What's It Take To Trust A Digitally Signed Program?

Last week's Opera attack stokes fears over digitally signed programs from potentially compromised vendors

The Opera Software breach that came to light last week after attackers compromised Opera's network in order to steal an expired certificate and use it to sign malware for distribution dredges up some serious concerns from security professionals about the amount of trust that organizations put into legitimately signed programs.

In particular, the attack brought up fears about auto-updating processes given that this particular strike used Opera's updating infrastructure to automatically push out updates to customers.

"Attacks that subvert the methods used to validate programs and their updates are very troubling," says Jean Taggart, senior researcher at Malwarebytes. "They serve as a strong reminder to practice defense in depth."

The Opera attack is hardly an exception in today's malicious hacking standard operating procedures.

"It's become clear that certificate-based attacks have become the attack vector of choice," says Jeff Hudson, CEO of Venafi. "[The] Opera Software security breach paints a clear picture of how a single digital certificate can be misused to allow a malicious actor to penetrate a network, go undetected, and carry out their nefarious activities without working up a sweat."

[How does HTML5 increase risk? See Beware of HTML5 Development Risks.]

Attackers are increasingly using the security industry's certificate trust model against the organizations that depend on it, agrees Jerome Segura, senior researcher for Malwarebytes, pointing to an attack that his organization found in February that embedded in a fake PDF invoice signed by a valid DigiCert certificate as one piece of evidence of a growing trend. More similar to the Opera attack, last year Adobe was compromised by attackers who targeted a build server with access to the software vendor's code signing infrastructure. Attackers then leveraged that access to sign password-extracting malware with a valid Adobe signature.

"It is an ongoing problem with the bad guys either stealing from legitimate certificate authorities or setting up fake businesses to digitally sign malware," Segura says.

According to Johannes Ullrich, CTO of SANS Internet Storm Center, the Opera attack demonstrates IT's position between a rock and a hard place with regard to trust during the auto-update process.

"Features like auto-updates and trusting digital signatures are necessary to survive with nonexisting patch windows," says Ullrich, who in a recent blog echoed the defense in depth message while postulating on some methods that could have helped in this case. "There may be other controls to make sure the software behaves as expected -- for example, if software 'calls out' to other sites. Sadly, for a Web browser [as in the case of Opera], outbound connections are expected and hard to verify."

Ullrich says that even whitelisting would have a difficult time picking up this kind of attack because often valid signatures from specific vendors are the exact thing that organizations use to place software on the approved list.

"Also, in this case, you may have added an exception thinking that the update to Opera was legitimate as it came from a legitimate Opera server and was signed," he says.

He suggests that network-based controls may well be the best way to avoid an attack from compromised third-party vendor resources.

"But properly configuring network based controls is tricky. You are likely still relying on signatures, and the signature may come too late in this case after the malware installed additional tools that no longer match the original signature," he says. "But a well-tuned IDS is probably your best bet to detect this."

In addition to igniting dialogue from the industry about how to avoid being infected through vendor compromises that manipulate the certificate infrastructure, the Opera attack also serves as a wake-up call for vendor organizations entrusted with protecting certificates.

"Vendors should take note that malicious actors understand the value of these certificates," Taggart says. "We can only hope that this incident will act as a wake-up call, both to Opera and to others."

Unfortunately, many vendor organizations are as compliance-focused as the typical enterprise, says Jason Thompson, director of global marketing for SSH Communications Security.

"Right now vendors mainly react post-exploit as best practices are just now being created, and compliance mandates are just now starting to include specific languages around keys, tokens, and certificates," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights