December 23, 2024

US Police Grapple With Rise of ‘Swatting’ Pranks

Posted on March 23, 2015 by in Security

When Florida police got a call from a man who said he shot four people at rapper Lil Wayne’s house this month, they responded as they are trained to.

Heavily armed, flanked in body armor and accompanied by sniffer dogs, officers surrounded the Miami mansion after the alleged shooter told the 911 dispatch: “I’m killing whoever else I see…”

But police found no shooter at the house, and no victims. Lil Wayne was not there either.

The rapper was the target of a “swatting” prank, a phenomenon gaining popularity in the United States and creating public safety risks and budget strains for law enforcement.

The stunt — a modern-day and much more serious version of a prank call — involves a call to emergency services claiming a crisis.

When police arrive, the alarmed victim is often greeted by angry bangs at the door from screaming officers with cocked guns.

Special weapons and tactics (SWAT) units are usually dispatched — which the term swatting comes from — because they are trained to deal with serious emergencies swatters typically falsely report, such as hostage taking, mass shootings, bomb threats and domestic violence.

Following the false alarm at Lil Wayne’s mansion, Miami police said on Twitter: “Unfortunately this appears to be a ‘Swatting’ call. No victims /no injuries /no subject at 94 LaGorce.”

Police are obliged to respond to emergency calls, but say such pranks are a waste of resources.

“Fortunately in terms of no one hurt yes. Unfortunate in the waste of resources for a hoax that we have to treat seriously,” Miami Police tweeted.

Lil Wayne is not the only celebrity swatting victim.

Famous Hollywood prankster, Ashton Kutcher, host of the hoax show “Punk’d,” has been swatted, along with Justin Bieber, Rihanna, P. Diddy, Justin Timberlake, Tom Cruise and Miley Cyrus.

Swatters have also hit politicians, journalists and schools.

Live-stream swatting

The phenomenon of swatting was first reported to the Federal Bureau of Investigation in 2008, and has steadily gained popularity since.

Officials estimate about 400 swattings occur every year, but many no longer report incidents to prevent copycat acts and to avoid giving swatters publicity.

The hoax is popular in the online gaming community, where swatters target online rivals who are live-streaming a game. When police arrive, the stunt is broadcast in real-time.

Swatting videos show victims at their computers when they are interrupted by loud bangs at the door followed by heavily armed police storming their homes.

Perpetrators target online rivals and access their addresses by hacking their computers.

Police consider the act a dangerous crime, and say swatting is a serious public safety issue.

“The swatting practice is extremely dangerous and places first responders and citizens in harm’s way,” the FBI said in a statement.

“It is a serious crime, and one that has potentially dangerous consequences.”

Beyond being a waste of resources, police say swatting creates major risks.

Some hapless victims were carrying objects that could be mistaken for a weapon. Others grabbed a real gun, mistaking law enforcement for intruders

Police are at risk too — in one incident an officer was injured in a car accident while responding to a swatting hoax.

“It’s only a matter of time before somebody gets seriously injured as a result of one of these incidents,” the FBI said.

Seeking tough laws

But tracking perpetrators is tough, as callers use software to disguise the call origin or place the calls from untraceable Internet sites.

Though there is no federal swatting legislation in place, punishment can be tough for swatters who are caught.

In 2009, 19-year-old Matthew Weigman was sentenced to 11 years in prison for orchestrating several swattings. The blind phone hacker who was a member of a swatting ring had been making the fake calls to police for five years.

Some politicians are pushing for tougher laws to deal with the crime.

California Congressman Ted Lieu introduced legislation in his state that was adopted in 2014, forcing convicted swatters to pay for costs related to fake calls, which can be as much as $ 10,000.

Lieu, himself a victim of swatting, said the bill protects the public and prevents police resources from being wasted.

Despite moves to strengthen punishments, the phenomenon continues to gain momentum, both on US soil and abroad.

Last week, French television host Enora Malagre was a victim of swatting when a man called police claiming he stabbed her and threatened to shoot at police.

