

InformationWeek.com March 26, 2001

VeriSign Authenticates Hacker As Microsoft Employee

Bogus digital certificates could install Trojans, viruses, and other dangerous apps

By George V. Hulme   (ghulme@cmp.com)


VeriSign Inc., a major digital certificate vendor, wrongly issued two digital certificates earlier this year to a person who claimed to be a Microsoft employee, Microsoft revealed last week.

According to the software vendor, someone duped VeriSign into believing he or she was a Microsoft employee and was issued the certificates on Jan. 29 and 30. The certificates are commonly used to verify the authenticity of software patches and applications.

The holder of the bogus certificates could harm users of Windows 95, 98, Millennium Edition, NT 4.0, and 2000. Once a user accepts the certificate, it's possible the attacker could install a Trojan, a virus, or another malicious application, gain system access, or destroy data on the hard drive. Both vendors say that no one has reported seeing the certificates in use yet.

There's no way of automatically knowing that a given certificate has been revoked, but Microsoft is working on an update. In the meantime, the company is urging all Windows users to carefully check all certificate-warning dialogue boxes for certificates issued on either Jan. 29 or 30, because no valid Microsoft certificates were issued on those dates, Microsoft says. The company also suggests that users install the Outlook E-mail Security Update to stop malicious E-mails from being launched, and the Office Document Open Confirmation Tool to force Web pages to request permission before opening Office documents.
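The two checks Microsoft asks users to make by hand in the paragraph above (was the certificate issued on Jan. 29 or 30, and has it since been revoked) can be automated once the certificate is parsed. The Python below is an added example, not code from the article, Microsoft or VeriSign. It reads just enough DER to reach the serial number, subject and validity period of an X.509 certificate and applies both checks. The sample certificate is constructed inline so the script runs offline; its issuer name, serial numbers and signature are placeholders, not the real 2001 certificates. The revocation list is assumed to arrive locally, the way the promised update or a CRL would supply it, and chain and signature validation are assumed to happen elsewhere.

```python
# Added example, not code from the article, Microsoft or VeriSign: automate the two
# checks the article describes for a certificate claiming to be Microsoft's. Only
# enough DER is parsed to reach serial, subject and validity; chain and signature
# validation are assumed to happen elsewhere.
import datetime as dt

# Per the article, no genuine Microsoft certificates were issued on these dates.
SUSPECT_ISSUE_DATES = {dt.date(2001, 1, 29), dt.date(2001, 1, 30)}

# --- tiny DER encoder, used only to construct sample certificates offline ---
def der(tag, payload):
    """One DER TLV: tag, definite length (short or long form), payload."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def seq(*parts):
    return der(0x30, b"".join(parts))

def integer(n):  # minimal big-endian bytes, leading 0x00 if the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def name(cn):  # X.501 Name with one commonName (OID 2.5.4.3) PrintableString
    attr = seq(der(0x06, b"\x55\x04\x03"), der(0x13, cn.encode("ascii")))
    return seq(der(0x31, attr))

def utctime(t):
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_cert(subject_cn, issuer_cn, serial, not_before, days=365):
    """Constructed X.509 v3 shell with a placeholder key and a dummy signature."""
    sha1_rsa = seq(der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))  # sha1WithRSAEncryption
    dummy_bits = der(0x03, b"\x00" * 17)  # BIT STRING: 0 unused bits, 16 zero bytes
    tbs = seq(der(0xA0, integer(2)),  # [0] EXPLICIT version = v3
              integer(serial), sha1_rsa, name(issuer_cn),
              seq(utctime(not_before), utctime(not_before + dt.timedelta(days=days))),
              name(subject_cn), seq(sha1_rsa, dummy_bits))  # SubjectPublicKeyInfo stand-in
    return seq(tbs, sha1_rsa, dummy_bits)  # signatureValue is a dummy, never verified here

# --- tiny DER reader ---
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nlen = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nlen], "big"), pos + nlen
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into a list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_utctime(raw):  # UTCTime "YYMMDDhhmmssZ"; YY >= 50 means 19YY (RFC 5280)
    s = raw.decode("ascii")
    year = (1900 if int(s[:2]) >= 50 else 2000) + int(s[:2])
    return dt.datetime(year, *(int(s[i:i + 2]) for i in range(2, 12, 2)))

def common_name(name_der):
    for _, rdn in children(name_der):          # SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == b"\x55\x04\x03":
                return value[1].decode("ascii")
    return ""

def parse_certificate(cert_der):
    """Serial, issuer CN, subject CN and validity window of a DER certificate."""
    fields = children(children(read_tlv(cert_der)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # skip the optional explicit version
        fields = fields[1:]
    not_before, not_after = (parse_utctime(v) for _, v in children(fields[3][1]))
    return {"serial": int.from_bytes(fields[0][1], "big"),
            "issuer": common_name(fields[2][1]), "subject": common_name(fields[4][1]),
            "not_before": not_before, "not_after": not_after}

def assess(cert_der, revoked_serials):
    """Return (verdict, reason). revoked_serials stands in for CRL or update data."""
    info = parse_certificate(cert_der)
    if info["serial"] in revoked_serials:
        return "reject", f"serial {info['serial']:#x} is on the revocation list"
    if "microsoft" in info["subject"].lower() and info["not_before"].date() in SUSPECT_ISSUE_DATES:
        return "reject", (f"Microsoft subject issued {info['not_before'].date()}, "
                          "a date with no genuine issuance")
    return "accept", "no policy match"

# Constructed samples: issuer name and serials are placeholders, not the real 2001 certificates.
BOGUS_CERT = build_sample_cert("Microsoft Corporation", "Sample Software Publisher CA",
                               0x1001, dt.datetime(2001, 1, 29, 12, 0, 0))
OTHER_CERT = build_sample_cert("Microsoft Corporation", "Sample Software Publisher CA",
                               0x1002, dt.datetime(2000, 11, 3, 9, 0, 0))
REVOKED_SERIALS = {0x1001}

if __name__ == "__main__":
    print(assess(BOGUS_CERT, set()))            # rejected on issue date alone
    print(assess(BOGUS_CERT, REVOKED_SERIALS))  # rejected as revoked
    print(assess(OTHER_CERT, REVOKED_SERIALS))  # accepted
```

The date check works even with no revocation data at all, which is the situation the article describes before the update shipped; once a revocation list is available, the serial-number test catches the same certificates regardless of what their dates say. The parser only understands UTCTime and a single-attribute Name, which is enough for the sample and for the certificates of that era; a real deployment would hand the certificate to the platform's X.509 library and apply the same two rules to the fields it returns.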

Mahi deSilva, VP and general manager of applied trust services for VeriSign, attributes the mistake to human error. "We have been coached by the FBI not to go into details," he says. Analysts say this incident shouldn't take away from the strengths of digital certificates as a security tool, but it points out a weakness. Says Pete Lindstrom, a senior security analyst with Hurwitz Group, "The initial authentication process is the Achilles' heel of PKI."
