Opera Security

Hackers Steal Opera-Signed Certificate Through Infrastructure Attack

Posted by samzenpus
from the protect-ya-neck dept.
wiredmikey writes "Norwegian browser maker Opera Software has confirmed that a targeted internal network infrastructure attack led to the theft of a code signing certificate that was used to sign malware. 'The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,' Opera warned in a brief advisory. The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies that provide client side software to millions of end users."

  • A growing shift? (Score:5, Insightful)

    by Anonymous Coward on Wednesday June 26, 2013 @09:57PM (#44118985)

    Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?

    • My guess is that you probably nailed it with the "to induce widespread panic" part. Nothing new here, hackers will use any method possible to trick people and conceal their true intentions, move along.

    • by Anonymous Coward

      if bad guys are doing it, the governments are doing it.

      the whole idea of SSL is based around the trust of the certificate and signing infrastructure. it is a growing shift away from the assumption that SSL=safe+secure when shit like this keeps happening over and over.

    • by Anonymous Coward

      For a company that just laid off most of its developers and resigned itself to being a rebranded Google Chrome, this cannot be coincidental.

      The only vestige of any use from the former Opera Software is Fastmail.fm, and the developers struggle mightily to keep that branch as separate as possible from the Mother Ship.

      Now this cert-signing issue, which on the surface seems petty, but signals a larger problem of a lack of focus on security and a neglected infrastructure. Layoffs will do that. I'm curious if O

      • by hkmwbz (531650)

        For a company that just laid off most of its developers and resigned itself to being a rebranded Google Chrome, this cannot be coincidental.

        Laid off most of its developers? Opera had nearly a thousand employees, and hundreds of people working on the browser. 90 people left or were fired, and only about half were engineers (meaning programmers or testers). So if we assume that around half of the engineers who left were developers, something like 20-25 out of several hundred developers are now gone.

        Most of it

    • Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?

      Criminal gangs and individual crackers have been growing more sophisticated in their computer crime activity for some time. If you're going to move up the food chain of commercially valuable exploits, this is exactly the sort of thing that you would expect. It makes it much easier to get malware accepted on a system, which means it makes it easier to extract some sort of value from the system. (Stolen data, botnet, spam host, etc.)

      • by DarkOx (621550)

        The real tragedy of the non-user-controllable code signing features being baked into some popular operating systems. It does not make us safer but it does create a barrier to entry in the market place for legitimate software developers.

        • Some people, such as a PlayStation fan on Slashdot who will remain nameless, would argue that a barrier to entry is a good thing. It ensures that anybody who wants to distribute software to the public is serious about creating quality software. It's a fallacy, but like other fallacies, appeal to accomplishment [wikipedia.org] springs from a heuristic: companies that have successfully published quality works in the past are more likely to publish quality works in the future. The example he likes to trot out is the North Ame
    • by Ryanrule (1657199)

      I had a growing shift happen the other night while dancing with a girl at a club.

    • Does this really signal a growing shift?

      The shift already happened a few years back when all RSA SecurID tokens were compromised. [arstechnica.com]

      What happened here with Opera is small potatoes compared to the SecurID fiasco.

  • Microsoft Update?

  • by Anonymous Coward on Wednesday June 26, 2013 @10:13PM (#44119059)

    Whenever the topic of security comes up, there are always a bunch of people who go on and on and on about how certificates are always the answer to security problems.

    How do we fix security problems with email? "Certificates!", they say.

    How do we fix security problems with HTTP? "Certificates!", they blurt out.

    How do we fix security problems with DNS? "Certificates!", they scream.

    How do we fix security problems with passwords? "Certificates!", they yell.

    How do we fix security problems with application executables? "Certificates!", they exclaim.

    Yet we see so many stories about certificates getting compromised in one way or another. And then the infrastructure surrounding them is always so goddamn awful. They cause just as many, if not more, problems than they actually manage to partially solve.

    It's time for the certificate advocates to stop and think. They need to look at the big picture. They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.

    • by BitZtream (692029) on Wednesday June 26, 2013 @10:29PM (#44119127)

      The problem is that implementations that are checking the certificate are not requiring third party authenticated signing timestamps.

      If the implementations checking certificates required a trusted root signed timestamp with the digital signature in any of those implementations, then expired certificates would be useless.

      Certificates can be compromised, but they are far better than passwords people use.

      There has yet to be an actual problem with certificates, just bad implementations.

      I would love for you to point me at some software that has never had any implementation faults.

      • by MightyMartian (840721) on Wednesday June 26, 2013 @11:17PM (#44119325) Journal

        Perhaps if people took better care of private keys, this wouldn't bloody happen at all.

        • by cgimusic (2788705)
          They paid so much for the certificate, would it really be that costly to them to keep the private key on a machine not connected to a network?
      • by DarkOx (621550)

        The problem with code signing certificates though is what should the validate rule actually be? Should an executable no longer be considered trusted when the cert expires?

        I bet certain segments of the software industry would love that. Talk about planned obsolescence.

        Maybe the binary should be trusted as long as the create or modify dates are prior to the certificates expiry?

        This won't do anything because anyone sophisticated enough to create malware can just manipulate the date stamps before signing.

        I know O

    • by Anonymous Coward

      Whenever the topic of security comes up, there are always a bunch of people who go on and on and on about how certificates are always the answer to security problems.

      How do we fix security problems with email? "Certificates!", they say.

      How do we fix security problems with HTTP? "Certificates!", they blurt out.

      How do we fix security problems with DNS? "Certificates!", they scream.

      How do we fix security problems with passwords? "Certificates!", they yell.

      How do we fix security problems with application executables? "Certificates!", they exclaim.

      Yet we see so many stories about certificates getting compromised in one way or another. And then the infrastructure surrounding them is always so goddamn awful. They cause just as many, if not more, problems than they actually manage to partially solve.

      It's time for the certificate advocates to stop and think. They need to look at the big picture. They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.

      Are you saying "certificate" when you mean "PKI"?

      This might be taken as evidence that you know very little about security...

    • They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.

      Certificates!
      Clearly the solution is to sign these old certificates with new certificates so that they become more secure.

  • There will always be people who want to commit crimes of theft.

    However, we can thin their ranks a bit. Support the death penalty for cyberthieves (at least in Texas).

    • by Nyder (754090)

      There will always be people who want to commit crimes of theft.

      However, we can thin their ranks a bit. Support the death penalty for cyberthieves (at least in Texas).

      I support a cyber death penalty for cyber thieves. But outright kill them? Seriously? I can think of a lot better type of people to put to death in Texas, starting with the lawyers and judges then moving on to the politicians.

    • Did you recently ...
      - copy any html codes from someone else's website?
      - save any pictures or files from the web?
      - cut and paste an article or link it to a friend?
      - take any screenshots of any interesting pages you found?
      - download any movies, music or porn?

      Congrats, you may be a cyberthief. This way please, for your appointment with Mr. Noose.

    • There will always be people who want to commit crimes of theft.

      However, we can thin their ranks a bit. Support the death penalty for cyberthieves (at least in Texas).

      Congratulations on making the USA more like China!

    • That's right, cyber criminals must be made to eschew all technology post-1800 and be consigned to an Amish paradise for life and have sex with real women. No more computers, microwave ovens and clothes with buttons and zippers. Oh, and they have to go to Church too.
  • by Michalson (638911) on Wednesday June 26, 2013 @10:44PM (#44119205)
    Well of course, this only affects people that would run software signed by Opera and they have already taken steps to notify both of them of the situation.
    • Opera is not the first nor the last victim of certificate theft. There is evidence that the use of digitally signed malware is increasing [techworld.com] since the Stuxnet incident gave this attack vector worldwide exposure.

      Both Kaspersky Lab and BitDefender have confirmed seeing a steady increase in the number of malware threats with digitally signed components during the last 24 months. Many use digital certificates bought with fake identities, but the use of stolen certificates is also common, Craiu and Botezatu said.

      A

      • by richlv (778496)

        i'm wondering about "The only effect of the revoke process is that the bad guys will not be able to sign any further malware with it." in the cited article. how would revocation prevent further signing ?
        using crl would (should ?) prevent signed software from working, but signing with a key already in somebody's possession wouldn't be impacted
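
The validation rule debated above (BitZtream's trusted timestamps, DarkOx's objection about forged file dates) and richlv's point about revocation, modelled as an added example; it is not from any commenter and is not any platform's actual verifier. All class names, function names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class SigningCert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # effective revocation date, if revoked


@dataclass(frozen=True)
class Signature:
    cert: SigningCert
    trusted_timestamp: Optional[datetime] = None  # attested by a third-party TSA
    claimed_date: Optional[datetime] = None       # file/signer date: attacker-controlled


def evaluate(sig: Signature, now: datetime) -> str:
    """Judge the cert at the attested signing time, else at verification time.
    claimed_date is deliberately never consulted."""
    attested = sig.trusted_timestamp is not None
    when = sig.trusted_timestamp if attested else now
    if not (sig.cert.not_before <= when <= sig.cert.not_after):
        return "rejected: cert outside validity at " + ("signing" if attested else "verification") + " time"
    if sig.cert.revoked_at is not None and when >= sig.cert.revoked_at:
        return "rejected: cert revoked"
    return "trusted"


def d(y, m, day):
    return datetime(y, m, day, tzinfo=timezone.utc)


# Constructed sample data; these are not Opera's real certificate dates.
NOW = d(2013, 6, 26)
EXPIRED = SigningCert(d(2010, 1, 1), d(2012, 1, 1))
REVOKED = SigningCert(d(2012, 1, 1), d(2015, 1, 1), revoked_at=d(2013, 6, 19))
CASES = {
    "old release, timestamped while cert was valid": Signature(EXPIRED, d(2011, 6, 1)),
    "stolen expired key, backdated file date only": Signature(EXPIRED, None, d(2011, 6, 1)),
    "stolen expired key, honest TSA stamps 2013": Signature(EXPIRED, d(2013, 6, 19)),
    "release timestamped before revocation": Signature(REVOKED, d(2013, 1, 1)),
    "signed with revoked key, no timestamp": Signature(REVOKED),
}


def run_cases():
    return {name: evaluate(sig, NOW) for name, sig in CASES.items()}
```

In this model the last case still carries a mathematically valid signature: revocation does nothing to the key itself, and the rejection comes only from a verifier that checks revocation status.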

  • and doing it in ASL was never a real improvement

  • by Camael (1048726) on Wednesday June 26, 2013 @11:17PM (#44119329)

    Reading the advisory from Opera, the only information on the possible consequences of the breach is that :-

    It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate.

    Are users of other OSes similarly exposed to malicious software, such as those using Mac, Linux, Android or iOS?

    • Apart from platforms that use OpenPGP, such as .deb-based GNU/Linux platforms, each platform has a separate signing certificate. OS X has its own, Android has its own, iOS has its own, and Windows has two: Authenticode for desktop applications and the Windows Store developer license for immersive applications. For small developers, it's a hassle to keep all of them renewed, but for companies big enough to draw targeted attacks like this, it's a benefit.
  • All they do now is recompile Chromium with their branding.

    • by hkmwbz (531650)
      That's not true at all. They have made their own user interface on top of Chromium.
      • by citizenr (871508)

        So they are a UI company now. Still not a browser company.

        • by hkmwbz (531650)
          No, they are still a browser company. They are even contributing to Webkit (now Blink). Anyway, you should at least admit that the claim you made turned out to be false.
          • by citizenr (871508)

            It's not false and it won't be false until I can right click in Opera >=15 and see "edit site preferences"

            • by hkmwbz (531650)

              So if they removed that option from Opera 12, they would no longer be a browser company? That setting is what defines a browser company? Come on... you are making a fool of yourself.

              Admit it, you messed up. You claimed that all they do is to recompile Chromium, which is wrong since they've made their own UI. You then admitted that you were wrong but now insisted that they were just a UI company. I then pointed out that they are contributing to Webkit/Blink, and now you're just trying to change the subject.

              • by citizenr (871508)

                But they didn't remove anything. They STOPPED MAKING browsers. Now they take Chromium codebase, add their skin and call it a day.
                As a user I don't care about them contributing to some rendering engine if the end product is no longer a browser I was using.

                • by hkmwbz (531650)

                  You are extremely confused. That it's not the same browser you were using still doesn't mean they stopped making browsers. Are you trolling?

                  Again: You claimed that all they do is to recompile Chromium, which is wrong since they've made their own UI. You then admitted that you were wrong but now insisted that they were just a UI company. I then pointed out that they are contributing to Webkit/Blink, and now you're just trying to change the subject.

                  Now you repeat a claim you know is false (that they just add

                  • by citizenr (871508)

                    You are boring and arguing for the sake of arguing.
                    Opera made an innovative fully customizable browser. Now they are just Google's bitch making a clone of Chrome.

                    • by hkmwbz (531650)

                      You keep changing your claims.

                      You first claimed that all they do is to recompile Chromium, which is wrong since they've made their own UI. You then admitted that you were wrong but now insisted that they were just a UI company. I then pointed out that they are contributing to Webkit/Blink, and you changed your claim to Opera only making a skin, which is obviously wrong again since they coded their own UI.

                      Now you've moved the goalpost again. This is getting pathetic.

                      Of course, your latest claim is demonstrab

  • The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies

    That's just great! Now all of those snooty Opera users will be able to brag about having another feature before all of the other browsers.