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013


SecurityWeek RSS Feed

Vulnerability Found in Yoast’s Google Analytics WordPress Plugin

Posted on March 21, 2015 by in Security

Yoast has released a new version of its popular Google Analytics plugin for WordPress to address a persistent cross-site scripting (XSS) vulnerability that could have been exploited to execute arbitrary code.

Google Analytics by Yoast has been downloaded nearly 7 million times. The application allows WordPress administrators to monitor website traffic by connecting the plugin to their Google Analytics account.

The vulnerability was identified by Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy. Earlier this month, the expert reported identifying several vulnerabilities in the WPML premium WordPress plugin.

According to the researcher, an attacker can leverage a flaw in Google Analytics by Yoast to store arbitrary code in a targeted administrator’s WordPress dashboard. The code is executed as soon as the administrator opens the plugin’s settings panel.

The attack involves two security bugs. First, there is an access control flaw that allows an unauthenticated attacker to connect the plugin installed on the targeted website to his own Google Analytics account by overwriting existing OAuth2 credentials.

The second stage of the attack relies on the fact that the plugin renders an HTML dropdown menu based on data from Google Analytics. Because this data is not sanitized, an attacker can enter malicious code in the Google Analytics account and it gets executed when the targeted administrator views the plugin’s settings panel.

“Under default WordPress configuration, a malicious user can exploit this flaw to execute arbitrary server-side PHP code via the plugin or theme editors,” Pynnonen said in an advisory. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site.”

The security issues have been addressed with the release of Google Analytics by Yoast version 5.3.3. The update also fixes a flaw that allowed administrators to launch XSS attacks against other administrators. This vulnerability was publicly disclosed back in February by Kaustubh G. Padwad and Rohit Kumar.

This isn’t the first time someone finds a vulnerability in a plugin from Yoast. Last week, UK-based researcher Ryan Dewhurst uncovered a blind SQL injection vulnerability in WordPress SEO by Yoast.

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

HP Fixes Vulnerabilities in ArcSight Products

Posted on March 18, 2015 by in Security

HP has released software updates to address several vulnerabilities affecting ArcSight Enterprise Security Manager (ESM) and ArcSight Logger, products that are part of the company’s enterprise security portfolio.

An advisory published by the CERT Coordination Center at Carnegie Mellon University on Tuesday shows that a total of five security holes have been uncovered by Poland-based security researcher Julian Horoszkiewicz in the two HP ArcSight products.

One of the vulnerabilities affecting ArcSight Logger can be exploited by a remote, authenticated attacker to upload arbitrary files to the affected system. A malicious actor might be able to execute scripts on the server with the application’s privileges. Uploading arbitrary files is possible because the product’s configuration import feature does not sanitize file names, CERT said.

Another Logger issue can be exploited by an authenticated attacker to modify sources and parsers. The weakness exists because all users are allowed to access certain configuration features, such as input, search, and content management.

Horoszkiewicz has also found that the XML parser in Logger’s content import section is vulnerable to XML External Entity Injection attacks. A malicious actor could leverage the bug to execute arbitrary scripts on the server.

The HP ArcSight vulnerabilities identified by the researcher are a cross-site scripting (XSS) flaw that could allow an attacker to disrupt or modify rules and resources on the system, and a cross-site request forgery (CSRF) that can be exploited to modify data on the system. Since these types of vulnerabilities are exploited by tricking the victim into clicking on a maliciously crafted link, the extent of the damage that an attacker can cause depends on the privileges of the targeted user.

HP says the vulnerabilities impact ArcSight ESM prior to version 6.8c, and ArcSight Logger prior to version 6.0P1.

CERT’s advisory shows that CVE identifiers are pending for each of the flaws. However, HP’s own advisory reveals that an identifier, CVE-2014-7885, has been assigned to multiple vulnerabilities in HP ArcSight ESM, and a second identifier, CVE-2014-7884, has been assigned to multiple flaws in HP ArcSight Logger.

