Opera breached, has code cert stolen, possibly spreads malware (sophos.com)
172 points by JoeCoo7 1610 days ago | 36 comments

Ow. That's really, really bad.

Opera is already a pretty small actor so stuff like this probably hurts them more than the bigger guys. This incident will probably show in the bottom-line later on.

Hope they get their things sorted out, and I really hope they learn enough to avoid having anything like this happening in the future. Things like this are never OK if there is a second time around.

Opera is still big on mobile, there's still nothing quite like Opera Mini, they should be careful at defending this.

What do you mean nothing quite like it? It may be the very best at supporting more platforms and raw speed, but Amazon Silk [0] and Chrome Mobile [1] are hot on their heels. There are a lot of advantages (eg. how CSS and JS aren't hamstrung) to the latter two, and not having to traverse to SWE networks has to be advantageous -- anecdotal.

[0] http://en.wikipedia.org/wiki/Amazon_Silk [1] https://developers.google.com/chrome/mobile/docs/data-compre...

Opera Mini supports a shitload of platforms, offering a bandwidth-saving, smooth (well..), fast browsing experience. What other browser offers this?

I'm not much of an Opera fan, but we need to give credit where credit is due.

I don't mean to discredit Opera Mini, and I did give it credit for platform compatibility and maybe raw speed. There are numerous reasons the Chrome solution is better for modern web apps. I can't say for sure about speed, but anecdotal evidence and an educated guess would have me believe that talking through a more local proxy and with SPDY outweighs Mini's "binary" protocol.

Of course, with the web moving towards HTTPS, technologies like SPDY are forward thinking and proxies get shelved.

Of course, you are right, but for now most of the phones on the planet do not support "modern" browsers or have access to high speed internet.

As the other commenter outlined, for these kind of devices Opera is a keyhole to the internet.

And you will notice that even on modern hardware with good access to the internet, Opera works smoother/faster than other browsers (it's at least the case on my android tablet).

Yeah, it works on my terrible featurephone, and delivers a really extraordinarily good web experience all things considered. It's like a keyhole to the internet, except it renders everything more or less perfectly, unlike every other featurephone browser ever.

This is really bad, but it depends who the attacker is. I wouldn't hold it against them if it was a government (or government sponsored entity).

A government (or government sponsored entity) probably wouldn't be so brazen to start using the stolen certificate to distribute malware on Opera's site.

I would imagine that keeping this a secret would be worth a lot more to the right people.

Perhaps this has happened to many other software firms, and the malware is all undetected; perhaps they just screwed up their tracks this time.

The article claims the official story is unclear, but I disagree. As a potential customer, I've learnt everything I need to know to protect myself from vulnerabilities. (Though the inner hacker would like to hear how their infrastructure was compromised and whether it can have any effect on related services, such as Fastmail.)

Opera also states the security breach has been handled on their end, so I see nothing wrong with the announcement's title either.

It would be unfortunate if the situation got out of hand; with recent fundamental changes to their browser, Opera now needs 100% focus to stay competitive.

FastMail runs on completely separate infrastructure and there were no indications of a compromise.

However, to be on the safe side we've taken a number of precautions including blowing away every machine (fai-project.org FTW!) and updating credentials everywhere.

There's another possibility: Maybe opera has an internal service that accepts software uploads and automatically signs them. That way an attacker might have spread malware without having stolen the certificate.

"...may automatically have received and installed the malicious software..."

That is nice. Automatic installation of malware. It's the way to go :)

Just count how many apps, devices (firmware), programs etc. there are which do not use any certs at all. Using automatic updates is a very real danger. I just think most users / admins do not think how common it actually is.

This is a pretty compelling argument against silent automatic updates.

No, it isn't, this would've affected all manual, silent or visible automatic updates.

Users checking for updates or visible automatic update prompts during that timeframe that Opera said was offering the infected update would still get the malware.

People assume that getting automatic update prompts would allow them to stop the update if they heard about an infected update. The problem with that logic is that by the time the companies know about a breach, they would've shut down the automatic update FIRST and then fix the breach, then resume it. Customers would rarely know about that breach in advance, so the prompt wouldn't change anything here.

No, it wouldn't have. Manual updating:

- Spreads the exposure time, creating a much larger window in which updates may be deployed, reducing the number of systems affected, and reducing the likelihood of a targeted attack succeeding.

- Prevents targeted 'midnight' updates in which an attacker can deploy code at-will to target systems during hours that nobody will be around to see them.

- Requires producing reasonable looking update notes, which will likely be noticed by everyone involved in the release process, resulting in an additional warning to those that can detect the issue.

A silent update can go out without anyone knowing that an update was even deployed.

This argument works the same way in reverse. If an exploit is discovered, manual updating spreads the update time, creating a much larger window in which exploits may be deployed, increasing the number of systems affected, and increasing the likelihood of a targeted attack succeeding.

A big difference is that the exploit can't be pushed to every single device in the world that is running the software in question and phoning home for updates.

How would this be any different if a dialog box popped up asking you to install a new update? I bet most people (including you?) would just click "Continue".

How so? The alternative is people got a pop-up, then click install without verifying it (how could they?). It's functionally the same thing almost all the time.

So should I trust the update that apt-get shows me? There is a 12.16.1760 in the deb.opera.com repository while the opera main page gives a download for version 12.15!
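The earlier comment about apps and firmware that update with no certificate at all, and the question just above about whether to trust the update a package manager offers, both come down to what a client can verify before it installs anything. The Go program below is an added example, not Opera's updater or any project's code: it uses a hypothetical JSON manifest format signed with Ed25519, a publisher key pinned in the client, a downgrade check, and a hash check on the downloaded installer. The manifest format, the version strings and the installer bytes are constructed for the example. One caveat this very incident illustrates: the signature check passes just as readily for a release signed with a stolen key, so custody of the signing key is a separate problem from client-side verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is a hypothetical signed release descriptor (constructed for this
// example). The signature covers the raw manifest bytes, and the manifest in
// turn pins the installer hash, so the installer need not be signed separately.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned key")
	ErrDowngrade    = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("installer hash does not match the signed manifest")
)

// compareVersions orders dotted numeric versions such as "12.16.1760" and "12.15";
// missing or non-numeric components count as 0.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x > y {
				return 1
			}
			return -1
		}
	}
	return 0
}

// VerifyUpdate is the client-side gate. Nothing in the manifest is trusted until
// its signature checks out under the key shipped with the client; the version must
// be an upgrade (so an old, vulnerable build cannot be replayed); and the installer
// bytes must hash to the value the signed manifest promised.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig []byte, installed string, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	if compareVersions(m.Version, installed) <= 0 {
		return nil, ErrDowngrade
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

// Demo builds a constructed release under a fresh publisher key and runs three
// scenarios: a clean update, an installer swapped after signing, and a replay of
// a manifest whose version the client already runs.
func Demo() (clean, swapped, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	installer := []byte("constructed sample installer bytes")
	sum := sha256.Sum256(installer)
	manifest, _ := json.Marshal(Manifest{Version: "12.16.1760", SHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, manifest)

	_, clean = VerifyUpdate(pub, manifest, sig, "12.15", installer)
	_, swapped = VerifyUpdate(pub, manifest, sig, "12.15", []byte("installer replaced on the mirror"))
	_, replayed = VerifyUpdate(pub, manifest, sig, "12.16.1760", installer)
	return clean, swapped, replayed
}

func main() {
	clean, swapped, replayed := Demo()
	fmt.Println("clean update:", clean)
	fmt.Println("swapped installer:", swapped)
	fmt.Println("replayed manifest:", replayed)
}
```

The order of the checks matters: the signature is verified over the raw bytes before they are parsed, so a malformed manifest never reaches the JSON decoder unless the publisher key signed it.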

Until we know more it would be folly to upgrade; I would recommend using a different browser for the time being.

From the Sophos article the malware spread is Zeus which is Windows based.

Zeus? As in banking-details-stealing trojan horse Zeus?

As someone who has Opera installed on their home machine, which they also use for banking, how worried should I be?

Would Malwarebytes be enough to find and remove the trojan?

EDIT: http://malwaretips.com/blogs/zeus-trojan-virus/

Virus scan FTA: https://www.virustotal.com/en/file/8ecbca0de44c82d1c7ffced28...

That shows MalwareBytes detecting it as Trojan.Downloader.szb, and it does appear to be Zeus or a close variant. I'd be concerned.

> It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software.

At least for me, Opera always asks for Administrator privileges before installing anything, so if you didn't happen to install updates in the timeframe given, you should be fine.

I wonder if this impacted Fastmail as well... ;_;

Ah. Thanks for the pointer.

The signing keys are the weakest link in the security infrastructure and are essentially the keys to the kingdom. We have seen this happen repeatedly, I think it's time for all companies to build a lot of safeguards around the use of their private signing keys, like making employees input it manually every time, or even split it across multiple employees. For Opera at least, I don't think they do releases that frequently.
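The suggestion above to split the signing key across multiple employees can be made concrete with Shamir secret sharing. The Go program below is an added example, not Opera's release tooling: it splits an Ed25519 signing seed 3-of-5 over the prime field modulo 2^521-1, rebuilds the seed from any three shares for a single signing call, and shows that two shares yield nothing usable. The key, the artifact and the share counts are constructed for the example. Reassembling the seed in process memory still exposes it at signing time, so a production ceremony would do this inside an HSM or use a threshold signature scheme; either way it is the opposite of the always-on automatic signing service another commenter worried about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Arithmetic is done modulo the Mersenne prime 2^521-1, which exceeds any 32-byte seed.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's point (X, p(X)) on the secret polynomial.
type Share struct {
	X int64
	Y *big.Int
}

// Split hides secret as the constant term of a random polynomial of degree k-1
// and hands out n evaluations; any k determine the polynomial, fewer reveal nothing.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k {
		return nil, errors.New("need 2 <= k <= n")
	}
	coeffs := []*big.Int{new(big.Int).SetBytes(secret)}
	if coeffs[0].Cmp(prime) >= 0 {
		return nil, errors.New("secret does not fit in the field")
	}
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := 1; i <= n; i++ {
		x, y := big.NewInt(int64(i)), big.NewInt(0)
		for j := len(coeffs) - 1; j >= 0; j-- { // Horner's rule mod p
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i-1] = Share{X: int64(i), Y: y}
	}
	return shares, nil
}

// Combine interpolates the polynomial at x = 0 (Lagrange) and returns the constant
// term as a size-byte big-endian value. With too few shares the result is a random
// field element that almost surely does not fit, which is reported as an error.
func Combine(shares []Share, size int) ([]byte, error) {
	sum := big.NewInt(0)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			num.Mul(num, big.NewInt(-sj.X)).Mod(num, prime)
			den.Mul(den, big.NewInt(si.X-sj.X)).Mod(den, prime)
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		sum.Add(sum, term).Mod(sum, prime)
	}
	if sum.BitLen() > size*8 {
		return nil, errors.New("reconstructed value does not fit: wrong or too few shares")
	}
	return sum.FillBytes(make([]byte, size)), nil
}

// SignRelease is the release-time ceremony: the quorum's shares rebuild the seed
// only for the duration of this call.
func SignRelease(shares []Share, artifact []byte) ([]byte, error) {
	seed, err := Combine(shares, ed25519.SeedSize)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), artifact), nil
}

// Demo splits a fresh signing seed 3-of-5 and checks that three custodians can
// produce a valid release signature while two cannot.
func Demo() (withQuorum, belowQuorum bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	shares, err := Split(priv.Seed(), 3, 5)
	if err != nil {
		return false, false, err
	}
	artifact := []byte("constructed release artifact")
	sig, err := SignRelease(shares[1:4], artifact) // custodians 2, 3 and 4
	withQuorum = err == nil && ed25519.Verify(pub, artifact, sig)
	sig, err = SignRelease(shares[:2], artifact) // custodians 1 and 2 only
	belowQuorum = err == nil && ed25519.Verify(pub, artifact, sig)
	return withQuorum, belowQuorum, nil
}

func main() {
	withQuorum, belowQuorum, err := Demo()
	fmt.Println("3 of 5 sign:", withQuorum, "| 2 of 5 sign:", belowQuorum, "| error:", err)
}
```

Each custodian keeps only their own (X, Y) pair; the public key stays pinned in the update client as usual, so the split changes nothing on the client side and only raises the bar for whoever wants to sign a release.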

I guess you're completely ignorant of how widely used their software is. I really need to get enough points to downvote :<

Alas, that wide usage barely shows up in stats. Desktop version has significant market share in some USSR countries (Belarus, Ukraine, Russia), but in others is a couple of percent at best. They do brag about the large install base on the mobile, but let's face it: Opera may be the best way to browse the web on your feature-phone, but the experience is still terrible, and Opera does not really show on the mobile traffic map. So while the deleted comment was unfair, Opera's fans shouldn't overdo the effort to portray it as something it was not.

You can click on link and then flag it if you think it's appropriate.

"If you think something is spam or offtopic, flag it by going to its page and clicking on the "flag" link. (Not all users will see this; there is a karma threshold.)" - http://ycombinator.com/newsguidelines.html
