Stolen certs an issue for Malaysia, a security reminder for all of us
Malaysia just can’t catch a break lately. Earlier this month it was discovered that the Malaysian certificate authority DigiCert Sdn. Bhd. (no relation to DigiCert, Inc.) had been issuing weak 512-bit SSL certificates, a serious no-no in the CA business. This led to the major browsers yanking DigiCert Sdn. Bhd. from their trusted root stores. Then last week a story broke in which a code signing certificate had been stolen from a Malaysian government agency and used to sign malware that exploits a vulnerability in Adobe Acrobat 8.
An investigation found that the certificate was issued by DigiSign Server ID to a domain managed by the Malaysian Agricultural Research and Development Institute. Although the certificate has since expired, Malaysian authorities say the certificate was stolen “some time ago”.
I’ve read a number of articles on this subject since the story broke, and each article mentions that this is the latest in a series of events that erode trust in the current digital certificate business model. We’ve certainly seen our fair share of poor network security practices and RA oversight among smaller, less sophisticated certificate authorities – which begs the question: should they really be in the business of trust if they can’t properly protect their own infrastructure? But I digress.
This issue of the stolen certificate in Malaysia, however, is not a matter of lax CA practices or a broken digital certificate model – it’s a matter of serious concern about operational and network security at the end-user level. In a world of ever-increasing network attacks, in which the threat landscape contains a spectrum of bad actors ranging from recreational hackers to loosely organized groups such as Anonymous to cyber terrorists, it is vital for organizations to protect their networks. It’s always a bad thing when a digital certificate is stolen from an organization, but when that organization is a government agency it can become a national security concern.
If your organization has been issued any type of digital certificate, I implore you to take another look at your network and implement security best practices to protect your data. Earlier this year, the Online Trust Alliance released a set of best practices for data security. It is worth your time to read. As a CA, it’s our responsibility to protect our private keys and to ensure that encrypted data transmitted over your networks remains encrypted. It is equally important that digital certificate owners take the appropriate steps to ensure that their own systems are as bulletproof as possible.