Horoszkiewicz has uploaded a proof-of-concept for the ArcSight Logger file upload vulnerability to Offensive Security’s Exploit Database. The researcher said he had sent a vulnerability report to HP in late August 2014, and new versions containing the fix were released on January 21, 2015.

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

PayPal Buys Cybersecurity Firm, Creates Israel Hub

Posted on March 10, 2015 by in Security

Online payments group PayPal announced Tuesday it was acquiring Israeli cybersecurity firm CyActive and establishing a new security hub in Israel.

The terms of the deal were not announced, but some reports this week said PayPal, which is being spun off by online giant eBay, was paying $ 60 million for CyActive.

“Our goal is to extend our global security leadership, and bolster our efforts in predictive threat detection and prevention,” said PayPal chief technology officer James Barrese in a blog post.

“The acquisition of CyActive will bring great talent and immediately add ‘future-proof’ technology to PayPal’s world-class security platform. With CyActive, we’ll have even more ways to proactively predict and prevent security threats from ever affecting our customers.”

The move comes with the finance sector increasingly under attack from hackers. In recent months, major companies have disclosed data breaches affecting tens of millions of customers, with credit card or financial information leaked in some cases.

CyActive, which launched in 2013, specializes in “predictive cybersecurity,” or heading off online attacks before they happen.

The company’s website claims it has “an unprecedented ability to automatically forecast the future of malware evolution, based on bio-inspired algorithms and a deep understanding of the black hats’ hacking process.”

Online retail giant eBay unveiled plans last September to spin off PayPal, aiming to help the unit compete better in the fast-moving online payments segment.

According to eBay, PayPal facilitates one in every six dollars spent online today.

And PayPal has moved into mobile payments with the acquisition of the payment processing group Braintree, boosting its own mobile platform called OneTouch.

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013


SecurityWeek RSS Feed

CIA to Boost Cyber Capability in Sweeping Overhaul

Posted on March 7, 2015 by in Security

The CIA plans to radically overhaul operations, ramping up its capability to deal with cyber threats while boosting integration between departments via a network of new units.

Central Intelligence Agency director John Brennan outlined the proposed changes to the agency in a message to staff on Friday described as a “Blueprint for the Future” covering four key areas.

Brennan said the US espionage agency would set up a new “Directorate of Digital Innovation” to reflect the rapidly evolving cyber landscape.

“We must place our activities and operations in the digital domain at the very center of all our mission endeavors,” Brennan wrote.

“To that end, we will establish a senior position to oversee the acceleration of digital and cyber integration across all of our mission areas.”

The changes reflect the increasing emphasis on cybersecurity by the United States after a series of high-profile digital breaches in recent years, such as the Sony Pictures hack blamed on North Korea.

Director of National Intelligence James Clapper last month told lawmakers that foreign cyberattacks represented a bigger threat to national security than terrorism.

US media reports said Brennan’s sweeping changes would affect thousands of employees at the agency.

‘Bold steps’

A centerpiece of the overhaul would be the establishment of 10 new “Mission Centers” aimed at enhancing integration between departments.

“Never has the need for the full and unfettered integration of our capabilities been greater,” Brennan said in his message. “We must take some bold steps toward more integrated, coherent and accountable mission execution.”

Analysts said the introduction of Mission Centers was intended to eliminate divisions between traditional departments covering the Middle East, Africa and other regions.

Several media reports said the new units would be modeled on the CIA’s Counterterrorism Center, which grew exponentially in the years after the September 11, 2001 attacks on US soil.

The new centers will “bring the full range of operational, analytic, support, technical and digital personnel and capabilities to bear on the nation’s most pressing security issues,” Brennan said.

Each new center would be led by an assistant director who would be accountable for overall mission accomplishment in the field or geographic region assigned to their unit.

According to The Wall Street Journal, the overhaul follows an exhaustive review led by senior CIA veterans that identified several “pain points.”

