D-Link spilled its private key onto the web – letting malware dress up as Windows apps

Taiwanese networking kit maker D-Link leaked a private code-signing key onto the internet for anyone to download. This is rather embarrassing because this key can be used to trick Windows computers into trusting and running malware. An eagle-eyed netizen told tweakers.net on Thursday that the code-signing key appeared in a …

  1. Michael Habel

    This is what happens...

    When you forgo a good QA Team.... Just ask S0NY when they dumped their own PS3 Key(s)...

    1. Anonymous Coward

      Re: This is what happens...

      That's utter bullcrap. You know not everything on the internet is true, right??? This is a long-running myth, along with the one about their random generator being "return 4; //chosen by fair dice roll".

      Both utter horseshit, that only a total cretin would actually believe. Getting the keys from the Cell hypervisor on the PS3 took 6 years of hacking and a lucky break.

      http://www.flyingpenguin.com/?p=9144

      But why let the truth get in the way of a good internet myth.

  2. elDog

    "Apple does not respond to The Reg's requests for comment. ®"

    Of course not - they are happily playing in their walled garden, completely immune from the threats all around them.

  3. regadpellagru

    "No one at D-Link was available to comment on the reported leak. No one at Microsoft was able to confirm whether or not Windows has stopped trusting code signed by the leaked key. No one was available to comment at Symantec, which owns the part of Verisign that issued the code-signing certificate to D-Link. Apple does not respond to The Reg's requests for comment. "

    While I find it largely disturbing that D-Link are not commenting, since they are the red-faced people here, I don't see the point of questioning MS, Apple or Symantec over the issue.

    For MS and Apple, there's really not much they could do or could have done to counter this blunder. If the cert is legitimately signed, then of course let the install happen!

    And even less so for Symantec: if someone's been stupid enough to let a private key leak, how is it at all their problem? Their job as CA has been done neat and clean...

    1. edge_e

      Re: I don't see the point of questioning MS, Apple or Symantec over the issue.

      The answer to why MS and Apple were questioned is in the text you quoted.

  4. frank ly

    I'm wondering

    Are these certificates and passphrases in a declaration block at the top of the sourcecode, surrounded by comments, IN CAPS, to say "don't allow this information to be released"; or are they sprinkled throughout the sourcecode?

    P.S. The above is my second attempt at posting that comment. On the first, I had to complete a Captcha question (which I seemed to have failed), for which I had to enable Flash. The second time I tried, there was no Captcha question. Is this anything to do with El Reg or have I been 'hit' by something?

    1. Anonymous Coward

      Re: I'm wondering

      I would say you have been donked

    2. Bronek Kozicki

      Re: I'm wondering

      Normally these certificates would be stored as a data file, possibly in text format

    3. Ken Hagan

      Re: I'm wondering

      I think "best practice" is that these certificates are stored on a handful of machines, away from the developers writing the software, and that only a handful of staff are therefore able to sign executables and only then as an act outside of the normal development process. Passcodes would live in sealed envelopes, or something, and would not normally reside on any machine.

      Clearly that didn't happen here and we know of at least one certificate that has escaped as a result. I'm somewhat staggered that a company as big as D-Link would be willing to play so fast and loose with their company's reputation. Let's be clear; as of this morning, a D-Link signature carries slightly less weight than, say, mine. (And I'm not boasting.)

      One final point: if your only D-Link product is a cheapish ADSL box or network switch, rather than waiting for D-Link to re-establish some credibility, you could just replace the box. I wonder how many admins will respond to this by plonking D-Link on their Sony list.

    4. Voland's right hand

      Re: I'm wondering

      It is el-reg's lousy CDN contract. The CDN they use works OK if you get stuff. If you post and it has decided you are suspicious, this is what you get. That is buggy. You end up retrying multiple times losing your post every time in the process.

      It is more common from abroad and from behind big CG-NATs as used in Mobile.

  5. Frumious Bandersnatch

    can't sign with an expired key?

    Why ever not? I'm thinking that in the worst case you just manually set the time, do the signing and then reboot? The fact that you say that existing signed code will continue to work suggests that any safeguards around expired keys are on the signing end, and surely it's possible to get around any restrictions?
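On the question above about winding the clock back and signing with an expired key: the following is an added example, not code from the thread, from D-Link or from Microsoft. It uses openssl's CMS (PKCS#7) signing as a stand-in for Authenticode (Authenticode is also PKCS#7-based, but this script does not produce a Windows-loadable signature). The CA name, signer name, one-day validity period and payload are all constructed for the demonstration. What it shows is that the signer's clock never enters into it: the verifier evaluates the certificate chain at a time of its own choosing (here `-attime`; on Windows, the current time, or the time in a trusted timestamp countersignature when one is present), so a signature produced after expiry is accepted only while the verifier's chosen time falls inside the certificate's validity window.

```shell
#!/bin/sh
# Added example, not code from the article or from any commenter: a throwaway
# CA and code-signing certificate are created with openssl, a sample payload is
# signed as a CMS (PKCS#7) blob, and the signature is then verified "as of"
# three different clock values. The certificate names, the payload and the
# one-day validity period are all constructed for this demonstration.
# Requires openssl 1.1.1 or later.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the extensions are explicit rather than whatever
# the system openssl.cnf happens to supply.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[signer_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF

# Throwaway root CA plus a code-signing certificate that expires after one day.
make_pki() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Vendor Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 &&
    openssl req -new -config "$WORK/openssl.cnf" \
        -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Vendor Code Signing" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.csr" >/dev/null 2>&1 &&
    openssl x509 -req -sha256 -days 1 -CAcreateserial \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -extfile "$WORK/openssl.cnf" -extensions signer_ext \
        -in "$WORK/signer.csr" -out "$WORK/signer.pem" >/dev/null 2>&1
}

# Sign a constructed payload. The signer's clock is irrelevant here: CMS
# records a signingTime attribute, but verifiers do not trust it.
sign_payload() {
    printf 'constructed sample installer bytes\n' > "$WORK/payload.bin" &&
    openssl cms -sign -binary -nodetach -in "$WORK/payload.bin" \
        -signer "$WORK/signer.pem" -inkey "$WORK/signer.key" \
        -outform DER -out "$WORK/payload.p7s" >/dev/null 2>&1
}

# Verify the signature as if the verifier's clock read epoch second $1.
# -purpose any skips the S/MIME purpose check openssl cms applies by default,
# since this certificate carries a codeSigning EKU instead. Prints "valid" or
# "invalid".
verify_at() {
    if openssl cms -verify -binary -inform DER -in "$WORK/payload.p7s" \
        -CAfile "$WORK/ca.pem" -purpose any -attime "$1" \
        -out /dev/null >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

main() {
    make_pki && sign_payload || { echo "setup failed" >&2; exit 1; }
    now=$(date +%s)
    echo "verified now:            $(verify_at "$now")"
    echo "verified a day earlier:  $(verify_at $((now - 86400)))"
    echo "verified three days on:  $(verify_at $((now + 3 * 86400)))"
}

main
```

The same signature blob is reported valid, then invalid, then invalid again, purely as a function of the time the verifier plugs in; nothing the signing machine's clock said is consulted. Applied to the leaked key, the converse is the worrying part: anything signed with it keeps verifying until the certificate expires or is revoked, and a signature carrying a trusted timestamp countersignature survives even expiry, so revocation rather than expiry is the control that matters.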

  6. Crazy Operations Guy

    Proper signing procedures

    I always figured that a shop like theirs would have more security than mine. In my company's shop, code signing certificates are kept on an air-gapped machine sitting on the QA director's desk. Once the QA department's tests have been completed and the product is ready to ship, the code gets burnt to disc, scanned and then copied to the code-signing machine. Once compiled, it is written to another disc and scanned again; this disc then gets duplicated so that we have a known-good golden copy of the code and the executable.
