Embedded devices of some 50 manufacturers has been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks, Carnegie Mellon University's CERT/CC warns.
All desktop and laptops shipped by Dell since August 2015 contain a root CA certificate (eDellRoot) complete with the private cryptographic key for it, opening users to the danger of Man-in-the-Middle and signed malware attacks.
Unprotected and poorly managed keys and certificates result in a loss of customers, costly outages, failed audits, and security breaches, according to The Ponemon Institute and Venafi.
Symantec has fired several employees that have been involved in the issuing of rogue certificates for some Google domains.
Malware peddlers don't always have to steal or buy (from sellers on underground forums) legitimate and valid code-signing certificates to sign their malware with - sometimes the certificates can be found just "laying around" in open source software and code repositories.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.