[Cryptography] Sony-certified malware
Jerry Leichter
leichter at lrw.com
Wed Dec 10 17:01:04 EST 2014
On Dec 10, 2014, at 1:17 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
> FYI -- Some thoughts come to mind: "kicking them when they're down", "shooting the wounded", "what goes around, comes around" ...
>
> Of course, this certificate has been revoked, so there's no problem, right ?
>
> http://arstechnica.com/security/2014/12/sony-attackers-also-stole-certificates-to-sign-malware/
>
> Sony attackers also stole certificates to sign malware....
Apropos a thread about concern in the financial sector: Signing games containing malware *after the attack has been made public* is amateur stuff. Imagine getting access to a bank's signing authority and issuing some big money transfers. (Even if the bank has an HSM and you can't actually extract the private keys, a Sony-level attack could well give you a way to create the necessary orders and have the HSM sign them for you.)
-- Jerry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141210/aad3f87b/attachment.bin>
More information about the cryptography
mailing list