Thales Blog

Code Signing Failures: Don’t Fall Into The Same Trap

May 30, 2017

The security community has long recognized the importance of code signing as a method to establish trust and integrity. It is now, however, becoming inescapable for independent software vendors (ISVs) and even ordinary users.

These days, businesses need provably reliable ways to validate the authenticity and integrity of the electronic assets and, perhaps even more importantly in today’s threat landscape, prove that these items have not been tampered with or changed maliciously since they were created.

But what happens when it all goes wrong?

In the large majority of cases, code-signing breaches happen for one of two reasons, both of which result from poor processes and management.

Don’t leave your keys lying around

The first is the stealing of the all-important crypto keys. In this instance, an attacker can steal credentials and impersonate a trusted author. Once the attacker has gotten their hands on the author’s private key, customers will have no way of telling whether programs were made by the organization in question or the criminals.

Hacking into your network is one of the most obvious ways to steal your keys, either from the inside or the outside. You must protect against this as best you can.

Physical access is also a crucial factor in securing private keys. In the case of Stuxnet, executable files were code-signed using private keys from two Taiwanese companies and certificates issued by a certificate authority trusted by Windows. Both of these companies had offices in the same industrial park in Taiwan, indicating that there was an element of physical access to the theft.

However, if these companies had used Hardware Security Modules (HSMs), this theft would not have happened.  The hackers would have looked elsewhere for an easier victim rather than attempting to crack a HSM. The use of HSMs, and proper controls on access to them, makes theft of private keys near impossible.

Intruder alert

The second method to instigate a code signing breach is hacking the process. If an attacker gains operational access to your development network, they bypass the need to steal the keys. These intruders can use your network to make their own executables signed with your key.

This is exactly what happened to the Dutch certificate authority DigiNotar. An attacker penetrated their network and gained complete control of their certificate-issuing servers. The attacker was then able to issue his own certificates allowing him to impersonate Google, Yahoo, Mozilla and other famous, trusted domains.

It is worth noting that DigiNotar did actually have HSMs in place – using smart cards to control access to them. However, at least one smart card was left active to allow certain operations to be performed automatically. So despite its best intentions to properly secure its networks, DigiNotar left holes in its processes. And it’s these vulnerabilities that a malicious attacker is looking.

Learning from mistakes

When a breach occurs, businesses grind to a halt and there is only a limited amount of time to react and perform damage control in the face of public scrutiny. The first thing you need to do is ask yourself is how did this happen, and how can we make sure it doesn’t happen again? If keys were stolen, the answer is straightforward – get HSMs and set up systems to use them properly.

Never before has it been so important that businesses are reassured the digital assets they are receiving are legitimate and in the purest form in which they were created. Don’t let your company fall into the same trap as those before you. Take responsibility for code signing the right way to ensure trust and integrity in your organization today