Stolen encryption key the source of compromised certificate problem, Symantec says

When Kaspersky Lab last week spotted code-signed Trojan malware dubbed Mediyes that had been signed with a digital certificate owned by Swiss firm Conpavi AG and issued by Symantec, it touched off a hunt to determine the source of the problem. 

The answer, says Symantec's website security services (based on the VeriSign certificate and authentication services acquisition), is that somehow the private encryption key associated with Conpavi AG certificate had been stolen.

BACKGROUND: Kaspersky Lab spots malware signed with digital certificate

"The private key for Conpavi was exposed," says Quentin Liu, senior director of engineering at the Symantec division. "Someone got hold of the private key." For this type of digital certificate, the private key is held by the certificate owner, in this case, Conpavi. Whether the private encryption key was stolen by an insider at Conpavi or outside attacker isn't known. But the incident points out the risks associated with private encryption keys for this type of digital certificate and the need to safeguard them.

More @ networkworld.com/news/2012/031912-symantec-stolen-key-257407.html