[145921] in cryptography@c2.net mail archive

Re: Certificate-stealing Trojan

daemon@ATHENA.MIT.EDU (Thierry Moreau)
Wed Sep 29 23:37:56 2010

Date: Tue, 28 Sep 2010 10:18:52 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
To: Marsh Ray <marsh@extendedsubset.com>
CC: "Rose, Greg" <ggr@qualcomm.com>, Steven Bellovin <smb@cs.columbia.edu>,
  Cryptography List <cryptography@metzdowd.com>
In-Reply-To: <4CA15E02.2050209@extendedsubset.com>

Marsh Ray wrote:
> On 09/27/2010 08:26 PM, Rose, Greg wrote:
>>
>> On 2010 Sep 24, at 12:47 , Steven Bellovin wrote:
>>
>>> Per
>>> http://news.softpedia.com/news/New-Trojan-Steals-Digital-Certificates-157442.shtml 
>>>
>>> there's a new Trojan out there that looks for and steals Cert_*.p12
>>> files -- certificates with private keys.  Since the private keys
>>> are password-protected, it thoughtfully installs a keystroke logger
>>> as well....
>>
>> Ah, the irony of a trojan stealing something that, because of lack of
>> PKI, is essentially useless anyway...
> 
> While I agree with the sentiment on PKI, we should accept this evidence 
> for what it is:
> 
> There exists at least one malware author who, as of recently, did not 
> have a trusted root CA key.
> 
> Additionally, the Stuxnet trojan is using driver-signing certs pilfered 
> from the legitimate parties the old-fashioned way. This suggests that 
> even professional teams with probable state backing either lack that 
> card or are saving it to play in the next round.
> 
> Is it possible that the current PKI isn't always the weakest link in the 
> chain? Is it too valuable of a cake to ever eat? Or does it just leave 
> too many footprints behind?
> 

Don't forget that the described trojan looks for an actual *client* 
private key and certificates. This puts Mallory in a position to 
impersonate the victim comprehensively, including non-crypto validity 
checks (e.g. confidence gained from log of recent activity using this 
certificate).

Then the question is which PKIs actually deploy client certificates.

> - Marsh
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
> 


-- 
- Thierry Moreau

CONNOTECH Experts-conseils inc.