“One of the things we’re trying to do here is to think about the agency operating in a way so that there are less of those… frictions that build up over time, and to have a more streamlined, a more efficient agency so we can, frankly, produce more, do a better job in some of the areas where we need to do better,” Brennan was quoted by the Journal as saying.

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013


SecurityWeek RSS Feed

Identity Fraud Cost U.S. Consumers $16 billion in 2014

Posted on March 4, 2015 by in Security

Identity thieves were busy during 2014, but a new study estimates that U.S. consumers actually suffered fewer losses than in the past.

According to the 2015 Identity Fraud Study from Javelin Strategy & Research, the number of identity fraud victims decreased slightly last year, dropping by three percent from 2013. All totaled, Javelin estimates 12.7 million U.S. consumers were victimized in identity theft in 2014, compared to 13.1 million the previous year. Total fraud losses fell as well, dropping from $ 18 billion in 2013 to $ 16 billion in 2014.

In another bright spot in the report, new account fraud – where a scammer opens a new account in the name of the victim – appears to have hit a record low in 2014. The good news does not go much further than that however. The report also found that victims of new account fraud are three times more likely to take a year or more to discover that their identities were misused than victims of other types of fraud.

Additionally, while incidents of identity fraud may have declined, they had a lasting impact on the spending habits of some of the victims. According to the survey, 28 percent of the 5,000 people surveyed said they avoided merchants after being victims of fraud. In addition, individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.

While students were the least concerned about fraud, Javelin found students were actually the most impacted. Though 64 percent said they were unconcerned with fraud, the group reported feeling more impact when fraud occurred, with 15 percent classifying it as moderate or severe. Students are also the least likely to detect identity fraud themselves. Some 22 percent said they were notified of the situation by a debt collector or when they were denied credit, three times higher than the average fraud victim.

“Despite the headlines, the occurrence of identity fraud hasn’t changed much over the past year, and it is still a significant problem,” said Al Pascual, director of fraud & security, Javelin Strategy & Research, in a statement. “Consumers, financial institutions and retailers are all taking aggressive steps, yet we must remain vigilant. The criminals will continue to find new ways to commit fraud, so taking advantage of available technology and services to protect against, detect and resolve identity fraud is a must for all individuals and corporations.”

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Silent Circle Unveils Enterprise Platform, New Devices

Posted on March 2, 2015 by in Security

Silent Circle Launches Enterprise Platform and New Devices Including Blackphone 2 and Blackphone+ Tablet

Silent Circle today unveiled two new devices as part of its Blackphone product line, along with a with new enterprise platform that combines devices, software and services into a privacy and security focused mobile architecture.

New hardware unveiled by the company includes the Blackphone 2 and the privacy focused tablet, Blackphone+.

Scheduled to be available in the second half of 2015, Blackphone 2 and offers hardware improvements over its predecessor, including a faster 8-core processor, three times more RAM, a longer lasting battery, the company said. The smartphone also integrates with existing Mobile Device Management systems and comes with a larger Full HD display.

Arriving later in 2015, the Blackphone+ tablet will offer privacy for mobile workers, the company said.

News of the enterprise platform and new hardware offerings comes just days after the company announced that it had agreed to buy out a joint venture with Geeksphone, giving Silent Circle a 100 percent ownership stake in SGP Technologies and full ownership of the privacy and security focused Blackphone product line. 

Offerings and enhancements coming as part of the new platform include:

PrivatOS 1.1 – The first major upgrade to the Android-based operating system created by Silent Circle introduces Spaces, an OS-level virtualization and management solution that enable devices to separate work from play. Geared specifically for the enterprise, PrivatOS allows users to keep enterprise and personal apps separate, while enabling IT administrators to lock and wipe enterprise managed ‘Spaces’ when necessary.

PrivatOS can also now integrate with several Mobile Device Management (MDM) platforms as a result of partnerships with Citrix, Soti and Good Technology.

Silent Suite, a set of core applications with peer-to-peer key negotiation and management, now includes Silent Meeting, a new, secure conference calling system that supports multiple participants. 

