Andrey Ladikov, a researcher with Kaspersky, has issued a warning about digital certificates: do not blindly trust a file just because it is signed. A digital signature on a file is routinely taken as proof that the file is genuine and that it contains no malicious code. Most companies' system administrators configure their security policies to allow users to run only files signed with a digital certificate, and some antivirus software considers a file safe if it is signed with a valid certificate.
As long as users faithfully believe that signed files are secure and genuine, cybercriminals will find ways to get their malicious files signed with digital certificates so that those files appear to be genuine and secure. This means that users and administrators can no longer trust a file simply because its digital certificate appears to be valid.
Andrey has given the following 5 tips, which greatly reduce the chances of running a new malware program that carries a valid digital signature but has not yet reached your anti-virus databases.
1 – Only allow the launch of software programs signed by a reputable manufacturer.
You can substantially reduce the risk of infection on your computer by disabling the launch of all software programs signed with digital certificates belonging to unknown software manufacturers. As Ladikov notes, certificates are most often stolen from smaller software companies.
2 – Only allow programs to be launched after they are identified by the unique attributes of their signing certificate. Several certificates issued to the same company may be distributed under the same name. If one of these certificates is stolen from a reputable company, a check that automatically trusts well-known publishers by name would allow a file signed with the stolen certificate to run.
To prevent this, before allowing a program signed with a known certificate to launch, check other attributes in addition to the certificate's subject name. These attributes might be the certificate's serial number or its fingerprint (hash). Serial numbers are only unique within the set of certificates issued by a single CA, so the serial number should be checked together with the CA that issued the certificate.
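The check described in tip 2, written as an added example rather than code from the article or from Kaspersky: a PowerShell function that accepts a signed file only when its signature verifies and the signer certificate matches an allowlist entry by issuer plus serial number, or by SHA-256 fingerprint, instead of by publisher name alone. The allowlist values are placeholders that an administrator would replace with the certificates actually approved for their environment.

```powershell
# Allowlist keyed on the certificate itself, not on the subject name.
# Issuer and serial are only meaningful as a pair (serials are unique per CA).
$Allowlist = @(
    @{ Issuer = 'CN=EXAMPLE-CA, O=Example CA Inc'; Serial = '0123456789ABCDEF' }   # placeholder
)
$AllowedSha256 = @(
    'PLACEHOLDER-SHA256-FINGERPRINT-OF-ALLOWED-SIGNER-CERT'                       # placeholder
)

function Get-CertSha256 {
    # SHA-256 over the DER-encoded certificate; .Thumbprint on X509Certificate2 is SHA-1.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Test-AllowedSigner {
    param([Parameter(Mandatory)] [string] $Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The signature must verify and chain to a trusted root. Anything else is
    #    rejected, including NotSigned, HashMismatch and UnknownError.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "Signature status: $($sig.Status)" }
    }
    $cert = $sig.SignerCertificate

    # 2. Match on issuer + serial number, or on the certificate's SHA-256 fingerprint.
    #    A second certificate issued to the same company under the same name has a
    #    different serial and fingerprint, so a name-only check would not notice the swap.
    $fp       = Get-CertSha256 $cert
    $bySerial = $Allowlist | Where-Object { $_.Issuer -eq $cert.Issuer -and $_.Serial -eq $cert.SerialNumber }
    $byHash   = $AllowedSha256 -contains $fp

    if ($bySerial -or $byHash) {
        return [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "Signer $($cert.Subject) matched allowlist" }
    }
    return [pscustomobject]@{
        Path    = $Path
        Allowed = $false
        Reason  = "Valid signature, but signer not on allowlist (issuer=$($cert.Issuer); serial=$($cert.SerialNumber); sha256=$fp)"
    }
}

# Usage (path is illustrative):
# Test-AllowedSigner -Path 'C:\Program Files\SomeVendor\app.exe'
```

Note that a rejected file is reported with the issuer, serial and fingerprint it was actually signed with, which is exactly the information needed to decide whether the allowlist should be extended or whether the certificate should be treated as stolen.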
3 – Activate the MS13-098 security update.
For experienced users and system administrators, it is advisable to enable update MS13-098. It fixes a flaw that allowed additional data to be included in a signed file without invalidating the file's signature. To read more about how to enable this update, see the Microsoft security bulletin for MS13-098.
4 – Do not install certificates from unknown CAs into your certificate store. It is not a good idea to install root certificates from unknown CAs. If you do so, any file signed with a certificate issued by that CA will subsequently be considered trusted.
5 – Use a trusted certificates database from a security software manufacturer. Some security software manufacturers, including Kaspersky Lab, include a database of trusted and untrusted certificates in their products; this database is updated regularly along with the anti-virus databases. With this database, you receive prompt updates about not-yet-revoked certificates that have been used to sign malware and/or potentially unwanted software. Files signed with certificates that this database marks as untrusted receive enhanced monitoring by the security product.
The database of trusted certificates includes certificates from reputable software publishers that have been used to sign trusted software programs. If a certificate is listed in this database, it is a strong indicator that corporate application control can allow the application to launch. A security product that includes this kind of database makes the administrator's job easier, sparing them the need to create and maintain an in-house database of trusted certificates.
If you add the above 5 tips to your company's security policy, you can ensure that the chances of malware or unwanted software being installed are greatly reduced.