Symantec Still TimeStamping Malware
Code signing is dead. Long live code signing.
You make software that you want people to trust enough to install. So you go to a Certificate Authority, pay anywhere between $150 to $1000 to prove your identity, validate that your company should be trusted, promise that your software won’t hurt anyone, and the CA grants you a certificate of trust. This certificate is cross-validated by another CA, and a time-stamping authority adds its own stamp of approval, agreeing that yes, if the CAs say this is a valid binary, then it was signed on this date, and this certificate will be good for this number of years. Go ahead and install the software. It’s legit.
The problem is that malware authors want to fool users into installing their software too. So they also go to Certificate Authorities, claim that their binaries are legit, and using cash stolen from credit cards or ill-gotten gains from ransomware, they purchase a cert. What is a $250 fee if they can fool thousands into installing their malware that generates thousands of dollars in ransomware?
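A defender's check for exactly this gap, added here as an example (it is not code from the original post, from Symantec, or from any CA): a PowerShell function that reads an Authenticode signature and its timestamp, then refuses to treat "Valid" as "safe" unless the signer is on an allow-list you maintain. The function name and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the original post): inspect an Authenticode-signed
# binary and treat "Valid" as the START of a trust decision, not the end of it.
# Assumptions: Windows PowerShell 5.1+ and a signer allow-list you maintain.

function Test-SignedBinaryTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Thumbprints of signers you have vetted (placeholder value, replace it).
        [string[]]$AllowedSignerThumbprints = @('PLACEHOLDER_THUMBPRINT_OF_YOUR_VENDOR')
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    $signer      = $sig.SignerCertificate
    $timestamper = $sig.TimeStamperCertificate

    # Pull display fields out first; certificates are $null for unsigned files.
    $signerSubject = if ($signer) { $signer.Subject } else { $null }
    $signerExpires = if ($signer) { $signer.NotAfter } else { $null }
    $tsaSubject    = if ($timestamper) { $timestamper.Subject } else { $null }

    $result = [pscustomobject]@{
        Path           = $Path
        Sha256         = $hash
        SignatureState = $sig.Status          # Valid / NotSigned / HashMismatch / ...
        Signer         = $signerSubject
        SignerExpires  = $signerExpires
        TimeStamper    = $tsaSubject
        SignerAllowed  = $false
        Verdict        = 'reject'
    }

    # "Valid" only proves the chain and (if present) the timestamp check out.
    # It says nothing about what the code does, so also require a known signer.
    if ($sig.Status -eq 'Valid' -and $signer -and
        ($AllowedSignerThumbprints -contains $signer.Thumbprint)) {
        $result.SignerAllowed = $true
        $result.Verdict = 'allow'
    }
    elseif ($sig.Status -eq 'Valid') {
        # Signed and timestamped by a real CA/TSA, but by nobody you vetted:
        # the case the post describes. Feed the SHA-256 to your AV or reputation
        # lookup and keep the file off the allow-list until someone reviews it.
        $result.Verdict = 'review-unknown-signer'
    }
    return $result
}

# Usage: Test-SignedBinaryTrust -Path 'C:\Downloads\installer.exe' | Format-List
```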
Hackers pay w stolen $$.
CAs gladly take stolen $$@symantec happily timestamps it.
Digital signing is dead.
https://t.co/Yhvifohxdi
— Cyber Stitch (@BelchSpeak) February 17, 2016
And to make matters worse, a prominent AntiVirus company, Symantec, serves as a time-stamping authority that validates signed binaries. If only they possessed, oh, I don’t know, an Antivirus engine that could scan the binaries to see if they were malware before they accepted cash payments to timestamp them??
Symantec picked up on my tweet and had the gall to respond that I should invest in more software to ensure that malware that they timestamp and certify as legitimate does not harm my systems.
@BelchSpeak Thanks for the Q. We advise to simply stay vigilant by having multiple layers of protection and keep that updated @SymantecHelp
— Symantec (@symantec) February 19, 2016
My response:
So when it comes to timestamping malware @symantec's reply is
¯\_(ツ)_/¯ buy more products. https://t.co/4kQCh18Hvn
— Cyber Stitch (@BelchSpeak) February 20, 2016
Hey Symantec, stop taking cash from cyber criminals to validate their malware code signing. Is that too much to ask?