Symantec employees fired over fake security certificates

Fake Google certificates put users at risk of cyber attack

Multiple Symantec employees have been sacked after it was discovered they had issued fake Google security certificates - at least one of which was released into the wider web.

Google and Symantec investigated the counterfeit certificates and uncovered they had been issued without the authority of Symantec's Certificate Authority, Thawte.

Although such fake certificates can be used to launch security attacks, such as man in the middle assaults, resulting in information theft, Google blacklisted the fake domain certificates issued by Symantec and said it's unlikely they were used to attack any website or individual.

"During our ongoing discussions with Symantec we determined that the issuance occurred during a Symantec-internal testing process," Google's security and privacy product manager, Stephan Somogyi, and Adam Eijdenberg, certificate transparency product manager, wrote in a blog.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Symantec's senior director of engineering Quentin Liu said it discovered three unauthorised certificates last week during product testing.

"All of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue. There was no direct impact to any of the domains and never any danger to the Internet," he said.

He explained that 'a few' employees who, it said, had passed the company's on-boarding and security training, failed to follow its policies and were therefore fired after a "thoughful review process."

Google added: "We have updated Chrome's revocation metadata to include the public key of the misissued certificate. Additionally, the issued pre-certificate was valid only for one day. We discovered this issuance via Certificate Transparency logs, which Chrome has required for Extended Validation (EV) certificates starting 1 January of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020