[Cryptography] Sony "root" certificates exposed

Phillip Hallam-Baker phill at hallambaker.com
Mon Dec 15 22:43:29 EST 2014

On Mon, Dec 15, 2014 at 4:26 PM, Erwann ABALEA <erwann at abalea.com> wrote:
> 2014-12-15 16:02 GMT+01:00 Henry Baker <hbaker1 at pipeline.com>:
>> FYI --
>> http://arstechnica.com/security/2014/12/hackers-promise-christmas-present-sony-pictures-wont-like/
>> [...]
>> Also among the spoils in one of last week’s file dumps was a Sony Corp.
>> CA 2 “root” certificate -- a digital certificate issued by Sony’s corporate
>> certificate authority to Sony Pictures to be used in creating server
>> certificates for Sony’s Information Systems Service (ISS) infrastructure.
>> This may have been used to create the Sony Pictures certificate that was
>> used to sign a later version of the malware that took the company’s
>> computers offline.
> Has the private key of the corresponding certificate leaked? If not, that's
> no big deal, a certificate is public by nature.

There are three possible scenarios here:

1) Only the certificate leaked, very limited security consequences

2) The internal CA was breached and induced to issue bogus credentials,
pretty serious.

3) The private key was disclosed, game over...

Secure hardware makes it pretty much impossible for (3) to occur unless
there is an insider attack or a physical attack. I am pretty sure there
would be no report for (1), so my guess is that (2) occurred.

Given Sony has hired lots of ex-NSA security staff over the years, (3)
would be an awful embarrassment for Fort Meade.
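As an added example, not from this thread and not anything Sony published: a throwaway internal CA built with the openssl command line, used to show concretely what each of the three scenarios lets an attacker do, what a relying party can check, and what only the CA operator can check. Everything in it is assumed for illustration: the CA name "ExampleCorp CA 2", the hostnames and subject names, the file names, and the one-line issuance database standing in for a real CA's records.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway internal CA with the
# openssl CLI and walks the three scenarios. All names are invented.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/openssl.cnf"
# Minimal config so 'openssl req' does not depend on a system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF

# The CA. ca.key must never leave the HSM; ca.crt is public by design.
setup_ca() {
    openssl req -x509 -config "$CFG" -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/O=ExampleCorp/CN=ExampleCorp CA 2" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Fresh key + CSR under file prefix $1 with CN=$2.
make_csr() {
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=ExampleCorp/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Turn CSR $1 into a cert chained to the CA. Needs the CA *private* key $2.
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$2" -CAcreateserial \
        -days 30 -sha256 -extfile "$CFG" -extensions leaf_ext -out "$WORK/$1.crt" 2>/dev/null
}

# The CA's own issuance path: sign, then record the serial in its database.
ca_issue() {
    sign_csr "$1" "$WORK/ca.key"
    openssl x509 -in "$WORK/$1.crt" -noout -serial >> "$WORK/issued.db"
}

# Code signing: detached SHA-256 signature over file $2 with key $1.
sign_blob() { openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/$2.sig" "$WORK/$2"; }

# Relying-party check: signer cert $1 chains to the CA and the signature on $2 verifies.
verify_blob() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$1.crt" -pubkey -noout > "$WORK/$1.pub"
    openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/$2.sig" "$WORK/$2" >/dev/null 2>&1
}

# CA-side triage: is the serial of cert $1 in the CA's issuance records?
in_issuance_db() {
    grep -qxF "$(openssl x509 -in "$WORK/$1.crt" -noout -serial)" "$WORK/issued.db"
}

status() { if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi; }

setup_ca
: > "$WORK/issued.db"
for f in update.bin malware1.bin malware2.bin malware3.bin; do printf 'payload\n' > "$WORK/$f"; done

# Legitimate ISS server certificate, issued through the CA and recorded.
make_csr iss iss-server.example
ca_issue iss
sign_blob iss update.bin

# Scenario 1: attacker has only ca.crt. The most it allows is a look-alike
# self-signed cert with the same subject; nothing chains to the real CA key.
make_csr rogue1 "ExampleCorp CA 2"
openssl x509 -req -in "$WORK/rogue1.csr" -signkey "$WORK/rogue1.key" -days 30 -sha256 \
    -out "$WORK/rogue1.crt" 2>/dev/null
sign_blob rogue1 malware1.bin

# Scenario 2: the CA is induced to issue a cert for an attacker-controlled key.
make_csr rogue2 "Pictures Code Signing"
ca_issue rogue2
sign_blob rogue2 malware2.bin

# Scenario 3: attacker holds ca.key and issues outside the CA's process.
make_csr rogue3 "Pictures Code Signing"
sign_csr rogue3 "$WORK/ca.key"
sign_blob rogue3 malware3.bin

LEGIT=$(status verify_blob iss update.bin)     # yes
S1=$(status verify_blob rogue1 malware1.bin)   # no: a cert-only leak buys nothing
S2=$(status verify_blob rogue2 malware2.bin)   # yes: to a verifier, same as S3
S3=$(status verify_blob rogue3 malware3.bin)   # yes
S2_DB=$(status in_issuance_db rogue2)          # yes: the CA itself issued it
S3_DB=$(status in_issuance_db rogue3)          # no: never passed through the CA
printf 'legit=%s s1=%s s2=%s s3=%s s2_in_db=%s s3_in_db=%s\n' \
    "$LEGIT" "$S1" "$S2" "$S3" "$S2_DB" "$S3_DB"
rm -rf "$WORK"
```

The point the run makes: a relying party verifying the signed binary sees exactly the same thing in (2) and (3), a valid chain to the internal CA, which is why a report of a "Sony Pictures" signed sample only tells you that (1) is not the whole story. Separating (2) from (3) needs the CA's own side, here a serial that is or is not in its issuance records, in practice the CA database and the HSM's audit log. The response is the same either way: stop trusting that CA certificate, reissue under a new key, and treat every certificate it ever signed as suspect until reconciled against those records.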