Microsoft’s Cyber Defense Operations Center shares best practices

Today, a single breach, physical or virtual, can cause millions of dollars of damage to an organization and potentially billions in financial losses to the global economy. Each week seems to bring a new disclosure of a cybersecurity breach somewhere in the world. As we look at the current state of cybersecurity challenges today, we see the same types of attacks, but the sophistication and scope of each attack continues to grow and evolve. Add to these the threats of nation-state actors seeking to disrupt operations, conduct intelligence gathering, or generally undermine trust.

Signing executables with Microsoft SignTool.exe using AWS CloudHSM-backed certificates

Code signing is the process of digitally signing executables and scripts to confirm the software author and to demonstrate that the code has not been altered or corrupted since it was signed. Packaged software uses branding and trusted sales outlets to assure users of its integrity, but these guarantees are not available when code is transmitted on the internet. Additionally, the internet itself cannot provide any guarantee about the identity of the software creator.

To solve this issue, many companies turn to Microsoft SignTool, a command-line tool that digitally signs files, verifies signatures in files, or time stamps files. The certificate allows end users to trust that software is signed by the author, so long as the private key that is used to sign is only available to that author. A common problem, however, is that the private key and the certificate used in the signing process are located on the same machine. If an attacker compromises the server and steals both the private key and certificate, they can sign malicious code while posing as the trusted author. To protect against this, some companies move their private keys to offline devices. But this means that the keys need to be brought online for each new signing request, or in batches, prolonging the amount of time it takes to sign. The offline devices also need to be stored and backed up in separate, physically secure locations to prevent tampering. A more efficient solution is to use AWS CloudHSM to provide secure storage and backup for these private keys. In this post, I’ll show you how.

Prerequisites and assumptions

This walkthrough assumes that you have a working knowledge of Amazon EC2, AWS CloudHSM, the administration of Windows Server, as well as the basics of certificates and public key infrastructure.

Before you follow this walkthrough, you should first complete the steps in the walkthrough Configure Windows Server as a Certificate Authority (CA) with AWS CloudHSM, and have an example unsigned Windows PowerShell script .ps1 file. After you’ve completed the set-up of your Windows Server CA, you’ll have all the major components ready to start signing your code: the AWS CloudHSM cluster in an Active state, Crypto Users (CU) created on your CloudHSM to manage keys, and the necessary client packages installed on the Windows instance within the same VPC as your AWS CloudHSM.

Important: You will incur charges for the services used in this example. You can find the cost of each service on the corresponding service pricing page. For more information, see
AWS CloudHSM Pricing and Amazon EC2 Pricing.

Out of scope

The focus of this blog post is how to use AWS CloudHSM to store the keys that are used by certificates that will sign binaries used by Microsoft SignTool.exe. It is not intended to represent any best practices for implementing code signing or running a Certificate Authority. For more information, see the NIST Cybersecurity Whitepaper
Security Considerations for Code Signing.

Architectural Overview


Figure 1: Architectural overview

This diagram shows a virtual private cloud (VPC) containing an Amazon EC2 instance running Windows Server 2012 R2 that resides on a public subnet. This instance will run both the CloudHSM client software and Windows Server CA. The instance can be accessed via the Internet Gateway. It will also have security groups that enable RDP access for your IP. The private subnet hosts the Elastic Network Interface (ENI) for CloudHSM cluster that has a single HSM.

Step 1: Install SignTool.exe as part of the Microsoft Windows SDK

Download and install one of the following versions of the Microsoft Windows Software Development Kit (SDK):

You should install the latest applicable Windows SDK package for your operating system. For example, for Microsoft Windows 2012 R2 or later versions, you should install the Microsoft Windows SDK 10.
SignTool.exe is part of the Windows SDK Signing Tools for Desktop Apps installation feature. You can omit the other features to be installed if you don’t need them. The default installation location is:

C:\Program Files (x86)\Windows Kits\<SDK version>\bin\<version number>\<CPU architecture>\signtool.exe

Step 2: Create a signing certificate using the KSP integration

Now that you’ve installed the software required to sign your files, you can start creating a key pair in AWS CloudHSM, along with the corresponding certificate. You can do this with the Certreq application that’s included with Windows Server. The end result from Certreq is a Certificate Signing Request (CSR) that you can submit to a CA. In this example, you’ll submit it to the Microsoft Windows CA you created in the prerequisite section. Certreq supports the KSP (Key Storage Provider) standards, which allows you to specify the name of the KSP created by Cavium specifically for AWS CloudHSM. This is included and installed as part of the AWS CloudHSM client installation.

Create a file named request.inf that contains the lines below. Note that the Subject line may wrap onto the following line. It begins with Subject and ends with Washington and a closing quotation mark (“). Replace the Subject information with your own company information. See Microsoft’s Documentation for an explanation of the sections, keys, and values.

