Page 44 – Encryption Consulting

Google’s TLS Certificate Validity Proposal: Are You Ready for the Shift from 398 Days to 90 Days?

Organizations around the world rely on Transport Layer Security (TLS) certificates to secure their online communications, protect sensitive information, and establish trust with their users. The rising digital threats have catapulted the need for stricter security measures, which has resulted in the reduced lifespan of these certificates. Recently, Google has made a groundbreaking move by proposing a significant change (Moving Forward, Together) at the Certificate Authority/Browser (CA/B) Forum, seeking to reduce the maximum TLS certificate validity from 398 days to 90 days.

This proposal, while rooted in advancing security, brings new challenges for organizations reliant on manual certificate management. In this blog, we will provide you with the complete background of this proposal, its implications for you, and why automated certificate lifecycle management will come to your rescue by helping you maintain a secure and efficient digital environment in your organization.

Understanding Google’s 90-Day Proposal for TLS Certificates

For over a decade, the Web PKI community has been focused on enhancing the security of the Internet. And with increasingly sophisticated attacks that pose serious security threats, the need for enhanced security measures has never been more important. In 2017, the industry moved to limit TLS certificate validity to 825 days, which was later shortened to 398 days in 2020. These changes were driven to push organizations towards more frequent renewals with the ultimate goal of reducing the time a compromised certificate could be exploited and encouraging quicker adoption of new encryption standards.

Now, in July 2023, Google released a new post, “Moving Forward, Together,” at the CA/B Forum, focusing on the proposal to cut TLS certificate validity to 90 days as the next step in the progression of data security. This shorter validity period aims to address several security concerns:

Decreasing the Threat Surface:
Shorter certificate validity periods can add a significant contribution to minimizing
the window of opportunity for attackers to exploit compromised certificates.
Promoting the latest Security Updates:
Frequent renewals will strongly encourage organizations to adopt the latest security practices and cryptographic algorithms.
Enhancing overall Ecosystem Agility:
A more agile ecosystem is more likely to respond more effectively to sophisticated threats.

How Could Google’s Proposed Change Impact Your Organization?

Google’s proposal to reduce the validity of TLS certificates to 90 days has significant implications for organizations that rely on manual certificate management processes. Manual certificate management already comes with its own set of challenges, and this proposed change further amplifies the complexities and increases the difficulties that organizations will face.

Increased Renewal Frequency

Under the new proposal, organizations will be required to renew their certificates every 90 days, a drastic increase in frequency from the current annual or biannual process, potentially exacerbating the complexities and risks associated with manual management. The shorter validity window burdens IT teams, who must diligently track expiration dates, initiate renewal processes, and ensure the timely deployment of updated certificates across various domains, subdomains, and servers.

Manual Management Challenges

Manual certificate management often involves the laborious tasks of maintaining complex spreadsheets for regular processes such as tracking expiration dates, renewing certificates, and deploying them across multiple servers and domains, all while keeping up with multiple compliance requirements. These manual processes are not just time-consuming but highly prone to errors, considering humans are the leading cause of certificate outages. The risk of missing renewal deadlines could lead to catastrophic issues such as expired certificates, misconfigurations, and compliance violations, which might cause website outages, breaches, and hefty fines.

Security Vulnerabilities

The proposed change necessitates a heightened focus on security updates and patches. Organizations will now have to diligently stay informed about the latest security vulnerabilities and encryption algorithms to make sure certificate management processes are aligning with the best practices that are needed to meet all the necessary security and compliance requirements. Failure to keep up with these updates can leave organizations vulnerable to potential compromises and exploitation of outdated encryption standards. The shorter-lived certificates mean a faster transition to quantum-resistant cryptographic algorithms, protecting organizations from emerging threats in a post-quantum world.

In light of Google’s proposal, organizations relying on manual certificate management processes will face even greater pressure to adapt their workflows and adopt automated certificate lifecycle management solutions.

Why has Automating Certificate Lifecycle Management become Essential?

The proposed reduction in certificate validity highlights the need for automated certificate lifecycle management. As certificate renewal frequency increases, organizations will find it increasingly difficult to manage certificates manually. Automation ensures organizations stay compliant with this shift while minimizing operational headaches.

In fact, according to Google, automation is already being heavily embraced within the Web PKI ecosystem. Over 50% of certificates issued today rely on the Automatic Certificate Management Environment (ACME), and more and more organizations are demanding automated solutions. And here’s why automation is slowly becoming a necessity for effective certificate management:

Enhanced Security

Automated systems reduce the need for manual involvement which considerably reduces the risks of human errors by automatically tracking certificate expiration dates and renew certificates before they expire, which eliminates the risk of outages caused by expired or compromised certificates.
Time and Cost Savings

Automation also streamlines the entire certificate management workflow, from issuance to renewal to deployment, reducing manual intervention and streamlining your IT operations, renewal, and installation processes. This significantly reduces the time and resources required to manage certificates, allowing IT teams to focus on more strategic initiatives.
Centralized Management

With an automated solution, organizations can centrally manage all their certificates from a single platform. This gives them the benefit of getting a holistic view of all their certificates which in turn simplifies the management process and ensures consistent policy enforcement across the entire infrastructure.
Proactive Monitoring and Alerts

Automated certificate lifecycle management solutions often include monitoring capabilities that proactively identify issues such as impending certificate expirations, weak encryption algorithms, or misconfigurations. Real-time alerts prove to be beneficial for the organization as they enable the IT teams to address potential risks promptly and prevent service disruptions.
Better Security and Agility

With automation, organizations can more easily adopt new security practices protocols, encryption algorithms, and cryptographic standards, ensuring their certificates remain secure even as the threats become increasingly more advanced.
Compliance and Reporting

Automated solutions facilitate compliance with industry regulations and standards like PCI-DSS or HIPAA, by providing detailed reporting and audit trails. Down the line, it largely simplifies the auditing process and helps organizations demonstrate adherence to best practices and regulatory requirements.

Google’s Broader Vision for the Web PKI Ecosystem

Google’s proposal to shorten TLS certificate validity to 90 days is part of a broader effort to modernize the Web PKI ecosystem. As outlined in their “Moving Forward, Together” initiative, their goals include promoting modern infrastructures, agility, simplicity, and automation across the ecosystem.

Here’s a closer look at some of the key initiatives outlined in the proposal:

Encouraging Modern Infrastructures: Google is pushing to rotate aging root certificates to modern ones, with a proposed seven-year term limit for root CA certificates. This ensures that the ecosystem remains agile and secure by promoting the continuous renewal of critical cryptographic infrastructure.
Promoting Automation: Google advocates for the widespread adoption of ACME for certificate management. This open standard makes the certificate issuance, renewal, and deployment process seamless, helping organizations manage their certificates with ease, even in a 90-day validity scenario.
Focusing on Simplicity: Google is also pushing for purpose-built infrastructures dedicated to TLS certificate issuance, simplifying the Web PKI ecosystem and increasing its stability.
Preparing for a Post-Quantum World: With shorter-lived certificates, organizations will be better positioned to quickly transition to quantum-resistant algorithms as they emerge, minimizing the security risks posed by the advent of quantum computing.

