Security vendor Malwarebytes has reported that a new variation of an old password stealing Trojan is out in the wild, but all is not as it may seem. Notably, this particular Trojan is signed with an apparently 'genuine' digital certificate that authenticates the file. Which rather prompts the question: "say what?" Or to put it another way, if the billion-dollar digital certificate and encryption market can't actually guarantee squat, then what's the point of it?
The Trojan, it appears, evades many security barriers by a system of spoofing that involves the criminal enterprise behind the scheme setting up a bogus company, which in turn has obtained genuine, legitimate and otherwise perfectly valid digital certificates of trust from Digicert. "This allows the cybercriminals to slide an infected PDF file into a large number of organisations, since the certificate is the equivalent of the baggage checked tag on luggage as it is carried by an airline to its destination" warns Calum MacLeod, a director at security vendor Venafi, who continues "in this case, everyone in the electronic chain takes the certificate – as they should – at its face value and the legitimate certificate authenticates the Trojan". MacLeod blames the trust management rather than the certificate authority schema in this case, explaining that "it is management and control flaws like this that undermine confidence in the structural status quo of Internet security – and this is not good for anyone, or any user, of the World Wide Web, email and other forms of IP communications".
Truth be told, this is nothing new. Certificate and Certificate Authority abuse has been far from hypothetical for some time. Equally, the inability of business to control trust is a rabbit that is not able to hide in the hat any longer. If we are to continue along the road of depending upon both encryption and digital certification to help secure our data, then more effective trust management is required, and urgently. Heck, how many organizations have the faintest idea of the total number of keys and certificates that exist within their own networks? Or in the cloud? Or on the mobile devices they have deployed? Let alone understanding how these are being accessed and by whom.