VeriSign certificate snafu highlights threat of human errors

Computerworld - When VeriSign Inc. disclosed last week that it had issued two digital certificates to an individual who fraudulently claimed to be a Microsoft Corp. employee, the incident highlighted for corporate users how simple human error can undo technology-based security schemes.
The mistaken issuance of the digital certificates, which led Microsoft to release a software update for all Windows releases dating back to 1995 (see story), also put companies on notice about the importance of having both preventive and reactive processes in place to deal with such security lapses. In addition, users and analysts said, VeriSign's goof points out some of the broader challenges associated with reliably establishing identities within public-key infrastructure (PKI) networks.
"The whole thing proves that online security isn't about the technology," said Laura Rime, a vice president at Identrus LLC in New York. "It's more about the operating procedures and processes [that companies implement]." Identrus is a consortium that was formed last year by a group of eight leading banks to develop standard methods of verifying identities for processing electronic payments between different companies (see story).
Like VeriSign, Identrus built its security system around PKI technology. But the consortium also has stringent "know your customer" operating rules that are supposed to be used when determining whether to issue digital certificates, Rime said. And while Identrus generates the certificates, she added, it relies on member banks to issue them to companies in the belief that the banks are in a better position to vouch for the identities of applicants.
VeriSign mistakenly issued the two code-signing digital certificates to an unknown person in late January (see story). The danger is that the certificates -- which supposedly prove the authenticity of software code -- could be used by a malicious attacker to try to trick users into thinking that unsafe programs are bona fide Microsoft products.
Microsoft, which characterized the lapse as a "grave threat" for all Windows users, made the software update available yesterday as part of its effort to combat any potential usage of the fraudulent certificates. The software vendor recommended in an updated advisory about the incident that the update be installed by users of all its operating system releases starting with Windows 95.
VeriSign, which is the largest issuer of digital certificates, hasn't provided full details on how the January lapse occurred. But Mahi deSilva, a vice president and general manager at the Mountain View, Calif., company, said last week that the imposter "was able to get through the screening process as a bona fide representative