CAPEC-474
Signature Spoofing by Key Theft
Moyen
Haute
Draft
2014-06-23
00h00 +00:00
00h00 +00:00
2022-09-29
00h00 +00:00
00h00 +00:00
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Descriptions du CAPEC
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Informations du CAPEC
Conditions préalables
An authoritative or reputable signer is storing their private signature key with insufficient protection.Compétences requises
Knowledge of common location methods and access methods to sensitive dataAbility to compromise systems containing sensitive data
Atténuations
Restrict access to private keys from non-supervisory accountsRestrict access to administrative personnel and processes only
Ensure all remote methods are secured
Ensure all services are patched and up to date
Faiblesses connexes
| Nom de la faiblesse | |
|---|---|
CWE-522 |
Insufficiently Protected Credentials The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Références
REF-411
Security breach stoppedSigbjørn Vik.
REF-412
Bit9 and Our Customers’ SecurityPatrick Morley.
REF-413
Inappropriate Use of Adobe Code Signing CertificateBrad Arkin.
Soumission
| Nom | Organisation | Date | Date de publication |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated Mitigations | |
| CAPEC Content Team | The MITRE Corporation | Updated Taxonomy_Mappings |
