Hackers Steal Opera-Signed Certificate Through Infrastructure Attack
wiredmikey writes "Norwegian browser maker Opera Software has confirmed that a targeted internal network infrastructure attack led to the theft of a code signing certificate that was used to sign malware. 'The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,' Opera warned in a brief advisory. The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies that provide client side software to millions of end users."
A growing shift? (Score:5, Insightful)
Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?
The certificate crowd is proven wrong yet again. (Score:4, Insightful)
Whenever the topic of security comes up, there are always a bunch of people who go on and on and on about how certificates are always the answer to security problems.
How do we fix security problems with email? "Certificates!", they say.
How do we fix security problems with HTTP? "Certificates!", they blurt out.
How do we fix security problems with DNS? "Certificates!", they scream.
How do we fix security problems with passwords? "Certificates!", they yell.
How do we fix security problems with application executables? "Certificates!", they exclaim.
Yet we see so many stories about certificates getting compromised in one way or another. And then the infrastructure surrounding them is always so goddamn awful. They cause just as many, if not more, problems than they actually manage to partially solve.
It's time for the certificate advocates to stop and think. They need to look at the big picture. They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.
Re:no. the NSA is probably doing this (Score:5, Insightful)
If bad guys are doing it, the governments are doing it.
You repeated yourself
Re:The certificate crowd is proven wrong yet again (Score:5, Insightful)
Perhaps if people took better care of private keys, this wouldn't bloody happen at all.