North Myrtle Beach, SC
reply to Name Game
Re: Emergency Bulletin: Unauthorized Certificate used in "F Good read here...
Tech behind Flame attack could compromise Microsoft Update
Permit me to translate that into English.
A "cryptographic collision attack" is a brute-force approach to cracking a hashing method, where the attacker guesses at a whole bunch of input strings, runs the hashing algorithm, and compares the result to the real hash. If the hashes match, then the original strings matched. Sophisticated guessing techniques can be employed, but in general cracking not one, but three original Microsoft certificates must've taken eons of computing time. There's still a lot of confusion about exactly how the Flame folks used the collision attack. Microsoft's statement is subject to a lot of interpretation. Dan Goodin has an analysis on Ars Technica.
As Microsoft rightly notes, just having the certs isn't good enough. In order to subvert WSUS/Windows Update for a site, the person with the cracked certs has to be able to insert themselves between the site's network and the Microsoft update servers: a man-in-the-middle attack. In some countries, that's certainly possible for any organization that has influence over local DNS servers. In general, though, it's a highly nontrivial exercise.
But working inside a network, man-in-the-middle may not be so difficult. Aleks Gostov at Kaspersky Lab has started peeling away at Flame and discovered that fully patched Windows 7 machines running on a network with one Flame-infected machine were getting infected "in a very suspicious manner. When a machine tries to connect to Microsoft's Windows Update.
Gladiator Security Forum