Security researcher Mikko Hypponen reports finding a piece of malicious software that was cryptographically signed by a forged Adobe certificate originating with Government of Malaysia: Malaysian Agricultural Research and Development Institute, whose signing certificate was "stolen quite some time ago."
There are several hundred parties that are trusted by OSes, browsers and software to issue certificates, from Verisign to many national governments. A computer receiving a software update signed by a forged certificate will not be able to tell that there's anything funny about the update, but installing such an update could result in a thoroughly compromised computer.
I've been hearing persistent reports of this from security researcher friends, including reports of signed malware that can take over mobile phones and computers, compromising them so that their cameras and mics can be operated covertly, their keystrokes logged, their files plundered, etc. And the worst thing is, if you don't install updates, you can end up with security vulnerabilities that leave your computer liable to takeover by malware that does just the same thing.
Malware Signed With a Governmental Signing Key
Software can be thought of as a system for encapsulating the expertise of skilled practitioners; translate the hard-won expertise of a machinist or a dental technician or a bookkeeper into code, and people with little expertise in those fields can recreate many of the feats of the greatest virtuosos, just by hitting Enter.
The Miele PG 8528 is a “washer-disinfector” intended for hospitals and other locations with potentially dangerous pathogens on their dirty dishes; it’s networked and smart. And dumb.
In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt “Certificate Authorities,” the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger — bad certificates could allow anything from eavesdropping on financial transactions to […]
Maybe it’s entirely because of podcast ads, but drag-and-drop tools like Squarespace have gotten immensely popular in recent years. While it’s definitely a great tool for any non-coders who want to get a small website up and running quickly, managing content with a primarily visual interface can become a pain once you have more than […]
When you can’t wait for the world’s longest meeting to end, the mindless leg bouncing makes your boredom obvious and just annoys everybody else. Everyone knows the TPS reports need the damn cover sheet, but some sadistic colleague keeps forgetting, probably on purpose just to eat into your lunch hour. Enough is enough!While serving a […]
What could be more fun than a slingshot that shoots tiny airplanes? A slingshot that shoots tiny glowing airplanes of course! These toy planes are outfitted with ultra-bright LEDs, so you can fly all night without losing them in the trees.Whether you are a regular-sized child, or an overgrown adult one, these light-up flyers offer […]