I would like to believe that this situation with Lenovo and Superfish is an isolated incident, but given the profitability of selling load space at the PC factory level, I would imagine there are several other pieces of malicious software installed on other manufacturer hardware. These linked articles and the embedded Youtube video can give you a bit more information about this problem and how to address it on your hardware. At the end of the day, the best practice for any new PC purchase is to re-image the device and start with a clean slate, but this is not always an option for the less technically inclined.
This is disturbing considering the potential impact on financial institutions relying on the US Secret Service for financial fraud investigations and the overall need for protections around our nation’s critical infrastructure. There are certain fights worth fighting in our nation’s capital, but these are not the chips I would choose to gamble with.
As someone who until recently had to file an annual state income tax return, this type of fraud is concerning, specifically because of the potential lag between the actual offense and its discovery. States must quickly build fraud deterrents into their programs or this problem will only grow.
I am a proponent of the work being done by FIDO and their authentication standard. That said, I am not sure Microsoft has complete bought in to the process. They tend to go their own way or only adopt portions of standards to meet their needs. I hope I am wrong in this case and Microsoft meets or exceeds the new FIDO 2.0 standard.
This article is a great take on cyber espionage and its affect on corporate America. We can no longer assume we are not a target. Everyone is a target.
I am particularly intrigued by this article from Dark Reading because of the perspective it provides concerning the US Cyber Spying/Hacking program in the context of the mission statements of the NSA, CIA, and United States Cyber Command. Regardless of the definitive statements made by many on both sides of this debate, this issue is both complex and nuanced and should not be dismissed off hand.
A good daily recap from the team at Akamai.
These are a couple of articles detailing a discovery by the team at Kaspersky concerning hard drive embedded malware. Though unproven, the NSA is suspected, adding to the ongoing debate of exactly how much surveillance tech is embedded into our daily lives by the federal government. It is certainly an interesting conversation.
The debate continues around zero-day vulnerabilities and how they should be reported and addressed. Google has backed off a bit from their initial strict 90-day for remediation and reporting. Regardless of which side of this argument you support, the debate is worthwhile and is moving the patch process forward for critical software.
This is an excellent explanation of the changes announced by the Payment Card Council (PCI) concerning the use of SSL as a form of strong cryptography. Please take note of Mr. Man’s explanation and the impacts these changes will have on compliance efforts.