Time to guard your digital certificates

Code-signing certificates are an important part of the security ecosystem -- why aren't companies paying more attention to them?

When criminal hackers break into a company, they're usually looking to steal stuff they can sell, like credit-card information or intellectual property. But these days, some sophisticated thieves also go after digital certificates, so that their malware looks to potential targets like valid, signed software.

In a recent report, security firm AVG gave two examples of companies whose certificate data was taken by attackers and then used to sign malicious software so that it would better bypass security protections. "More malware -- almost three times more malware -- is digitally signed with a legitimate stolen digital certificate," says Yuval Ben-Itzhak, chief technology officer for AVG.

Thousands of companies have had the private keys to their certificates stolen, he says. In the last year, security firms have found malware samples that target certificate information left on computers. For example, security firm Symantec analyzed a piece of malicious software, known as Infostealer.Nimkey, designed to steal private keys and keystrokes.

It's a problem that most companies are not ready to deal with. Take nonprofit software provider Blackbaud: Earlier this year, a Trojan horse infected an employee's system and stole the company's private keys for its digital certificates. Attackers used the certificate to sign a variant of the Qbot bot software, according to AVG.

Prior to the attack, Blackbaud -- like many companies -- did not think of protecting its digital certificate data in the same way as its most highly sensitive data, like customer data, says Jana Eggers, senior vice president of products and marketing for the Charleston, S.C.-based firm.

"A security certificate is not what you think of protecting in the same way as customer information," Eggers says. "It is one of those things that we need to take a step back and take a look at."

For large firms, certificate management systems are a possibility. Such systems can run anywhere from $50,000 to millions of dollars, according to Jeff Hudson, CEO of enterprise key and certificate management software maker Venafi.

"Key management is a problem calling for automation," says Hudson.

Smaller businesses, which may not be able to afford such systems, need better policies governing which systems are allowed to use and store digital certificates.

Correction: This article has been amended to clarify the remarks attributed to Blackbaud's Jana Eggers.

This story, "Time to guard your digital certificates," was originally published at InfoWorld.com.