Aditional services offered as part of the enterprise platform include:

Silent Store – Installed on all Blackphone devices, the world’s first privacy-focused app store features apps from the developer community vetted by Silent Circle.

Silent World – An encrypted calling plan that lets users communicate privately with those who don’t have Silent Phone. Silent Worlds allows users to call anyone within the Silent Circle coverage areas privately, with no roaming charges or extra fees.

Silent Manager – Silent Manager gives enterprises a simple web based solution for managing plans, users and devices.

“Traditional security solutions have failed global enterprise in a mobile world and make data and privacy breaches feel inevitable to most enterprises,” said Mike Janke, Co-Founder and Chairman of the Silent Circle Board at a press conference held at Mobile World Congress 2015 this morning. “What’s more, these breaches have evolved and have much broader impact. They now put every customer, employee and partner at risk. They are eroding the trust people have in enterprises. They have moved privacy firmly to the top of the boardroom agenda.”

“Enterprises have been underserved when it comes to privacy,” said Bill Conner, President and CEO of Silent Circle. “Traditional approaches to security have failed them. We’re here to fix that. We have to understand that to achieve real privacy now requires security plus policy. That new equation is driving everything we do in building the world’s first enterprise privacy platform.”

In May 2014, Silent Circle announced that it had decided to move its global headquarters from the Caribbean island of Nevis to Switzerland, in order to take advantage of the country’s privacy laws. 

Last week, the company also announced that it had raised approximately $ 50 million in a private, common equity round to support accelerated growth.

Subscribe to the SecurityWeek Email Briefing

view counter

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

Network Vision Fixes Code Injection Vulnerability in IntraVUE Software

Posted on February 27, 2015 by in Security

Organizations that use the IntraVUE network visualization software from Network Vision are advised to update their installations as soon as possible because older versions of the solution are plagued by a critical vulnerability.

A code injection flaw (CVE-2015-0977) has been found in IntraVUE by Jürgen Bilberger from Daimler TSS GmbH, a security researcher who has discovered and reported vulnerabilities in several industrial control system (ICS) products over the past years.IntraVUE by Network Vision

According to an advisory from ICS-CERT, a remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary operating system commands that could impact the availability, integrity, and confidentiality of affected servers.

This is a high-severity vulnerability with a CVSS base score of 10. Even an attacker with low skill could leverage the bug, but there is no evidence that an exploit is publicly available, ICS-CERT noted.

The security hole affects all Windows versions of IntraVUE prior to 2.3.0a14. The issue has been addressed with the release of IntraVUE 2.3.0a14 on February 9. In the meantime, Network Vision also released version 2.3.0a16, which brings some functionality improvements.

“It is recommended that the new version be applied as soon as possible. Users who have software support contracts with Network Vision can upgrade to the newest version at no cost,” reads the advisory from ICS-CERT.

Network Vision is a Newburyport, Massachusetts-based company that provides industrial Ethernet solutions for sectors such as automation, critical manufacturing, transportation, and water systems.

IntraVUE, the company’s flagship product, is designed to provide Ethernet device visualization and enable organizations to quickly identify issues affecting devices deployed in distributed and hostile environments. The solution can be used to identify duplicate MAC and IP addresses, connection or application faults, device or cable moves, and unauthorized connections.

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

U.S. Offers $3 Million Reward for Russian Cybercriminal

Posted on February 24, 2015 by in Security

U.S. Offers $ 3 Million Reward for Russian Sought in Bank Hack

Washington – The United States on Tuesday offered a $ 3 million reward for information to apprehend a Russian national sought in a major hacking enterprise that stole some $ 100 million.

The State Department made the announcement of the reward for information on Evgeniy Mikhailovich Bogachev, believed to be the administrator of the group that created the “GameOver Zeus” malware that enabled thieves to break into bank accounts in 12 countries.

Bogachev is already on the FBI “cyber’s most wanted” list and is believed to be living in Russia.

