[ALERT] Rogue Certificates

Category: Security

Security experts advise us not to enter passwords, credit card details, or other sensitive information on any website that does not provide an encrypted connection, and to use a bookmark to access sites that deal with banking or other private matters. But there's a new threat being used by clever hackers to thwart both of those measures. Read on for details…

Do You Have a Rogue Certificate?

It’s easy to tell if your connection to a site is encrypted. At the left end of the URL address bar, you will see a padlock icon and the “https” protocol label; it literally means “HTTP Secure.”

A secure connection SHOULD tell you two things. First, no one can eavesdrop on the data that flows back and forth between your browser and the site, because all traffic is encrypted. Second, the https protocol authenticates the identity of the server to which you are connected; you can rest assured that you really are connected to your bank’s site and not a scammer’s imitation of it.

Authentication makes use of digital certificates. A certificate is an encrypted file containing information such as the certificate holder’s name, the name of the trusted authority that issued the certificate, the unique public encryption key that the certificate holder uses, and other info. Copies of certificates are kept in a trusted “certificate store.”

Rogue Certificates

The first time you connect to a site using https, the certificate the site sends you is compared to the copy in the store; if they match, the site is authenticated. Then a copy of the certificate is stored on your computer, so future visits to that site don’t have to check with the certificate authority. Instead, your browser checks the site’s certificate against the copy in your local certificate store.

Unfortunately, clever hackers have figured out ways to plant “rogue certificates” in victims’ local certificate stores, replacing your bank’s trusted certificate with one that belongs to a rogue website. Now you’ll see the reassuring padlock and “https” even though you are not connected to the site you think you are. Also, the rogue site can now read everything you send it, including your login credentials.

Try This Signature Checking Tool

A Microsoft tool called sigcheck can detect suspicious certificates in your local certificate store. You can read about all of sigcheck’s features and how they work, or download the zip file containing sigcheck.

  • Extract sigcheck.exe or sigcheck64.exe from the zip file, depending on whether you have a 32-bit or 64-bit Windows PC. (To find out which you have, click Start -> Control Panel -> System. The System panel will tell you whether you have 32-bit or 64-bit Windows. If it doesn't say either, you have a 32-bit system.)
  • To use sigcheck, click the Start button, type “cmd” in the search box, and hit Enter to open a command-line window.
  • Navigate to the folder that contains the extracted sigcheck executable file
  • Type “sigcheck -tv” or “sigcheck64 -tv” and press Enter

This command checks your local certificate store for certificates that were not generated by a certificate authority that is known by Microsoft. There are many certificate authorities; each has its own “root” certificate, and Microsoft keeps a database of them. If one of your local certificates appears to be valid but wasn’t created by one of the known certificate authorities, it may (or may not) be a rogue certificate.

Ideally, you should see “No Certificates Found.” If sigcheck does list some suspicious certificates, you will need to do some detective work to see which are legit and which should be deleted.

On my test machine, sigcheck flagged two certificates from Avast, my anti-malware program. Like many security suites, Avast offers a “Web shield” feature that monitors incoming browser traffic for signs of malware payloads of JavaScript attacks, and blocks them before they can do damage. To monitor an encrypted connection, Avast Web Shield has to create a certificate that allows it to read traffic. Avast needed to create a second certificate to provide real-time protection for my email, which is sent and received via encrypted connection. So these Avast certificates can remain on my machine.

Next, there’s a certificate for "Machine\TrustedPeople:Administrator.” That would be me, or anyone with administrator privileges. So this certificate can remain, too.

Certificates for “Harmony(Test)” and “HarmonyNew(TEST)” took a bit of googling. They seem to have been created during old Java installations, and serve no purpose now. Let’s delete them.

How to Delete Rogue or Unnecessary Certificates

First, I recommend that you run a full malware scan on your system before deleting any certificates, to eradicate the malware that created the certificate(s). Otherwise, the malware may simply re-create the rogue certificates.

To delete certificates, you’ll need another command-line utility called MMC.exe (Microsoft Mangement Console). It is built into Windows, so all you need to do is open a command-line window and enter MMC to start it. (If prompted, click YES to continue.)

  • Select “File” and then “Add/Remove Snap-In”
  • Select the snap-in “Certificates” in the left column on the next screen, then click the “Add” button to move “Certificates” to the right column.
  • Select “Computer account” on the next screen, then click Next
  • Click Finish on the final screen without changing anything.
  • Click “OK” on the Add/Remove Plug-ins screen

Now you see a folder tree on the left. The middle window shows the selected folder’s contents, if any. Drill down the folder tree to find the certificate(s) you wish to delete. Right-click on a certificate in the middle windows and select “Delete” to delete it.

