Published On: 9. Mai 2023Categories: Knowledge

MSI Data Breach – how the hack threatens us and what we should do

This morning the headline „MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web“ shocked me a bit.

However, it’s not so much the fact that something like this is happening that worries me, but rather that many customers are not adequately protected. Often, the safety net that Microsoft has put up for such cases does not take effect. The reasons for this can be the ignorance of network administrators or overly restricted Internet access.

The exact extent and consequences are not yet clear, but various places report that the automated firmware deployment via „Intel BootGuard“ affects many different manufacturers, such as Intel, Lenovo, Supermicro and others.

 

But first things first:

What is a code signing certificate and what is it used for?

A code signing certificate is a type of digital ID that a software developer or vendor can use to mark their programs as trustworthy.

It is used to ensure that downloaded software actually comes from the specified manufacturer and has not been tampered with by another person or a malicious hacker.

What can criminals do now?

Concretely, for example, criminals could add a fake signature to tampered software to make it appear trustworthy and authentic in order to trick users into downloading and running the software. Through this, they could then install malware on the user’s system or spy on sensitive data.

How does protection against stolen certificates work in Windows?

Windows provides a method called Certificate Revocation List (CRL) to protect users from stolen or invalid certificates.

A CRL is a list of all certificates that have become invalid or are known to have been stolen. When a user creates signed software or an encrypted connection, the operating system checks to see if the certificate is listed on the CRL.

If the certificate is on the CRL, the operating system will deny access and warn the user that the certificate is not trusted and the connection or program may be potentially dangerous.

The CRL is updated regularly to ensure that it contains up-to-date information. When a certificate is removed from the list because it is valid again, the operating system will once again allow connections or software updates to be made using the certificate.

Why are many customers at risk?

The Certificate Revocation List (CRL) is provided not only by Microsoft, but also by other Certificate Authorities (CAs). The IP addresses and ports for accessing the CRLs of other CAs must therefore be accessible on the company network.

Often the CRLs are provided via a Content Delivery Network (CDN), such as Akamai. Unfortunately, at many companies these IP addresses are not or only partially unlocked, so that employees cannot be warned of manipulated software.

What root CAs are there?

There are many CAs, here is a list of the most important:

  • DigiCert
  • GlobalSign
  • Comodo
  • Verisign (now part of Symantec)
  • GoDaddy
  • Entrust
  • QuoVadis
  • SwissSign
  • IdenTrust
  • GeoTrust (now part of DigiCert)

 

In summary, we should be careful about the source from which we download software and driver updates. It is important to verify that the updates are signed with trusted certificates and that we can reach the CRL server IP and DNS addresses of the associated root CA. By taking these precautions

 

Never miss news again?SUBSCRIBE TO OUR NEWSLETTER