

Security certificates used to file the tax return online: at risk?



By default, Windows assigns a medium security level to a certificate when it is stored on its owner's computer.
This allows the certificate to be used without entering any password.
So says a security consultant who has created a tool that would steal and use certificates without the owner's permission.



The default choice of a medium security level for storing digital certificates on computers running Windows XP could allow an attacker to create tools able to steal these identity documents at will and use them, allowing all kinds of dealings with the public administration, such as filing the tax return.

Yago Jesus, the independent security consultant who today revealed the existence of the problem, says that it is not due to a vulnerability in the certificates issued by the Fabrica Nacional de Moneda y Timbre (FNMT), but to Windows choosing "some protections inappropriately low" for the private key associated with the certificate.

This, coupled with the use of Internet Explorer 6, creates the hole. To prove this assertion, Jesus has created a computer program that, after sneaking onto the victims' computer with the help of a Trojan horse, could export the digital certificate and send it to the attacker. The attacker would then be free to use it, because doing so would not require entering any password.

The problem stems from how the certificate is stored on its owner's computer. By default, Windows proposes a medium security level, which allows the digital document to be used without entering an identifying key.



Because certificates are exportable along with their private key, he built a program that can perform this task in an automated way and at scale, putting the security of their holders at risk. To keep the certificate safe, Jesus recommends storing it on an external device such as a USB key.

The FNMT could remedy it

The problem does not affect only the certificates issued by the FNMT, but these are the most critical ones, since they allow all kinds of dealings with dozens of public and private agencies.

The consultant also assigns the FNMT some of the responsibility because "if you want, you can force the use of maximum protection of the private key," but they have not done so.

At Microsoft, Luis Martin, head of the company's security initiative, explained that in the operating system "there are the necessary tools to force the maximum protection of digital certificates, and it depends on the user and the issuer of the certificate to choose the security level. In no case is it a vulnerability in the operating system."

Technically, "the scenario described is possible but highly unlikely" because there are few cases in which all the circumstances described occur together. "In addition, to file the return the certificate is usually not enough; the Treasury asks you for other data," he says.












 

Copyright © 2000-2008
Concern
by Maxwork Publishing