
7/3/2013 08:33 AM

What's It Take To Trust A Digitally Signed Program?

Last week's Opera attack stokes fears over digitally signed programs from potentially compromised vendors

The Opera Software breach that came to light last week, in which attackers compromised Opera's network to steal an expired certificate and used it to sign malware for distribution, has raised serious concerns among security professionals about how much trust organizations place in legitimately signed programs.

In particular, the attack stoked fears about auto-update processes, because this strike used Opera's own update infrastructure to push the malicious update out to customers automatically.

"Attacks that subvert the methods used to validate programs and their updates are very troubling," says Jean Taggart, senior researcher at Malwarebytes. "They serve as a strong reminder to practice defense in depth."

The Opera attack is hardly an exception to today's attacker standard operating procedure.

"It's become clear that certificate-based attacks have become the attack vector of choice," says Jeff Hudson, CEO of Venafi. "[The] Opera Software security breach paints a clear picture of how a single digital certificate can be misused to allow a malicious actor to penetrate a network, go undetected, and carry out their nefarious activities without working up a sweat."


Attackers are increasingly using the security industry's certificate trust model against the organizations that depend on it, agrees Jerome Segura, senior researcher at Malwarebytes. As one piece of evidence of a growing trend, he points to an attack his organization found in February in which malware was embedded in a fake PDF invoice signed with a valid DigiCert certificate. Closer to the Opera attack, last year Adobe was compromised by attackers who targeted a build server with access to the software vendor's code-signing infrastructure; they then used that access to sign password-extracting malware with a valid Adobe signature.

"It is an ongoing problem with the bad guys either stealing from legitimate certificate authorities or setting up fake businesses to digitally sign malware," Segura says.

According to Johannes Ullrich, CTO of the SANS Internet Storm Center, the Opera attack shows that IT is caught between a rock and a hard place when it comes to trust in the auto-update process.

"Features like auto-updates and trusting digital signatures are necessary to survive with nonexistent patch windows," says Ullrich, who in a recent blog post echoed the defense-in-depth message and suggested some methods that might have helped in this case. "There may be other controls to make sure the software behaves as expected -- for example, if software 'calls out' to other sites. Sadly, for a Web browser [as in the case of Opera], outbound connections are expected and hard to verify."

Ullrich says that even whitelisting would have difficulty catching this kind of attack, because a valid signature from a specific vendor is often exactly the criterion organizations use to place software on the approved list.

"Also, in this case, you may have added an exception thinking that the update to Opera was legitimate as it came from a legitimate Opera server and was signed," he says.
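To make concrete what "it was signed by the vendor" leaves unchecked, here is an added example (not code from the article, Opera or SANS) of the policy a hardened auto-updater can apply before installing a signed update: the signer must chain to a trusted root for code signing at the claimed signing time, so a signature made with a stolen certificate outside its validity window is rejected; the signer's key must match a pinned vendor key, so any other certificate from the same CA is rejected; and the signature over the payload must verify. The PKI, names and payload are constructed, and `signedAt` is assumed to come from a trusted timestamp countersignature or to be the install time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyUpdate models what a hardened updater checks before installing blob: the signer must chain
// to a trusted root for code signing at the claimed signing time (a stolen expired certificate fails
// here), carry the pinned vendor key, and the signature over blob must verify.
func VerifyUpdate(roots *x509.CertPool, pin [32]byte, signer *x509.Certificate, blob, sig []byte, signedAt time.Time) error {
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: signedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return errors.New("signer certificate not valid at signing time: " + err.Error())
	}
	if sha256.Sum256(signer.RawSubjectPublicKeyInfo) != pin {
		return errors.New("signer key is not the pinned vendor key")
	}
	pub, ok := signer.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, blob, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// BuildScenario constructs a vendor root CA plus a code-signing leaf that expired at expiry (a constructed
// test PKI, not Opera's), signs blob with the leaf key, and returns roots, pinned SPKI hash, leaf, signature.
func BuildScenario(blob []byte, expiry time.Time) (*x509.CertPool, [32]byte, *x509.Certificate, []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Vendor Root (constructed)"},
		NotBefore: expiry.AddDate(-5, 0, 0), NotAfter: expiry.AddDate(20, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey) // self-signed root
	ca, _ := x509.ParseCertificate(caDER)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	leafDER, _ := x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "Vendor Code Signing (constructed)"}, NotBefore: expiry.AddDate(-1, 0, 0),
		NotAfter: expiry, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca, leafPub, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, sha256.Sum256(leaf.RawSubjectPublicKeyInfo), leaf, ed25519.Sign(leafKey, blob)
}
```

None of these checks helps when the stolen certificate is still within its validity window, which is why Ullrich's point about complementary network controls stands.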

He suggests that network-based controls may well be the best way to avoid an attack from compromised third-party vendor resources.

"But properly configuring network-based controls is tricky. You are likely still relying on signatures, and the signature may come too late in this case, after the malware has installed additional tools that no longer match the original signature," he says. "But a well-tuned IDS is probably your best bet to detect this."

In addition to igniting industry dialogue about how to avoid being infected through vendor compromises that abuse the certificate infrastructure, the Opera attack also serves as a wake-up call for vendor organizations entrusted with protecting certificates.

"Vendors should take note that malicious actors understand the value of these certificates," Taggart says. "We can only hope that this incident will act as a wake-up call, both to Opera and to others."

Unfortunately, many vendor organizations are as compliance-focused as the typical enterprise, says Jason Thompson, director of global marketing for SSH Communications Security.

"Right now vendors mainly react post-exploit, as best practices are just now being created and compliance mandates are just now starting to include specific language around keys, tokens, and certificates," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

macker490, User Rank: Ninja, 7/4/2013 11:30:34 AM
re: What's It Take To Trust A Digitally Signed Program?

"Attackers are increasingly using the security industry's certificate trust model against the organizations that depend on it, agrees Jerome Segura"

One should read Phil Zimmermann's original essay on PGP, particularly on PROTECTING KEYS.

It's not something someone is going to do for you: you have to participate. Generate a keypair. Authenticate, and then sign those certificates and set trust levels.

All these CA services have made a mess of a perfectly good tool.