[145916] in cryptography@c2.net mail archive


Re: Certificate-stealing Trojan

daemon@ATHENA.MIT.EDU (Marsh Ray)
Tue Sep 28 07:33:34 2010

X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
Date: Mon, 27 Sep 2010 22:16:18 -0500
From: Marsh Ray <marsh@extendedsubset.com>
To: "Rose, Greg" <ggr@qualcomm.com>
CC: Steven Bellovin <smb@cs.columbia.edu>, 
 Cryptography List <cryptography@metzdowd.com>
In-Reply-To: <2F18CC60-662C-4518-AF56-9F58D270D819@qualcomm.com>

On 09/27/2010 08:26 PM, Rose, Greg wrote:
>
> On 2010 Sep 24, at 12:47 , Steven Bellovin wrote:
>
>> Per
>> http://news.softpedia.com/news/New-Trojan-Steals-Digital-Certificates-157442.shtml
>> there's a new Trojan out there that looks for and steals Cert_*.p12
>> files -- certificates with private keys.  Since the private keys
>> are password-protected, it thoughtfully installs a keystroke logger
>> as well....
>
> Ah, the irony of a trojan stealing something that, because of lack of
> PKI, is essentially useless anyway...

While I agree with the sentiment on PKI, we should accept this evidence 
for what it is:

There exists at least one malware author who, as of recently, did not 
have a trusted root CA key.

Additionally, the Stuxnet trojan is using driver-signing certs pilfered 
from the legitimate parties the old-fashioned way. This suggests that 
even professional teams with probable state backing either lack that 
card or are saving it to play in the next round.

Is it possible that the current PKI isn't always the weakest link in the 
chain? Is it too valuable of a cake to ever eat? Or does it just leave 
too many footprints behind?

- Marsh

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
