Opera Software has become the latest company to suffer a security breach due to an expired digital certificate.
On June 26, Opera released an advisory statement about the breach that was discovered on June 19, stating in part:
“The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.”
While the tactic doesn’t generate the same press as a DDoS attack or other types of breaches, hackers are increasingly using stolen and/or expired certificates to spread malware. And, as Jeff Hudson, CEO of Venafi, told me in an email, it is a surprisingly easy way for the hackers to break in:
“Organizations’ failure to control and protect cryptographic keys and certificates, the foundation of digital security and online trust, leaves the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want. The Opera Software security breach paints a clear picture of how a single digital certificate can be misused to allow a malicious actor to penetrate a network, go undetected and carry out their nefarious activities without working up a sweat.”
It looks like the hackers may have the advantage on this type of breach. A Ponemon Institute study released earlier this year found that 51 percent of organizations don’t know how many digital certificates and keys are in use. According to the study, that number averages over 17,000. Attacks that take advantage of those unknown, expired, or forgotten certificates can cost enterprises an average of $35 million every two years.
As Hudson told me:
“Unplanned outages from expired certificates can no longer be viewed as an inconvenient IT operations issue; rather, these common outages are symptomatic of much larger security vulnerabilities. It’s become clear that certificate-based attacks have become the attack vector of choice. Organizations must implement effective controls to ensure the safety of their network.”