SAN FRANCISCO: New malware has been found on Lenovo notebooks launched between October 2014 and January 2015. The malware has been dubbed the Superfish security risk. Lenovo acknowledges the risks of the Superfish adware, as new details emerge on how widespread other vendors’ use of the underlying technology is.
Lenovo is now changing its stance on the Superfish adware that was bundled on some of its PCs between October 2014 and January 2015. Initially, Lenovo claimed there was no security risk from Superfish, but as it turns out, the risk is real and it extends beyond just Lenovo.
The discoveries are the latest in a string of revelations indicating that, as traditional security defenses have begun to fully surround the outer layers of our devices, criminals, nation-state hackers and apparently advertisers have turned their focus inward, to the very heart of the machine, where their code is easily concealed.
Perhaps it’s improbable that your sites are affected, but a Pandora’s box has been opened. Consider that if it was this easy to insert root certificates that can spoof away at will, are your cloud and other host certificates legitimate? How would you know? Are your security people taking vacations soon?
I get the nagging feeling that this might be the tip of an iceberg. How many super cracks have you seen in the past 30 days? Imagine a hapless user, hopefully NOT your CFO, opening a benign email with a payload that monkeys with his/her root cert cache, or worse, your organization’s root/CA cache. It’s script kiddies from there. They’ll eat your lunch between cartoon shows.
Worse still, your builds might be compromised. It’s something that few people check. Hey, Ernie, did you and Kate check that build for its browser root certs? Say what?
This is bad news. We need a cert for our certs. We need an impenetrable method of guaranteeing that top-level certs, or even subsidiary certs, aren’t corrupted or surreptitiously appended.
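One way to run the build check asked about above is to compare the root store extracted from a build against SHA-256 fingerprints recorded from a trusted reference image. This is an added example, not part of the original article; the function names, the baseline and the sample "certificates" (placeholder bytes, not real certificates) are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """Return the SHA-256 fingerprint of each certificate body in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        # Strip line breaks, then decode strictly so corrupt entries raise.
        der = base64.b64decode("".join(body.split()), validate=True)
        found.add(hashlib.sha256(der).hexdigest())
    return found

def audit_root_store(pem_bundle, baseline):
    """Diff a root store against a trusted baseline of fingerprints."""
    present = fingerprints(pem_bundle)
    return {
        "unexpected": sorted(present - baseline),  # roots appended to the store
        "missing": sorted(baseline - present),     # roots removed or replaced
    }

def _fake_pem(der):
    """Wrap arbitrary bytes in PEM armor (sample data only)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes standing in for DER certificates.
ROOT_A = _fake_pem(b"constructed-root-A")
ROOT_B = _fake_pem(b"constructed-root-B")
INJECTED = _fake_pem(b"constructed-injected-root")

# Assumption: the baseline was recorded from a reference image you trust.
BASELINE = fingerprints(ROOT_A + ROOT_B)
# Assumption: this bundle was extracted from the build under review.
BUILD_STORE = ROOT_A + ROOT_B + INJECTED

if __name__ == "__main__":
    report = audit_root_store(BUILD_STORE, BASELINE)
    for fp in report["unexpected"]:
        print("UNEXPECTED ROOT", fp)
    for fp in report["missing"]:
        print("MISSING ROOT", fp)
```

The baseline is only as trustworthy as where it is stored, so keep it outside the build pipeline it is used to check.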