The Risks of Manual Certificate Management

Organizations still relying on manual certificate management face numerous risks, including:

Service Outages: If a certificate expires unnoticed, it can lead to critical website or service outages, damaging both revenue and brand reputation.
Security Breaches: An expired or mismanaged certificate can create vulnerabilities, allowing attackers to exploit weaknesses in your system.
Non-Compliance: Industries governed by regulations like PCI-DSS or GDPR risk significant penalties if certificates are not properly managed.

Want to know how we can assist you?

Encryption Consulting’s CertSecure Manager is an advanced solution designed to address the challenges of manual certificate management and assist organizations in meeting these upcoming requirements. With its comprehensive features, including lifecycle management, certificate discovery, inventory management, issuance, deployment, renewal, revocation, and reporting capabilities, CertSecure Manager streamlines the entire certificate management process through end-to-end automation.

Additionally, CertSecure Manager’s built-in alerts provide timely notifications for critical events such as upcoming certificate expirations, allowing organizations to take proactive measures and prevent service disruptions. With a focus on security and compliance, CertSecure Manager helps organizations meet the highest industry standards, such as PCI-DSS, HIPAA, and GDPR, ensuring a secure and compliant certificate infrastructure.

By leveraging CertSecure Manager, organizations can effectively manage their certificates, enhance security, save time and resources, and maintain a strong online presence while aligning with Google’s proposed TLS certificate validity reduction.

Key Dates and What to Expect

Google’s proposal is still under review, but the timelines are moving fairly quickly. Here are some key dates that you need to watch for:

July 2023: Google proposed the 90-day certificate validity change at the CA/B Forum under the “Moving Forward, Together” initiative.
2024: The proposal could be implemented, reducing certificate lifespans to 90 days. Organizations can start prepping up by evaluating their certificate management processes and considering automation to meet the frequent renewal demands.

So, Are You Ready for 90-Day Certificates?

Google’s proposal to reduce the validity of TLS certificates is a pivotal moment for the Web PKI ecosystem. Organizations around the world will have to change how they manage their certificates to keep up with change in order for them to effectively maintain a secure and efficient online environment. The implications of this change are significant, particularly for organizations relying on manual certificate management processes.

The challenges of manual management, including the increased frequency of certificate renewals, tracking expiration dates, and ensuring timely updates across domains and servers, become even more pronounced with the reduced validity period. However, automation will not just help organizations comply with these changes. Still, it will transform the way certificates are managed, which will boost security and overall efficiency while reducing IT overload. Automated certificate lifecycle management solutions like CertSecure Manager provide a compelling solution to these challenges and prove to be an effective investment in the long run with the innumerable benefits that organizations get when it comes to efficient and secure certificate management.

Don’t wait until it’s too late, prepare now! Contact us at [email protected] to learn how CertSecure Manager can help your organization automate certificate lifecycle management and stay ahead of the curve in this new era of security.

Code Signing Certificates as Supply Chain Attack Targets

Code signing certificates play a crucial role in ensuring software authenticity and integrity. However, they have also become prime targets for supply chain attacks, posing risks to the entire software supply chain. This article explores the targeting of code signing certificates in supply chain attacks, their impact on organizations, and measures to protect against such threats.

Understanding Supply Chain Attacks

Supply chain attacks are cyberattacks that exploit vulnerabilities in an organization’s supply chain. These attacks compromise third-party vendors, suppliers, or contractors to gain unauthorized access to the target organization’s systems. Attackers exploit the lower security measures of these third parties and use tactics like malware injection or data theft to propagate throughout the supply chain network. Successful supply chain attacks can have severe consequences, including data breaches, intellectual property theft, financial losses, and reputational damage.

In today’s interconnected digital landscape, supply chain attacks have emerged as a significant and evolving threat to cybersecurity. These attacks exploit vulnerabilities in an organization’s supply chain, targeting third-party vendors, suppliers, and contractors to gain unauthorized access to valuable systems and data. By infiltrating the systems of these trusted entities, attackers can move laterally within the supply chain network, potentially compromising multiple interconnected systems and wreaking havoc on organizations. It is crucial for businesses to understand the nature of supply chain attacks and take proactive measures to protect their digital assets.

Code Signing Certificates as Supply Chain Attack Targets

Code signing certificates, which verify the authenticity and integrity of software, have become attractive targets for supply chain attacks. Attackers compromise the code signing process to inject malicious code into legitimate software, which is then distributed through regular software channels. Detecting such attacks becomes challenging, and their impact can be widespread. Attackers can acquire code signing certificates by compromising development environments, employing social engineering techniques, or using stolen or forged certificates to make their malware appear legitimate. Examples of supply chain attacks involving code signing certificates include the SolarWinds malware incident in 2020.

Code signing certificates, once considered a cornerstone of software security, have now become attractive targets for supply chain attacks. These certificates provide digital signatures that verify the authenticity and integrity of software, assuring users that it has not been tampered with and originates from a trusted source. However, attackers have recognized the potential of compromising code signing certificates to distribute malicious software through legitimate channels, making detection and prevention challenging. This insidious tactic puts millions of users at risk, and organizations must recognize the vulnerability of their code signing infrastructure and take necessary precautions to safeguard against such attacks.

Impact of Code Signing Certificate Compromise

Compromised code signing certificates can have severe consequences for organizations:

Damage to Reputation

Compromised certificates can erode user trust in software vendors, leading to reputational damage and reluctance to download future releases.
Financial Loss

Reduced trust can result in decreased sales and revenue, while remediating the situation through certificate revocation and reissuance incurs additional costs.
Legal Liability

Harm caused to users due to compromised certificates can result in legal liabilities and costly legal battles.
Spread of Malware

Attackers can inject malicious code into legitimate software, which unknowing users download, leading to harm and potential legal consequences.
Compliance Violations

Compliance requirements may be violated due to compromised certificates, resulting in regulatory fines and legal liabilities.

Protecting Against Code Signing Certificate Compromise

In the face of the growing threat of code signing certificate compromise, organizations need to adopt robust security measures to protect their software integrity and regain user trust. By implementing comprehensive strategies, organizations can mitigate the risks associated with code signing certificate compromise and prevent the potential devastating consequences. Measures such as secure certificate storage, two-factor authentication, regular auditing, and swift certificate revocation are essential to maintain the integrity of code signing certificates and ensure that only legitimate software reaches end-users. With careful planning and a proactive approach, organizations can effectively safeguard their code signing infrastructure and protect both their reputation and the security of their software supply chain.

Organizations can take several measures to protect against code signing certificate compromise:

Secure Certificate Storage

Implement robust security measures to protect certificates, including password protection, encryption, and limited access to trusted personnel.
Two-Factor Authentication

Enhance security by implementing two-factor authentication, requiring additional verification alongside passwords, such as security tokens or biometrics.
Regular Certificate Auditing

Conduct periodic audits to detect irregularities, unauthorized requests, and revoked certificates.
Certificate Revocation

Swiftly revoke compromised certificates, including associated keys, to prevent further misuse.
Limited Certificate Access

Restrict access to code signing certificates to authorized personnel with a legitimate need, promptly revoking access when no longer necessary.
Secure Network Connections

Transmit code signing certificates over secure network connections using encryption protocols like SSL or TLS to prevent interception and misuse.
Vulnerability Scanning

Regularly scan for vulnerabilities in code signing certificate systems, including malware, phishing attacks, and other potential cyber threats.

