An emerging information security threat highlighted this week by Róbert Lipovský, namely theft and abuse of digital certificates by malware creators, serves as a timely reminder that these certificates are highly valuable digital assets that should be accorded the highest levels of protection. If your company uses certs purchased from root authorities such as Verisign, Microsoft, or Thawte, now is the time to check that you have adequate security policies and controls in place to protect them. You don't want to see your company's stolen digital certificates featured in USA Today or the latest Trojan code.
A good place to start, particularly if you have not visited this aspect of your organization's security for a while, might be Larry Seltzer's very helpful "Securing Your Private Keys as Best Practice for Code Signing Certificates" which is thoughtfully provided by Thawte. A good way to get up to speed on this topic in general is the handy primer on the role of digital certificates in code distribution posted on the Microsoft Developer Network.
Right now it is not clear if malware authors will achieve significantly greater distribution for their malicious code through code signing, but if they do, then it could become open season on code signing certificates. Particularly worrying is the fact that a lot of these certificates are held, as Eric Law's article on MSDN makes clear, by relatively small companies, all the way down to individuals trying to sell their software online.
I'm not suggesting that individuals or small companies are any less responsible than big corporations, in many cases small firms may be doing a better job of protecting their digital assets, but I do think it's fair to say that many small to medium-size businesses are not yet aware that they may be targeted by well-funded cyber criminals looking to steal their code-signing certificates.
Of course, businesses of all sizes face the challenge of finite resources for security and seemingly infinite demands for more and more of this or that type of security. So what's the incentive to take the time to review and possibly beef up security for digital certificates? Perhaps the biggest incentive is the huge pain in the butt, and checkbook, that an organization may suffer if it loses control of a certificate. Compromised certificates do get yanked by the issuing Certificate Authority and that can create a ton of work. Here's Larry Seltzer: "The company must replace any code in the hands of customers which was signed with what is now a revoked certificate. This means contacting customers and explaining what happened, which you probably should do in any event. It’s embarrassing, but it’s the right thing to do if you hope to regain customer trust."
A review of your digital signature security today could head off a lot of trouble tomorrow.
Author Stephen Cobb, ESET