
Three Symantec Employees Fired for Issuing Fake Google SSL Certificates


Batu69

Symantec employees mistakenly leak test SSL certificates

Symantec was forced to fire 3 employees after Google's engineers found rogue SSL certificates issued in its name used in the wild.

SSL certificates are the technology through which browsers and Web service providers establish a secure, authenticated channel of communication.

They are used billions of times each day and have become standard practice for securing communications between users and banks, online shops, social networks, and almost any website that wants to protect its users and their private data from hackers and privacy-intruding government agencies.

Certificates are issued by a Certificate Authority (CA). There are numerous CAs around the world, all of which are recognized and trusted by browser makers to issue certificates only to authorized and verified clients.

One of those CAs is Symantec, a cyber-security vendor known primarily for its Norton antivirus engine.

Google's Certificate Transparency project was first to note the rogue SSL certs

This Friday, September 18, Google engineers working on Certificate Transparency, a project that publicly logs issued SSL certificates so that rogue ones used in the wild can be detected, found a series of fake Google.com SSL certificates that had been issued by Symantec. DigiCert's technicians also observed these rogue certificates in their logs.

What's worse is that these certificates were issued with an "extended validation" label, which means that Symantec had supposedly carried out extra checks to verify the real identity of the client that requested them, as Boing Boing reports. This detail was not officially confirmed by either Google or Symantec in their press releases.

Google has blacklisted the certificates in question. Since they were leaked only for a day, Google and Symantec don't believe they might have been used in real-world attacks.

If hackers had had more time, these rogue SSL certificates could have been used in MitM (man-in-the-middle) attacks, allowing malicious actors to intercept secure communications between users and Google-operated services, like Gmail, Google+, YouTube, and such.
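As an added illustration (not code from the article, Google, or Symantec), here is a small Python monitor over constructed CT-style records that flags any certificate naming a watched domain whose issuer is not a CA that domain's owner is known to use; this is the kind of check that surfaces mis-issuance like the one described above. The record layout, the issuer names and the EXPECTED_ISSUERS table are assumptions for the example.

```python
# Added example: a minimal mis-issuance monitor over pre-parsed, constructed
# CT-style records. Real CT logs hold signed DER certificates; here each
# record is a dict so the logic runs offline without any crypto library.

# Assumption: the CAs a domain owner actually uses. A certificate for a
# watched domain from any other issuer deserves a look even if it validates.
EXPECTED_ISSUERS = {
    "google.com": {"Google Internet Authority G2"},
}


def covers_watched(san, watched):
    """True if a SAN entry (optionally a wildcard) names `watched` or a subdomain of it."""
    host = san.lower()
    if host.startswith("*."):
        host = host[2:]          # *.google.com -> google.com
    watched = watched.lower()
    return host == watched or host.endswith("." + watched)


def check_record(rec, expected=EXPECTED_ISSUERS):
    """Return alert strings for one record; empty list when nothing is off."""
    alerts = []
    for watched, issuers in expected.items():
        hits = [s for s in rec["sans"] if covers_watched(s, watched)]
        if hits and rec["issuer"] not in issuers:
            kind = "EV " if rec.get("ev") else ""
            alerts.append(f"{kind}cert {rec['id']} for {', '.join(hits)} issued by "
                          f"{rec['issuer']!r}, not an expected issuer for {watched}")
    return alerts


def scan(records, expected=EXPECTED_ISSUERS):
    """Run check_record over a batch of records and collect every alert."""
    return [a for r in records for a in check_record(r, expected)]


# Constructed records mimicking what a CT monitor would surface (all values made up).
SAMPLE_RECORDS = [
    {"id": "rec-1", "issuer": "Google Internet Authority G2",
     "sans": ["*.google.com", "google.com"], "ev": False},
    {"id": "rec-2", "issuer": "Example Test CA (constructed)",
     "sans": ["www.google.com"], "ev": True},        # unexpected issuer -> alert
    {"id": "rec-3", "issuer": "Example Test CA (constructed)",
     "sans": ["www.example.net"], "ev": False},      # not a watched domain
    {"id": "rec-4", "issuer": "Example Test CA (constructed)",
     "sans": ["notgoogle.com"], "ev": False},        # suffix look-alike, no match
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```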

Not the first time rogue SSL certificates are detected in the wild

This is not the first time that this has happened. In 2011, the Dutch CA DigiNotar was breached and hackers issued hundreds of fake certificates. Some of these SSL certificates (also issued in Google's name) were used by the Iranian government to spy on political dissidents.

The DigiNotar incident was what convinced browser makers and certificate authorities around the world to create the Certificate Transparency project.

The same thing happened in December 2013, when ANSSI also mistakenly issued fake Google certificates, and at the end of March this year, when the CNNIC CA issued unauthorized digital certificates for several Google domains. After the last incident, Mozilla and Google removed trust in all of CNNIC's existing root and extended validation SSL certs.

Symantec has addressed the issue by firing the employees at fault

Investigating the recent incident, Symantec was quick to follow suit with Google's inquiries in the matter, fearing the ax hanging over its head.

In its official statement, the company says that these rogue certificates were issued for internal tests, and that they were immediately revoked when Google notified it of the leak.

"We discovered that a few outstanding employees [...] failed to follow our policies," said Quentin Kiu of Symantec. "Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process. [...] As much as we hate to lose valuable colleagues, we are the industry leader in online safety and security."


Digital certificates are a very good way to isolate legitimate programs from illegitimate programs. When you have malware signed with stolen certificates, it's not difficult, if you know what you're doing, to spot a fake certificate. If you have a random file that's signed by Realtek and you look the file name up online and it's not a recognized Realtek file, then you have yourself malware.


Just one problem. 99% of people don't care about certificates; most don't even know they exist. We (the 1%), while we do care about certificates, still don't trust them.



Even if you are looking at a file, if it is, say, "signed" by Microsoft, and is a Windows DLL with a legit name (overridden with malware appended), how exactly, without some tortuous process and services that are whitelisting huge collections of certs for you, do you verify that specific cert as trash? There are likely thousands of MS certs.

Also, if you're frantically checking files for fake certs, you've probably already been hacked, or convinced that you have been, and probably too late. If something on my OS has a "legit" cert, I'm probably not going to be aware of it unless it starts throwing up massive red flags, and the first thing I'm going to be looking for is unsigned crap in the autorun with dodgy names. The last place is going to be system daemons. At that point I've probably thrown my hands up and burned the OS vs verify every single system file that is signed and the hacked OS running while doing so.



That is why programs like Process Explorer are your friend, and the Sysinternals suite, full of useful programs, is very useful for forensic diagnostics. Checking digital certificates on system files without Process Explorer would be like looking for a needle in a haystack, and I completely agree I wouldn't want to mess with that situation. Thanks to Process Explorer and Autoruns I am pretty sure I'm not infected (I don't want to jinx myself). Unless you're dealing with an advanced persistent threat like Duqu 2.0, you're likely to be safer than you would think you are. Kaspersky ended up finding the Duqu infection, and it was only on their computers for two months. That infection doesn't target individuals like you and me. That doesn't mean we can't get infected, but the chance, with some updated antivirus and common sense, is slim to none.
