Opera Software Attacked, Code Signing Cert Stolen
Browser vendor is breached, but is it an SSL issue?
Browser vendor Opera Software has revealed that it was the victim of an infrastructure attack. The incident was discovered on June 19 and publicly disclosed by Opera on June 26.
As part of the attack, a code signing certificate was stolen, exposing several thousand Opera users to potential risk.
"We recently uncovered a targeted attack on our internal network infrastructure," Opera spokesperson Falguni Bhuta told eSecurity Planet. "This attack has now been halted and contained, and there is no evidence that user data has been compromised."
Bhuta noted that the current evidence suggests limited exposure, but the attackers were able to obtain at least one old and expired Opera code signing certificate.
"Malicious software that has been fraudulently signed by Opera Software has been discovered," Bhuta said. "This software uses an out of date certificate from Opera Software to trick users into thinking that they are installing a genuine software program from Opera Software."
Bhuta added that Opera is updating its product line with new certificates, and the company has also taken internal measures to restore the security of affected systems.
"It is our top priority to make sure users of Opera's products are safe; all other priorities are second to us," Bhuta said.
Security experts react
While SSL Certificate Authorities have been the target of attackers in recent years, Ivan Ristic, Director of Engineering at Qualys, doesn't see the Opera breach as likely being SSL-related.
"It looks like someone gained access to their critical systems and then attacked their code distribution architecture," Ristic told eSecurity Planet.
While security breaches are never a good thing, Ristic did praise Opera's response.
"It seems that they detected the malware pretty quickly -- they removed it after only 36 minutes and the incident took place in the middle of the night," Ristic said. "So good score on the reaction."
Jeff Hudson, CEO of certificate management vendor Venafi, had a different viewpoint on the Opera breach.
"Organizations' failure to control and protect cryptographic keys and certificates, the foundation of digital security and online trust, leaves the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want," Hudson said. "Today’s Opera Software security breach paints a clear picture of how a single digital certificate can be misused to allow a malicious actor to penetrate a network, go undetected and carry out their nefarious activities without working up a sweat."
Hudson and his company have long been advocates for certificate management. In 2012, an Osterman Research study commissioned by Venafi found that a large number of organizations don't have an accurate inventory of their SSL certificate population.
"It has become clear that certificate-based attacks have become the attack vector of choice," Hudson said. "Organizations must implement effective controls to ensure the safety of their network."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.