Crooks use Microsoft name in security gambit

The security of online B2B transactions was back in the spotlight after Microsoft revealed that digital certificates bearing its name had been obtained fraudulently.

VeriSign, a US internet security firm, was tricked into issuing two certificates bearing the name ‘Microsoft Corporation’ after being contacted by someone falsely claiming to be an employee of the software giant.

Digital certificates are used to reassure users that content and software they receive electronically is from a trusted source.

The rogue certificates were issued by VeriSign on 29 and 30 January, but the fraud was only picked up recently following routine checks.

VeriSign immediately cancelled the certificates and listed them as revoked, but in a lengthy security bulletin Microsoft said it was concerned that they could still pose ‘a grave risk’ to its customers if used in a bid to smuggle malicious content into networks.

Although the certificates could not automatically bypass any security systems in place, the warning dialogue seen by users would claim that they had been digitally signed by Microsoft.

‘Clearly this would be a significant aid in persuading a user to run the program,’ said a Microsoft salesman.

The security breach could potentially affect all versions of Microsoft’s Windows software. Full details of the company’s advice to users are in the security bulletin (see web address below). Microsoft is updating its packages so the list of revoked certificates is consulted automatically.

VeriSign said it would tighten procedures for signing off digital certificates and has called in ‘appropriate law enforcement agencies’ – almost certainly the FBI – to find out who wanted the certificates and why.

Chris Potter, who works for the BeTrusted digital security operation of PricewaterhouseCoopers, said the incident highlights the need for tight controls when certificates are issued.

‘The procedures sometimes used when a digital certificate is registered are well known among security professionals as a potential point of weakness,’ said Potter.

He said some certificates are issued with no greater proof of identity needed than possession of an e-mail address.

‘You have to question whether that is enough, particularly when you are talking about business-to-business transactions,’ he said.