"Trust no one" is a saying embraced by everyone from punk rockers to "X-Files" fans to privacy advocates. But in the real world, life would come to a grinding halt without any trust at all.

Likewise, computer security has always involved some degree of trust. Trusted networks, trusted hosts, and trusted apps are granted privileges unavailable to their untrusted counterparts. But punk rockers aren’t exactly wrong; trust can be a dangerous thing.

Digital signatures, certificates signed with a private key which is intended to ensure recipients of the identity of the certificate's owner, are built on the principle of trust. The certificate is issued by a CA, or certificate authority, itself a form of trust. The CA is granted the power to issue these certificates, and therefore we trust them.

The private key used to sign the certificate is a cryptographic token owned by the organization or individual whose identity is linked to that key. In short, a piece of software digitally signed by Microsoft can be trusted to actually be created by Microsoft.

Digital Certificates and Malware

Trust is flawed. When we program our systems to trust the sheep, the malicious hackers (wolves) turn their efforts to creating a costume that looks like a sheep. The hackers have succeeded so well that, according to a 2012 McAfee report, over 200,000 pieces of malware have been identified which present legitimate digital signatures. In other words, the wolves are literally running loose around the world dressed like sheep.

The modern era of digital signature hacking arguably was accelerated by the famous Stuxnet attack in 2010. Malware which targeted industrial control systems (now known to have been created by the U.S. government for cyberwarfare) was "signed" using digital signatures from respected technology companies like Realtek and JMicron. Experts believe malware called Zeus, which can search for and retrieve private keys from infected machines, was used to steal the signatures.

Today, theft of digital signatures is virtually a cottage industry among malicious hackers. Even a single piece of malware -- such as the fake anti-virus scanner "Antivirus Security Pro" -- contains a dozen digital signatures stolen from legitimate companies.

Lessons from Master Key Compromise

Dressing as sheep is just one strategy used by malicious hackers. Avoiding detection altogether is also becoming widely used tactic. On the Android mobile platform, the most famous such compromise is known as the Master Key compromise.

Revealed this past July, the Master Key compromise is not actually a compromise of digital signatures themselves. Instead, it exploits a flaw in Android which fails to correctly detect when an app’s data does not match the inventory verified by its key. This security hole allowed hackers to create malicious Android apps which contained malware code that the system would install after being fooled by the digital signature.

Google has since patched Android to fix the vulnerability, but because of device fragmentation in the Android market, it is up to each handset vendor to propagate updates to devices – which sometimes never happens.

For Android users – such as enterprises using company-issued Android devices or those with BYOD policies which allow employee-owned devices on the corporate network – the best defense is the same advice as always: Only install apps from the Google Play store.

Although security researchers have detected 700,000 pieces of Android malware, these apps circulate outside the Google Play store and must be sideloaded onto an Android device. This requires disabling the default in Android which prevents installing apps from unapproved sources. In short, the best defense is "don’t do that!"

Digital Certificates and Limits of Trust

Every enterprise must mitigate against malware risks. The usual defense policies all apply – particularly active network scanners and employee education against "unsafe" behaviors like opening unknown email attachments.

Some exploited digital signatures are detected as suspicious by operating systems and malware scanners. For example, when a private key is stolen, the Certificate Authority can revoke that key. Revoked certificates should prevent automatic installation of low-level malware-laced software such as device drivers.

But users often instinctively ignore or click-through warnings about esoteric details like expired digital certificates when installing software. Defending against this behavior requires specific education about digital certificates, and possibly even a de facto ban against installing any software with questionable digital certificates.

Securing Digital Certificates

While many enterprises already focus significant resources defending against malware attacks, the sheer quantity of stolen digital certificates suggests that similar efforts are not invested in protecting an organization’s private keys.

It is bad news for an organization whose private keys have been stolen and exploited to sign digital certificates used in malware. Not only does this harm trust in the enterprise and their security practices, but their certificates will need to be revoked and re-issued, potentially affecting a large base of customers.

Hackers typically steal private keys through a malware compromise of corporate machines. Among particularly attractive targets are companies which develop software and therefore actively generate and distribute digital certificates. When hackers gain access to development machines, they will look for exposed private keys to steal. The fact that so many forged digital certificates are now in the wild demonstrates the success of this strategy.

The best defense for organizations is simple to say and complex to implement: Keep your private keys secure.

Policies that support this goal include:

  • Store private keys on a network separate from general enterprise activity.
  • Store private keys in encrypted containers or encrypted physical devices (such as secure thumb drives) stored in a secure location.
  • Strictly limit access to private keys on a “need to know” basis.
  • Consider using a digital certificate and key management system.

Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.