Slashdot Mirror


Hackers Steal Opera-Signed Certificate Through Infrastructure Attack

wiredmikey writes "Norwegian browser maker Opera Software has confirmed that a targeted internal network infrastructure attack led to the theft of a code signing certificate that was used to sign malware. 'The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,' Opera warned in a brief advisory. The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies that provide client side software to millions of end users."

12 of 104 comments

  1. A growing shift? by Anonymous Coward · · Score: 5, Insightful

    Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?

    1. Re:A growing shift? by cold+fjord · · Score: 2

      Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?

      Criminal gangs and individual crackers have been growing more sophisticated in their computer crime activity for some time. If you're going to move up the food chain of commercially valuable exploits, this is exactly the sort of thing that you would expect. It makes it much easier to get malware accepted on a system, which means it makes it easier to extract some sort of value from the system. (Stolen data, botnet, spam host, etc.)

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  2. The certificate crowd is proven wrong yet again. by Anonymous Coward · · Score: 4, Insightful

    Whenever the topic of security comes up, there are always a bunch of people who go on and on and on about how certificates are always the answer to security problems.

    How do we fix security problems with email? "Certificates!", they say.

    How do we fix security problems with HTTP? "Certificates!", they blurt out.

    How do we fix security problems with DNS? "Certificates!", they scream.

    How do we fix security problems with passwords? "Certificates!", they yell.

    How do we fix security problems with application executables? "Certificates!", they exclaim.

    Yet we see so many stories about certificates getting compromised in one way or another. And then the infrastructure surrounding them is always so goddamn awful. They cause just as many, if not more, problems than they actually manage to partially solve.

    It's time for the certificate advocates to stop and think. They need to look at the big picture. They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.

  3. Re:The certificate crowd is proven wrong yet again by BitZtream · · Score: 4, Informative

    The problem is that implementations that are checking the certificate are not requiring third party authenticated signing timestamps.

    If the implementations checking certificates required a trusted root signed timestamp with the digital signature in any of those implementations, then expired certificates would be useless.

    Certificates can be compromised, but they are far better than passwords people use.

    There has yet to be an actual problem with certificates, just bad implementations.

    I would love for you to point me at some software that has never had any implementation faults.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
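
The point made in the comment above, that requiring a countersigned timestamp from a trusted timestamp authority makes an expired or stolen certificate useless for signing new code while leaving old, properly timestamped releases valid, is modelled below. This is an added example written for this page, not code from Opera or from any commenter; the HMAC stands in for a real asymmetric signature, the "TSA" for an RFC 3161 timestamp authority, and every certificate, date and payload is constructed.

```python
"""Toy model of code-signature verification with and without a required trusted
timestamp.  Constructed example: HMACs stand in for asymmetric signatures and
the 'secret' field of a Certificate stands in for its key pair."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
import hashlib
import hmac
import secrets

UTC = timezone.utc


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    secret: bytes  # stand-in for the private/public key pair (constructed)

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class Timestamp:
    tsa_subject: str
    signed_at: datetime  # time attested by the TSA's own clock
    countersig: str      # TSA's MAC over (digest, signature, time)


@dataclass(frozen=True)
class CodeSignature:
    signer: Certificate
    digest: str
    sig: str
    claimed_at: datetime             # self-asserted by the signer, attacker-controlled
    timestamp: Optional[Timestamp]   # third-party countersignature, if obtained


def _mac(secret: bytes, *parts: str) -> str:
    return hmac.new(secret, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def sign_code(signer: Certificate, data: bytes, claimed_at: datetime,
              tsa: Optional[Certificate] = None,
              tsa_clock: Optional[datetime] = None) -> CodeSignature:
    """Sign data; if a TSA is given, it countersigns using its *own* clock."""
    digest = hashlib.sha256(data).hexdigest()
    sig = _mac(signer.secret, digest, signer.subject)
    ts = None
    if tsa is not None:
        assert tsa_clock is not None
        ts = Timestamp(tsa.subject, tsa_clock,
                       _mac(tsa.secret, digest, sig, tsa_clock.isoformat()))
    return CodeSignature(signer, digest, sig, claimed_at, ts)


def verify(sig: CodeSignature, data: bytes, trusted_tsas: Dict[str, Certificate],
           require_timestamp: bool) -> Tuple[bool, str]:
    """With require_timestamp=True the signing time must come from a trusted TSA
    countersignature; otherwise the verifier falls back to the signer's own claim."""
    if hashlib.sha256(data).hexdigest() != sig.digest:
        return False, "digest mismatch"
    expected_sig = _mac(sig.signer.secret, sig.digest, sig.signer.subject)
    if not hmac.compare_digest(sig.sig, expected_sig):
        return False, "bad signature"
    ts = sig.timestamp
    if ts is not None:
        tsa = trusted_tsas.get(ts.tsa_subject)  # look up in OUR trust store
        if tsa is None:
            return False, "untrusted timestamp authority"
        expected_ts = _mac(tsa.secret, sig.digest, sig.sig, ts.signed_at.isoformat())
        if not hmac.compare_digest(ts.countersig, expected_ts):
            return False, "forged timestamp"
        signing_time = ts.signed_at
    elif require_timestamp:
        return False, "no trusted timestamp"
    else:
        signing_time = sig.claimed_at  # weak policy: believe the signer
    if not sig.signer.valid_at(signing_time):
        return False, "certificate not valid at signing time"
    return True, "ok"


def scenario() -> Dict[str, bool]:
    """Constructed scenario: an old vendor certificate that expired in 2012 is stolen
    and used in 2013.  Returns which verifier policies accept which artifacts."""
    tsa = Certificate("Trusted TSA", datetime(2005, 1, 1, tzinfo=UTC),
                      datetime(2030, 1, 1, tzinfo=UTC), secrets.token_bytes(32))
    trusted = {tsa.subject: tsa}
    old_cert = Certificate("Example Vendor (old)", datetime(2009, 1, 1, tzinfo=UTC),
                           datetime(2012, 1, 1, tzinfo=UTC), secrets.token_bytes(32))
    # Legitimate 2010 release, timestamped by the trusted TSA at the time.
    legit = b"installer-2010"
    legit_sig = sign_code(old_cert, legit, datetime(2010, 6, 1, tzinfo=UTC),
                          tsa=tsa, tsa_clock=datetime(2010, 6, 1, tzinfo=UTC))
    # 2013 malware signed with the stolen key; the claimed time is simply backdated.
    malware = b"dropper-2013"
    backdated = sign_code(old_cert, malware, datetime(2011, 6, 1, tzinfo=UTC))
    # Same malware, but countersigned by a TSA the attacker controls.
    fake_tsa = Certificate("Attacker TSA", old_cert.not_before, old_cert.not_after,
                           secrets.token_bytes(32))
    fake_ts = sign_code(old_cert, malware, datetime(2011, 6, 1, tzinfo=UTC),
                        tsa=fake_tsa, tsa_clock=datetime(2011, 6, 1, tzinfo=UTC))
    return {
        "legit_lenient": verify(legit_sig, legit, trusted, False)[0],
        "legit_strict": verify(legit_sig, legit, trusted, True)[0],
        "malware_lenient": verify(backdated, malware, trusted, False)[0],
        "malware_strict": verify(backdated, malware, trusted, True)[0],
        "malware_fake_tsa_strict": verify(fake_ts, malware, trusted, True)[0],
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}")
```

The lenient policy accepts the backdated malware because the only evidence of signing time is the signer's own claim, which anyone holding the stolen key can set. The strict policy rejects it (no trusted countersignature) and also rejects the attacker's self-run timestamp authority, because the verifier checks the TSA against its own trust store rather than trusting whatever certificate travels with the signature; the genuinely old release still verifies under both policies.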
  4. Quote: current evidence suggests a limited impact by Michalson · · Score: 4, Funny

    Well of course, this only affects people that would run software signed by Opera and they have already taken steps to notify both of them of the situation.

  5. Re:How do you know what gets stolen? by Yomers · · Score: 2

    By seeing malware signed by your certificate?

  6. Re:no. the NSA is probably doing this by Anonymous Coward · · Score: 5, Insightful

    if bad guys are doing it, the governments are doing it.

    You repeated yourself

  7. Re:The certificate crowd is proven wrong yet again by MightyMartian · · Score: 4, Insightful

    Perhaps if people took better care of private keys, this wouldn't bloody happen at all.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  8. Are Opera users on other platforms also exposed? by Camael · · Score: 2

    Reading the advisory from Opera, the only information on the possible consequences of the breach is that:

    It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate.

    Are users of other OSes similarly exposed to malicious software, such as those using Mac, Linux, Android or iOS?

  9. The Opera intrusion is only the tip of the iceberg by Camael · · Score: 2

    Opera is not the first nor the last victim of certificate theft. There is evidence that the use of digitally signed malware is increasing since the Stuxnet incident gave this attack vector worldwide exposure.

    Both Kaspersky Lab and BitDefender have confirmed seeing a steady increase in the number of malware threats with digitally signed components during the last 24 months. Many use digital certificates bought with fake identities, but the use of stolen certificates is also common, Craiu and Botezatu said.

    Also, unless I'm mistaken, revoking a stolen certificate does not prevent malware signed with it from running. Most casual users, I think, tend to trust certificates (that is what it's for, after all, to certify that it's from a trusted source). Not many will bother to check the authenticity of the certificate.

    1. I heard Microsoft and Verisign revoked the stolen Realtek certificate, does it mean I’m safe now?

    Due to the way certificates work, a revoked certificate doesn’t mean the malware will not run anymore. You will still get infected by Stuxnet and the driver will still load without any warning. The only effect of the revoke process is that the bad guys will not be able to sign any further malware with it.

    It might be premature to talk about its impact being limited until the full scope of the intrusion and loss of data is made known, and the number of users affected by the intrusion (not disclosed so far).

  10. Unlikely by formfeed · · Score: 5, Funny

    There are three things that I don't believe you:
    (1) Dancing (2) Girl (3) Club

  11. It's ok - Opera stopped making browsers a month ago by citizenr · · Score: 2

    All they do now is recompile Chromium with their branding.

    --
    Who logs in to gdm? Not I, said the duck.