“This reward offer reaffirms the commitment of the US government to bring those who participate in organized crime to justice, whether they hide online or overseas,” a State Department statement said.

Bogachev was charged last year with 14 counts including conspiracy, computer hacking, bank fraud and money laundering, after the FBI said it dismantled the operation with the help of technology companies such as Microsoft and Symantec.

According to investigators, the scheme used emails to infect up to one million computers, which could then be controlled by the hackers to gain bank login credentials to steal funds.

Some security experts said the malware re-emerged shortly after the FBI action.

Related: Gameover Zeus Most Prevalent Banking Trojan of 2013: Dell SecureWorks

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013

Tags:


SecurityWeek RSS Feed

Feedback Friday: Lenovo Preinstalled Superfish Adware on Laptops – Reactions

Posted on February 22, 2015 by in Security

For a period of several months, Lenovo shipped numerous laptop models with a piece of adware that broke HTTPS browsing and put users at risk. Now, the company has apologized to customers and provided them with instructions on how to remove the application.

Lenovo preloaded the WindowShopper browser add-on from Superfish thinking that customers would enjoy its features. However, many users were annoyed by it and started complaining on the Chinese manufacturer’s forums. After security researchers analyzed the software, they realized that it poses serious risks.

The adware injects ads into web pages by using a local proxy and a self-signed root certificate. Superfish actually replaces legitimate certificates with its own, making connections that should be secure untrusted.

Industry reactions to Superfish incident

Even more worrying is the fact that researchers have managed to extract the certificate’s private key. The private key can be used to sign potentially malicious websites and software that would be trusted on affected Lenovo notebooks.

Industry professionals pointed out that Lenovo should have known better not to install such software on its computers. Experts also noted that while this is a common practice, they hope that manufacturers will learn from the Superfish incident.

And the feedback begins…

Martijn Grooten, Editor at Virus Bulletin:

“Like most people working in security, I’m not very keen on the idea of ads in general and running third-party code on your computer or inside your browser in particular. But then, I accept that ads are part of the ecosystem and that pre-installing software that, as it is euphemistically called, “enhances user experience” makes laptops significantly cheaper.

Now injecting ads into a browser is bad enough, doing so by running an HTTPS proxy on the machine is a lot worse. HTTPS shouldn’t be touched unless it is for a very good reason – inserting ads is never a good reason.

But what makes it still orders of magnitude worse than that, is that their proxy uses the same certificate on all affected (or, perhaps more accurate, infected) PCs. Hence anyone can obtain the private key of the certificate – which, as people have already showed, isn’t rocket science – and use this to man-in-the-middle HTTPS traffic without the Lenovo user being aware.

The industry of bundled apps and programs is a complicated one and finding out what all the programs installed on the PCs you sell are up to might not be as easy as security researchers may suggest. But Lenovo should have been able to detect Superfish adding a SSL root certificate to the computer, as well as it running an HTTPS proxy on the local machine.”

George Baker, Director of Professional Services at Foreground Security:

“This was clearly a questionable design decision by Lenovo. Trusted manufacturers should know that building in a ‘man-in-the-middle’ feature is just that… highly questionable, regardless of the claimed benefit. And weak protection on the Superfish software’s own private key further undermines the system’s root of trust. If the software is present and trusted by the operating system, a knowledgeable attacker can exploit it at will.

That said, it’s good that it was caught early, after four months of production, and that Lenovo is taking some action. That should at least limit the number of users – and the amount of their private data – who are exposed.”

ThreatStream CTO Greg Martin:

“The latest Superfish debacle highlights the current strategy for device manufacturers across the electronics ecosystem looking to get their slice of the billion-dollar advertising revenue market that has made Google and others so successful. Unfortunately, like the case with Lenovo and many others, users’ privacy and security are compromised – often in secret – leaving them extremely vulnerable to malicious hackers who leverage the this type of tracking technology against them.