Conclusion

Code signing certificates are essential for software security but are increasingly targeted in supply chain attacks. The compromise of code signing certificates can have severe consequences, including reputation damage, financial losses, legal liabilities, malware propagation, and compliance violations. Organizations must prioritize secure storage, two-factor authentication, regular auditing, and robust security measures to protect against code signing certificate compromise. Continuous vigilance and proactive measures are crucial to mitigate risks and safeguard against potential damage.

SolarWinds: Should Security Live in InfoSec or DevOps

The SolarWinds cyberattack, discovered in December 2020, affected numerous government agencies and private companies worldwide. The incident raised concerns about the security of software supply chains. To determine where security should reside, it’s important to understand InfoSec (information security) and DevOps (development operations).

The SolarWinds attack involved compromising SolarWinds’ network management software, impacting an estimated 18,000 customers, including major government agencies. It was a supply chain attack, highlighting the need to secure software supply chains.

InfoSec and DevOps: What are they?

Before diving into the SolarWinds attack and the role of security, it’s important to understand what InfoSec and DevOps are.

InfoSec involves protecting information systems, networks, and data from unauthorized access, use, disclosure, disruption, modification, or destruction. InfoSec teams identify vulnerabilities, develop security policies, and educate users on best practices.

DevOps is an approach to software development that emphasizes collaboration and communication between development and operations teams. It aims to streamline the development process by automating tasks, continuously testing code, and integrating workflows for faster, reliable software releases.

The SolarWinds Attack

In December 2020, cybersecurity experts discovered that attackers had compromised SolarWinds, which provides network management software to numerous government agencies and private companies worldwide. The attackers had inserted a backdoor into the SolarWinds Orion software, allowing them to access sensitive data and systems. The attack affected an estimated 18,000 SolarWinds customers, including major government agencies such as the US Department of Homeland Security and the Treasury Department.

The SolarWinds attack was a supply chain attack, meaning that the attackers targeted a third-party software vendor rather than the organizations themselves. This attack is becoming increasingly common and highlights the importance of securing software supply chains.

Where should security live: InfoSec or DevOps?

The SolarWinds attack raises the question of whether security should live in InfoSec or DevOps. Some argue that security should be the responsibility of InfoSec teams, while others argue that security should be integrated into the DevOps process.

Arguments for InfoSec

Focus on risk management

InfoSec teams are trained to focus on risk management and threat mitigation. They have a deep understanding of the potential vulnerabilities and threats that an organization may face, and they are equipped to develop and implement policies and procedures to protect against those threats.
Independence

InfoSec teams are independent of the development process, which allows them to provide an unbiased perspective on security issues. They are not subject to the pressures of meeting development deadlines and can prioritize security concerns without compromising the development process.

Arguments for DevOps

Security as code

DevOps teams are responsible for creating and deploying code, so they are best positioned to integrate security into the development process. By incorporating security into the code, DevOps teams can ensure that security is built into the software from the beginning rather than being bolted on as an afterthought.
Faster response times

DevOps teams are responsible for deploying code quickly and efficiently. By integrating security into the development process, DevOps teams can respond more quickly to security issues and vulnerabilities, minimizing the risk of a successful attack.

Here are some factors to consider when deciding where security should reside

Organizational culture

Depending on whether the organization prioritizes security and compliance or innovation and agility, either InfoSec or DevOps may be better suited.
Development methodology

In the case of a waterfall development methodology, a separate InfoSec team may be more appropriate. However, with Agile or DevOps methodologies, integrating security measures into the development process may be more feasible
Regulatory compliance

If the organization must adhere to stringent regulatory requirements, a separate InfoSec team may be necessary to ensure compliance. However, if the organization is not required to meet such regulations, a DevOps approach could be a viable option.
Skillset and resources

Leveraging the knowledge of a large, experienced InfoSec team may be the best course of action. Conversely, if the InfoSec team is small or if security needs are constantly changing, a DevOps approach may be more practical.

Conclusion

The question of where security should live – in InfoSec or DevOps – is not straightforward. Both approaches have their merits, and the best approach will depend on the organization and its specific needs. Ultimately, the most effective approach will likely involve a combination of InfoSec and DevOps. InfoSec teams should be responsible for setting security policies.

What are the CA/Browser forum requirements for code signing certificate private keys? Are you prepared?

What are CA Browser forum requirements for code signing certificate private keys Are you prepared

Security is critical in today’s digital world, especially when it comes to the protection of codesigning certificate private keys. Over the years, developers have used code-signing certificates to establish their software applications’ authenticity, integrity, and trustworthiness. However, the private keys associated with the code signing certificate were not adequately protected due to a lack of stringent policies and guidelines.

In this blog, we will delve deep into the recent updates to Baseline Requirements for Code Signing Certificates by the Certificate Authority/Browser (CA/B) Forum, which have to be implemented from 1^st June 2023.

What are CA/B Forum updates?

The CA/Browser Forum, a consortium of certificate authorities (CAs) and browser vendors, periodically revises its guidelines and requirements to enhance the security of digital certificates. In a recent update, the forum introduced new recommendations specifically aimed at code-signing certificate private keys. These updates aim to address emerging security threats and strengthen the overall security posture of the code-signing ecosystem.

Starting June 1, 2023, it is mandatory for subscriber private keys associated with code signing certificates to be protected using a Hardware Crypto Module that complies with either FIPS 140-2 Level 2 or Common Criteria EAL 4+ requirements. Subscribers are required to select one of the approved approaches for generating and securing their code signing certificate private keys:

Option 1

Use a Hardware Crypto Module operated by them that adheres to the prescribed standards.
Option 2

Employ a cloud-based key generation and protection solution that satisfies the following criteria:
- Keeps private keys within the secure boundaries of the cloud platform’s hardware crypto module, meeting the specified requirements.
- Logs all access, operations, and configuration changes related to the resources securing the private key.
Option 3

Utilize a Signing Service that meets the established baseline requirements.

In addition, CAs shall verify that the subscriber’s private key is generated, stored, and used in a suitable hardware crypto module using one of the following methods:

The CA provides a hardware crypto module with pre-generated key pairs.
The subscriber uses key attestation to verify the private key’s secure generation in a hardware crypto module.
The subscriber employs a prescribed crypto library and suitable hardware crypto module for key pair generation and storage.
The subscriber presents an IT audit report confirming the exclusive use of a suitable hardware crypto module for key pair generation of code signing certificates.
The subscriber provides a report from their cloud-based key protection solution, demonstrating the secure configuration of resources protecting the private key.
The CA relies on a report, signed by an approved auditor, confirming key pair creation in a suitable hardware crypto module, including cloud-based solutions.
The subscriber provides an agreement agreeing to use a Signing Service that meets the requirements.

How can you stay compliant?

To ensure compliance with these updates and enhance the security of their digital certificates, organizations should take the following steps:

Review the Requirements

Thoroughly study the updated recommendations the CA/Browser Forum provided to understand the specific requirements and changes related to code signing certificate private keys.
Assess Existing Infrastructure

Organizations need to review their current infrastructure and identify their methods to generate and protect code signing certificate private keys. This assessment will help identify gaps or areas that must be addressed to comply with the new guidelines.
Select a Suitable Approach

Organizations must choose one of the approved approaches stated in the blog for generating and securing their code signing certificate private keys.

Want to know how can we assist you?