I know this sounds a bit geeky, but if you follow the steps carefully, it's not so hard, and will give you extra peace of mind. Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 27 Dec 2016


For Fun: Buy Bob a Snickers.

Prev Article:
Oh No! I Dropped My Phone in The...

The Top Twenty
Next Article:
AskBob's Best of 2016 - Part One

Most recent comments on "[ALERT] Rogue Certificates"

Posted by:

Annie
27 Dec 2016

This all sounds life very useful steps to take -- for PC users. What about us rogues that use iOS (Macintosh)? Do you have advice for us?


Posted by:

Frank
27 Dec 2016

Bob, followed your suggestions but got a statement that said "system did not recognize either sigcheck64-tv or sigcheck-tv. What is my next step? Thank you.

EDITOR'S NOTE: There is a space before the "-tv"


Posted by:

Bob Gilson
27 Dec 2016

Just checking. After running the final MMC check, and clicking to close it, a prompt asks me if I want to "Save settings to Console1?". I assume my answer would be 'No'?
Great article and you made it easy to run through the tests. I had two Avast 'hits' and my personal 'Trusted People: Bob'. All looked fine to me.


Posted by:

Craig
27 Dec 2016

I tried running sigcheck 64 bit on my Windows 10 computer. For about one second a window appeared on left upper corner of my computer screen(black background with white print) and then disappeared so seemingly the program did not work. Any suggestions ?

EDITOR'S NOTE: You have to open a CMD window first, then run the program. You can't run it from the Start button prompt.


Posted by:

John C
27 Dec 2016

Thank you, Bob for the information.

I ran the 64-bit version as I have Win10 Pro 64, and the system is squeaky clean!

This tool like all of them from Mark is totally awesome.


Posted by:

Craig
27 Dec 2016

I opened the CMD window but had same problem when trying to run sigcheck 64 bit


Posted by:

Joseph M. Gates
27 Dec 2016

Hey,
GREAT ARTICLE!!! What about us who use smartphones like iPhone 6+? I do most of my banking from my iPhone and use an app by JP Morgan Chase Bank. Also use Bank of America. What about them?
Thanks,
Joe Gates


Posted by:

Mike Budwey
27 Dec 2016

I have 2 that I don't know how to evaluate:

Machine\AddressBook:


Machine\ROOT:
Default CA


How do I know if these are legitimate?


Posted by:

Mike Budwey
27 Dec 2016

Previous question dropped a line.
Of the two I list below, how can I evaluate their legitimacy?

Machine\AddressBook:
my_username
Cert Status: Valid
Valid Usage: EFS
...

Machine\ROOT:
Default CA
Cert Status: Valid
Valid Usage: All
...

Thanks,


Posted by:

Dennis
27 Dec 2016

The extracted file is sitting in Downloads as an application. Using the CMD putting in the sigcheck64 -tv is not recognised. I'm doing something wrong as what does the application file do just sitting in Downloads? What must I do with that? What does Navigate to that extracted file mean? Advise please.


Posted by:

Dave Smith
28 Dec 2016

Hi Bob, your instructions don't quite work on Windows 10 here is how we sorted it.

Download sigcheck and extract files to any destination you prefer or just extract within downloads. Navigate to sigcheck folder and left click to open.Hover mouse cursor to any clear part of page and hold down shift key, now right click.
Scroll down to "Open command window here" in dialogue window and left click. Type sigcheck -tv into Command Prompt window [note: space between sigcheck and -tv] and hit enter on keyboard. Done! Cheers.


Posted by:

marilyn colby
28 Dec 2016

Dear Bob...

This is very interesting, but as another "rogue" above in the comments would like to know; what do we iMac users are to do. Please do not forget us. Otherwise, the newsletter will not be as helpful.
Thanks for all your efforts.


Posted by:

Marc
28 Dec 2016

Does this vulnerability only affect Microsoft Internet Explorer/Edge browsers?


Posted by:

Butch
29 Dec 2016

This tip is sort of "techy" in that, when I try to unzip the file, I see a window which says that it's recommended to install *all* of the zipped files. The option is simply "Run." As one who knows considerably less than most of your readers, I'm hesitant to click either. My reasoning is that: "Why should I install all files when the "Run" might "do the trick?" The solution to this dilemma might be perfectly clear to 99% but is like mud to me. Maybe it's just my getting cautious with my advancing years?


Posted by:

RandiO
30 Dec 2016

Happy 2017,
And thank you for all your attempts to turn a graduate of U of HardKnocks into a geek!


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! And please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are previewed, and may be edited before posting.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.


Article information: AskBobRankin -- [ALERT] Rogue Certificates (Posted: 27 Dec 2016)
Source: https://askbobrankin.com/alert_rogue_certificates.html
Copyright © 2005 - Bob Rankin - All Rights Reserved