Tuesday, 26 June 2012

How to get a new SSL certificate for your website

The tutorial below on obtaining SSL Certificates will walk you through something Support Specialists like Terri regularly perform for our Windows Cloud Server and Dedicated Windows Server clients that are set up on our Complete Care Managed Services (CCMS).

I am asked quite often how to request an SSL certificate for a website. I decided to blog about this as a way to help the new web administrator get started with obtaining an SSL certificate when that functionality is requested.

There are multiple steps required to request, obtain and install a new SSL certificate on your website. For this walkthrough, I will cover the steps necessary to complete this process in IIS7.

The first step is to generate a Certificate Signing Request (CSR). This is done via Internet Information Services (IIS) Manager. The second step is to submit the CSR to a Certificate Authority. There are quite a few companies that perform this service including Symantec, Thawte, and GeoTrust. The last step is the completion of the request within IIS Manager that installs the certificate on your server. Once each of these steps is completed, you are set to configure your website using SSL to protect yourself and your customers.

The first step is to generate the CSR. Despite what is often said about it, this file is not encrypted: it is a base64-encoded PKCS #10 request that carries the public half of a key pair IIS generates for you, the subject information you enter, and a signature made with the matching private key, which never leaves the server. To start, open IIS Manager and select your server name in the Connections window. This opens the features available on your IIS instance in the Features View window on the right.

Double click on Server Certificates, which will open another window within the Features View frame. Click on Create Certificate Request in the Actions menu on the right side of the application. This opens a wizard that gathers the information for the request. For simplicity's sake, always enter the fully qualified domain name you want the certificate for, exactly as users will type it in the browser, as the Common name; a mismatch here produces a certificate warning in every browser. All of the fields must be completed before you can continue within the wizard. The one that stumps most people is the Organizational unit. This can be anything; OrcsWeb usually enters Internet.

After clicking Next, you are prompted for the Cryptographic service provider and bit length. Leave the provider as Microsoft RSA SChannel Cryptographic Provider and change the bit length to 2048 for most implementations: the default is 1024, and some Certificate Authorities no longer issue certificates for 1024-bit keys. Click Next, specify a filename for the request and click Finish.

You are now ready to submit the CSR to the Certificate Authority of your choice. When the request has been processed, the Certificate Authority will provide you with the file necessary to complete the request on your server.

Once you have received the response file from the Certificate Authority, it is time to complete the request process. Log back on to the server where you generated the CSR. Open IIS Manager and click on the server name in the Connections box on the left. In the right hand window, double click on Server Certificates. Click on Complete Certificate Request…

Navigate to the folder where you saved the response from the Certificate authority. Enter the requested domain name in the Friendly name: input box.

Click OK and the request will be completed and the certificate will be installed. You are now ready to bind your website to the SSL port 443 and assign your new certificate.

Click on the [+] sign by Sites to expand the list of websites on your server. Select your site by clicking on its name. Click on Bindings in the Actions pane.

Click on Add in the Site Bindings window. Change the Type: to https and click on the dropdown arrow in the SSL certificate box. Select the certificate you just installed (it is listed under the friendly name you gave it, i.e. your domain name) and click OK.

Your website is now ready to serve SSL encrypted data via the Internet to your customers. This process is slightly different if you are using a different web server but the general concepts are still the same.

How to install an SSL certificate for Apache, from start to finish

  1. Create an SSL key to use to generate the certificate signing request

    (Save this, you'll need it to install the certificate). To generate the key for the Certificate Signing Request (CSR) run the following command from a terminal prompt. Use a 2048-bit key: the IIS walkthrough above makes the same point, and some Certificate Authorities no longer issue certificates for 1024-bit keys.

    openssl genrsa -des3 -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Enter a passphrase.

    Now we'll remove the passphrase from the key, so that you don't have to enter it whenever you restart Apache. Keep the encrypted original as a backup, and make sure the unencrypted copy is readable by root only, since anyone who can read it can impersonate your site:

    openssl rsa -in server.key -out server.key.insecure
    mv server.key server.key.secure
    mv server.key.insecure server.key
    chmod 600 server.key
  2. Generate a certificate signing request

    openssl req -new -key server.key -out server.csr
    It will prompt you for the country, organisation, Common Name, email address and so on. The Common Name must be the site's hostname exactly as users will type it (for example www.example.com), otherwise browsers will warn that the certificate does not match the site. Once you enter all these details, your CSR will be created and stored in the server.csr file.
    You can now submit this CSR file to a Certificate Authority (CA) for processing. The CA will use this CSR file and issue the certificate.
  3. Purchase an SSL certificate

    You will be asked to supply the CSR that you generated in #2.
  4. Install the SSL key from #1, the SSL certificate from #3, and the CA's intermediate certificates (aka "bundle" or "chain") that the CA supplies with it. Without the intermediates, browsers that do not already have them cached will reject the certificate as untrusted.

    On an Ubuntu server, I usually upload the files to /etc/apache2/ssl/, the directory the vhost below points at:

  5. Modify your Apache vhost

    Note: without Server Name Indication (SNI), Apache can serve only one SSL vhost per IP address and port, because the certificate has to be chosen before the Host header is seen. SNI (Apache 2.2.12 or later built against OpenSSL 0.9.8j or later) lifts that limit for clients that support it.
    Replace {ip_address} with the public IP address of the server, and fill in the file names you uploaded in step 4:

    <VirtualHost {ip_address}:443>
        DocumentRoot /var/www/vhosts/
        SSLEngine on
        SSLVerifyClient none
        SSLCertificateFile /etc/apache2/ssl/
        SSLCertificateKeyFile /etc/apache2/ssl/
        SSLCertificateChainFile /etc/apache2/ssl/
        <Directory /var/www/vhosts/>
            AllowOverride All
            order allow,deny
            allow from all
            Options -Includes -ExecCGI
            AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/x-javascript
        </Directory>
    </VirtualHost>
  6. Restart Apache

    /etc/init.d/apache2 restart

Thursday, 14 June 2012

Facebook to Let Advertisers Bid on Ads Using Your Browser Data

For a company less than ten years old, Facebook has developed some surprisingly sophisticated ways to sell your information to advertisers.

Each time you Like a band, book, restaurant or service, Facebook uses that information to tailor ads that would appeal to you. Now the company is helping its advertisers tune into your external Internet behavior as well.

According to a Bloomberg report Wednesday, a new service called Facebook Exchange will allow advertisers to target users based on their browsing history.

Your computer already remembers your history via cookies. The Facebook Exchange program will place cookies on third-party sites, usually when a user has shown an intent to buy.

After that, the Facebook ads you see may be based on that cookie. So if you’re in the market for a car and peruse car reviews online, your computer will remember — and thanks to Facebook Exchange, this will increase the likelihood that you’ll see ads for cars on the social network.

Up to this point, Facebook ads – while targeted based on your interests – have not been linked to your history outside the site.

The Exchange program should give advertisers a better idea of whether you really intend to buy something or not — and will let them bid to place an ad on your profile. The ads you see will depend on who won that bid. To fully opt out, you’re going to have to go through the messy process of disabling those third-party cookies.

Wednesday, 13 June 2012

Install Trusted SSL Certificate in Cisco UCS Manager

One of the tasks you should complete during the installation of the Cisco UCS Manager is configuring the Fabric Interconnects with a trusted SSL certificate. The procedure is straightforward and only needs to be completed once, since the two Fabric Interconnects are clustered and the configuration is replicated between the two devices. In my example I'm using a Windows Server 2008 R2 Certificate Authority; any CA should work, but the steps will vary a bit.

1. Login to your Windows CA web services site (https://yourCA/certsrv) and click on Download a CA certificate, certificate chain, or CRL.

2. On the next screen select the current root certificate, Base 64 encoding, and then click on Download CA certificate chain.

3. Save the P7B certificate file and open it in a text editor such as Notepad. Copy the contents of the file to the clipboard.

4. Login to the Cisco UCSM and click on the Admin tab. Right click on Key Management and select Create Trusted Point. Enter a name for this trust point, such as the name of your CA. Then paste the contents of the clipboard into the certificate chain window. Click OK.

5. Right click on Key Management and select Create Key Ring. Enter a keyring name and select the modulus (I'd pick 2048). Left click on the new keyring and then click on Create Certificate Request. In the certificate request fill in the appropriate information. Use the FQDN for the "DNS" field and the short hostname for the "Subject" name. The IP address should be the UCSM VIP (cluster) IP address. Click OK.

6. In the next window copy the request text to the clipboard. Log in to your Windows CA, then click on Request a certificate, advanced certificate request, then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file. Paste the certificate request into the window provided and select the appropriate certificate template, such as Web Server.

7. Download the certificate as Base 64 encoded, open it in Notepad, then copy the contents to the clipboard. Back in UCSM, under the certificate request expand Certificate, select the trust point you created in step 4, then paste the certificate into the window. Click Save Changes.

8. In the Admin tab under Communication Management click on Communication Services. Change the HTTPS configuration to use the new keyring that you configured.

9. If you now log out of UCSM and connect to the URL with your web browser your browser should now show a trusted certificate for the management interface.

And there you go! Your UCS Fabric Interconnects are now using a trusted SSL certificate.

Tuesday, 12 June 2012

Apple Kicks Google Maps Off iOS

As expected, Apple has announced its own mapping solution for iOS 6, featuring real-time traffic conditions, turn-by-turn navigation, Yelp integration, vector graphics, and 3D flyovers. The new Maps app, due out this fall with iOS 6, means the end of the Google Maps-powered app that iOS devices have used since 2007.

For iOS users, this news comes not a moment too soon--many of the features Apple announced Monday have been available on Google Maps for Android for years. Apple's break with Google means the iPhone maker can finally offer significant improvements to Maps on iOS instead of relying on a reluctant partner/competitor to bring new maps features to Apple devices.

If you have an iOS device, chances are the new Maps app will be arriving on your handset, since nearly every popular iOS device in use today (with the exception of the original iPad) is getting iOS 6. Apple introduced the new Maps app during the keynote address at the company's Worldwide Developer's Conference (WWDC) in San Francisco.

Here's how the new Apple-designed Maps app matches up to the old Google-powered one.

The New Stuff

There are several new additions to the iOS Maps app, including a visual redesign that uses vector-based graphics instead of bitmap images. Vector graphics are drawn by the device based on a set of instructions, instead of loaded from a remote server. This change means that it will be easier for users to pan across a map quickly, without having to wait for new map images to load every few seconds. Google introduced vector graphics for Google Maps for Android in 2010.

Apple has also integrated real-time traffic information and turn-by-turn navigation into its new Maps app. There are numerous third-party apps on iOS that offer turn-by-turn navigation, but having a baked-in version is slowly becoming the standard. Nokia has offered this option with its smartphones for some time, and Google added the capability for Android handsets in 2009.

The new Maps app will also include local information for more than 100 million businesses worldwide at launch, as well as integrated Yelp reviews. Apple first integrated Yelp information into the iPhone with the introduction of Siri on the iPhone 4S.

Similar to the recently announced Google Maps overhaul, Apple's maps in iOS will be getting photo-realistic 3D flyovers for major urban areas across the world. However, Google's 3D flyovers are actual images, while Apple appears to be using detailed and lifelike computer-generated models.

The Not-So-New Stuff

As mentioned earlier, Apple will be offering local information for more than 100 million businesses worldwide. Maps for iOS already offers local information, but we'll have to wait for the final product to see if the new Maps app matches up to the current Google-powered local listings.

Apple is also making a big deal about Siri integration with the new Maps app. The thing is, Siri was already integrated with Maps--allowing users to say things such as "show me the nearest coffee shop," and see their results on a map. In iOS 6, however, when users ask Siri for directions to a coffee shop the Maps app will also be able to supply turn-by-turn navigation, instead of just directions. Google added voice command navigation in Google Maps for Android in 2010.

The End of the Road

Apple didn't come right out and say this, but it's a good bet that Google's Street View feature will be gone in iOS 6. Maps will also be losing walking and transit directions, but Apple said during the WWDC keynote that it plans to incorporate third-party solutions into the Maps app for metro transit information.

Monday, 11 June 2012

4 Tips to Protect Your Small Business Against Cyberattacks

You may think that cybersecurity is only important for major companies, but think again. Small businesses are particularly vulnerable to cyberattacks: Without the big security budgets of Fortune 500 companies, they’re seen as easy prey by digital information thieves and corporate espionage experts. And if you’re hit by an attack, you should be prepared to face a revenue loss of up to $10,000 (or more) if your website goes down in the process. That’s a lot of money for a small business to lose, and it can happen at any time.

How can a small business protect against cyberattacks and information leaks without breaking the bank? Mashable spoke with Rick Doten, former chief scientist for cybersecurity at Lockheed Martin and current vice president of cybersecurity at DMI, a leading cybersecurity solutions provider, for his advice.

1. Smart Passwords

Doten’s first piece of advice for securing small business may also be the cheapest and simplest move: using better passwords.

“I’ve spent 10 years running ethical hacking groups, and most of the ways we got in [to target networks] was because of weak passwords,” says Doten.

What, exactly, makes up a “better” password? Doten says it should be highly complex, difficult to guess and at least eight characters — so “deJ1s4qFDAS” is much better than “superman.”

“The longer the better,” says Doten. “Mnemonics help, too. Take the first letter of each word in a sentence such as, ‘Don’t forget to feed your dog.’ 15 characters, with mixed upper case, lower case and numerical symbols will be much harder for a would-be hacker to crack.”

2. Mobile Device Education

Explaining the importance of mobile cybersecurity to each and every employee is critical, says Doten. This is especially important if some employees aren’t particularly technology-savvy or if a company allows employees to connect to an internal network via a personal device, such as an iPad.

“Companies today are getting access to adversaries’ [digital] environments by hacking into employees’ devices,” says Doten. “One of the things compounding that is the rapid development of mobile devices and the ‘bring your own device’ concept. Small businesses should manage what devices employees are allowed to use on internal networks, what’s allowed to go on those devices and use encryption appropriately.”

Luckily for small businesses, there are fewer employees to educate and fewer devices to manage than at larger firms, which Doten believes gives them an advantage. Small businesses can bring in cybersecurity experts to host training seminars on mobile security.

“Small businesses can implement [device management] much easier than larger firms,” he explains. “Understand that people make mistakes, but people can do risky things that can cause an impact on the business.”

3. Social Media Education

Doten acknowledges that companies should allow employees to post online about the company in a positive light, but cautions that employees who use social media too carelessly can give away sensitive details about a firm’s internal business.

“Depending on what your business does, you might be tipping your hand to competitors to what you’re doing or who your customers are,” says Doten. “If I see someone tweeting about a conference in Omaha, I can guess what’s happening there. Social media’s great from a competitive counter-intelligence point of view. I can learn a lot [by] following tweets.”

Doten says that employees should be encouraged to tweet, but should be taught how to do so in a way that doesn’t reveal any trade secrets to the public or competing businesses.

“We’ve got a generation of employees sharing a lot,” says Doten. “And that can pose a risk.”

4. Risk Management

Finally, Doten says that small businesses should look at cybersecurity from the perspective of risk management.

The core of your business, says Doten, will determine how much focus — and budget — you should place on protecting your systems. An e-tailer whose entire business is online and done on the front-end, for example, stands to lose a great deal of business if its servers are knocked offline for a substantial period of time.

“Companies should be asking themselves, ‘What do we have to protect?’ And, ‘What would impact our business the most?’” says Doten.

Doten also points out that cybercriminals often use lesser-protected small businesses as a “digital bridge” to attack larger firms with which they have a relationship. That, says Doten, can make unprepared small firms a less attractive business partner in the future, getting in the way of potentially lucrative business deals. That prospect, he adds, should be weighed in calculations about cybersecurity budgets.

Sunday, 10 June 2012

How to install a GeoTrust SSL certificate on an Apache server

To install the GeoTrust SSL certificate on Apache, follow these steps:

Step 1: Download the Geotrust intermediate CA Certificates

To download the Geotrust intermediate CA Certificates, refer to article AR1421

Save the intermediate certificate file into a directory, for example /usr/local/ssl/crt/intermediate.crt - Note the path and filename the certificate file was saved in as it will need to be referenced when updating the Apache configuration file.

Step 2: Download the SSL Certificate

Your SSL certificate will be sent embedded in the body of the email. Copy the certificate text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and paste it into a plain text editor such as Notepad or vi. Do not use Microsoft Word or another word processor, which may add characters or extra spacing. Confirm that there are no extra lines or spaces in the file.

1. After pasting the certificate text into the text editor, save the file with a .crt extension, for example cert.crt.
2. Save the certificate file into a directory, for example /usr/local/ssl/crt/cert.crt. Note the path and filename, as it will need to be referenced when updating the Apache configuration file.

Step 3: Configure the Server

In order to use the key pair, the configuration file will need to be updated.  To update the file:

1. Open the configuration file and find the Virtual Host settings.
2. Verify that you have the following 3 directives within this Virtual Host and add them if they are not present:

SSLCertificateFile /usr/local/ssl/crt/public.crt 
SSLCertificateKeyFile /usr/local/ssl/private/private.key 
SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt 

If you are using a different location and certificate file names than the example above (which most likely you are), change the path and filename to reflect your server.

Note: Some instances of Apache contain both an httpd.conf and an ssl.conf file. Enter or amend the above directives in httpd.conf or in ssl.conf, not both, as the duplicate settings will conflict and Apache may not start.

The VirtualHost should be configured as follows. Fill in the certificate and key file names for your server; the SSLProtocol line explicitly disables SSLv2 and SSLv3, which a bare "SSLProtocol all" would still offer to clients:
<VirtualHost [IP ADDRESS]:443>
                DocumentRoot /www/home
                ErrorLog /www/home/logs/error_log
                SSLEngine on
                SSLProtocol all -SSLv2 -SSLv3
                SSLCertificateFile /etc/httpd/conf/ssl.crt/
                SSLCertificateKeyFile /etc/httpd/conf/ssl.key/
                SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt
                ServerPath /home
                <Directory "/www/home">
                </Directory>
</VirtualHost>

3. Save your config file, check it with apachectl configtest, and restart Apache. On Apache 2.2 you can do so with the apachectl script:

apachectl stop

apachectl startssl

(apachectl startssl was removed in Apache 2.4; there SSL is enabled by SSLEngine on alone, so use apachectl restart.)

Check that Apache has started successfully. If it fails to start, check the Apache error log for hints on the problem; "key values mismatch" means the certificate and the private key do not belong together.
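Before restarting, it is worth checking that the three files the vhost points at actually belong together. The script below is an added example, not part of this post, of the Apache walkthrough further up the page, or of any GeoTrust tool; it serves both Apache posts on this page and assumes only that the openssl command-line tool is installed (every path is an argument). check_ssl_files compares the public key inside the certificate with the one derived from the private key, which is what goes wrong when a CA response is installed against the wrong CSR, and then verifies the certificate against the chain file. demo_check builds a throwaway CA and leaf certificate as constructed test data so the whole thing runs offline.

```shell
#!/bin/sh
# Added example, not from either Apache post on this page. Checks that the files
# an SSL vhost will point at (SSLCertificateFile, SSLCertificateKeyFile,
# SSLCertificateChainFile) belong together before Apache is restarted.
# Assumes only the openssl CLI; every path is an argument.

# check_ssl_files CERT KEY CHAIN
#   0 when KEY is the private key for CERT and CERT verifies against CHAIN,
#   1 on a key/certificate mismatch, 2 when the chain does not verify.
check_ssl_files() {
    cert=$1; key=$2; chain=$3

    # 1. The public key inside the certificate must equal the public key
    #    derived from the private key; a CA response installed against the
    #    wrong CSR fails here rather than at "apachectl start".
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "mismatch: $key is not the private key for $cert" >&2
        return 1
    fi

    # 2. Build the path CERT -> CHAIN. -CAfile trusts every certificate in the
    #    file, so CHAIN must end in a root; for a bundle of intermediates only,
    #    use "-untrusted $chain" and let openssl use the system trust store.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "chain: $cert does not verify against $chain" >&2
        return 2
    fi
    return 0
}

# demo_check: constructed test data (a throwaway CA, a leaf it signs, and an
# unrelated key), exercising the match and the mismatch outcomes. Returns 0
# when both behave as expected.
demo_check() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Throwaway Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1

    good=0; check_ssl_files "$d/server.crt" "$d/server.key" "$d/ca.crt" || good=$?
    bad=0;  check_ssl_files "$d/server.crt" "$d/other.key"  "$d/ca.crt" 2>/dev/null || bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Run check_ssl_files /path/to/cert.crt /path/to/private.key /path/to/chain.crt before the restart. With a real CA bundle that contains only intermediates, either append the CA's root to the chain file for this check or change -CAfile to -untrusted so that openssl completes the path from the system trust store; the file you hand to SSLCertificateChainFile itself should hold the intermediates only.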

For instructions on creating a Private Key and CSR in apache, refer to article AR876

Friday, 8 June 2012

How to obtain the highest assurance from SSL certificates

Secure Sockets Layer (SSL) is a transport-level protocol for authentication and data encryption between a Web server and a Web browser, i.e. for sending documents around the Internet and the Web.

The protocol relies on a third party, a Certificate Authority (CA), to vouch for the identity of one or both ends of the connection. While criticisms have been levelled against the protocol, it remains the only widely implemented and adopted standards-based security tool available to Web site and IT infrastructure operators.

A certificate issued by a CA after organisation validation means that a correlation has been established between the company's existence, as shown by its company registration information, and the registration of the company's Internet domain with the domain registrar. Not only are the names on the two registrations checked for accuracy and consistency with the relevant registration authorities, but the CA also checks that the requester is employed by, and authorised to apply for the certificate on behalf of, the organisation.

An Extended Validation (EV) certificate is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria, laid down by the international CA/Browser Forum, require extensive verification of the requesting entity's identity by the CA before a certificate is issued: for example, the checks may have to be confirmed by an external legal practitioner, and further, more stringent verification measures apply as the Forum's guidelines dictate.

“An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring Web site operators to undergo vetting with a Certificate Authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce 'domain validation only' SSL certificates for which minimal verification is performed of the details in the certificate,” commented Maherry.

“Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the Web site owner has been validated or not. As a result, fraudsters, including phishing Web sites, have started to use SSL to add perceived credibility to their Web sites.

“Thus, it is important that the CA utilized for the issuing of certificates is chosen very carefully,” continued Maherry. “Fortunately, that doesn't mean utilizing an overseas CA, as there are local companies, such as TheSSLStore, that can be chosen to issue these EV certificates on behalf of reputable public CAs such as Entrust. Also, the major versions of the various browsers recognize an EV certificate and change the top bar on these sites to 'green bar', so as to clearly indicate this more secure situation. This clear, visual indicator of trust is implemented so as to easily allow users to recognize a high assurance site. This can be especially important where people come to a site and rely on the information, eg the JSE Web site.

“In addition, it should also be remembered that SSL certificates are not only required for server-to-browser situations, but are needed for Outlook Webmail Access, Web-based VPN access and server-to-server mutual authentication. In many instances, a company may not be aware of all the numerous SSL certificate expiry dates that exist within its organisation, many of which may well be different. This potentially exposes an organisation to a significant business risk. Again, this situation needs to be handled appropriately, and managed by a Certificate Management System, which can report on the issued certificate base and order, renew, monitor and track SSL certificates. Certificate Discovery tools can also be implemented by solutions integrators such as ourselves, who can report and manage internally issued certificates as well as the SSL certificates issued from any third-party public CAs,” concluded Maherry.
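The expiry problem Maherry describes has a cheap first step on any host that stores its certificates as files. The script below is an added example, not part of the article and not any vendor's certificate management or discovery product; it assumes only the openssl command-line tool, and the directory and file extensions it scans are arguments and assumptions of the example. inventory walks a directory, skips files that are not certificates, and prints the expiry date and subject of each one, flagging those that expire within the given number of days using openssl's -checkend; demo_inventory generates two self-signed certificates as constructed test data to show both outcomes.

```shell
#!/bin/sh
# Added example, not from the article or any vendor tool. A minimal on-host
# certificate inventory: for every PEM certificate under a directory, print
# its expiry date and subject and flag those expiring within N days.
# Assumes only the openssl CLI; the directory and the extensions scanned
# (.crt, .pem, .cer) are assumptions of the example.

# cert_expiring_within DAYS CERT -> 0 if CERT expires within DAYS days (or already has)
cert_expiring_within() {
    days=$1; cert=$2
    secs=$(( days * 86400 ))
    # -checkend exits non-zero when the certificate will have expired SECS seconds from now
    if openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# inventory DAYS DIR -> one line per certificate: notAfter|subject|status|path
inventory() {
    days=$1; dir=$2
    find "$dir" -type f \( -name '*.crt' -o -name '*.pem' -o -name '*.cer' \) | sort |
    while read -r f; do
        # skip anything openssl cannot parse as a certificate (keys, CSRs, junk)
        enddate=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || continue
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
        if cert_expiring_within "$days" "$f"; then status=EXPIRING; else status=ok; fi
        printf '%s|%s|%s|%s\n' "${enddate#notAfter=}" "${subject#subject=}" "$status" "$f"
    done
}

# demo_inventory: constructed test data, two self-signed certificates valid for
# 1 and 365 days. Returns 0 if a 30-day scan flags only the short-lived one.
demo_inventory() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=short.example.com" \
        -keyout "$d/short.key" -out "$d/short.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=long.example.com" \
        -keyout "$d/long.key" -out "$d/long.crt" 2>/dev/null || return 1
    out=$(inventory 30 "$d")
    rm -rf "$d"
    echo "$out" | grep -q 'short.example.com|EXPIRING' &&
    echo "$out" | grep -q 'long.example.com|ok' &&
    [ "$(echo "$out" | wc -l | tr -d ' ')" -eq 2 ]
}
```

Something like inventory 30 /etc/apache2/ssl run from cron gives a month's warning for certificates stored on that host; it says nothing about certificates that live only in a Windows certificate store, a load balancer or a UCS keyring, which is where a network-side discovery scan of port 443 has to take over.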

Wednesday, 6 June 2012

6 keys to SSL and choosing the right cloud provider

Cloud computing is quickly changing the IT landscape, perhaps most prominently in healthcare.

But, according to a recent whitepaper by digital certificate provider GeoTrust, cloud services also pose "significant potential risks for enterprises that must safeguard corporate information assets while complying with a myriad of industry and government regulations."

With that said, GeoTrust helped outline six keys to understanding SSL and choosing the right cloud provider for you. 

1. Recognize the additional security challenges cloud technologies pose. 
Although there are obvious benefits of cloud technology, compliance and data privacy have slowed enterprise adoption, according to the report. "An IDC survey of IT executives reveals that security is the #1 challenge facing IT cloud services," it read. The report added that Gartner Research identified seven specific areas of security risk associated with enterprise cloud computing, and organizations should consider several of them when selecting a provider. They include access privileges, regulatory compliance, data location, and monitoring and reporting. "To reap the benefits of cloud computing without increasing security and compliance risks, enterprises must ensure they work only with trusted service providers that can address these and other cloud security challenges," it read. "What's more, when enterprises move from using just one cloud-based service to using several from different providers, they must manage all these issues across multiple operators."

2. Learn the ins and outs of SSL. Secure Sockets Layer (SSL) is a security protocol used by Web browsers and servers to protect data in transit. According to the report, it is the standard for establishing trusted exchanges of information over the Internet. "Without the ubiquity of SSL, any trust over the Internet simply would not be possible," it read. SSL delivers two services that help solve some cloud security issues: encryption of the session, and authentication of the server and its domain. Understanding the "SSL handshake," said the report, means knowing the importance of public and private key pairs as well as verified identification information. "[I]t can begin a secure session that protects data privacy and integrity," the report read.

3. Take steps to ensure data segregation and secure access. Data segregation risks are "ever-present" in cloud storage, according to the report. "With traditional onsite storage, the business owner controls both exactly where the data is located and exactly who can access it," it read. "In a cloud environment, that scenario is fundamentally changed; the cloud service provider controls where the servers and the data are located." But a proper implementation of SSL can secure sensitive data. To ensure this, the report advised that a potential cloud provider should provide three things: encryption, authentication, and certificate validity. "Businesses should require their cloud provider to use a combination of SSL and servers that support … 128-bit session encryption," it read. "[They] also should demand that server ownership be authenticated before one bit of data transfers between servers."

4. Keep regulatory compliance in mind. "When it comes to secure and confidential data, businesses are burdened with a slew of regulations," read the report, with HIPAA being the most notable for healthcare organizations. "When an organization outsources IT to a cloud service provider, the organization is still responsible for maintaining compliance with [HIPAA] and any other applicable regulations – and possibly more depending on where the servers and the data are at any given moment." The report mentioned since the enterprise IT manager can't rely solely on the cloud provider to meet requirements, he/she should require the provider to seek some compliance oversight. "Cloud computing providers who refuse to undergo external audits and security certifications are signaling that customers can only use them for the most trivial functions," the report read.

5. Know that not all SSL is created equal. The "chain of trust" when employing a cloud provider should also extend to their security provider, according to the report. "The cloud vendor's security is only as good as the reliability of the security technology they use," it read. Furthermore, organizations need to make sure their cloud provider obtains its SSL certificates from a CA whose issuing process cannot be subverted. In addition to ensuring the SSL certificate comes from an authorized third party, they should demand security requirements such as a certificate authority that safeguards its global roots, a certificate authority that maintains a disaster recovery backup, a chained hierarchy supporting their SSL certificates, global roots using new encryption standards, and secure hashing using the SHA-1 standard, "to ensure that the content of certificates can't be tampered with." (SHA-1 has since been deprecated for certificate signatures; SHA-256 is the current baseline.)

6. In the end, go with what you know. "SSL is a proven technology and a keystone of cloud security," the report read. "When an enterprise selects a cloud computing provider, the enterprise should consider the security options selected by that cloud provider." Knowing that a cloud provider uses SSL, said the report, can go a long way toward establishing confidence. Also, when selecting a cloud service provider, enterprises should be very clear with their partners regarding handling and mitigation of risk factors not addressable by SSL. "Cloud providers should be using SSL from an established, reliable and secure independent certificate authority," it read.

Sunday, 3 June 2012

Flame signed with Microsoft certs

Microsoft has issued an emergency patch revoking digital certificates used to sign the Flame malware.

The patch revoked three intermediate Microsoft certificates used in active attacks to “spoof content, perform phishing attacks, or perform man-in-the-middle attacks”.

Microsoft also killed off certificates that were usable for code signing via Microsoft’s Terminal Services licensing certification authority (CA) that ultimately “chained up” to the Microsoft Root Authority.

The authority issued certificates for users to authorise Remote Desktop services in their enterprises.

Flame (Worm.Win32.Flame) had existed since 2010 and spread via removable media, according to the CERT, and by exploiting a patched Microsoft printer hole -- the same tapped by Stuxnet. It contained a backdoor and trojan and had worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so.

Components of the sophisticated Flame malware were signed by the certificates using “an older cryptography algorithm [that] could be exploited and then be used to sign code as if it originated from Microsoft”, Microsoft security response centre senior director Mike Reavey said in an advisory.

The bugged algorithm “provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft”.

“Now things may make sense with the Flame hoopla: It used the fake, but ‘valid’, MSFT certificate,” SANS Institute chief research officer Johannes Ullrich said in a tweet.

The bulletin did not specify who accessed the certificates.

The thumbprints of the untrusted certificates:

Intermediate PCA: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
Intermediate PCA: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
Registration Authority CA (SHA1): fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97
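To check whether a certificate you hold on disk (for instance one extracted from a signed binary's chain, or from a Terminal Services licensing server) is one of the three listed above, compare its SHA-1 thumbprint with the list. The script below is an added example, not part of the original post or of Microsoft's update; it assumes only the openssl command-line tool, and the file paths are arguments. The Windows "thumbprint" is the SHA-1 hash of the certificate's DER encoding, which is exactly what openssl x509 -fingerprint -sha1 computes; normalise_thumbprint strips spaces and colons so that the advisory's spacing, openssl's colon-separated output and certutil's compact form all compare equal. demo_thumbprint builds a self-signed certificate as constructed test data, confirms the thumbprint against the DER hash computed the long way, and checks that it is not on the list.

```shell
#!/bin/sh
# Added example, not from the original post or Microsoft's update. Looks up the
# SHA-1 thumbprint of a certificate file in the list of untrusted intermediates
# quoted above. Assumes only the openssl CLI; file paths are arguments.

# The three thumbprints quoted in the post, in the advisory's own spacing.
UNTRUSTED_THUMBPRINTS="
2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97
"

# normalise_thumbprint STRING -> the same hex digits in lowercase, with the
# separators used by the advisory (spaces), openssl (colons) or certutil (none) removed
normalise_thumbprint() {
    printf '%s' "$1" | tr -d ' :' | tr 'A-F' 'a-f'
}

# cert_thumbprint FILE -> normalised SHA-1 thumbprint of the certificate in FILE.
# The Windows thumbprint is the SHA-1 of the DER encoding, which is exactly what
# "openssl x509 -fingerprint -sha1" prints. PEM is tried first, then DER (.cer).
cert_thumbprint() {
    fp=$(openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha1 2>/dev/null) ||
    fp=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1 2>/dev/null) ||
    return 2
    normalise_thumbprint "${fp#*=}"       # drop the "SHA1 Fingerprint=" prefix
}

# cert_is_untrusted FILE -> 0 if the thumbprint is on the list, 1 if not, 2 if unreadable
cert_is_untrusted() {
    tp=$(cert_thumbprint "$1") || return 2
    for entry in $(printf '%s\n' "$UNTRUSTED_THUMBPRINTS" | tr -d ' '); do
        [ "$(normalise_thumbprint "$entry")" = "$tp" ] && return 0
    done
    return 1
}

# demo_thumbprint: constructed test data (a fresh self-signed certificate).
# Returns 0 if cert_thumbprint agrees with the SHA-1 of the DER encoding
# computed the long way, and the certificate is (of course) not on the list.
demo_thumbprint() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=thumbprint.test" \
        -keyout "$d/t.key" -out "$d/t.crt" 2>/dev/null || return 1
    want=$(openssl x509 -in "$d/t.crt" -outform DER | openssl dgst -sha1)
    want=${want##* }                       # "SHA1(stdin)= abc..." -> "abc..."
    got=$(cert_thumbprint "$d/t.crt")
    rc=0; cert_is_untrusted "$d/t.crt" || rc=$?
    rm -rf "$d"
    [ "$got" = "$want" ] && [ "$rc" -eq 1 ]
}
```

Checking a leaf certificate on its own is not enough here: the three thumbprints belong to intermediate CAs, not to the code-signing certificate itself, so run cert_is_untrusted over every issuer certificate in the chain you extracted, not just the end entity.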