VeriSign certificate snafu shows threat of human errors

When VeriSign Inc. disclosed late last month that it had issued two digital certificates to an individual who fraudulently claimed to be a Microsoft Corp. employee, the incident highlighted for corporate users how simple human error can undo technology-based security schemes.

The mistaken issuance of the digital certificates, which led Microsoft to release a software update for all Windows releases dating back to 1995, also put companies on notice about the importance of having both preventive and reactive processes in place to deal with such security lapses. In addition, users and analysts said, VeriSign’s goof points out some of the broader challenges associated with reliably establishing identities within public-key infrastructure (PKI) networks.

“The whole thing proves that on-line security isn’t about the technology,” said Laura Rime, a vice-president at Identrus LLC in New York. “It’s more about the operating procedures and processes [that companies implement].” Identrus is a consortium that was formed last year by a group of eight leading banks to develop standard methods of verifying identities for processing electronic payments between different companies.

Like VeriSign, Identrus built its security system around PKI technology. But the consortium also has stringent “know your customer” operating rules that are supposed to be used when determining whether to issue digital certificates, Rime said. And while Identrus generates the certificates, she added, it relies on member banks to issue them to companies in the belief that the banks are in a better position to vouch for the identities of applicants.

VeriSign mistakenly issued the two code-signing digital certificates to an unknown person in late January. The danger is that the certificates – which supposedly prove the authenticity of software code – could be used by a malicious attacker to try to trick users into thinking that unsafe programs are bona fide Microsoft products.

Microsoft, which characterized the lapse as a “grave threat” for all Windows users, made the software update available yesterday as part of its effort to combat any potential usage of the fraudulent certificates. The software vendor recommended in an updated advisory about the incident that the update be installed by users of all its operating system releases starting with Windows 95.

VeriSign, which is the largest issuer of digital certificates, hasn’t provided full details on how the January lapse occurred. But Mahi deSilva, a vice-president and general manager at the Mountain View, Calif., company, said last week that the imposter “was able to get through the screening process as a bona fide representative of Microsoft only because of human error.”

“The process [used by VeriSign] was not fail-safe,” said Gerard Brady, a vice-president at security software vendor Guardent Inc. in Waltham, Mass. Before digital certificates are issued, Brady said, a certificate authority typically needs to take a number of steps to establish and validate identities, such as verifying an applicant’s employment status, title and authority to request a certificate on behalf of a company.

That process can easily lead to human error, according to Brady. For instance, he said, there sometimes are no clear guidelines spelling out which person within a company should be responsible for confirming an employee’s identity during the certificate application process.

Companies frequently don’t even keep track of the employees who are authorized to be on their systems, thereby posing a security vulnerability, said Pete Lindstorm, an analyst at Hurwitz Group Inc. in Framingham, Mass.

“Many companies don’t go out and do anything in a regimented way to verify user accounts and disable the ones that are no longer active,” Lindstrom said. The VeriSign incident also highlights the need for companies to have processes in place for responding to such snafus when they do happen, he added.

“PKI technology has the capacity to address this sort of issue,” Lindstorm said. “It is the process [set up within companies] that sometimes doesn’t.”