Information Security News mailing list archives

Re: Microsoft says beware of stolen certificates


From: InfoSec News <isn () C4I ORG>
Date: Fri, 23 Mar 2001 20:29:47 -0600

http://biz.yahoo.com/prnews/010323/sff029.html

Friday March 23, 11:46 am Eastern Time
Press Release

SOURCE: ValiCert, Inc.

ValiCert Provides Secure Electronic Commerce Solution for Environments
With Revoked or False Digital Certificates

What: Falsely issued or
revoked digital certificates are one of the primary security issues
that are inhibiting the full-scale deployment of e-Commerce. In light
of the recent statements by Microsoft Inc. that two digital
certificates have been mistakenly issued in their name, there is now
concrete evidence that users must validate digital certificates before
trusting them in order to safeguard their electronic activity, whether
it be downloading applets, or engaging in high value e-Transactions.
In situations such as this, the validation of digital certificates
would provide a necessary step required to warn users before they
place trust in the certificate, thus eliminating the threat before it
does damage.

ValiCert, Inc. (Nasdaq: VLCT) made its name as a leading
provider of Validation Authority(TM) (VA) solutions for digital
certificates. ValiCert's solutions provide the proactive process for
the effective validation of digital certificates, to detect revoked or
false digital certificates before they cause harm.  Without
validation, ex-employees and short-term workers can use revoked
certificates to access confidential systems, even after they have left
the organization.

ValiCert representatives are available to offer their expert industry
perspective on how the use of ValiCert products allows for the safe
engagement of e-Commerce transactions in light of falsely issued or
revoked digital certificates.


-----Original Message-----
From: ISN Mailing List [mailto:ISN () SECURITYFOCUS COM]On Behalf Of
InfoSec News
Sent: Thursday, March 22, 2001 8:44 PM
To: ISN () SECURITYFOCUS COM
Subject: [ISN] Microsoft says beware of stolen certificates


http://www.zdnet.com/zdnn/stories/news/0,4586,5079987,00.html?chkpt=zdhpnews01

By Robert Lemos
ZDNet News
UPDATED March 22, 2001 3:46 PM PT

Two digital certificates have been mistakenly issued in Microsoft's
name that could be used by virus writers to fool people into running
harmful programs, the software giant warned Thursday.  According to
Microsoft, someone posing as a Microsoft employee tricked VeriSign,
which hands out so-called digital signatures, into issuing the two
certificates in the software giant's name on Jan. 30 and Jan. 31.

Such certificates are critical for businesses and consumers who
download patches, updates and other pieces of software from the
Internet, because they verify that the software is being supplied from
a particular company, such as Microsoft.

In this case, a person using the VeriSign-issued certificates could
post a virus on the Web that would appear to be from Microsoft but
could actually be used to wipe out a person's hard drive, for example.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

