Hackers Steal Opera-Signed Certificate Through Infrastructure Attack
wiredmikey writes "Norwegian browser maker Opera Software has confirmed that a targeted internal network infrastructure attack led to the theft of a code signing certificate that was used to sign malware. 'The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,' Opera warned in a brief advisory. The Opera breach signals a growing shift by organized hacking groups to target the internal infrastructure network at big companies that provide client side software to millions of end users."
A growing shift? (Score:5, Insightful)
Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?
Re: (Score:2)
My guess is that you probably nailed it with the "to induce widespread panic" part. Nothing new here, hackers will use any method possible to trick people and conceal their true intentions, move along.
no. the NSA is probably doing this (Score:1)
if bad guys are doing it, the governments are doing it.
the whole idea of SSL is based around the trust of the certificate and signing infrastructure. it is a growing shift away from the assumption that SSL=safe+secure when shit like this keeps happening over and over.
Re:no. the NSA is probably doing this (Score:5, Insightful)
if bad guys are doing it, the governments are doing it.
You repeated yourself
Re: (Score:2)
Heh... that was actually pretty funny, because there is some truth to it. Good one.
Re: (Score:1)
Opera is DOOMED (Score:1)
For a company that just laid off most of its developers and resigned itself to being a rebranded Google Chrome, this cannot be coincidental.
The only vestige of any use from the former Opera Software is Fastmail.fm, and the developers struggle mightily to keep that branch as separate as possible from the Mother Ship.
Now this cert-signing issue, which on the surface seems petty, but signals a larger problem of a lack of focus on security and a neglected infrastructure. Layoffs will do that. I'm curious if O
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Laid off most of its developers? Opera had nearly a thousand employees, and hundreds of people working on the browser. 90 people left or were fired, and only about half were engineers (meaning programmers or testers). So if we assume that around half of the engineers who left were developers, something like 20-25 out of several hundred developers are now gone.
Most of it
Re: (Score:3)
Does this really signal a growing shift? Or are we just saying that whatever happens in a news story must signal a "growing shift" toward that thing to induce widespread panic?
Criminal gangs and individual crackers have been growing more sophisticated in their computer crime activity for some time. If you're going to move up the food chain of commercially valuable exploits, this is exactly the sort of thing that you would expect. It makes it much easier to get malware accepted on a system, which means it makes it easier to extract some sort of value from the system. (Stolen data, botnet, spam host, etc.)
Re: (Score:2)
This is the real tragedy of the non-user-controllable code signing features being baked into some popular operating systems. It does not make us safer, but it does create a barrier to entry in the marketplace for legitimate software developers.
Advantages of a barrier to entry (Score:2)
Re: (Score:2)
I had a growing shift happen the other night while dancing with a girl at a club.
Unlikely (Score:5, Funny)
There are three things that I don't believe you:
(1) Dancing (2) Girl (3) Club
Re: (Score:2)
Well it was moving, not sure most would call it dancing. It was with a girl, or what appeared to be mostly (90%?) a girl, and by club he means his mother's basement.
Re: (Score:2)
Does this really signal a growing shift?
The shift already happened a few years back when all RSA SecurID tokens were compromised. [arstechnica.com]
What happened here with Opera is small potatoes compared to the SecurID fiasco.
next? (Score:1)
Microsoft Update?
The certificate crowd is proven wrong yet again. (Score:4, Insightful)
Whenever the topic of security comes up, there are always a bunch of people who go on and on and on about how certificates are always the answer to security problems.
How do we fix security problems with email? "Certificates!", they say.
How do we fix security problems with HTTP? "Certificates!", they blurt out.
How do we fix security problems with DNS? "Certificates!", they scream.
How do we fix security problems with passwords? "Certificates!", they yell.
How do we fix security problems with application executables? "Certificates!", they exclaim.
Yet we see so many stories about certificates getting compromised in one way or another. And then the infrastructure surrounding them is always so goddamn awful. They cause just as many, if not more, problems than they actually manage to partially solve.
It's time for the certificate advocates to stop and think. They need to look at the big picture. They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.
Re:The certificate crowd is proven wrong yet again (Score:4, Informative)
The problem is that implementations that are checking the certificate are not requiring third party authenticated signing timestamps.
If the implementations checking certificates required a trusted root signed timestamp with the digital signature in any of those implementations, then expired certificates would be useless.
Certificates can be compromised, but they are far better than passwords people use.
There has yet to be an actual problem with certificates, just bad implementations.
I would love for you to point me at some software that has never had any implementation faults.
Re:The certificate crowd is proven wrong yet again (Score:5, Insightful)
Perhaps if people took better care of private keys, this wouldn't bloody happen at all.
Re: (Score:2)
Re: (Score:2)
no one is going to be able to get past that barrier without stealing private keys from Adobe, Oracle, Microsoft, etc.
So how should a legitimate software developer get its publisher certificate into your domain's "etc." list?
Re: (Score:2)
The problem with code signing certificates, though, is what should the validation rule actually be? Should an executable no longer be considered trusted when the cert expires?
I bet certain segments of the software industry would love that. Talk about planned obsolescence.
Maybe the binary should be trusted as long as the create or modify dates are prior to the certificate's expiry?
This won't do anything because anyone sophisticated enough to create malware can just manipulate the date stamps before signing.
I know O
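The two comments above argue about the same thing from opposite ends: the earlier one says a trusted, countersigned timestamp makes an expired certificate useless to a thief; this one asks what the validation rule should be and notes that file dates are forgeable. The block below is an added example (not Opera's code, and not any operating system's verifier) that puts the three candidate rules side by side on constructed data: a "strict" rule that rejects on expiry, the file-mtime rule proposed above, and an Authenticode-style rule that requires a timestamp from a trusted TSA and checks the certificate's validity and revocation status at that attested time. The certificate, dates, TSA and sample binary are all constructed for illustration; the cryptographic signature check itself is stood in for by a SHA-256 digest comparison, since the point here is the policy around the signature, not the RSA arithmetic.

```python
"""Code-signing validation policies (added example; all certs, dates and binaries are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib


@dataclass
class SigningCert:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # set once the issuer publishes a revocation


@dataclass
class Signature:
    cert: SigningCert
    digest: bytes                  # SHA-256 of the signed bytes (stand-in for the real signature)
    tsa_time: Optional[datetime]   # countersignature time claimed by a timestamp authority
    tsa_trusted: bool = False      # does that TSA chain to a root the verifier trusts?


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def cert_valid_at(cert, when):
    """True if the cert was inside its validity window and not yet revoked at 'when'."""
    if not (cert.not_before <= when <= cert.not_after):
        return False
    if cert.revoked_at is not None and when >= cert.revoked_at:
        return False
    return True


def sign(binary, cert, tsa_time=None, tsa_trusted=False):
    return Signature(cert, hashlib.sha256(binary).digest(), tsa_time, tsa_trusted)


def verify(binary, sig, now, policy="timestamp", file_mtime=None):
    """Return (accepted, reason) under one of three policies: 'strict', 'mtime', 'timestamp'."""
    if hashlib.sha256(binary).digest() != sig.digest:
        return False, "digest mismatch: bytes differ from what was signed"
    if policy == "strict":
        # Trust only while the cert is valid right now: every legitimate signature dies on expiry.
        ok = cert_valid_at(sig.cert, now)
        return ok, "cert valid now" if ok else "cert expired or revoked at verification time"
    if policy == "mtime":
        # The rule proposed in the thread. Nothing authenticates the file date, so whoever
        # holds the stolen key simply sets it to a date inside the old validity window.
        ok = cert_valid_at(sig.cert, file_mtime if file_mtime is not None else now)
        return ok, "file date inside validity (unauthenticated)" if ok else "file date outside validity"
    if policy == "timestamp":
        # Authenticode-style: the signing time must be attested by a trusted TSA, and the cert
        # must have been valid and unrevoked at that attested time. A trusted TSA only ever
        # stamps the current time, so a key stolen after expiry cannot obtain a usable stamp.
        if sig.tsa_time is None or not sig.tsa_trusted:
            return False, "no trusted timestamp: cannot prove signing predates expiry/revocation"
        ok = cert_valid_at(sig.cert, sig.tsa_time)
        return ok, "cert valid at attested signing time" if ok else "cert expired/revoked at signing time"
    raise ValueError(f"unknown policy {policy!r}")


SAMPLE_BINARY = b"MZ\x90\x00 constructed sample executable bytes, not a real PE"


def scenarios():
    """Run the thread's cases and return {name: accepted}."""
    cert = SigningCert("Example Vendor (constructed)", utc(2010, 1, 1), utc(2012, 1, 1))
    now = utc(2013, 7, 1)  # we verify a year and a half after the cert expired
    legit = sign(SAMPLE_BINARY, cert, tsa_time=utc(2011, 3, 1), tsa_trusted=True)
    malware = SAMPLE_BINARY + b"\x00payload"
    # The thief signs in 2013 with the expired key. A real TSA would stamp 2013, which is after
    # not_after, so the thief attaches a self-made, untrusted "2011" stamp instead.
    stolen = sign(malware, cert, tsa_time=utc(2011, 3, 1), tsa_trusted=False)
    r = {
        "legit/strict": verify(SAMPLE_BINARY, legit, now, "strict")[0],
        "legit/timestamp": verify(SAMPLE_BINARY, legit, now, "timestamp")[0],
        "stolen/timestamp": verify(malware, stolen, now, "timestamp")[0],
        "stolen/mtime-forged": verify(malware, stolen, now, "mtime", file_mtime=utc(2011, 3, 1))[0],
        "tampered-binary": verify(malware, legit, now, "timestamp")[0],
    }
    # Revocation: it cannot stop the thief from signing, but a timestamp-aware verifier rejects
    # anything attested after the revocation date while keeping earlier legitimate signatures.
    cert.revoked_at = utc(2011, 6, 1)
    r["signed-before-revocation"] = verify(SAMPLE_BINARY, legit, now, "timestamp")[0]
    late = sign(SAMPLE_BINARY, cert, tsa_time=utc(2011, 9, 1), tsa_trusted=True)
    r["signed-after-revocation"] = verify(SAMPLE_BINARY, late, now, "timestamp")[0]
    return r


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:28s} {'ACCEPT' if accepted else 'REJECT'}")
```

The interesting rows are `stolen/mtime-forged`, which shows why a file date buys nothing, and `stolen/timestamp`, which shows that the expired certificate is only dangerous if the verifier accepts signatures without a trusted countersignature. The last two rows are the answer to the revocation question further down the thread: revoking the certificate does not prevent further signing, but it lets a timestamp-checking verifier reject anything stamped after the revocation date.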
Re: (Score:1)
Whenever the topic of security comes up, there are always a bunch of people who go on and on and on about how certificates are always the answer to security problems.
How do we fix security problems with email? "Certificates!", they say.
How do we fix security problems with HTTP? "Certificates!", they blurt out.
How do we fix security problems with DNS? "Certificates!", they scream.
How do we fix security problems with passwords? "Certificates!", they yell.
How do we fix security problems with application executables? "Certificates!", they exclaim.
Yet we see so many stories about certificates getting compromised in one way or another. And then the infrastructure surrounding them is always so goddamn awful. They cause just as many, if not more, problems than they actually manage to partially solve.
It's time for the certificate advocates to stop and think. They need to look at the big picture. They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.
Are you saying "certificate" when you mean "PKI"?
This might be taken as evidence that you know very little about security...
Re: (Score:2)
Re: (Score:2)
SSH currently will do a key exchange using the first-time approach without a certification authority and we should use the same system for end to end email encryption.
When connecting for the first time, SSH shows the public key fingerprint of the host you're connecting to. If you don't bother to check it, you're leaving yourself wide open to a MITM attack (and in this case, the attacker doesn't even need access to any certificate authorities).
Your proposed email system that blindly accepts every public key upon first connection is even worse than using CAs -- with certificates, you can at least choose which authorities you want to trust.
Re: (Score:2)
There's nothing wrong with tracking prior public keys. That's a good option for knowledgeable users, but it's a non-starter for people who know nothing about cryptography.
See for example what would happen when a key is compromised or just lost. In this case you have to warn everyone that your key will change. Now think of how often will people receive the message "hey, my email key has changed, so the warning you'll get is not a MITM attack", and how soon will people start clicking "accept" without bothering
Re: (Score:2)
Re: (Score:2)
What would also need to be added to your proposal is to supplement with SRP or other secure password system that allows two users to easily exchange relatively insecure passwords out of band to verify the exchanged verifier. This also applies to SSH, especially when remotely connected to a box under your direct control.
You'd use this to supplement the base line protection of using a PKI system to verify the verifiers.
Once the public key has been reliably transferred, it can then safely be used to securely r
Re: (Score:2)
Or, you could use PGP and have encrypted e-mail today.
Re: (Score:2)
Re: (Score:2)
Key continuity management: MITM'd from day one (Score:2)
First time you get a public key from an email that you trust
How should one decide to trust a particular e-mail? The sender can spoof the From address.
SSH currently will do a key exchange using the first-time approach without a certification authority
Your SSH connection could be MITM'd from day one and you might not notice it.
Re: (Score:2)
What you describe is called "key continuity management".
First time you get a public key from an email that you trust
How should one decide to trust a particular e-mail? The sender can spoof the From address.
SSH currently will do a key exchange using the first-time approach without a certification authority
Your SSH connection could be MITM'd from day one and you might not notice it.
you could communicate a key id over another channel (in person, via phone, mail, etc.); with the id you can grab the public key from a key server, like PGP uses.
In practice, hosts don't give a key out of band (Score:2)
you could communicate a key id over another channel, (in person, via phone, mail, etc)
But what providers of shared hosting or a virtual private server are willing to do this for a customer? I've asked the tech support departments of a few such hosts, and the answer was "Just say yes to whatever key fingerprint your SSH client shows."
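The last few comments are really about what a first-contact SSH connection does and does not give you: the client records the host key it sees and will complain if it changes later, but nothing protects the very first connection unless the fingerprint was obtained out of band. The block below is an added example (not OpenSSH code) that computes a host key's SHA256 fingerprint in the same form `ssh` prints it, and walks through the three situations from the thread: blind trust on first use, first use with a fingerprint obtained over another channel, and a later connection where the key has changed. The host keys are constructed 32-byte values dressed up as ed25519 blobs, and the known-hosts store is an in-memory dict rather than `~/.ssh/known_hosts`.

```python
"""Host-key continuity and out-of-band fingerprint checks (added example; keys are constructed)."""
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_pubkey_line(raw32: bytes, comment: str = "host") -> str:
    """Build an authorized_keys/known_hosts style line from 32 raw key bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as OpenSSH shows it: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type prefix does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyPolicy:
    """Key continuity ('known_hosts') plus an optional list of fingerprints learned out of band."""

    def __init__(self, known_hosts=None, verified_fingerprints=None):
        self.known = dict(known_hosts or {})              # host -> pubkey line seen before
        self.verified = dict(verified_fingerprints or {})  # host -> fingerprint from another channel

    def check(self, host: str, presented_line: str) -> str:
        fp = fingerprint(presented_line)
        if host in self.known:
            # Continuity: any change is either a MITM or a rotation the admin must confirm out of band.
            return "ok" if self.known[host] == presented_line else "MISMATCH"
        if host in self.verified:
            # First contact, but we have a fingerprint from a second channel: compare before trusting.
            if self.verified[host] == fp:
                self.known[host] = presented_line
                return "ok-verified"
            return "MISMATCH"
        # First contact with nothing to compare against: whoever answered is now "the host".
        self.known[host] = presented_line
        return "tofu-accepted"


# Constructed keys: deterministic bytes, not real ed25519 points.
REAL_HOST_KEY = ed25519_pubkey_line(hashlib.sha256(b"constructed real host key").digest(), "real")
MITM_KEY = ed25519_pubkey_line(hashlib.sha256(b"constructed attacker key").digest(), "mitm")


def scenarios():
    """Return {name: outcome} for the cases discussed in the thread."""
    r = {}
    # 1. Blind trust on first use: the attacker answers first and is accepted as the host.
    blind = HostKeyPolicy()
    r["blind-first-contact-mitm"] = blind.check("shell.example", MITM_KEY)
    r["blind-real-host-later"] = blind.check("shell.example", REAL_HOST_KEY)  # now *this* looks like the attack
    # 2. Fingerprint obtained out of band (phone, console, provider's control panel).
    oob = HostKeyPolicy(verified_fingerprints={"shell.example": fingerprint(REAL_HOST_KEY)})
    r["oob-first-contact-mitm"] = oob.check("shell.example", MITM_KEY)
    r["oob-first-contact-real"] = oob.check("shell.example", REAL_HOST_KEY)
    # 3. Continuity after a good first contact: a changed key is refused.
    r["continuity-after-real"] = oob.check("shell.example", REAL_HOST_KEY)
    r["continuity-mitm-later"] = oob.check("shell.example", MITM_KEY)
    return r


if __name__ == "__main__":
    print("real host fingerprint:", fingerprint(REAL_HOST_KEY))
    for name, outcome in scenarios().items():
        print(f"{name:28s} {outcome}")
```

The first two rows are the "MITM'd from day one" case: with nothing to compare against, the attacker's key is accepted, and it is the genuine host that later triggers the warning. The `oob-*` rows are what the hosting provider's "just say yes" advice throws away; all the provider needs to publish is the one string `fingerprint()` returns.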
Clearly the solution is...Certificates! (Score:2)
They need to realize that while certificates may have their place in some very specialized situations, they are not the ultimate solution that we so desperately need.
Certificates!
Clearly the solution is to sign these old certificates with new certificates so that they become more secure.
Theft will always be with us (Score:2)
There will always be people who want to commit crimes of theft.
However, we can thin their ranks a bit. Support the death penalty for cyberthieves (at least in Texas).
Re: (Score:2)
There will always be people who want to commit crimes of theft.
However, we can thin their ranks a bit. Support the death penalty for cyberthieves (at least in Texas).
I support a cyber death penalty for cyber thieves. But outright kill them? Seriously? I can think of a lot better types of people to put to death in Texas, starting with the lawyers and judges, then moving on to the politicians.
Say hello to Mr. Noose (Score:2)
Did you recently ...
- copy any HTML code from someone else's website?
- save any pictures or files from the web?
- cut and paste an article or link it to a friend?
- take any screenshots of any interesting pages you found?
- download any movies, music or porn?
Congrats, you may be a cyberthief. This way please, for your appointment with Mr. Noose.
Re: (Score:2)
There will always be people who want to commit crimes of theft.
However, we can thin their ranks a bit. Support the death penalty for cyberthieves (at least in Texas).
Congratulations on making the USA more like China!
Penalty for Cyber Crimes--Amish for life! (Score:1)
Quote: current evidence suggests a limited impact (Score:5, Funny)
The Opera intrusion is only the tip of the iceberg (Score:3)
Opera is not the first nor the last victim of certificate theft. There is evidence that the use of digitally signed malware is increasing [techworld.com] since the Stuxnet incident gave this attack vector worldwide exposure.
A
Re: (Score:2)
I'm wondering about "The only effect of the revoke process is that the bad guys will not be able to sign any further malware with it." in the cited article. How would revocation prevent further signing?
Using a CRL would (should?) prevent signed software from working, but signing with a key already in somebody's possession wouldn't be impacted.
I Hate Opera (Score:2)
and doing it in ASL was never a real improvement
Re: (Score:2)
Re: (Score:1)
---
Captain Obvious
Re: (Score:2)
I am the same AC that asked the original question, but I meant how about other attacks that have happened in the past, like personal user data stolen or something. So what you're saying is that the only way to know if any data has been stolen is if you see it posted online somewhere?
Some systems have access logs built so that even if you manage to get the data, you might not be able to remove your log entries for doing so. Varies case by case, of course.
Re: (Score:2)
But its all supervised by judges!
(I guess, given the scale of it, this means all the spooks at the NSA are judges. Maybe they'll soon make all the street cops judges too, that would work out well I'm sure. Theres probably a cadet at the academy now who can't wait to have 'Judge' in front of his name. Cadet Dredd).
Re: (Score:2)
actually no, what they do "in" Norway isn't supervised by anyone.
and what I mean by "in" is that they do it while sitting in USA and argue that then it is not a crime for them to perform something that is a crime in Norway(try it the other way and they'll argue it's a crime that happened on US soil. fuckers.).
Are Opera users on other platforms also exposed? (Score:3)
Reading the advisory from Opera, the only information on the possible consequences of the breach is that:
Are users of other OSes similarly exposed to malicious software, such as those using Mac, Linux, Android or iOS?
Signing certificate per platform (Score:2)
Its ok - Opera stopped making browsers a month ago (Score:3)
All they do now is recompile Chromium with their branding.
Re: (Score:2)
Re: (Score:2)
So they are a UI company now. Still not a browser company.
Re: (Score:2)
Re: (Score:2)
It's not false, and it won't be false until I can right click in Opera >=15 and see "edit site preferences".
Re: (Score:2)
So if they removed that option from Opera 12, they would no longer be a browser company? That setting is what defines a browser company? Come on... you are making a fool of yourself
Admit it, you messed up. You claimed that all they do is to recompile Chromium, which is wrong since they've made their own UI. You then admitted that you were wrong but now insisted that they were just a UI company. I then pointed out that they are contributing to Webkit/Blink, and now you're just trying to change the subject.
Re: (Score:2)
But they didn't remove anything. They STOPPED MAKING browsers. Now they take the Chromium codebase, add their skin and call it a day.
As a user I don't care about them contributing to some rendering engine if the end product is no longer the browser I was using.
Re: (Score:2)
You are extremely confused. That it's not the same browser you were using still doesn't mean they stopped making browsers. Are you trolling?
Again: You claimed that all they do is to recompile Chromium, which is wrong since they've made their own UI. You then admitted that you were wrong but now insisted that they were just a UI company. I then pointed out that they are contributing to Webkit/Blink, and now you're just trying to change the subject.
Now you repeat a claim you know is false (that they just add
Re: (Score:2)
You are boring and arguing for the sake of arguing.
Opera made an innovative, fully customizable browser. Now they are just Google's bitch, making a clone of Chrome.
Re: (Score:2)
You keep changing your claims.
You first claimed that all they do is to recompile Chromium, which is wrong since they've made their own UI. You then admitted that you were wrong but now insisted that they were just a UI company. I then pointed out that they are contributing to Webkit/Blink, and you changed your claim to Opera only making a skin, which is obviously wrong again since they coded their own UI.
Now you've moved the goalpost again. This is getting pathetic.
Of course, your latest claim is demonstrab
More Ammo (Score:2)
That's just great! Now all of those snooty Opera users will be able to brag about having another feature before all of the other browsers.