Encryption Consulting’s CodeSign Secure provides organizations with a comprehensive code-signing solution tailored to their unique requirements. By utilizing this solution, organizations can establish a strong code-signing policy that effectively mitigates security risks and ensures the authenticity of their software. Our product streamlines the code-signing process and offers a range of features designed to enhance security.

One key feature of CodeSign Secure is secure key management. It enables organizations to securely store their private keys of the code-signing certificate by integrating with industry-leading Hardware Security Modules (HSMs) that are FIPS certified. This integration eliminates the potential risks associated with stolen, corrupted, or misused keys, as the private keys never leave the HSM during the code signing operation.

Conclusion

In conclusion, the recent updates to the Baseline Requirements for Code Signing Certificates by the CA/Browser Forum emphasize the criticality of protecting code signing certificate private keys. Organizations must adapt to these updates by implementing robust measures, such as using Hardware Crypto Modules that do not only comply with but exceed the requirements of FIPS 140-2 Level 2 or Common Criteria EAL 4+ standards. Organizations can bolster trust, integrity, and authenticity in their software applications by prioritizing the security of code signing certificate private keys.

Reference: Baseline Requirements for Code-Signing

Decrypting Ransomware: Understanding How Cybercriminals Hold Your Data Hostage

Ransomware has emerged as a significant threat in the field of cybersecurity, posing severe risks to individuals and organizations alike. This malicious software holds digital assets hostage, demanding payment in exchange for releasing access to the victim’s data or computer system. The implications of ransomware can be devastating, including the loss of critical data, financial costs, and damage to one’s reputation. It is crucial for individuals and organizations to understand how ransomware attacks work and take proactive steps to prevent and respond to such attacks in today’s digital landscape.

Ransomware Attacks and Their Process

Ransomware attacks typically follow a three-step process: gaining access, encrypting data, and demanding a ransom. The first step, gaining access, can be accomplished through various means such as phishing emails, compromised software, P2P sharing, USB flash drives, and sketchy websites. Phishing emails and click-baiting are common methods employed by threat actors to trick individuals into inadvertently downloading ransomware onto their systems. Additionally, compromised software and peer-to-peer sharing present opportunities for cybercriminals to exploit vulnerabilities and infect systems. USB flash drives, often found misplaced or intentionally placed to infect devices, can also introduce ransomware to a system. Lastly, threat actors create counterfeit websites that closely mimic legitimate brands or organizations, luring users into entering their personal information or downloading malware.

Once the attacker gains access to the target system, they proceed to encrypt valuable information, such as personal details, credit card information, or account credentials, which can fetch them monetary rewards. Modern ransomware employs hybrid encryption schemes, combining symmetric and asymmetric encryption methods to render the victim’s data inaccessible.

After encrypting the data, the threat actors demand a ransom to release the private key required for decryption. Ransoms are typically demanded in cryptocurrencies like Bitcoin or Ethereum, offering a degree of anonymity to the attackers. It is important to note that paying the ransom does not guarantee the release of the private key, and there is no guarantee that the cycle of attacks and ransom demands will cease.

Notable Ransomware Examples and Attacks

Numerous ransomware variants have caused significant damage and financial losses over the years. Some well-known examples include WannaCry, Kronos, Darma, DoppelPaymer, GandCrab, Maze, MedusaLocker, NetWalker, NotPetya, Petya, REvil, TeslaCrypt, and SamSam. These ransomware strains have targeted various individuals, organizations, and even critical infrastructure, leaving a trail of destruction in their wake.

In 2022, notable ransomware attacks occurred against prominent organizations. One such attack targeted Nvidia, the world’s largest semiconductor chip company. The Lapsus$ group claimed responsibility for the attack, stating that they had access to employee information and had seized over 1TB of data. Another significant attack was aimed at Entrust Corporation, a digital security giant. The LockBit ransomware gang carried out the attack and even created a dedicated website displaying a countdown timer for the release of customer data if their demands were not met. Despite the attack, Entrust refused to pay the ransom, leading to a surprising turn of events where LockBit’s data leak site was knocked out by a DDoS attack.

The Role of Encryption Consulting in Ransomware Prevention

To protect against ransomware attacks and strengthen overall cybersecurity, organizations can seek assistance from reputable cybersecurity firms like Encryption Consulting. Encryption Consulting is a leading organization that specializes in data protection, Public Key Infrastructure (PKI), and Hardware Security Modules (HSMs). They offer CodeSign Secure, a comprehensive tool for code signing files, which helps organizations ensure that no malicious code is injected into their files. Code signing mitigates the risks associated with compromised software and downloaded files, enhancing overall security. Encryption Consulting’s expert consultants provide organizations with a roadmap for end-to-end data encryption, empowering them to establish robust security measures and protect their sensitive information in the digital realm.

Conclusion

Ransomware attacks have become increasingly prevalent and costly in today’s digital landscape. The consequences of such attacks, including data breaches and financial losses, can be devastating for individuals and organizations. It is crucial for all internet users to be aware of the mechanisms employed by ransomware and take proactive measures to prevent falling victim to such attacks.

Prevention is key when it comes to ransomware. Implementing robust cybersecurity measures, such as regularly updating software and operating systems, using strong and unique passwords, and employing reputable antivirus and anti-malware software, can significantly reduce the risk of ransomware infections. Additionally, organizations should conduct regular employee training on recognizing and avoiding phishing attempts and other social engineering techniques used by threat actors.

Backups play a crucial role in mitigating the impact of ransomware attacks. Regularly backing up important data and storing backups offline or on separate systems can ensure that, even if a ransomware attack occurs, data can be restored without paying the ransom. It is essential to test the effectiveness of backups regularly to ensure their reliability.

Collaboration and information sharing among individuals, organizations, and cybersecurity professionals are paramount in the fight against ransomware. Staying informed about the latest ransomware trends, vulnerabilities, and prevention strategies can help individuals and organizations stay one step ahead of threat actors. Government agencies, cybersecurity firms, and law enforcement agencies should work together to investigate and disrupt ransomware operations and hold cybercriminals accountable for their actions.

In conclusion, ransomware attacks continue to pose a significant threat to individuals, businesses, and critical infrastructure. Understanding the workings of ransomware and implementing preventive measures are essential to safeguarding valuable data and minimizing the impact of potential attacks. By staying vigilant, investing in robust cybersecurity practices, and leveraging the expertise of reputable organizations like Encryption Consulting, we can collectively mitigate the risks posed by ransomware and create a more secure digital environment for all.

Why are organizations not enforcing code signing policies?

As technology advances and the world becomes more reliant on software, cyber threats continue to evolve, posing a significant risk to organizations. Code-signing policies have become a critical aspect of ensuring the safety and integrity of software. These policies ensure that only authorized code is executed on systems, preventing malware from being installed. Despite its importance, many organizations still fail to enforce these policies, leaving their systems vulnerable to attacks.

Lack of Understanding

One of the main reasons why code signing policies are being disregarded or not enforced is due to a lack of understanding. Many organizations may not fully comprehend the risks associated with unsigned code or may not understand how to implement a code-signing policy effectively. Sometimes, the IT team may not have the necessary skills and knowledge to manage code-signing policies. As a result, the organization may not prioritize code signing policies and may not be given the necessary attention.

Cost

Another reason why organizations may be reluctant to enforce code-signing policies is the cost associated with implementing them. Code signing certificates can be expensive, and organizations may not want to invest in them, especially if they do not fully understand their benefits. Additionally, implementing code signing policies may require changes to existing infrastructure, which can be time-consuming and costly. This may result in organizations deciding not to enforce code signing policies, leaving them vulnerable to cyberattacks.

Lack of Accountability

In some organizations, there may be a lack of accountability when it comes to enforcing code-signing policies. This may occur if it is unclear who is in charge of overseeing the code signing guidelines. If there is no one person or department responsible for implementing and enforcing code signing policies, it can be challenging to ensure that they are followed consistently. This lack of accountability can lead to policies being disregarded or not implemented.

Legacy Applications

Legacy applications can also be a hindrance to enforcing code signing policies. Many older applications were not designed with code signing in mind and may not be compatible with modern code-signing certificates. In some cases, code signing may not be possible without significant modifications to the application, which may not be feasible or cost-effective. This can create a situation where code-signing policies cannot be enforced effectively, leaving the organization vulnerable to cyberattacks.

Lack of Awareness

Another reason why code signing policies may be ignored or not enforced is due to a lack of awareness. Some organizations may be unaware of the advantages of code-signing policies or may not completely comprehend how they work. This can lead to a situation where code signing policies are not considered a priority and may not be enforced. Furthermore, employees may be unaware of the significance of code signing policies, which can lead to unintentional violations.

Resistance to Change

Finally, some organizations may resist implementing code-signing policies due to resistance to change. Change may be challenging, particularly when introducing new security measures. Employees may be reluctant to workflow changes or unwilling to learn new methods. This can make it difficult to implement and enforce code-signing policies effectively.

Conclusion

In conclusion, code-signing policies are essential to modern cybersecurity, and their implementation and enforcement are critical for protecting software applications against malicious attacks. Ignoring or neglecting these policies can result in severe consequences for organizations, including data breaches, financial loss, and damage to reputation. Organizations can ensure their systems and data remain secure by addressing the common barriers to code signing policy implementation, such as a lack of understanding, cost, and resistance to change.

Learn How Code Signing Can Impact Your Organization

Code signing is a technique used to ensure the authenticity and integrity of software code. This technique involves digitally signing the code with a digital signature, which can be verified by the user to ensure that the code has not been modified or tampered with. Code signing is an essential security measure for any organization that develops or distributes software, as it helps to prevent unauthorized code from being installed on users’ systems. In this blog, we will explore the importance of code signing and its impact on your organization.

What is Code Signing?

Code signing is the process of digitally signing software code to ensure its authenticity and integrity. A digital signature is a mathematical algorithm that uses a private key to encrypt the code and a public key to decrypt it. This signature ensures that the code has not been modified or tampered with since it was signed.

Code signing is done using a digital certificate issued by a trusted certificate authority (CA). The digital certificate contains information about the signer and the code being signed, and it is used to verify the signature’s authenticity. When the code is installed on a user’s system, it checks the digital signature against the certificate to ensure it has not been tampered with.

Why is Code Signing Important?

Code signing is essential for several reasons. Firstly, it ensures the authenticity and integrity of software code. This means that users can trust that the code they are installing is from a trusted source and has not been tampered with. This is particularly important for software that is used to handle sensitive data, such as financial or healthcare data.

Secondly, code signing helps prevent malware and other malicious code from being installed on users’ systems. Malware often tries to disguise itself as legitimate software, and code signing helps to prevent this by providing users with a way to verify the authenticity of the code they are installing.

Finally, code signing is often a requirement for software vendors that want to distribute their software through trusted channels, such as app stores or enterprise software distribution platforms. These platforms often require that software be signed with a trusted digital certificate to ensure its authenticity and security.

How does Code Signing impact your organization?

Code signing can have a significant impact on your organization. Here are some of the keyways that code signing can impact your organization:

Enhanced Security

Code signing can help to enhance the security of your organization’s software. Signing your code with a trusted digital certificate ensures that only legitimate code is installed on users’ systems. This can help prevent malware and other malicious code from infecting your organization’s network.
Compliance

Many regulatory bodies require that software be signed with a trusted digital certificate to ensure its authenticity and security. Signing your software with a trusted digital certificate ensures that your organization complies with these regulations. This can help to avoid costly fines and legal issues.
Brand Protection

Code signing can help to protect your organization’s brand. Signing your software with a trusted digital certificate ensures that users trust the software they are installing. This can help to protect your organization’s reputation and prevent damage to your brand.
Increased User Confidence

Code signing can increase user confidence in your organization’s software. By signing your software with a trusted digital certificate, you can provide users with a way to verify the authenticity and integrity of the software they are installing. This can help to increase user confidence in your organization’s software and lead to increased adoption.
Reduced Support Costs

Code signing can help to reduce support costs for your organization. By ensuring that only legitimate software is installed on users’ systems, you can reduce the likelihood of software-related issues. This can help to reduce the number of support requests your organization receives, leading to lower support costs.

To ensure that your organization maximizes the benefits of code signing, there are several best practices which can be followed:

Use a Trusted Certificate Authority

To ensure that your digital certificate is trusted by users, it is important to use a trusted certificate authority (CA) to issue your certificate. Trusted CAs are widely recognized and trusted by most operating systems and web browsers, ensuring that users can verify the authenticity of your code.
Keep Your Private Key Secure

Your private key is used to sign your software code, and it must always remain secure. If your private key is compromised, an attacker could use it to sign and distribute malicious code that appears to be from your organization. To prevent this, ensure that your private key is stored securely, and that only authorized personnel have access to it.
Sign All Code

To ensure maximum security, it is important to sign all of your organization’s software code, including drivers, DLLs, and other executables. This ensures that users can verify the authenticity and integrity of all your code, not just the main executable.
Timestamp Your Signature

When you sign your code, including a timestamp to indicate when the code was signed is important. This ensures that users can verify that the code was signed before a specific date, helping to prevent attacks that rely on the compromise of older signed code.
Use Strong Passwords

When generating your private key, it is important to use a strong password to prevent unauthorized access. A strong password should be long, complex, and unique and should be changed regularly to ensure maximum security.
Verify Your Signature

Before distributing your code, it is important to verify your signature to ensure that it is valid. This ensures that users will be able to verify your signature when they install your software.
Revoke Certificates as Necessary

If your private key is compromised or if you need to revoke a certificate for any reason, it is important to do so immediately. This ensures that users will not trust any code signed with the compromised or revoked certificate.

How can Encryption Consulting (EC) CodeSign Secure help you?

EC has developed the most efficient and user-friendly code-signing solution, CodeSign Secure. What makes us the best out in the market?

CodeSign Secure starts with virus scanning before commencing any type of signing process. It searches for any viruses or malware that may have been injected into the file before sending it away for the signing process.
CodeSign secure uses client-side hashing, providing customers with that extra layer of security. Hashing a file at its origin helps maintain its integrity at its peak and gives the customer a clear view of the file and what comes after signing.
Never exposing the key while signing the file/code. The file is signed inside the HSM, and the keys are never exposed to the outside world.
Our organization provides Role-based access control for code/file signing providing correct access and privileges to the user. Ensuring only those with proper roles can access certificates and keys within the tool.
Timestamp your signed code avoids the risks of software expiring unexpectedly when the code signing certificate expires. When a code signing certificate expires, the validity of the software that was signed will also expire unless the software was timestamped when it was signed.
CodeSign Secure follows the latest NIST (National Institute of Standards and Technology) guidelines of code signing
Monitor and audit key signing workflows, certificates and keys are associated with specific applications, and whoever is signing anything gets recorded in the logs of our tool, so we have the IP and the username of anyone attempting to sign. They will be blocked if they do not have valid credentials, or the key or certificate has expired.
Enable automated code signing in SDLC processes, we have the ability to sign from a client tool, via APIs, or via the command line so it is very straightforward and simple to integrate our tool into SDLC processes, including tools like Jenkins and Bamboo.
Compare signing from different build servers, our tool will check that the code being signed is the most up to date version of the code on the build servers in use by the client, ensuring an older or potentially malicious version of the code is not being signed.
Revoking compromised certificates, when a certificate expires, it will automatically be renewed, but in the case that a certificate or key is found to have been compromised, the key can be revoked and thus the signing process cannot occur with that key and certificate.

Conclusion

Code signing is an essential security measure for any organization that develops or distributes software. It helps to ensure the authenticity and integrity of software code, preventing unauthorized code from being installed on users’ systems. Code signing can significantly impact your organization, enhancing security, ensuring compliance, protecting your brand, increasing user confidence, and reducing support costs.

To ensure that your organization maximizes the benefits of code signing, it is important to follow best practices such as using a trusted certificate authority, keeping your private key secure, signing all code, timestamping your signature, using strong passwords, verifying your signature, and revoking certificates as necessary. Following these best practices ensures that your organization’s software is secure, trusted, and compliant with industry regulations.

EC’s CodeSign Secure offers a simple and efficient way to sign your code and protect your software, ensuring it complies with today’s security-conscious digital environment standards.

How to Integrate GitLab CI/CD Pipeline with CodeSigning?

GitLab is a web-based Git repository manager that provides source code management, continuous integration/continuous development (CI/CD) pipeline automation, and several other features for software development. It is a comprehensive DevOps platform that enables experts to carry out every project work, from planning and managing the source code to monitoring and security.

Teams can collaborate and create better software as a result. GitLab offers comprehensive DevOps capabilities throughout every stage of the software development lifecycle. Its continuous integration (CI) capabilities automate the building and testing of code for development teams. The platform also includes security features that provide scan results within the native CI pipeline/workflow, and a dashboard that assists security professionals with managing vulnerabilities.

Codesigning

Code signing is a procedure that verifies the legitimacy of the author and the originality and authenticity of digital information, particularly software code. It also ensures that the information is not malicious code. Additionally, it guarantees that this information has not been altered, falsified, or canceled after being digitally signed. The digital signature is created using a private key that’s only available to the software’s publisher. When the software is downloaded and installed, the digital signature is checked against the public key to confirm that it matches and that the software hasn’t been modified. Code signing is important for ensuring the safety and security of software applications, as it helps prevent the distribution of malware and other malicious software.

Encryption Consulting has a CodeSigning solution, “CodeSign Secure,” which can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

Integration of GitLab with CodeSigning

To get started with this, you’ll first require a GitLab Account and a Runner, where you’ve signtool and ECSigning KSP installed and configured. Listing down the pre-requisites:

Self Hosted Runner which has ECSigning KSP, Signtool installed and configured. This runner should be provided with Administrative privileges.
A GitLab Account.

To set up the ECSigningKSP and Signtool, go through the following steps:

Download Windows SDK: (developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/)

You can choose to install only the Windows SDK Signing Tools for Desktop Apps.

Open the winsdksetup.exe file. Remember the default path shown in the install path, as this will be helpful with running these commands from the command prompt.

On the Windows Kits Privacy page, either option for allowing Microsoft to collect insights is okay. Click next.

Accept the license agreement

Deselect every feature except for Windows SDK Signing Tools for Desktop Apps, then select install.

When prompted if you want to allow this app to make changes, select yes.

Click on windows search bar on task bar and type “Edit the system environment variables” and select the control panel option of the same name.

Click environment variables.

Before editing the variable list, navigate to where the Windows SDK is installed to using file explorer, you must copy the path of the folder which contains the signtool application, the default path is C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64, refer to the below screenshot. Make sure to right click and copy the path as shown. You can also see the signtool application at the bottom of the file list, this is the command you will run.

In the System Variables list, click new. Then type Path as the variable name, and copy and paste the aforementioned path. Then click OK on the environment variables window and system properties window.

To test the installation, open command prompt, and type signtool, and the output should be as shown below.

The default signtool installation location is, for example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64

To set up KSP follow the steps below:

If you’re using our solution you can download the KSP using the steps below:

Sign in to Code Sign Secure.
Navigate to: Signing tools repository.
Download “Encryption Consulting CNG-SigningKSP”
Install the client tools using the .MSI installer. The .MSI installer automates much of the configuration. Navigate to where the downloaded file is saved and launch the installer.
Click next when the installation wizard appears.
Click next.
In the Username field, type admin.
In the Code field, copy the code from the Postman API Repository. Click on the GetLoginToken api and copy the code from the Body.

Download PostMan from this link. Once downloaded, click the skip button at the bottom of the window. Once on dashboard, add a new collection using the plus sign button next to collections.

GetLoginToken API (http://codesignsecureapi.encryptionconsulting.com/api/auth/GetLoginToken): This is the most important API, as this gives you a Bearer Token to use with the rest of the APIs, What should be in the body is shown below. The code serves as a password in order to get a the Bearer Token, the user field is the username, and the identity type field specifices the user type. Click Send to generate an output which has the Bearer Token listed at the bottom. Copy this token for use.
Change the Identity Type to 1.
Leave API BaseURL the same.
Click next.
Click next.
You will then be notified that this program will make changes to your pc, click yes.
Installation is now complete.

Please follow the steps below:

Set Up a GitLab Account. Navigate to creating a New Blank Project.
Scroll down to settings -> CI/CD and navigate to runner. Expand it.
Click on new project runner.
Click on platform of your choice and provide a tag for the runner. Give timeout seconds and click on create runner.
Copy the token displayed we’ll need it to register the runner. Now we’ll first install Gitlab runner in our device.
Install GitLab runner in your device using the link. This link is for Windows. You can look this link to see steps to Install it in your specific device.
You can follow the documentation to set up your runner and register it as per your device.

To register a runner under Windows, run the following command:

.\gitlab-runner.exe register
Enter your GitLab instance URL (also known as the gitlab-ci coordinator URL). Example: https://gitlab.com
Enter the token you obtained to register the runner. You can access this from settings -> CI/CD -> Expand -> Project runners. Under project runners you can find token.
Enter a description for the runner. You can change this value later in the GitLab user interface. Example: Device
Enter the tags associated with the runner, separated by commas. You can change this value later in the GitLab user interface. Example: WindowsRunner
Enter any optional maintenance note for the runner.
Provide the runner executor. We’re operating this in Shell.

Once the runner is installed and configured, navigate to services in your device, scroll down to GitLab Runner and set log on as Administrator. Provide Admin Password here.

