
Adobe Incident Highlights Automatic Certificate Signing Dangers

Venafi : 03 October, 2012  (Technical Article)
Venafi discusses certificate hacking incidents and how to prevent costly remediation processes resulting from a hacking incident

Commenting on reports that Adobe is to rework its code-signing certificate process after discovering malware that was signed with one of its certificates, Venafi says this incident - the latest in a series of certificate-related security compromises - will add unnecessary expense to most organisations hit by the incident.

According to Calum MacLeod, EMEA Director of the Enterprise Key and Certificate Management (EKCM) solutions specialist, it appears that hackers accessed a compromised build server that was able to get code approval from the firm's code-signing system.

"It's important to understand that code-signing certificates are essentially cryptographic identifiers that confirm that executable software originates from the author and can be allowed to execute. It's a verification of trust - in much the same way that most people trust a policeman’s warrant card. As a result, certificate-based compromises are becoming as common as phishing attacks and malware infections," MacLeod said.

"Because the certificate verification process is automatic, the fact that there is a compromised certificate in active circulation places the integrity of an organisation's IT security resource at risk. And whilst most companies will probably escape any problems, there are clear enrolment admin overhead and management costs for those companies that continue to rely on manual enrolment and revocation processes," he said.

“Adobe’s admission that one of its certificates has been hijacked is another example of why organisations that rely on this most basic trust technology need to have a strategy in place for quickly identifying, revoking and replacing them when they have been compromised,” he said.

The Venafi CEO went on to say that continuous maintenance of certificates and keys throughout all stages of their lifecycle – from request to secure generation, renewal and revocation – is a critical function of a good key and certificate management system, whether done manually or through an automated process. Given the string of certificate- and CA-related attacks, MacLeod strongly advised companies to evaluate management best practices and automated solutions.

"While it's good to hear that Adobe is revamping its code-signing certificate processes in the wake of this latest certificate compromise, the bottom line here is that the extra administration involved adds to the cost of remediating this hack - as well as eroding confidence in the certificate system itself. Unfortunately, most organisations wait until a disaster strikes before taking action; hopefully this will serve as a wake-up call to all enterprises that there is simply no excuse for not having a remediation plan in place," he added.

   © 2012 ProSecurityZone.com