[Cryptography] Sony-certified malware

Jerry Leichter leichter at lrw.com
Wed Dec 10 17:01:04 EST 2014

On Dec 10, 2014, at 1:17 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
> FYI -- Some thoughts come to mind: "kicking them when they're down", "shooting the wounded", "what goes around, comes around" ...
> Of course, this certificate has been revoked, so there's no problem, right ?
> http://arstechnica.com/security/2014/12/sony-attackers-also-stole-certificates-to-sign-malware/
> Sony attackers also stole certificates to sign malware....
Apropos a thread about concern in the financial sector:  Signing games containing malware *after the attack has been made public* is amateur stuff.  Imagine getting access to a bank's signing authority and issuing some big money transfers.  (Even if the bank has an HSM and you can't actually extract the private keys, a Sony-level attack could well give you a way to create the necessary orders and have the HSM sign them for you.)

                                                        -- Jerry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141210/aad3f87b/attachment.bin>

More information about the cryptography mailing list