
Most code-signing processes insecure, study shows

The majority of organisations are failing to enforce security for code-signing processes, providing opportunities for cyber criminals, a survey reveals

Although half of businesses are concerned that cyber criminals are using code-signing certificates as an attack method, few actually enforce the security policies that could thwart them, a study by machine identity protection provider Venafi shows.

On average, only 28% of organisations globally consistently enforce a defined security process for code-signing certificates, but this figure drops to 14% in Europe, according to a poll of more than 320 security professionals in the US, Canada and Europe.

Code-signing certificates are relied on by every organisation, securing and assuring the authenticity of every piece of software an organisation uses.

“When the code-signing keys and certificates that serve as machine identities fall into the hands of attackers, they can inflict enormous damage,” said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.

“Secure code-signing processes enable apps, updates and open source software to run safely, but if they’re not protected, attackers can turn them into powerful cyber weapons,” he said, adding that code-signing certificates were the key reason Stuxnet and ShadowHammer were so successful.

In the case of ShadowHammer, hardware maker Asus fell victim to a code-signing attack where malware was disguised as a legitimate software update, infecting about one million computers.

“The reality is that every organisation is now in the software development business, from banks to retailers to manufacturers,” said Bocek, with the survey indicating that 69% of those polled expect their usage of code signing to grow in the next year.

“If you’re building code, deploying containers, or running in the cloud, you need to get serious about the security of your code signing processes to protect your business,” he said.

The Venafi study found that although security professionals understand the risks of code signing, they are not taking proper steps to protect their organisation from attacks. Specifically, 35% do not have a clear owner for the private keys used in the code-signing processes at their organisations.

Code-signing processes are used to secure and assure the authenticity of software updates for a wide range of software products, including firmware, operating systems, mobile applications and application container images.

However, more than 25 million malicious binaries carry valid code-signing certificates, and cyber criminals are misusing these certificates in their attacks. For example, security researchers recently discovered bad actors hiding malware in antivirus tools by signing their uploads with valid code-signing certificates.

“Security teams and developers look at code-signing security in radically different ways. Developers are primarily concerned about being slowed down because of their security teams’ methods and requirements,” said Bocek.

“This disconnect often creates a chaotic situation that allows attackers to steal keys and certificates. To protect themselves and their customers, organisations need a clear understanding of where code signing is being used, control over how and when code signing is allowed, and integrations between code signing and development build systems.

“This comprehensive approach is the only way to substantially reduce risk while delivering the speed and innovation that developers and businesses need today.”

In March 2019, an academic study exposed a flourishing market on the dark web for secure sockets layer/transport layer security (SSL/TLS) certificates used to verify machine identities for machine-to-machine communications.

The six-month study, sponsored by Venafi, was undertaken by researchers at the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey.

The study examining the availability of SSL/TLS certificates on the dark web, and their role in the cyber crime economy, uncovered thriving marketplaces for these certificates sold individually and packaged with a wide range of crimeware.

Together, these services deliver machine-identities-as-a-service to cyber criminals, who use them to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data. This is possible because machine identities form the foundation of all online trust and of communications between digital actors, from apps to mobile devices.

“One very interesting aspect of this research was seeing TLS certificates packaged with wrap-around services – such as web design services – to give attackers immediate access to high levels of online credibility and trust,” said security researcher and report author David Maimon, associate professor and director of the Evidence-based Cybersecurity Research Group.

“It was surprising to discover how easy and inexpensive it is to acquire extended validation certificates, along with all the documentation needed to create very credible shell companies without any verification information.”

The researchers found that five of the Tor network markets observed offer a steady supply of SSL/TLS certificates, along with a range of related services and products.
