The Register, as well as many other news sources, is reporting a new security vulnerability in Lenovo products.
Security researchers at IOActive uncovered a mechanism that would have allowed hackers to create a fake certificate authority in order to sign executables. The trick could be used by hackers on the same untrusted wireless network, of the type commonly found in coffee shops, pubs and transport hubs, to replace legitimate Lenovo programs with malware, as IOActive explains:
Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them.
Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable.
You could find a more-to-the-point article on this, but The Register’s writing makes this story much more fun.
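The IOActive finding above comes down to which certificate authority the updater is willing to trust when it checks a downloaded executable's signature. The Go program below is an added example, not code from IOActive, Lenovo or The Register, and it makes no claim about how Lenovo's System Update actually implemented its check. It builds a throwaway vendor CA and a look-alike CA with the same name but a different key, issues a code-signing certificate under each, and compares a validation policy that trusts whatever root arrives with the download against one that pins the vendor root compiled into the updater. Every certificate name in it is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate. Both the "vendor" and the
// look-alike CA are constructed here; neither is a real vendor certificate.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCodeSigner issues a code-signing leaf certificate under the given CA.
func issueCodeSigner(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Update Signer (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo reports whether leaf verifies as a code-signing certificate
// under the single trust anchor root.
func chainsTo(leaf, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// Outcome records how each validation policy treats the two signers.
type Outcome struct {
	WeakAcceptsAttacker   bool // trust anchor taken from the download itself
	PinnedAcceptsAttacker bool // trust anchor is the vendor root built into the updater
	PinnedAcceptsVendor   bool // the legitimate signer still passes the pinned check
}

// RunScenario builds both CAs and a signer under each, then applies both policies.
func RunScenario() (Outcome, error) {
	var out Outcome
	vendorCA, vendorKey, err := newCA("Example Vendor Root (constructed)")
	if err != nil {
		return out, err
	}
	// Same name as the vendor root, but a key the vendor never controlled.
	fakeCA, fakeKey, err := newCA("Example Vendor Root (constructed)")
	if err != nil {
		return out, err
	}
	vendorSigner, err := issueCodeSigner(vendorCA, vendorKey)
	if err != nil {
		return out, err
	}
	rogueSigner, err := issueCodeSigner(fakeCA, fakeKey)
	if err != nil {
		return out, err
	}
	out.WeakAcceptsAttacker = chainsTo(rogueSigner, fakeCA)    // root shipped with the file
	out.PinnedAcceptsAttacker = chainsTo(rogueSigner, vendorCA) // pinned vendor root
	out.PinnedAcceptsVendor = chainsTo(vendorSigner, vendorCA)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The name match between the two roots is deliberate: a check that only compares the issuer's name, or that trusts any self-signed root bundled with the download, accepts the rogue signer, while the pinned check fails on the signature and rejects it. In a real updater the pinned anchor would be the vendor root (or its hash) embedded in the binary and the check would run through the platform's signature verifier; this program only shows the trust-anchor decision that the IOActive advisory is about.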
Last week, IBM Security reported on an active cyberheist campaign using a variant of the Dyre Trojan that has successfully stolen more than $1 million at a time from targeted enterprise organizations.
This is not an issue with any IBM software; rather, it is an interesting innovation in the once-simple Dyre malware, which now adds advanced social engineering tactics geared to circumvent two-factor authentication. In recent incidents, organizations have lost staggering amounts of $500,000 and $1.5 million to this sophisticated criminal cyber gang.
It’s the “social engineering” portion that shows organizations that no matter how sophisticated your defenses, your users are now, and probably always will be, the weakest link in your security efforts. I’m sure that training your users against social engineering is not a very high priority, but it should be at the top of your security efforts.
IBM is very clear as to what you need to do to combat spear phishing and social engineering:
Organizations will remain only as strong as their weakest link. Proactive end-user education and security awareness training continue to be critical in helping prevent incidents like the one described in this advisory. It is highly recommended to have periodic training for end-users on the types of threats they are likely to encounter and what actions they should or should not take, especially those users with access to corporate banking credentials. Users should be informed of the common techniques used by attackers, SPAM and phishing campaigns, as well as what actions the organization expects of them if and when they receive unusual emails, phone calls or other communications. Users should know how and who to contact to quickly report anomalies.
Consider doing periodic unannounced mock phishing exercises where the users receive emails or attachments that simulate malicious behavior. Metrics can be captured on how many potential incidents would have happened if it had been real.
You may read the full report here.
From the LinkedIn blog:
Last year, LinkedIn acquired Rapportive, an email company that I co-founded. Since then, we have been furiously working together to build a groundbreaking mobile product: LinkedIn Intro.
The growth of mobile email is simply staggering. Four years ago, less than 4% of emails were read on mobile. Today, half of all emails are read on a mobile device!
So we set ourselves the challenge: bring the power of LinkedIn, and the technology of Rapportive, straight to the Apple Mail app on your iPhone.
We call it… LinkedIn Intro.
As friendly and useful as that sounds, many security firms are recommending against this new service. One such example is Bishop Fox. From their blog:
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers. LinkedIn is forcing all your IMAP and SMTP data through their own servers and then analyzing and scraping your emails for data pertaining to…whatever they feel like.
“But that sounds like a man-in-the-middle attack!” I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.
Why is this so bad? Here’s a list of 10 reasons to start:
I think I’ll pass on Intro, thank you very much.
(Thanks for the link, Chris)