What's It Take To Trust A Digitally Signed Program?

Published: 22/11/2024   Category: security




Last week's Opera attack stokes fears over digitally signed programs from potentially compromised vendors



The Opera Software breach that came to light last week, in which attackers compromised Opera's network to steal an expired certificate and use it to sign malware for distribution, dredges up serious concerns among security professionals about how much trust organizations put in legitimately signed programs.
In particular, the attack raised fears about auto-update processes, given that this strike used Opera's updating infrastructure to automatically push out updates to customers.
"Attacks that subvert the methods used to validate programs and their updates are very troubling," says Jean Taggart, senior researcher at Malwarebytes. "They serve as a strong reminder to practice defense in depth."
The Opera attack is hardly an exception in today's malicious hacking standard operating procedures.
"It's become clear that certificate-based attacks have become the attack vector of choice," says Jeff Hudson, CEO of Venafi. "[The] Opera Software security breach paints a clear picture of how a single digital certificate can be misused to allow a malicious actor to penetrate a network, go undetected, and carry out their nefarious activities without working up a sweat."
[How does HTML5 increase risk? See Beware of HTML5 Development Risks.]
Attackers are increasingly using the security industry's certificate trust model against the organizations that depend on it, agrees Jerome Segura, senior researcher for Malwarebytes, pointing to an attack that his organization found in February, embedded in a fake PDF invoice signed by a valid DigiCert certificate, as one piece of evidence of a growing trend. More similar to the Opera attack, last year Adobe was compromised by attackers who targeted a build server with access to the software vendor's code signing infrastructure. Attackers then leveraged that access to sign password-extracting malware with a valid Adobe signature.
"It is an ongoing problem with the bad guys either stealing from legitimate certificate authorities or setting up fake businesses to digitally sign malware," Segura says.
According to Johannes Ullrich, CTO of SANS Internet Storm Center, the Opera attack demonstrates IT's position between a rock and a hard place with regard to trust during the auto-update process.
"Features like auto-updates and trusting digital signatures are necessary to survive with nonexisting patch windows," says Ullrich, who in a recent blog echoed the defense-in-depth message while postulating on some methods that could have helped in this case. "There may be other controls to make sure the software behaves as expected -- for example, if software calls out to other sites. Sadly, for a Web browser [as in the case of Opera], outbound connections are expected and hard to verify."
Ullrich says that even whitelisting would have a hard time catching this kind of attack, because valid signatures from specific vendors are often exactly what organizations use to place software on the approved list.
"Also, in this case, you may have added an exception thinking that the update to Opera was legitimate, as it came from a legitimate Opera server and was signed," he says.
He suggests that network-based controls may well be the best way to avoid an attack from compromised third-party vendor resources.
But properly configuring network-based controls is tricky. "You are likely still relying on signatures, and the signature may come too late in this case, after the malware installed additional tools that no longer match the original signature," he says. "But a well-tuned IDS is probably your best bet to detect this."
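To make the layered-checks point concrete, here is an added example (not code from the article, from Opera, or from any of the vendors quoted) of an update verifier that treats the signature as only the first gate: it also checks the certificate's validity window at the claimed signing time, pins the vendor's expected key rather than accepting any valid signer, and requires the binary's hash to appear in a release manifest obtained over a separate channel. The Ed25519 stand-in for a code-signing certificate, the type names, and the sample inputs are constructed assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"time"
)

// SignerCert is a constructed stand-in for a code-signing certificate: the
// signer's public key plus the window in which it was valid.
type SignerCert struct {
	PublicKey           ed25519.PublicKey
	NotBefore, NotAfter time.Time
}

// Update is what an auto-updater receives: the binary, a detached signature
// over it, and the time the signer claims it was signed.
type Update struct {
	Payload, Sig []byte
	SignedAt     time.Time
}

// Policy holds the defender's out-of-band expectations (assumed shape).
type Policy struct {
	PinnedKey     ed25519.PublicKey // the exact key the vendor publishes
	ReleaseHashes map[[32]byte]bool // SHA-256 of each published release
}

// VerifyUpdate accepts an update only when every check passes; a valid
// signature on its own is never sufficient.
func VerifyUpdate(cert SignerCert, u Update, p Policy) error {
	if !ed25519.Verify(cert.PublicKey, u.Payload, u.Sig) {
		return errors.New("signature does not verify")
	}
	// A stolen expired certificate fails here even if the math checks out.
	if u.SignedAt.Before(cert.NotBefore) || u.SignedAt.After(cert.NotAfter) {
		return errors.New("certificate was not valid at the claimed signing time")
	}
	// Trust the specific signer the vendor published, not "any valid cert".
	if !cert.PublicKey.Equal(p.PinnedKey) {
		return errors.New("signer is not the pinned vendor key")
	}
	// The binary must also match a release hash obtained over an independent
	// channel, so control of the update server alone is not enough.
	if !p.ReleaseHashes[sha256.Sum256(u.Payload)] {
		return errors.New("payload hash is not in the release manifest")
	}
	return nil
}
```

In a real deployment the signing time should come from a trusted timestamp countersignature rather than from the update itself, and a revocation check belongs alongside the validity-window test.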
In addition to igniting industry dialogue about how to avoid infection through vendor compromises that manipulate the certificate infrastructure, the Opera attack also serves as a wake-up call for vendor organizations entrusted with protecting certificates.
"Vendors should take note that malicious actors understand the value of these certificates," Taggart says. "We can only hope that this incident will act as a wake-up call, both to Opera and to others."
Unfortunately, many vendor organizations are as compliance-focused as the typical enterprise, says Jason Thompson, director of global marketing for SSH Communications Security.
"Right now vendors mainly react post-exploit, as best practices are just now being created, and compliance mandates are just now starting to include specific language around keys, tokens, and certificates," he says.