Once this is done, go to your project. You might have to rename the .ym file name. Rename it as .gitlab-ci.yml. Run the script below to perform codesigning.

 job1:
    tags:
        - WindowsRunner //The tag you provided while setting up the runner
    script:
        - signtool sign /csp "Encryption Consulting Key Storage provider" /kc evcodesigning /fd SHA256 /f "C:\Users\Administrator\Desktop\ForTesting\evcodesigning.pem" /tr http://timestamp.digicert.com /td SHA256 "C:\Users\Administrator\Desktop\ForTesting\AgentService.exe"

If you click on CI/CD -> jobs you’ll see it being successfully signed.

You’ll need to modify the command as per your variables

kc evcodesigning: replace evcodesiging with your key name
f “C:\Users\Administrator\Desktop\ForTesting\evcodesigning.pem”: replace location with location of your .pem file to perform codesiging. You can get this by using signing KSP. From command prompt reach to the directory having SigningKSP. Use command ECGetCert.ece <key name> to get pem file of your certificate.
tr http://timestamp.digicert.com: time stamping server
td SHA256 “C:\Users\Administrator\Desktop\ForTesting\AgentService.exe”: location of file you want to get signed.

Conclusion

The article above demonstrates the process of integration your GitLab CI/CD pipeline with codesigning. It is a very simple process as you’re just required to set up a runner, connect it with a GitLab account and build the pipeline to run the job. Codesigning is crucial in today’s date as malicious software, files continue to grow. You can contact us at [email protected] for any help regarding our code signing solution.

How to Integrate a GitHub Actions CI/CD Pipeline with CodeSigning?

GitHub Actions is a continuous integration and continuous development (CI/CD) platform that allows user to automate their build, test, and deployment pipeline. Users may design workflows that build and test every pull and push request to their repository or deploy merged pull requests to production. GitHub Actions is a powerful tool that allows developers to automate workflows within their GitHub repositories.

Each workflow is made up of one or more jobs, which are made up of one or more steps. Each step is a set of commands that are executed on a runner, which is a virtual machine that runs your workflows.

Getting Started with GitHub Actions

To get started with GitHub Actions, you’ll need a GitHub account and a repository. Once you’ve created your repository, you can create a new workflow by adding a YAML file to the .github/workflows directory in your repository.

Some of the terms that are used in the YAML file defining workflow are listed below. Let’s break down this workflow to understand how it works:

name: This is the name of the workflow.
on: This specifies when the workflow should be triggered. For example, the workflow can run when a pull request is opened on a branch.
jobs: This is a list of jobs that will be executed as part of the workflow.
run-on: This specifies the operating system and environment for the job. We can set up a self-hosted runner for our job. We are setting up a self-hosted runner for this.
steps: This specifies a list of steps that will be executed as part of the job.
uses: This is a shortcut for using an existing action from the GitHub Marketplace. In our script, we’re using the actions/checkout action to checkout the repository code.
name: This is the name of the step.
run: This is a shell command that will be executed as part of the step.

Codesigning Using GitHub Actions

Code signing is the process of digitally signing software code to verify its authenticity and integrity. It is a security measure that helps ensure that the code has not been tampered with and comes from a trusted source.

We can perform codesigning using GitHub actions. For this, we create a workflow in our desired repository in GitHub and perform codesigning using the script.

Prerequisites for performing this task include:

A GitHub repository (You’ll require an admin account).
A Runner where Signtool and ECSigning KSP is installed and configured.

Before we get started, we will need to configure a runner. Runner will be setup in the device where you have Signtool and ECSigning KSP installed and configured. To do so in your device follow the steps below.

To Setup and Configure Signtool follow the steps below:

Signtool can be downloaded as part of the Windows SDK. Download Windows SDK: (developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/)

You can choose to install only the Windows SDK Signing Tools for Desktop Apps.

Open the winsdksetup.exe file. Remember the default path shown in the install path, as this will be helpful with running these commands from the command prompt.

On the Windows Kits Privacy page, either option for allowing Microsoft to collect insights is okay. Click next.

Accept the license agreement

Deselect every feature except for Windows SDK Signing Tools for Desktop Apps, then select install.

When prompted if you want to allow this app to make changes, select yes.

Click on windows search bar on task bar and type “Edit the system environment variables” and select the control panel option of the same name.

Click environment variables.

To test the installation, open command prompt, and type signtool, and the output should be as shown below.

The default signtool installation location is, for example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64

To set up KSP follow the steps below:

Encryption Consulting provides you with this solution, CodeSignSecure. This solution can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

If you’re using our solution you can download the KSP using the steps below:

Sign in to Code Sign Secure.
Navigate to: Signing tools repository.
Download “Encryption Consulting CNG-SigningKSP”
Install the client tools using the .MSI installer. The .MSI installer automates much of the configuration. Navigate to where the downloaded file is saved and launch the installer.
Click next when the installation wizard appears.
Click next.
In the Username field, type admin.
In the Code field, copy the code from the Postman API Repository. Click on the GetLoginToken api and copy the code from the Body.

Download PostMan from this link. Once downloaded, click the skip button at the bottom of the window. Once on dashboard, add a new collection using the plus sign button next to collections.

GetLoginToken API (http://codesignsecureapi.encryptionconsulting.com/api/auth/GetLoginToken): This is the most important API, as this gives you a Bearer Token to use with the rest of the APIs, What should be in the body is shown below. The code serves as a password in order to get a the Bearer Token, the user field is the username, and the identity type field specifices the user type. Click Send to generate an output which has the Bearer Token listed at the bottom. Copy this token for use.
Change the Identity Type to 1.
Leave API BaseURL the same.
Click next.
Click next.
You will then be notified that this program will make changes to your pc, click yes.
Installation is now complete.

To set up the runner, follow the steps below:

Navigate to your Github Repository.

Navigate to Settings of Repository
Scroll down to Actions and select Runner from the dropdown menu.
Click on New Self-Hosted Runner.

After doing so, you can click on the runner image (macOS/Linux/Windows) of your choice. The instructions below are for Windows. You’ll see several commands to be followed on the screen.

Run the commands that are shown in the configuration of the runner. The commands are also given below:

mkdir actions-runner; cd actions-runner;
Invoke-WebRequest -Url https://github.com/actions/runner/releases/download/v2.303.0/actions-runner-win-x64-2.303.0.zip -OutFile actions-runner-win-x64-2.303.0.zip
Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory(“$PWD/actions-runner-win-x64-2.303.0.zip”, “$PWD”)
./config.cmd –url https://github.com/Encryption-Consulting-LLC/CodeSignSecure-Desktop –token <token_number>

Once you see Github Actions written on your screen, you’ll be asked for runner registration.

Enter the name of the runner group to add this runner to: [press Enter for Default] (You can leave this to default).
Enter the name of the runner: [press Enter for CLIENT] (You can enter the desired name for your runner).
This runner will have the following labels: ‘self-hosted’, ‘Windows’, ‘X64’

Enter any additional labels (ex., label-1,label-2): [press Enter to skip] (Please enter a label here, it can be anything, do not leave/skip this step. The same name will be used later to call runner in the script).
The following will be prompted on your screen once it’s done
- Runner successfully added
- Runner connection is good
- Runner settings
Enter name of work folder: [press Enter for _work] (You can leave this to default or you can specify a folder of your choice)

Settings Saved
Would you like to run the runner as service? (Y/N) [press Enter for N] (Enter Y)
User account to use for the service [press Enter for NT AUTHORITY\NETWORK SERVICE] (Make sure you enter Administrator here)

(Administrator privilege is required to run the command. Hence it is MUST to set the user as an administrator)
Password for the account CLIENT\Administrator (Provide password of your Administrator account)
Once done, you’ll see the following prompt on your screen.

