A free tool has been made available to aid companies in locating MD5-signed certificates

Jul 4, 2012 08:55 GMT

Enterprise key and certificate management solutions provider Venafi has performed an analysis of 450 of the companies present in the Forbes Global 2000 annual ranking. The results of the scans revealed that, on average, around 20% of these firms are susceptible to attacks that leverage malware such as Flame, Duqu or Stuxnet.

As the company’s CEO highlighted on numerous occasions, the poor management of digital security certificates makes many organizations a tempting target for cybercriminals.

The main problem is that many companies still rely on the outdated MD5 signing algorithm for the certificates they utilize to facilitate secure and trusted communications between their systems and human users.

Identifying vulnerable certificates is no easy task, but now, Venafi has released a free piece of software that can significantly reduce the time needed to perform this operation.

It’s called the Venafi MD5 Certificate Assessor and it allows firms to identify all the certificates deployed in a network and highlight the locations of those that are signed using MD5.

The tool also provides validity periods, encryption key details, and the name of the certificate authority responsible for issuing each certificate.

“The risks are no longer hypothetical. MD5 certificates were the open door that allowed Flame to penetrate networks and gather information. Microsoft closed their door by issuing a security patch,” said Jeff Hudson, the company’s CEO.

“Your door, however, remains wide open. Intrusion detection systems, firewalls, antivirus and other security measures do not address these open doors on your network. Organizations need to take specific action immediately to remove MD5.”

Other experts, such as Eric Ogren, principal analyst with Ogren Group, agree that the risks are present and reinforce the need for applications such as the MD5 Certificate Assessor.

“Cybercriminals are exceptionally creative, financially organized, and highly motivated to steal confidential information. Organizations focused on reducing security risk need to do all they can to close as many open doors and to change as many locks as they can,” Ogren explained.

“Free tools such as this one being provided by Venafi to track down weak certificates could provide an advantage in staying a step ahead of the attackers,” he added.

Venafi MD5 Certificate Assessor is available for download.