Stuxnet again…and its Symantec Certificate again!!
“sample that appeared to be very similar to Stuxnet”
“first recording of one of the binaries was on September 1, 2011”
“The certificate was revoked on October 14, 2011”
Why did it take Symantec 44 days to revoke the certificate they had issued (misissued?), even though they say the file appeared to be very similar to Stuxnet?
This can happen to any CA, such as COMODO too.
But the difference is that when it happens to COMODO, it only needs a few hours to stop and revoke.
Other CAs could take days, weeks or even months just to notice the problem.
It's good that COMODO takes these things very seriously, and the results are clearly seen when COMODO handles this situation with total transparency and in a very short period of time.
This is not my field, so please forgive any apparent ignorance by this question.
Why are Symantec masking/hiding the company name on the signed driver (cmi4432.sys)? Based on the MD5 supplied by Symantec, it seems that all the signature information has been stripped off the Virus Total submission of the driver as well. Wouldn’t this information help others? Or is this something that industry only shares with each other? Thanks.
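The question above turns on whether the driver sample on VirusTotal still carries its Authenticode signature block. One way a defender can check that for any PE file is to read the security data directory (index 4 in the optional header), which points at the embedded signature; if the entry is zero, the signature has been stripped (and, because stripping removes bytes, the file hash will no longer match a hash taken from the signed original). The following is an added example, not code from the original thread or from Symantec; the sample PE images it checks are constructed in the block (headers only, no sections), and the driver name cmi4432.sys is not involved.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot holding the Authenticode table


def security_directory(pe_bytes: bytes):
    """Return (file_offset, size) of the embedded Authenticode signature table,
    or None when the PE image carries no signature block.

    Note: the security directory's first field is a raw file offset, not an
    RVA, unlike every other data directory entry."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE\\0\\0 signature")

    coff = e_lfanew + 4                    # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == 0x10B:                     # PE32: data directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                   # PE32+: data directories start at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    # NumberOfRvaAndSizes sits immediately before the directory array.
    num_dirs = struct.unpack_from("<I", pe_bytes, dirs - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    offset, size = struct.unpack_from("<II", pe_bytes, entry)
    if offset == 0 or size == 0:
        return None                        # signature block absent or stripped
    return offset, size


def _build_sample(sig_offset: int, sig_size: int) -> bytes:
    """Constructed minimal PE32 image (DOS stub, PE header, optional header only)
    with the security directory set to the given offset/size. Hypothetical
    sample data for this example, not a real driver."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header
    coff = bytearray(20)
    opt = bytearray(96 + 16 * 8)                       # PE32 header + 16 directories
    struct.pack_into("<H", coff, 16, len(opt))         # SizeOfOptionalHeader
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     sig_offset, sig_size)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


# Constructed inputs: one image with a signature table, one with it stripped.
SIGNED_SAMPLE = _build_sample(0x400, 0x1234)
STRIPPED_SAMPLE = _build_sample(0, 0)


def describe(pe_bytes: bytes) -> str:
    """Human-readable verdict for a sample."""
    found = security_directory(pe_bytes)
    if found is None:
        return "no embedded Authenticode signature (stripped or never signed)"
    return "Authenticode table at file offset 0x%x, %d bytes" % found


if __name__ == "__main__":
    print("signed:  ", describe(SIGNED_SAMPLE))
    print("stripped:", describe(STRIPPED_SAMPLE))
```

A present directory only tells you a signature block exists; validating the chain, timestamp and revocation status still needs a full Authenticode verifier. The check is useful precisely for the situation in the thread: it distinguishes a sample whose signature was removed before upload from one that was never signed, and explains why a published hash of the signed file cannot match the stripped copy.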
How did the attacker obtain the Certificate to sign the code?
Did they steal it from the company? (where is the police report if this is the case?)
Did Symantec misissue?
I have a personal saying, but this can be said also for a company as a whole! “We all make mistakes; it’s what we do after that defines us (a person, but the same for a company).” So in other words, if one company makes a mistake and holds its hands up, listen, we’re only human, sorry it happened… we’re on it now to make sure this never happens again etc… then fair enough. It’s those who tried to pull the wool over your eyes that should not be let off lightly, such as the case in Symantec’s…
Fair enough, things have happened to Comodo, but their response was open for all to see, and we were always updated.
Not that I’m aware of. But, since Symantec are not disclosing their client’s name, I doubt that something like this would be easy to obtain.
However, a newer blog from Symantec’s Authentication Team does seem to indicate that Symantec doesn’t actually have any details on how the certificate was stolen…
.. We won’t speculate .. as to how the keys were compromised at the customer site in the Duqu situation ..
customer’s name has been revealed.
This is a serious theft that caused a huge amount of infection in key places. One would expect someone to report it to the police and have a report about it at least…