[ALERT] Rogue Certificates

Security experts advise us not to enter passwords, credit card details, or other sensitive information on any website that does not provide an encrypted connection, and to use a bookmark to access sites that deal with banking or other private matters. But there’s a new threat being used by clever hackers to thwart both of those measures. Read on for details…

Do You Have a Rogue Certificate?
Remember hacks in secondlife are on the rise sadly Linden Labs does not have trusted certificates but they are protected and trusted.

It’s easy to tell if your connection to a site is encrypted. At the left end of the URL address bar, you will see a padlock icon and the “https” protocol label; it literally means “HTTP Secure.”

A secure connection SHOULD tell you two things. First, no one can eavesdrop on the data that flows back and forth between your browser and the site, because all traffic is encrypted. Second, the https protocol authenticates the identity of the server to which you are connected; you can rest assured that you really are connected to your bank’s site and not a scammers imitation of it.

Authentication makes use of digital certificates. A certificate is an encrypted file containing information such as the certificate holder’s name, the name of the trusted authority that issued the certificate, the unique public encryption key that the certificate holder uses, and other info. Copies of certificates are kept in a trusted “certificate store.”

Rogue Certificates

The first time you connect to a site using https, the certificate the site sends you is compared to the copy in the store; if they match, the site is authenticated. Then a copy of the certificate is stored on your computer, so future visits to that site don’t have to check with the certificate authority. Instead, your browser checks the site’s certificate against the copy in your local certificate store.

Unfortunately, clever hackers have figured out ways to plant “rogue certificates” in victims’ local certificate stores, replacing your bank’s trusted certificate with one that belongs to a rogue website. Now you’ll see the reassuring padlock and “https” even though you are not connected to the site you think you are. Also, the rogue site can now read everything you send it, including your login credentials.
Try This Signature Checking Tool

A Microsoft tool called sigcheck can detect suspicious certificates in your local certificate store. You can read about all of sigcheck’s features and how they work, or download the zip file containing sigcheck.

Extract sigcheck.exe or sigcheck64.exe from the zip file, depending on whether you have a 32-bit or 64-bit Windows PC. (To find out which you have, click Start -> Control Panel -> System. The System panel will tell you whether you have 32-bit or 64-bit Windows. If it doesn’t say either, you have a 32-bit system.)
To use sigcheck, click the Start button, type “cmd” in the search box, and hit Enter to open a command-line window.
Navigate to the folder that contains the extracted sigcheck executable file
Type “sigcheck -tv” or “sigcheck64 -tv” and press Enter

This command checks your local certificate store for certificates that were not generated by a certificate authority that is known by Microsoft. There are many certificate authorities; each has its own “root” certificate, and Microsoft keeps a database of them. If one of your local certificates appears to be valid but wasn’t created by one of the known certificate authorities, it may (or may not) be a rogue certificate.

Ideally, you should see “No Certificates Found.” If sigcheck does list some suspicious certificates, you will need to do some detective work to see which are legit and which should be deleted.

On my test machine, sigcheck flagged two certificates from Avast, my anti-malware program. Like many security suites, Avast offers a “Web shield” feature that monitors incoming browser traffic for signs of malware payloads of JavaScript attacks, and blocks them before they can do damage. To monitor an encrypted connection, Avast Web Shield has to create a certificate that allows it to read traffic. Avast needed to create a second certificate to provide real-time protection for my email, which is sent and received via encrypted connection. So these Avast certificates can remain on my machine.

Next, there’s a certificate for “Machine\TrustedPeople:Administrator.” That would be me, or anyone with administrator privileges. So this certificate can remain, too.

Certificates for “Harmony(Test)” and “HarmonyNew(TEST)” took a bit of googling. They seem to have been created during old Java installations, and serve no purpose now. Let’s delete them.
How to Delete Rogue or Unnecessary Certificates

First, I recommend that you run a full malware scan on your system before deleting any certificates, to eradicate the malware that created the certificate(s). Otherwise, the malware may simply re-create the rogue certificates.

To delete certificates, you’ll need another command-line utility called MMC.exe (Microsoft Management Console). It is built into Windows, so all you need to do is open a command-line window and enter MMC to start it. (If prompted, click YES to continue.)

Select “File” and then “Add/Remove Snap-In”
Select the snap-in “Certificates” in the left column on the next screen, then click the “Add” button to move “Certificates” to the right column.
Select “Computer account” on the next screen, then click Next
Click Finish on the final screen without changing anything.
Click “OK” on the Add/Remove Plug-ins screen

Now you see a folder tree on the left. The middle window shows the selected folder’s contents, if any. Drill down the folder tree to find the certificate(s) you wish to delete. Right-click on a certificate in the middle windows and select “Delete” to delete it.

I know this sounds a bit geeky, but if you follow the steps carefully, it’s not so hard, and will give you extra peace of mind.
Have a Great week!