[Version] Signature= $Windows NT$ [NewRequest] Subject = "C=US,,O=Information Technology,OU=Certificate Management,L=Seattle,S=Washington" RequestType=PKCS10 HashAlgorithm = SHA256 KeyAlgorithm = RSA KeyLength = 2048 ProviderName = Cavium Key Storage Provider KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE" MachineKeySet = True Exportable = False

CISO Intro by Jeremiah Grossman

Chief. Information. Security. Officer. The person in charge of protecting an organization’s information assets. The job title sounds so simple, even straight forward, and once upon a time it might have even been an accurate description of the role. It used to be enough to make sure all patches were up to date, network firewalls were in place, intrusion detection set-up, anti-virus installed, and everything on the network properly configured, locked down, and hardened. Being a CISO was primarily technical in nature, but times have changed. Realistically, the only thing unchanged about the CISO job is the title.

The App Approval Workflow Keeps Enterprise Security in Check Without Disrupting Productivity

Mobile applications have become a part of our everyday lives. We use them to get where we’re going, stay in constant communication with others and get the information we need to be productive. Apps are no longer a novelty for today’s workforce; they’re a necessity. And with that necessity comes risk. Just like any enterprise technology, it’s crucial to take security measures to prevent data loss, threats and breaches.

Fuzzing an API with DeepState (Part 2)

Alex Groce, Associate Professor, School of Informatics, Computing and Cyber Systems, Northern Arizona University

Introducing one bug by hand is fine, and we could try it again, but “the plural of anecdote is not data.” However, this is not strictly true. If we have enough anecdotes, we can probably call it data (the field of “big multiple anecdotes” is due to take off any day now). In software testing, creating multiple “fake bugs” has a name, mutation testing (or mutation analysis). Mutation testing works by automatically generating lots of small changes to a program, in the expectation that most such changes will make the program incorrect. A test suite or fuzzer is better if it detects more of these changes. In the lingo of mutation testing, a detected mutant is “killed.” The phrasing is a bit harsh on mutants, but in testing a certain hard-heartedness towards bugs is in order. Mutation testing was once an academic niche topic, but is now in use at major companies, in real-world situations.

There are many tools for mutation testing available, especially for Java. The tools for C code are less robust, or more difficult to use, in general. I (along with colleagues at NAU and other universities) recently released a tool, the universalmutator, that uses regular expressions to allow mutation for many languages, including C and C++ (not to mention Swift, Solidity, Rust, and numerous other languages previously without mutation-testing tools). We’ll use the universalmutator to see how well our fuzzers do at detecting artificial red-black tree bugs. Besides generality, one advantage of universalmutator is that it produces lots of mutants, including ones that are often equivalent but can sometimes produce subtle distinctions in behavior — that is, hard to detect bugs — that are not supported in most mutation systems. For high-stakes software, this can be worth the additional effort of analyzing and examining the mutants.

Installing universalmutator and generating some mutants is easy:

pip install universalmutator mkdir mutants mutate red_black_tree.c --mutantDir mutants

Anchorage emerges with $17M from A16z for ‘omnimetric’ crypto security

I’m not allowed to tell you exactly how Anchorage keeps rich institutions from being robbed of their cryptocurrency, but the off-the-record demo was damn impressive. Judging by the $17 million Series A this security startup raised last year led by Andreessen Horowitz and joined by Khosla Ventures, Max Levchin, Elad Gil, Mark McCombe of Blackrock, and AngelList’s Naval Ravikant, I’m not the only one who thinks so. In fact, crypto funds like Andreessen’s a16zcrypto, Paradigm, and Electric Capital are already using it.

Quantify Third-Party Risk in Real Time With Our New Module

At Recorded Future, our mission has been to empower our users to defend themselves against cyber threats at the speed and scale of the internet. Empowerment means giving you the capabilities necessary to understand and manage your own risk environment — and the Recorded Future® Platform helps you measure and understand your own risk environment in real time, with full transparency to original sources of risk data. First-party risk reduction remains our first and foremost goal, and in today’s world, that means managing third-party risk, as well.

Fugue Closes Out a Strong 2018, Carries Momentum into 2019

Frederick, MD – January 22, 2019Fugue, the company automating enterprise cloud security and compliance enforcement to prevent data breaches, enters 2019 on a mission to transform how organizations leverage the cloud at scale, safely and in adherence with policy. The company plans to build on the momentum of 2018 that included significant new enterprise customers and the launch of Risk Manager, a Software-as-a-Service product that makes it easier than ever to realize the benefits of Fugue’s breakthrough self-healing cloud infrastructure solution.