Stolen encryption key the source of compromised certificate problem, Symantec says

[InfoSec News <alerts () infosecnews org>]

http://www.networkworld.com/news/2012/031912-symantec-stolen-key-257407.html

By Ellen Messmer
Network World
March 19, 2012

When Kaspersky Lab last week spotted code-signed Trojan malware dubbed 
Mediyes that had been signed with a digital certificate owned by Swiss 
firm Conpavi AG and issued by Symantec, it touched off a hunt to 
determine the source of the problem.

The answer, says Symantec's website security services (based on the 
VeriSign certificate and authentication services acquisition), is that 
somehow the private encryption key associated with Conpavi AG 
certificate had been stolen.

"The private key for Conpavi was exposed," says Quentin Liu, senior 
director of engineering at the Symantec division. "Someone got hold of 
the private key." For this type of digital certificate, the private key 
is held by the certificate owner, in this case, Conpavi. Whether the 
private encryption key was stolen by an insider at Conpavi or outside 
attacker isn't known. But the incident points out the risks associated 
with private encryption keys for this type of digital certificate and 
the need to safeguard them.

Symantec has revoked the Conpavi certificate that was used to digitally 
sign the Mediyes malware and is assisting the Swiss firm in analyzing 
what occurred and helping them prevent this from happening again.

[...]


______________________________________________________________________________
CISSP and CEH training with Expanding Security is the fastest, easiest way
to grock the relevant data you need now.   A free class invite is in every
PainPill.  Sign up for the free weekly PainPill .  It's that easy.
http://www.expandingsecurity.com/PainPill