Zero Day Weekly: Lenovo's poison Superfish, Netgear vuln, SIM card spying, Obama's encryption follies

A collection of notable security news items for the week ending February 20, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.

Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending February 20, 2015. Covers enterprise, controversies, reports and more.

This week Lenovo poisoned its own PCs with dangerous Superfish adware, US and UK spies hacked SIM card manufacturer master keys to decrypt mobile data worldwide, Obama got encryption wrong, Netgear router issues could allow auth bypass, Android malware fakes phone shutdown to steal data, Kaspersky has reported that bank hackers stole over $1 billion, and much more.

  • In the wake of the discovery that Lenovo had surreptitiously installed the Superfish adware on consumer notebook products shipped between September and December, the Decentralized SSL Observatory reports it has found 44,000 man-in-the-middle certificates, all signed by the same Superfish root certificate.
  • Netgear, not great: A warning has been issued about what appears to be a serious security issue affecting several Netgear WiFi routers, which could result in hackers stealing sensitive information, including admin passwords and wireless keys. Details of the vulnerability were published (alongside proof-of-concept exploit code) by security researcher Peter Adkins, who explained that the flaw lay in the SOAP service embedded inside the vulnerable Netgear routers.
  • Microsoft has opened its fifth global Cybercrime Satellite Centre in Singapore to support its cybercrime efforts in Asia-Pacific, which is increasingly a hot target for hackers. The facility is the third in the region, joining similar centers in Beijing and Tokyo, and will lend its services to Southeast Asian economies including India, South Korea, Australia, and New Zealand. The other two global sites are in Berlin and Washington, the latter being where the first was launched in November 2013.
  • President Obama met with business leaders at a summit on cybersecurity and consumer protection on Feb. 13 at Stanford University in Palo Alto, Calif. The president tried to walk a fine line on encryption, but the technical aspects of encryption actually are quite black and white, experts say, adding that the example Obama used to illustrate the risks of encryption doesn't match up with how tech companies are deploying the security measure for customers.
  • SIM card spying goes nuclear: According to top secret documents made public Thursday, US and UK spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe. The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world.
  • On Monday at the Kaspersky Lab Security Analyst Summit, the firm unveiled research concerning the existence of a cyberattack team dubbed The Equation Group. The group, which Kaspersky Lab Global Research and Analysis Team (GReAT) members dub the "ancestor" of Stuxnet and Flame operators, has been in operation since 2001 and possibly as early as 1996. A long list of almost superhuman technical feats illustrates Equation Group's extraordinary skill, painstaking work, and unlimited resources, including spiking conference CDs with very refined malware.
  • A particularly devious new strain of Android malware can make calls or take photos even if you shut the device down, according to security research firm AVG. To achieve this, the malware hijacks the shutdown process, making it appear as though your Android device is shutting down. You see the animation, the screen goes black, but the phone is actually still on.