When assessing a breach, one should examine the standards of due care before quickly, and in many cases incorrectly, assigning fault. In March 2012, Kaspersky Lab highlighted how the trojan Mediyes was signed using a stolen private signing key whose digital certificate had been issued to the Swiss firm Conpavi AG. Anti-virus vendors check whether code carries a valid digital signature as part of their evaluations, and their engines give validly signed code more trust, typically by applying less heuristic scrutiny to it. A trojan such as Mediyes can therefore propagate further, without detection by anti-virus applications, when it is digitally signed with a key that still chains to a trusted certificate.
Since the key used to sign Mediyes was stolen, the incident and the coverage that followed are worrisome to those who promote the importance of digital signatures, key management and encryption. Many people reading of such incidents incorrectly conclude that digital signatures are a flawed concept. In reality, this case demonstrates that the blame lies not with the concept but with the way the people responsible implemented the digital signature process: the signature did exactly what it was designed to do, and it vouched for whoever held the key.
Among the standards of due care discussed in the industry, companies should never allow any single person to come into possession of the full plain text of a private or secret key; signing keys belong in a hardware security module, or under split knowledge where no one holds more than a share. While the circumstances of the Mediyes case were never made entirely clear, the private key was indeed compromised, which means that at some point it existed in extractable plain text, on disk, in memory or in an exportable software key store, where someone was able to copy it.
Certainly there have been, and will be, other cases like Mediyes, in which those responsible for the digital signature process did not follow the standards of due care and those with malicious intent took advantage. Such incidents should be read as evidence for, not against, the importance of private key security as part of a secure digital signature process.