Venafi: Microsoft's Recent Certificate Issue Common To Global 2000
That's according to Jeff Hudson, CEO of Venafi, a Salt Lake City, Utah-based provider of enterprise key and certificate management solutions, who points to MD5 certificates as a key point of vulnerability to the Global 2000.
“Three of the certificates used in Windows licensing and updates were broken by a hacker, who exploited the fact that those certificates use an MD5 hash,” he said. “MD5 has been known since 2005 to be breakable. The hackers then created a remanufactured certificate and inserted themselves in the middle, in order to use the compromised certificates that open the door for the malware, in this case Flame, to get installed.”
On Sunday, June 3, Microsoft issued a statement indicating that the vulnerability had been closed. The MD5 certificates had been removed, thereby eliminating that particular breach. But Hudson says a substantial number of MD5 certificates are still in use throughout the business community. This means the threat is still very real, and it is compounded by the fact that more hackers are now acutely aware of the MD5 vulnerability.
"These MD5 certificates live on almost every single network in the Global 2000," he said. "We've surveyed over 450 organizations, and 17.4 percent of the certificates in the Global 2000 sample are MD5. So the open door that the hackers used to co-opt the Microsoft programs, those are on corporate networks today. In fact, the number might actually be a lot higher than that."
Certificates support a wide variety of devices, including Web servers, load balancers, routers, printers, cell phones, etc. "So the MD5 certificates are very much at risk," he said. "It's not just Flame that is a threat. It could be anything. Now, every hacker in the world understands that MD5 is vulnerable. So, all they need to do is find MD5 certificates, break them, and then they have the keys to the kingdom."
Venafi's Hudson is advising channel partners to canvass their customer base to locate MD5 certificates and replace them with SHA-1 or SHA-2 certificates. He says it's also important to institute a tracking system so that future gaps in security can quickly be closed.
"You can't do commerce without certificates," he said. "But you also need to track the certificates, know where they are, know the expiration dates, and not set those expiration dates out too far into the future. Some people set the expiration dates out for 10 years because they don't want to deal with them. That's just poor management because it fails to take into account changes in the security environment. Ten years ago MD5 was okay, but not anymore."
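The two checks in this advice, finding MD5-signed certificates and flagging validity periods set too far out, can be run directly against DER-encoded certificates. The sketch below is an added example, not code from the article or from Venafi; the three-year lifetime limit, the function names and the constructed skeleton certificates are assumptions made for illustration.

```python
from datetime import datetime

MD5_RSA = "1.2.840.113549.1.1.4"  # md5WithRSAEncryption
MAX_YEARS = 3                     # assumed policy limit, not from the article

def read(buf, pos=0):             # -> (tag, value, next_pos) for one DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long form: low 7 bits give the length size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):              # split a constructed value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read(value, pos)
        out.append((tag, val))
    return out

def oid(body):                    # DER OID content bytes -> dotted string
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear marks the last byte of an arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def when(tag, val):               # 0x17 = UTCTime, otherwise GeneralizedTime
    return datetime.strptime(val.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def audit(der):                   # findings for one DER-encoded certificate
    cert = children(read(der)[1])               # tbsCertificate, sigAlg, signature
    tbs = children(cert[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip optional [0] version
    alg = oid(children(cert[1][1])[0][1])
    not_before, not_after = (when(*t) for t in children(tbs[3][1]))
    years = (not_after - not_before).days / 365.25
    checks = [("md5-signature", alg == MD5_RSA), ("long-lifetime", years > MAX_YEARS)]
    return [name for name, hit in checks if hit]

def sample(last_arc, nb, na):     # constructed skeleton cert (no key, dummy signature)
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + b"\x05\x00")
    validity = tlv(0x30, tlv(0x17, nb) + tlv(0x17, na))
    tbs = tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + alg + tlv(0x30, b"") + validity + tlv(0x30, b"")
    return tlv(0x30, tlv(0x30, tbs) + alg + b"\x03\x02\x00\x00")

LEGACY = sample(0x04, b"020101000000Z", b"120101000000Z")  # MD5, ten-year validity
MODERN = sample(0x0B, b"240101000000Z", b"250101000000Z")  # SHA-256, one-year validity
```

For real inventories, feed `audit` the DER bytes of each collected certificate (PEM must be base64-decoded first) and record the findings alongside the host and expiry date.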
Hudson points to his own product line as an important resource in helping the channel to resolve the MD5 issue. "We have a number of different products for managing certificates," he said. "One of them, which is called, ‘Assessor,’ will give you a report on how many MD5 certificates are on the network. We make this available to our channel partners so that they can close this vulnerability quickly and easily."