Unfortunately this won’t be the last we see of this type of story, but hopefully the publicity from Superfish will be enough to warn other like-minded manufacturers to take a more transparent approach and offer their users opt-out capabilities on future products that include embedded ad-tracking tech. Because Superfish was developed and licensed to Lenovo, it will be interesting to find out which other manufacturers are leveraging the Superfish technology in their products.”

Patrick Belcher, Director of Security Analytics, Invincea:

“The Lenovo and Superfish unwanted software debacle should serve as notice that there are dozens of ad companies that push spyware and toolbars, many of which exhibit rootkit-like properties and siphon off local user information to sell to advertising companies.

These programs are delivered like Trojan horses, bundled into innocuous applications with the sole intent of spying on and generating revenue at the expense of the user’s privacy. The ad companies purchase this siphoned data to deliver targeted advertising, and sometimes, malvertising to specific groups of users of the Internet.”

Ian Amit, Vice President at ZeroFOX:

“The Lenovo laptops that shipped with “Superfish” adware capable of snooping through the user’s encrypted web traffic are a very tangible threat to consumers and companies. People posting about their new Lenovo laptop on social media makes it easy for attackers to find them. Consequently, mapping those users’ home, work, and local coffee shops enables attackers to confidently launch man-in-the-middle attacks by abusing how Superfish allows snooping of encrypted web traffic (i.e. online banking, shopping, email, VPNs, etc).

We recommend that companies ensure their threat intelligence provide contextual data on their exposure as related to this vulnerability (employees, partners, locations, etc).”

Simon Crosby, CTO and co-founder of Bromium:

“It is high time for PC OEMs to accept that adware and other junk software installed in consumer devices is precisely the opposite of what their customers want, and that delivering a secure, non-intrusive, high quality product is valued by consumers. The Microsoft Surface Pro 3 is perhaps the antidote to the foolish behavior of PC vendors. It delivers the best that Microsoft offers, with no hidden scams.”

Grayson Milbourne, Webroot Security Intelligence Director:

“Sadly this is common practice in the industry. Customers aren’t informed this type of software is installed, leaving many users wondering how they have an infection on their brand new laptop when an anti-virus program picks it up. Consequently, this breeds a level of mistrust between the offending company and its customer base. In this case, users have aired their frustrations over social media channels – and it’s completely distracting from the quality products Lenovo manufactures.

In the past couple weeks, Lenovo has been forced to expend valuable time and resources managing backlash from the security community and customers. Undoubtedly, this is hurting the company’s bottom line and opening the door for competitors to claim privacy superiority.

If there’s a silver lining, it’s that this story will be a wake-up call for consumers. Whether its unwanted adware from the manufacture or hackers using malicious apps, they need to take precautions to know who is watching them on their own device.”

Steve Lowing, Director of Product Development at Promisec:

“Preinstalled software, such as adware like Superfish, must go through the same scrutiny as the shipping company (in this case Lenovo) would do for their own software in order to prevent these kinds of brand impacting missteps from happening. While it’s not exactly uncommon to see adware or promotional-ware software on new laptops these days, the times have changed where these once opt-in based services are not forced on us by default.

Coupling this tactic with poorly designed software that can carry out a “man-in-the-middle” attack on what is expected to be secured data is a potential lawsuit waiting to happen. Companies like Lenovo should know better than to pre-install this kind of software in the first place.”

Mark Parker, Senior Product Manager, iSheriff:

“The practice of pre-installing 3rd party software on PCs delivered to retail establishments, and direct shipped to business customers, presents a considerable risk. Given the choice, most consumers and businesses would choose not to have the 3rd party software installed. In the case of Lenovo and Superfish, we see an indication of exactly how dangerous that can be.

The man-in-the-middle certificate used made it such that every secure session was no longer private. In a day and age where corporate breaches are increasing, we should be seeking ways to limit our exposure, not pre-installing software that can create an attack vector.”

