Channel partners have their work cut out for them when it comes to reviewing their customers' security certificates in order to avoid the same type of breach that impacted Microsoft updates.
That's according to Jeff Hudson, CEO of Venafi, a Salt Lake City, Utah-based provider of enterprise key and certificate management solutions, who points to MD5 certificates as a key point of vulnerability to the Global 2000.
“Three of the certificates used in Windows licensing and updates were broken by a hacker, who exploited the fact that those certificates use an MD5 hash,” he said. “MD5 has been known since 2005 to be breakable. The hackers then created a remanufactured certificate and inserted themselves in the middle, in order to use the compromised certificates that open the door for the malware, in this case Flame, to get installed.”
On Sunday, June 3, Microsoft issued a statement indicating that the vulnerability had been closed. The MD5 certificates had been removed, thereby eliminating that particular breach. But Hudson says a substantial number of MD5 certificates are still in use throughout the business community. This means the threat is still very real, and it is compounded by the fact that more hackers are now acutely aware of the MD5 vulnerability.
"These MD5 certificates live on almost every single network in the Global 2000," he said. "We've surveyed over 450 organizations, and 17.4 percent of the certificates in the Global 2000 sample are MD5. So the open door that the hackers used to co-opt the Microsoft programs, those are on corporate networks today. In fact, the number might actually be a lot higher than that."
Certificates support a wide variety of devices, including Web servers, load balancers, routers, printers, cell phones, etc. "So the MD5 certificates are very much at risk," he said. "It's not just Flame that is a threat. It could be anything. Now, every hacker in the world understands that MD5 is vulnerable. So, all they need to do is find MD5 certificates, break them, and then they have the keys to the kingdom."
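For partners carrying out the certificate review described above, the check comes down to reading each certificate's signature algorithm and flagging MD5. The Python below is an added example, not code from the article or from Venafi; the function names, the host names and the certificate-shaped sample bytes are constructed for illustration.

```python
# Signature-algorithm OIDs treated as weak in this example (illustrative list).
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
        "1.2.840.113549.1.1.2": "md2WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes; assumes the first two arcs fit in one byte."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128 digits, high bit = more follows
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, start, _ = read_tlv(cert_der, 0)                # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, start)            # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert_der, tbs_end)  # signatureAlgorithm
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06) or oid_start == oid_end:
        raise ValueError("unexpected certificate layout")
    return decode_oid(cert_der[oid_start:oid_end])

def audit(inventory):
    """Map certificate name -> weak algorithm name; acceptable certificates are omitted."""
    return {n: WEAK[o] for n, d in inventory.items() if (o := signature_oid(d)) in WEAK}

def skeleton(alg_hex):
    """Constructed certificate-shaped DER for the demo; not a real, signed certificate."""
    body = bytes.fromhex("3003020101" + alg_hex + "03020000")  # tbs, algorithm, signature
    return bytes([0x30, len(body)]) + body

SAMPLE = {"printer.example": skeleton("300d06092a864886f70d0101040500"),  # MD5 with RSA
          "www.example": skeleton("300d06092a864886f70d01010b0500")}      # SHA-256 with RSA

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Real certificates in PEM form can be converted to DER with the standard library's `ssl.PEM_cert_to_DER_cert` before being passed to `audit`.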