It will be prompted as Service actions.runner.<repository name>.<runner_name>

Granting file permissions to ‘CLIENT\Administrator’.

Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree successfully installed

Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree successfully set recovery option

Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree successfully set to delayed auto start

Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree successfully configured

Waiting for service to start…

Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree started successfully

Once the runner is set up on your device, navigate to your repository in github.

Go to Actions.

Click on New Workflow

Click on set up a workflow yourself

This is what your editor will look like. You can rename your .yaml file or leave the name to default.

Add the script below to your editor after making some changes or updating the variables.

 name: Code Signing

on:
  push:
    branches: <[ Your Branch Name ]>

jobs:
  build:
    runs-on: <Your runner name>
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Sign code
        run: |
         signtool sign /csp "Encryption Consulting Key Storage provider" /kc <Key Name> /fd <hashing algorithm> /f "<Certificate Location>" /tr <timestampserver> /td SHA256 "<file path>"

Please replace the variables specified under <variable name>. A short description of expected variable is given below.

<file path>: This is where you provide the path of file that you want to sign. Example C:\<Folder_name>\<File_name>. Make sure you have provided a file name with the proper extension.

<key name>This refers to the cryptographic key used to sign the code. Example: evcodesigning

<certificate location>: An example of what can be put in this field is C:\testing.pem. The certificate.pem file MUST be included in this input. You can generate a pem file of the certificate for codesigning, if you have the key name using, ECSigningKSP. For doing so follow the commands below:

In your device where you have ECSigningKSP installed and configured, navigate to the folder of ECSigningKSP, which is usually present in “C:\Program Files\Encryption Consulting\SigningKSP”

In your command prompt reach to this directory.

Then use following command to get pem file of the certificate.

ECGetCert.exe <Key_Name> (example: ECGetCert.exe evcodesigning)

Provide the location of the certificate saved.

<hashing algorithm>: You need provide the name of hashing algorithm such as SHA256, SHA384, or SHA512. It must be one of these three values.

<time stamp server>: A timestamp server provides proof that a digital signature was performed at a specific time, allowing verification in the future that a file was signed at a particular time. The one we generally use is http://timestamp.digicert.com

The Command I used for signing was

signtool sign /csp "Encryption Consulting Key Storage provider" /kc evcodesigning /fd SHA256 /f "C:\Users\Administrator\Desktop\ForTesting\evcodesigning.pem" /tr http://timestamp.digicert.com /td SHA256 "C:\Users\Administrator\Desktop\ForTesting\AgentService.exe"

The Script I used was:

 name: Code Signing
on:
  push:
    branches: [ Github_Actions ]

jobs:
  build:
    runs-on: runner
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Sign code
        run: |
         signtool sign /csp "Encryption Consulting Key Storage provider" /kc evcodesigning /fd SHA256 /f "C:\Users\Administrator\Desktop\ForTesting\evcodesigning.pem" /tr http://timestamp.digicert.com /td SHA256 "C:\Users\Administrator\Desktop\ForTesting\AgentService.exe"

Once you’ve edited your script, click on commit. You can commit directly to your default branch or commit to a new branch. Make sure you update the name of your branch inside the code. After committing the job will run.

Conclusion

Encryption Consulting provides you with codesigning solution known as CodeSign Secure. You can contact us to get your hands on the SigningKSP as well as keyname. Codesigning Using Github Actions is a simple process. A user will just have to configure the runner and run your script. You can contact us at [email protected] for any assistance.

Nvidia Code Signing Certificates Stolen by Ransomware Group: How to Protect Yourself

In early 2021, it was reported that a ransomware group had stolen code signing certificates from NVIDIA, a leading graphics processing unit (GPU) manufacturer. Code signing certificates play a vital role in ensuring the legitimacy and reliability of software, and their theft can result in significant repercussions for both individuals and companies. In this article, we will explore what code-signing certificates are, how they are used, the risks associated with their theft, and what steps you can take to protect yourself.

“NVIDIA Code Signing Certificates Theft: A Wake-up Call for Robust Security Measures.”

The theft of code signing certificates from NVIDIA is a significant security breach that highlights the vulnerability of digital certificates and the importance of securing them. NVIDIA is a leading GPU manufacturer with a global customer base that relies on its software and products for various applications. With the theft of its code signing certificates, there is a risk that attackers could use them to distribute malware that appears to be from NVIDIA, which could have severe consequences for individuals and organizations. This incident underscores the need for robust security measures and the importance of implementing best practices to protect against cyber threats.

What are Code Signing Certificates?

Code signing certificates are digital certificates issued by trusted third-party certificate authorities (CAs) used to sign software. When a code signing certificate is used to sign software, it provides assurance that the software has not been tampered with or modified since it was signed and came from a trusted source.

Code signing certificates usually include the name of the software publisher, a timestamp, and a unique serial number. During the installation of software that has been signed with a code signing certificate, the user’s computer conducts an authenticity check by verifying the certificate’s digital signature against the certificate authority’s public key.

The Risks of Stolen Code Signing Certificates

The theft of code signing certificates can have serious consequences. With a stolen certificate, an attacker can sign their malware and make it appear legitimate. This can deceive both users and security software, allowing the attacker to obtain confidential data or take control of a victim’s system.

In the case of NVIDIA, the REvil ransomware group stole three code-signing certificates that were used to sign drivers for NVIDIA’s GPUs. While there is no evidence that the certificates have been misused yet, the theft could allow attackers to sign and distribute malware that appears to be from NVIDIA. This could have serious consequences for individuals and organizations that rely on NVIDIA’s Software.

How to Protect Yourself from Code Signing Certificate Theft

To protect yourself from the theft of code signing certificates, there are several steps you can take:

Keep Software Up to Date

It is a necessary step in protecting yourself from attacks. It is imperative to ensure that the latest versions of the software, which have been signed with code signing certificates and contain the latest security patches, are being utilized.
Verify Certificate Authenticity

When you are installing software, make sure to verify the authenticity of the code signing certificate. This can be done by checking the publisher’s name, the timestamp, and the unique serial number against the certificate authority’s public key. If any of these do not match, This might imply that the certificate has been tampered with or is invalid.
Use Multi-Factor Authentication

Multi-factor authentication adds an extra security layer to your accounts by requiring more than one authentication method. It will make it difficult for attackers to gain access to your accounts even if they have stolen your code signing certificate.
Protect Your Private Keys

Code signing certificates are only effective if the private key used to sign the software is kept secure. Make sure to protect your private keys with strong passwords, and consider storing them in a secure hardware device such as a smart card or USB token.
Monitor for Suspicious Activity

Regularly monitor your systems for suspicious activity, such as unexpected software installations or network traffic. This can help to identify potential attacks early and allow you to take action to mitigate the damage.

Conclusion

By proactively protecting yourself from the theft of code signing certificates, you can help mitigate the risks and keep your systems and data secure. While staying ahead of cyber threats can be challenging, taking these steps can significantly reduce your risk and give you peace of mind. As technology continues to advance, it’s essential to stay informed and adapt your security practices accordingly. Remember to stay vigilant and stay up to date with the latest security best practices to protect yourself from the ever-evolving threat of cyber-attacks.