Why trust should not automatically mean trusted
You run an executable on your system. It starts up drivers and loads DLLs without errors or security warnings, and both Windows and your antivirus software do nothing to stop it. Why? Because everything that executable is loading has been signed by a certificate from a trusted party.
Normally this is not an issue. As a system, Public Key Infrastructure (PKI) underpins so much of what we do day to day, and it makes encryption widely available to anyone without any interaction on their part. But what about when this goes wrong?
On February 23rd 2022, Nvidia announced that they had been made aware of a breach of their network security. The attackers got away with plenty of confidential information, but one of the most worrying items was a certificate that can be used to sign code as if you are Nvidia.
Now this certificate expired in 2014, which should mean that it isn’t trusted by most computers, right? Unfortunately, this has proven not to be the case. Windows itself is an offender here due to Microsoft’s Driver Signing Policy: if a driver was signed with a certificate that expired prior to 2015, and the PC was upgraded to Windows 10 from an earlier version, Windows will accept the certificate as still valid.
This is done for compatibility reasons, but how many times have administrators had certificate issues they can’t figure out and then disabled all verification checks just to get something working?
This isn’t the first time a certificate issue has wreaked havoc on the security world. Back in 2018, certificate vendor Trustico had to revoke 23,000 certificates due to an issue where they accidentally mishandled the private keys for them, causing them to be stored insecurely. This ultimately meant they had to be revoked, causing thousands of customers to have to replace them or have their websites and apps untrusted by the public.
If my years in IT/Networking/Security have shown me anything, it is that most people do not understand PKI or certificates, but it’s not just limited to this area. How many services and processes run constantly in your environment without you really understanding what they are doing or why?
This is why it’s so key to have sufficient logging, detection, and remediation in place: it’s becoming increasingly impossible to police every part of your environment, especially systems like this one that are put in place to make your lives and jobs easier.
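As a starting point for the kind of detection described above, here is an added example (not from the original article or from SEP2) that reports driver files whose signing certificate is past its expiry date, alongside the verdict Windows gave the signature. The drivers directory and the function name `Get-ExpiredSignerReport` are assumptions for illustration.

```powershell
# Added example: audit driver files for signatures made with certificates
# that are past their NotAfter date. The default directory is an assumption.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

# Hypothetical helper name; uses only the built-in Get-AuthenticodeSignature cmdlet.
function Get-ExpiredSignerReport {
    param([string]$Path)

    $now = Get-Date
    Get-ChildItem -Path $Path -Filter *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate

            if ($null -eq $cert) { return }          # no signer certificate found; outside this check
            if ($cert.NotAfter -ge $now) { return }  # signer certificate still within its validity period

            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status            # what Windows concluded (Valid, NotTrusted, ...)
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                # A timestamp countersignature is the normal reason an expired signer still verifies.
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

Get-ExpiredSignerReport -Path $DriverDir |
    Sort-Object NotAfter |
    Format-Table -AutoSize File, Status, NotAfter, Timestamped, Subject
```

Rows where `Timestamped` is false are the ones to review first, since nothing in the signature shows the file was signed while the certificate was still valid.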
Come speak to SEP2 and let us highlight why trust should not automatically mean trusted.