Chris Schweigert, Security Operations Director at EiQ Networks:

“The recent discovery of the Superfish application on Lenovo PC’s brings up the old best practices of installing a known, respectable copy of an operating system on your computer when you take it out of the box. Commercial off-the-shelf (COTS) applications have long been scrutinized by major enterprise environments and you simply cannot trust what you get from a manufacturer.

As a best practice, organizations should have a gold build install of all the authorized software for each new computer that comes in. You have to nuke the manufacturer installed applications and then re-install what you know to be trusted. Another advantage here is the ability to more easily identify changes to that baseline configuration on all your systems.”

Randy Abrams, Research Director at NSS Labs:

“It is disconcerting that virtually no anti-malware products were detecting Superfish, however the difference between malicious adware and acceptable adware is not ‘black and white.’ Not all behaviors are expected to be detected without a level of inspection that is not possible with the amount of malware being released daily. Vendors like Superfish employ teams of researchers to evade anti-malware products.

There are very likely many other adware products performing the exact same activities as Superfish. The primary motivation Superfish has is advertising revenue. This could have gone much worse for Lenovo if theft was the motivation for backdoors in third party software.

It is incumbent upon C-Level IT professionals to make sure there are well-defined processes and procedures for releasing third-party software on any medium. This must include tracking and auditing of third party vendors, monitoring their reputations and malware scanning with multiple products.

Coincidentally, the newly-formed Clean Software Alliance (CSA) will help in preventing this type of adware to go undetected. The CSA is a coalition of antimalware vendors, download bundlers and other members of the ‘adware’ ecosystem that are cooperating to set meaningful standards for ‘adware.’ Superfish’s conduct would preclude CSA approval.”

Muddu Sudhakar, Caspida CEO:

“U.S. computer manufacturers are getting a lot of push back from other countries for their hardware sales after scrutiny from incidents like those tied to the NSA and Snowden. Hardware vendors need to show beyond reasonable doubt that they are shipping high quality, highly secure products, eliminating backdoors in hardware and operating systems.

We need new third party certifications for hardware vendors who ship desktops/laptops or servers such as Lenovo, IBM, HP, and Apple. The third party certification should be robust and should be done independently of vendor companies and independently of government agencies.”

John Hultquist, Senior Manager, Cyber Espionage Threat Intelligence at iSIGHT Partners:

“We have noticed a trend affecting the software supply chain. The places people go to download applications or updates have been compromised on several occasions recently by cyber espionage actors who trojanize the software with their own malware. Chinese and Russian operators have swapped out everything from SCADA software to computer games, targeting very specific users as well as some opportunistic victims.”

John Pirc, Chief Strategy Office and Co-founder of Bricata:

“Based on the information surfacing about Superfish, administrators should inspect for where this application is installed and remove it. If you are using cloud based applications such as Microsoft Office 365 for Business or Google Apps for Work, enabling 2-step authentication offers additional protection in case your log-in credentials have been exposed. In the event someone is able to get your username and password they might try and log-in from another system; 2-step authentication would protect you from becoming further compromised.

This could also complicate matters for the Lenovo install base if they have a significant footprint within the U.S. government or federal contractors. My same recommendations for businesses apply in these sectors. However, I would strongly recommend that anyone in the USG and contractor community who uses a Lenovo PC and is involved with any sensitive projects should have their system checked for Superfish. Having the app installed may not mean they are compromised, but again, the main objective is reducing your risk.

Lenovo is a great company and it is unlikely they would knowingly place ‘malware’ on a system. Lenovo should have caught the Superfish issues earlier, via discussions in their user forums and I’m sure they are addressing the matter. Still, this does not discount the risk facing those who are at risk of a man-in-the-middle attack.”

Greg Hoffer, senior director of engineering, Globalscape:

“We put a lot of trust in technology, but this event is a reminder for everyone: take nothing for granted, and remain ever vigilant with the products you develop, integrate and purchase. There are ample industry standards available for security development and testing, independent security experts available to validate performance, and well-established protocols for production and operations. Assume nothing and put into action the old axiom, ‘Trust, but verify.’”

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed