their authenticity to users.

On 30 and 31 January, someone posing as a Microsoft employee persuaded VeriSign, the largest US certificate authority, to issue two certificates under Microsoft's name.

"They came to our Web site, they signed on as a Microsoft employee... and provided enough correlatable information that led us to believe that it was a bona fide order," says Mahi deSilva, VP of applied trust service at VeriSign.

VeriSign has procedures in place to prevent such chicanery, deSilva said, but on this occasion a company employee failed to properly verify the order. "It was our failure, and it was human error."

Law enforcement is investigating.

Microsoft warned that the culprit could use the certificates to trick users into running malicious code, signing Trojan horses and viruses with Microsoft's name, then planting them on Web sites or sending them via e-mail. Users would still have to click Yes in a dialog box before the code would execute.

"The certificates could be used to digitally sign programs, ActiveX controls, Office macros and other executable content," a company spokesman said. "Once we were informed of the error by VeriSign last week, we immediately began taking steps to protect our customers."

Microsoft plans to distribute software to revoke the fraudulent certificates. In the meantime, the company encourages users to keep their eyes open for certificates dated 30 or 31 January. No legitimate Microsoft certificates were issued those days.

Further information is available from VeriSign.

According to a source familiar with the incident, the hacker used a stolen credit card number to obtain the certificates - a detail deSilva would neither confirm nor deny.

"We've been asked not to talk about the specifics. But there is an active investigation with the bank associated with that card, around the usage of that card." ®

Copyright © 2001 SecurityFocus.com. All rights reserved.

Security for virtualized datacentres

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
Netscape plugins about to stop working in Chrome for Mac
Google kills off 32-bit Chrome, only on Mac
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.