The Need for Code Signing Certificate Protection & the ASUS Hack


“We saw the updates come down from the Live Update ASUS server. They were trojanized, or malicious updates, and they were signed by ASUS,” said Liam O’Murchu, director of development for the Security Technology and Response group at Symantec.

Assuming ASUS properly implemented their signature validation, it seems likely that hackers may have stolen ASUS’ signing keys in order to accomplish this, which signifies a lack of automation around code signing certificate protection.

In the last few years, we have seen a growing awareness around code signing, and an uptick in code signing and validation – which is great. However, if you lose control of the private keys, the whole system falls apart. And today very few organizations properly protect code signing certificates: they’re on developers’ workstations, build servers, etc. They should be carefully protected, and they’re usually not – because it’s hard to do.

Ted Shorter

Chief Technology Officer
