Last week Lenovo grabbed headlines for all the wrong reasons following the discovery that the company had pre-loaded adware onto PC’s sold between September 2014 and January 2015. The ‘Superfish’ software monitors users’ online activity and analyses the images that appear on their screens, tailoring subsequent advertising to match their browsing history. That information is gathered without the permission of the user, and until now, the software had been difficult to remove. The program effectively carries out a ‘man-in the middle’ style attack as it decrypts secure traffic, inserts its own ads, and then re-encrypts the traffic. The program is able to function in this fashion as Lenovo added Superfish’s digital signature to Window’s list of trusted root certificates.
In addition to the alarming privacy concerns, the Superfish software has raised several security issues. The US Department of Homeland Security is urging Lenovo customers to uninstall the software as it creates a significant vulnerability that could be exploited by malicious actors. Robert Graham at Errata security has already shown how quickly PCs with Superfish can be compromised.
The Turkish government has announced this week that it’ll launch a Cyber Security Operation Centre constructed entirely on nationally-built software. The CSOC will gather various existing cyber programs and functions carried out by the government and organise them under a ‘single operating system’. To assist in that effort Turkey’s defence procurement office is establishing a unit purely dedicated to cyber security and has already offered to lend ‘every support…to all potential Turkish companies keen to develop solutions’.
Whilst nation-states and private companies are ramping up their defensive efforts against outside attacks, it’s always wise to keep an eye on those inside the tent. A report from PwC looking at global crime found that over half of those wanting to commit fraud against a company actually worked at the company in question. Criminals acting from within organisations are often much harder to spot as they have an advanced knowledge of systems and processes that are in place and where loopholes exist. These types of crimes are therefore often more subtle, longer-term and harder to combat than large, forceful, external attacks.
Lieutenant General Edward C. Cardon, commander of U.S. Army Cyber Command and Second Army recently gave an interesting and wide ranging talk at Georgetown University on the evolution of the cyber landscape. He called not only for a cross-service and cross-government approach, but one that draws in the private sector and international partners. He also spoke about the difficulties surrounding terminology in the cyber world. ‘There’s a real challenge here’. Cardon said. ‘When you say “attack in cyberspace”, what does that really mean? [From a policy standpoint], when you say “attack”, there are a lot of treaties in place that say, “We’ll come in defense of an attack”, so you can instantly start to see how complex this could become rapidly.’
Wrapping up this week, we received the following comment from the Department of the Prime Minister and Cabinet after our ASPI Cyber wrap posted on 18 Feb referenced this article. “The media incorrectly reported this week that the Government’s Cyber Security Review won’t deliver its full findings until the end of the year. The Review is still on track and will report in the six month timeframe announced by the Prime Minister last November. This will be followed by the release of a public strategy outlining practical initiatives to improve our national security, and practical ways government can work with business to make online commerce more secure.” You can also check out the Cyber Security Review’s new web page here.