Dramatic information security incidents and news were unfortunately fairly common in February; here we briefly recall three of the most interesting ones.
Most attention was probably gained by a story about an alleged theft of a massive number of encryption keys used in mobile communication from the network of the Dutch company Gemalto (a major SIM card supplier) by the NSA and GCHQ. Such keys could be used to decrypt live communications and also, for example, to remotely inject malicious code into end devices. The source of the story was The Intercept, citing a 2010 document obtained by Edward Snowden, formerly of the NSA. After the news went public, Gemalto's stock took a serious hit. The company responded a couple of days later with a press release admitting that an operation by the NSA and GCHQ that penetrated the company's internal network probably did happen, but emphasizing that the penetration “could not have led to a massive theft of encryption keys”. Gemalto further stated that “in the case of eventual key theft, the intelligence services would only be able to spy on second generation 2G mobile network” since “3G and 4G networks are not vulnerable to this type of attack”.
Another high-impact February news item was that the Superfish adware (which injects ads into viewed web pages based on analysis of the images they contain), which Lenovo preinstalled on its laptops, installed a self-signed root certificate. Using that certificate, the adware could generate certificates for web pages the user viewed over encrypted connections, replacing the legitimate certificates and compromising the security of communication between the user and the web page. Superfish was thus able to analyze and alter SSL-encrypted communication. Furthermore, since the root certificate appears to have always been the same and was itself not very secure, its presence in a system constitutes a vulnerability which a potential attacker could exploit quite easily. Since this was discovered, lawsuits have been filed against Lenovo and the company's web pages have been defaced.
It should also be noted that in the course of February, after being criticized by Microsoft (among others), Google decided to change the policy of its Project Zero, an initiative which, after discovering a vulnerability in an application, gave its developers a 90-day deadline to produce a patch. Once the deadline had passed, the vulnerability was made public regardless of whether a patch existed or a later release was planned. This is what happened with Microsoft and a vulnerability in Windows 8.1, when the 90-day deadline ended two days before the planned release of a patch on Patch Tuesday, Microsoft's regular release of updates and patches. Google now grants developers up to 2 weeks of reprieve after the deadline has passed, provided they are actively working on patching the vulnerability.