CCleaner and the Zombie Code Signing Apocalypse

October 28, 2019 | Eddie Glenn


My all-time favorite zombie book is Max Brooks’ “World War Z.” He took the zombie apocalypse to a global scale, covering what was happening in the U.S., China, North Korea, the United Kingdom, Israel and even South Africa. The reader is fully immersed in the before, during and aftermath of a zombie apocalypse. There were several parts of his book where I had to pause reading and remind myself that it was fiction. It.Is.Not.Real.

The book shows how various world governments responded to the crisis. The United States did little to prepare because they were overconfident in their ability to thwart the zombie threat. The North Korean population simply disappeared, presumably to live in underground bunkers. Israel decided to build a tall border wall to keep all zombies out. A few countries took extreme measures at the expense of the lives of their non-infected citizens. Yet other countries didn’t believe the threat was real and did nothing until it was too late. One of my favorite lines from the book is:

“Most people don't believe something can happen until it already has. That's not stupidity or weakness, that's just human nature.”

Max Brooks, World War Z: An Oral History of the Zombie War



So why am I reviewing a zombie book when this blog is supposed to be about code signing? Well, my blog guru said I needed to write a Halloween-themed post this week! But as I started to investigate ideas for a scary-themed post, I realized that there are actually a large number of similarities between World War Z and code signing, especially in terms of how one responds to the threat.

I’ve talked to a lot of customers and prospects over the past year. It’s amazing to hear how different their responses to code signing threats are. Some choose to ignore the threat, saying it won’t happen to them. Others have responded in extreme fashion by removing the ability for developers to sign ANY code and instead requiring every request to go through the InfoSec or PKI team (can we say BOTTLENECK???). See the similarities with World War Z?

But let’s dive deep into a code signing breach that surfaced in the news this week. This time it was Avast, and there was concern that their CCleaner utility was being targeted. Fortunately, this time CCleaner wasn’t infected with malware as it was two years ago. Back then, hackers broke through the company’s ‘border wall’, found unprotected code signing keys, infected CCleaner with malware and then signed it with the company’s legitimate code signing keys.
As I read through Avast’s blog post about this latest incident, which provided a pretty thorough description of what they found and the measures they had taken, one thing struck me. It was the measure that they didn’t take, or at least didn’t mention taking in their blog post: the critical measure of protecting their code signing process. Instead, it appears that most of their measures were about border wall security and looking for the infected. Folks, border walls don’t work for protecting code signing credentials. Hackers will find their way in somehow, or some employee will be careless and let them in inadvertently.

And looking for the infected doesn’t help with preventing it in the first place!
 

In today’s digital world, it is imperative for businesses to protect their code signing process. Their brand reputation, revenue and market share all depend on it. Their customers depend on it too.
 

Keeping code signing keys safely locked up just isn’t enough anymore (was it ever?). You need measures and processes in place that guarantee that keys are only used in authorized situations (authorized code, authorized certificates, authorized signers), with specific people required to approve each use of a code signing key. You need segregation of roles and responsibilities. And you need to be able to track every code signing operation that happens anywhere in your company (what code was signed, with what certificate, using which code signing tool, on what machine, by what person) so that you can quickly spot any anomalies.
 

"You need a code signing solution that appeals to your dev teams"


But even doing this may not be enough. You also need a solution that is designed to appeal to your development teams. If they have to jump through hoops to use it, if it delays what they are doing, or if they have to change the way they work, they will find ways to bypass what you have put in place and keep a secret stash of code signing keys stored somewhere convenient. And when that happens, you’re back at square one, with significant vulnerabilities in your code signing process.


In World War Z, Israel was very proud of the tall border wall that they built to keep out the zombies. They started planning and building years before the zombie apocalypse became a global concern. They were ready. Or so they thought. They weren’t prepared for the few soldiers who bent the rules to let in a few infected people.

Unfortunately, unlike the World War Z zombie apocalypse, the code signing apocalypse is real. IT.IS.VERY.REAL. How is your company responding?

About the author

Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.