On Wednesday, September 16th, the Department of Justice announced that Chinese hackers from a group called APT41 hacked into at least 100 companies in the U.S. and worldwide. The series of attacks involved the theft and abuse of code-signing certificates – yet another textbook example of the need to protect and manage keys and certificates, especially those used to sign code.
All too often, code signing certificates are treated as an inconvenient requirement of building software and not given the necessary care and security controls. Code signing keys are usually kept on build machines or developer computers with no additional security or controls to protect them. If the machine can be accessed by stolen or hijacked credentials, the keys can be removed from that machine. Very few companies audit the use of those code signing certificates and would be challenged to know if a key has been copied or stolen.
These attacks should serve as a wake-up call to the entire software development community to finally take the security of code signing certificates seriously. Very few organizations have any idea of the number of code signing certificates that are in use, where they are located, and by whom or by what they are being used. In the interest of frictionless development and rapid product releases, many organizations have as many code signing certificates as they have developers. This leads to keys being treated in insecure ways, such as keeping them in software or simply protecting them with a password.
The software industry needs to take the protection of these keys seriously and treat them with the same diligence as they do other valuable assets. Keys need to be:
1. Centralized in a secure location and protected with appropriate security hardware, such as an HSM.
2. Usable only when a signing transaction has been approved, which eliminates the scenario in which malware or a hijacked machine signs code on its own.
3. Logged on every use, with the audit logs of signing key usage reviewed regularly.
4. Kept to a minimum number, ideally fewer than five for an organization.
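The second and third points above describe a pattern that can be enforced in the build pipeline: a signing gateway that holds the key, refuses any request that is not backed by an approval, and writes an audit record for every attempt. The following is an added illustration, not code from the original post or any vendor product. It uses only the Python standard library; the HMAC-SHA256 computation is a stand-in for the HSM's signing operation, and the ticket identifiers, host names, artifact bytes and time window are all constructed sample values.

```python
"""Approval-gated code signing with an audit trail (illustrative, stdlib only)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample artifact and a release manager's approval for it.
# A ticket binds ONE artifact digest to ONE build host within a time window.
RELEASE_BUILD = b"release-1.4.2 installer bytes (constructed sample artifact)"
RELEASE_DIGEST = hashlib.sha256(RELEASE_BUILD).hexdigest()

APPROVALS = {
    "REL-1042": {  # hypothetical ticket id
        "digest": RELEASE_DIGEST,
        "host": "build-01",
        "not_before": _ts("2020-09-16T09:00:00"),
        "not_after": _ts("2020-09-16T10:00:00"),
    },
}
ALLOWED_HOSTS = {"build-01", "build-02"}  # the approved build fleet (constructed)


class SigningGateway:
    """Release a signature only for an approved (ticket, digest, host) triple.

    The key never leaves this object. In production the object would be a thin
    client for an HSM and the private key would never be loaded into process
    memory; HMAC-SHA256 here is a placeholder for the HSM's signing call."""

    def __init__(self, key: bytes, approvals: dict, allowed_hosts: set):
        self._key = key
        self._approvals = {k: dict(v) for k, v in approvals.items()}
        self._allowed_hosts = set(allowed_hosts)
        self._used = set()     # each approval authorises exactly one signature
        self.audit_log = []    # one dict per request, signed or denied

    def _record(self, **fields):
        self.audit_log.append(fields)

    def sign(self, artifact: bytes, requester: str, host: str,
             ticket: str, now: datetime) -> str:
        digest = hashlib.sha256(artifact).hexdigest()
        entry = dict(time=now.isoformat(), requester=requester, host=host,
                     ticket=ticket, digest=digest)
        approval = self._approvals.get(ticket)
        reason = None
        if approval is None:
            reason = "unknown ticket"
        elif ticket in self._used:
            reason = "ticket already used"
        elif approval["digest"] != digest:
            reason = "digest does not match approved artifact"
        elif host not in self._allowed_hosts or approval["host"] != host:
            reason = "request from unapproved host"
        elif not approval["not_before"] <= now <= approval["not_after"]:
            reason = "outside approval window"
        if reason:
            self._record(**entry, result="DENIED", reason=reason)
            raise PermissionError(reason)
        signature = hmac.new(self._key, bytes.fromhex(digest), hashlib.sha256).hexdigest()
        self._used.add(ticket)
        self._record(**entry, result="SIGNED")
        return signature


def review_audit_log(entries, allowed_hosts) -> list:
    """What a periodic review should surface: every denial (someone or something
    tried to sign without a valid approval) and any activity from a host outside
    the approved build fleet, even if the request was denied."""
    findings = []
    for e in entries:
        if e["result"] == "DENIED":
            findings.append(f"{e['time']} denied {e['requester']}@{e['host']}: {e['reason']}")
        if e["host"] not in allowed_hosts:
            findings.append(f"{e['time']} signing activity from unknown host {e['host']}")
    return findings


def run_demo():
    """One approved signature, then an attempt to reuse the ticket from a
    developer laptop, followed by the review a security team would run."""
    gw = SigningGateway(b"constructed-demo-key", APPROVALS, ALLOWED_HOSTS)
    now = _ts("2020-09-16T09:30:00")
    signature = gw.sign(RELEASE_BUILD, "ci-bot", "build-01", "REL-1042", now)
    try:
        gw.sign(RELEASE_BUILD, "alice", "dev-laptop", "REL-1042", now)
    except PermissionError:
        pass
    return signature, review_audit_log(gw.audit_log, ALLOWED_HOSTS)


if __name__ == "__main__":
    sig, findings = run_demo()
    print("signature:", sig)
    print(json.dumps(findings, indent=2))
```

The design choice worth noting is that the approval names the artifact digest, not just the project: a compromised build machine holding valid credentials still cannot get an arbitrary binary signed, and the single-use ticket means a stolen approval cannot be replayed. The audit log records denials as well as successes, which is what makes the review in point 3 useful for spotting a hijacked host before it succeeds.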
Modern code signing solutions are no longer a ‘nice to have’; they are now a ‘need to have’ – and a matter of national security.