While one would like to assume that, when it comes to security, vendors act in the best interest of their customers, this is not always the case.
Three news developments this week highlight that while vendor trust can be easily lost, it is not always easily regained.
The Superfish that's super scary
In a Lenovo Group Ltd. forum post from Jan. 23, 2015, Lenovo Social Media Services Program Manager Mark Hopkins said the Superfish Visual Discovery browser add-on that came preinstalled on consumer Lenovo products had been temporarily removed from systems until the company behind the add-on was able to release a fix. In the same post, Hopkins said the preinstalled software was created to help users search for images "without knowing exactly what an item is called or how to describe it." Superfish does not, Hopkins said, profile nor monitor user behavior or record user information.
The vulnerability allows Superfish software to install a self-signed root HTTPS certificate that enables the software to intercept encrypted traffic, a process only security-savvy users would detect. When a user visits an HTTPS website, the site certificate is signed and controlled by Superfish, so it is able to inject malvertisements and collect user information.
Expert Graham Cluley explained that Superfish is "designed to intercept all encrypted connections -- things it shouldn't be able to see. It does this in a poor way that leaves the system open to hackers or NSA-style spies."
The vendor has posted instructions on its website for removing Superfish. Hopkins wrote, "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."
Yet as one user commented on the forum, the fix does not remove the fake root certificate that can be used to intercept encrypted connections.
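Because the removal instructions leave the root certificate in place, a defender's first step is to find out whether the machine still trusts it. The following PowerShell function is an added example, not Lenovo's or Superfish's code: it walks the machine and user trusted-root stores, reports any CA whose subject or issuer matches a name pattern (only the name "Superfish" comes from the article; no thumbprint is known here, so matching is by name), notes whether the certificate is self-signed and flagged as a CA as the article describes, and removes the matches only when asked to. The function name and parameters are this example's own choices.

```powershell
# Added example (not part of the original article): audit the Windows trusted-root
# stores for a self-signed CA certificate matching a name pattern, and optionally
# remove it. Removing from Cert:\LocalMachine\Root requires an elevated shell.
function Find-SuspectRootCA {
    param(
        # Name fragment to look for; "Superfish" is the name given in the article.
        [string] $NamePattern = 'Superfish',
        # Only delete matching certificates when this switch is supplied.
        [switch] $Remove
    )

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    $findings = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern } |
            ForEach-Object {
                # Basic Constraints tells us whether the certificate claims CA status.
                $bc = $_.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    SelfSigned = ($_.Subject -eq $_.Issuer)   # issuer == subject: self-signed root
                    IsCA       = [bool]($bc -and $bc.CertificateAuthority)
                    NotAfter   = $_.NotAfter
                    Path       = $_.PSPath
                }
            }
    }

    if ($Remove) {
        foreach ($f in $findings) {
            Remove-Item -Path $f.Path -Verbose
        }
    }

    # Return the findings so the caller can log or review them.
    $findings
}

# Report only; add -Remove (from an elevated prompt) to delete what was found.
Find-SuspectRootCA | Format-Table -AutoSize
```

Run it without `-Remove` first and review the `SelfSigned` and `IsCA` columns: a self-signed CA in the root store that was not placed there by the OS vendor or the organisation's own PKI is exactly the condition that lets software intercept HTTPS traffic the way the article describes. Note that browsers with their own certificate store (Firefox, for example) are not covered by this check.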
To its credit, Lenovo owned up to the faux pas. Lenovo CTO Peter Hortensius told IDG News Service Thursday that the company "messed up badly," and that his embarrassed team of engineers flat out "missed this" issue with Superfish.
Microsoft adds user-friendly features
Shortly after backlash from the security community following the discontinuation of its public Patch Tuesday Advanced Notification Service (ANS), Microsoft announced that its upcoming Windows 10 release would support biometric authentication.
In a Windows blog post last week, Microsoft Group Program Manager and Fast Identity Online (FIDO) Alliance President Dustin Ingalls wrote about Microsoft's input to the FIDO 2.0 Specification Technical Working Group, and discussed how Windows 10 will offer a culmination of the group's efforts.
"Identity is one of the greatest challenges that we face in online computing," Ingalls wrote. "We believe FIDO authentication is the pathway to success."
Microsoft joined the FIDO Alliance in 2013. The non-profit group's focus is to replace the security-riddled password with more user-friendly authentication methods.
In the blog, Ingalls said, "For the very first time, Windows devices and Microsoft-owned and partner SaaS services supported by Azure Active Directory authentication can be accessed end-to-end using an enterprise-grade two-factor authentication solution -- all without a password."
Microsoft announced Jan. 8 that it was limiting its ANS to only premium -- or paying -- members. The news was met with much criticism, as many in the security industry have found the previews extremely helpful in preparing for and prioritizing the software giant's upcoming patch bulletins.
In its adoption of the FIDO standard and biometric authentication, Microsoft is not only offering its support for user-friendly technologies, but also seeking to foster the advancement of strong authentication measures.
Walled garden = improved security or lost freedom?
In a blog post last week, Mozilla Add-Ons Developer Relations Lead Jorge Villalobos said the change will greatly improve security.
"Extensions that change the homepage and search settings without user consent have become very common," Villalobos said, "Just like extensions that inject advertisements into webpages or even inject malicious scripts into social media sites."
While Mozilla previously established a list of add-on guidelines that developers must adhere to, the company admits it is impractical and difficult to keep the add-ons in line.
Extensions will be subject to "extension signing" -- a process that involves developers submitting the add-on to Firefox's AMO (its website repository of add-ons) for review. Once cleared, the add-on will be made available via the AMO.
While the change aims to improve website security, it has been met with some criticism.
A number of workarounds will be available to users, but some Mozilla loyalists see this as an unnecessary additional step -- and hassle -- in order to develop add-ons for Firefox, which has traditionally been seen as the most widely used "open" browser.
Comments on Mozilla's blog show that users are "sick of the Internet police stopping technical people from doing what they know and understand is safe."
One user commented, "We have very different concepts of users' trust models," while another said, "All you do is make it harder for legit users and developers of browser additions."
In other news
- While the FBI attributed last year's Sony Pictures Entertainment hack to North Korea in December, security firm CrowdStrike emerged with new evidence this week to back up the claim. During a public demonstration webcast Tuesday, CrowdStrike CTO Dmitri Alperovitch revealed similarities in code between the wiper malware used in the Sony attack and malware deployed against South Korea and the United States by a group dubbed Silent Chollima. Alperovitch found the code shared the same typo: "security" was written "secruity." Code can be reused during attacks, Alperovitch said, but the chances of this code being reverse engineered and reproduced with the same typo are "highly implausible." Late Thursday, Admiral Mike Rogers, director of the NSA, also confirmed that the agency's own analysis had identified North Korea as the source of the SPE attack.
- