When Thieves Target SSL Certificates
SSL is one of the most commonly used protocols for providing encryption to a wide variety of applications, and as such it has come under great scrutiny over the years. While SSL misconfiguration is commonplace, one of the more recent attacks against SSL is to steal the Certificate Authority (CA) certificate (in a paper released in July 2012, NIST warned that this type of attack would increase). Access to this certificate allows the attacker to issue valid certificates and, in the case of a code-signing certificate, to sign malware with it. Malware executing with this level of trust has a better chance of being installed on the system. Other CA certificates are used to generate website certificates, which attackers then use to impersonate secure access to a given website.
Theft of CA certificates by attackers has become more common. Don't think of it as stealing a cookie (or three), but rather as stealing the recipe so they can bake their own cookies (and we don't mean the cookies exchanged between web browsers and web applications).
The attacks described above provide a great return on investment (ROI) for attackers. By compromising one system and stealing the CA certificate, they can often turn around and compromise several more. The attacks tend to remain undetected for some time because they use valid certificates that do not generate web browser errors. Fortunately, once the compromised certificate has been identified, it can be revoked, making any future use of it invalid. In addition, the offending certificate can be identified and revoked in your own environment.
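The two properties just described, that a certificate issued with stolen CA material chains cleanly and raises no errors, and that revocation is what finally invalidates it, can be seen end to end in the following added example. It is not code from the Tenable post or from Nessus; it uses only Go's standard library to build a constructed, throwaway CA, issue a code-signing certificate from it, and then run the defender-side check: path validation (which passes), followed by a lookup in a CRL published by the CA (which is the only step that catches the certificate, and only after the CA has published the revocation). All names, serial numbers and validity periods are constructed for the example; the CRL freshness check is an added caveat, since a stale or unsigned CRL must not be taken as proof that a certificate is still good.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoPKI is a constructed, throwaway PKI; nothing in it is a real CA or cert.
type demoPKI struct {
	caCert    *x509.Certificate
	leaf      *x509.Certificate // code-signing cert issued by caCert, serial 4242
	crlBefore []byte            // DER CRL with no entries: the leaf still verifies
	crlAfter  []byte            // DER CRL listing serial 4242
}

func issue(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

func buildDemoPKI() *demoPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Code Signing CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// Signed by the CA itself, the leaf chains cleanly and raises no browser or OS error.
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "Example Software Publisher (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, caCert, &leafKey.PublicKey, caKey)
	// Both CRLs are signed by the CA and valid for one hour; number 2 adds the leaf.
	signCRL := func(number int64, entries []x509.RevocationListEntry) []byte {
		return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number:                    big.NewInt(number),
			ThisUpdate:                now,
			NextUpdate:                now.Add(time.Hour),
			RevokedCertificateEntries: entries,
		}, caCert, caKey))
	}
	revoked := []x509.RevocationListEntry{{SerialNumber: big.NewInt(4242), RevocationTime: now}}
	return &demoPKI{caCert: caCert, leaf: leaf, crlBefore: signCRL(1, nil), crlAfter: signCRL(2, revoked)}
}

// revocationStatus is the defender's check: chain validation first, then the
// CA's CRL. Only the CRL step catches a cert issued with stolen CA material.
func revocationStatus(leaf, ca *x509.Certificate, crlDER []byte, at time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return "untrusted", err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "unknown", err
	}
	// A forged or stale CRL is not evidence that the certificate is still good.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "unknown", fmt.Errorf("CRL signature: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return "unknown", fmt.Errorf("CRL expired at %s; fetch a fresh one", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "trusted", nil
}

func main() {
	p := buildDemoPKI()
	fmt.Println(revocationStatus(p.leaf, p.caCert, p.crlBefore, time.Now()))
	fmt.Println(revocationStatus(p.leaf, p.caCert, p.crlAfter, time.Now()))
}
```

Running it prints `trusted <nil>` for the CRL published before the compromise was found and `revoked <nil>` afterwards: the certificate itself never changes, only the CA's published revocation data does. A real deployment would fetch the CRL from the CA's distribution point (or use OCSP), and should treat a missing, unsigned or expired CRL as "unknown" rather than as a pass.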
Finding Compromised Certificates
Nessus has several plugins to detect this type of vulnerability, including:
- Adobe's code-signing certificate was stolen and used by malware. Adobe revoked the compromised certificate and released an update containing new code-signing certificates. Tenable's plugin team released a new plugin to detect the compromised certificates revoked in update APSA12-01 (see plugin: Adobe Software Signed By Revoked Certificate (APSA12-01)).
Read more: http://blog.tenablesecurity.com/2012/12/detecting-compromised-ssl-certificates-using-nessus.html