The week in security: Root-certificate stuff-ups send Dell, device makers scrambling
- 30 November, 2015 10:27
Just as most people believe they are safer drivers than the people around them, new research suggests that most Australians believe they are safer online than they really are – or must be, given that cybercrime is costing Australia more than $1.2 billion annually. No wonder security analysts continue to argue that CISOs and CEOs must find a way to work together towards common objectives.
Growing mobile and cloud usage – particularly in Australia, where secured Wi-Fi networks are becoming front-line tools – is driving the need for secure identity-management frameworks that will increasingly link services through the use of smart APIs, one industry technologist believes. With cloud initiatives fundamentally changing many security models, however, such strategies will need to avoid issues such as poor key handling – as was found in the reuse of SSH and TLS crypto keys across millions of devices, leaving every device that shares a key open to the same attack. Also in the doesn't-work-like-it's-supposed-to files, a bug in some VPN services was identified that allows users' real IP addresses to be discovered.
In a throwback to the recent Superfish dramas from Lenovo – which was again forced to patch serious vulnerabilities in a system-update tool – Dell computers were found to be shipping with a potentially dangerous root certificate authority installed directly on the laptops, allowing attackers to sniff traffic from the systems to any secure Web site.
The magnitude of the problem grew as researchers investigated further, with Dell admitting that what it had done was a bad idea. It turned out the certificate had been installed in an attempt to improve customer service; investigators also discovered that there was more than one questionable certificate on the systems, and that even older Dell devices are affected.
Such events will likely increase consumer interest in the SAFECode program – designed to help guide purchases of safe software. There is, after all, a lot of unsafe software floating around: a popular adware program called Vonteera, it turns out, can stop users from installing security products by manipulating Windows' digital certificates. Microsoft began offering the ability to detect unwanted software within its anti-malware products – and targeted Dell's dodgy certificates – while researchers discovered two more ransomware threats for Linux-based Web servers.
News agencies had gained status as targets for cybercrime attacks in Asia, where cybercriminals were also following the surge in payment-card fraud. Little wonder, with a hacker-built device able to figure out Amex numbers automatically – little consolation for retailers that already face a new threat from ModPOS malware, just in time for the holiday shopping season. The Dridex botnet financial-credential stealer was targeting computers in the US, UK, and France. And, in a change of tack, hackers targeted toy maker Vtech and stole data on up to 4.8m parents and 200,000 of their children.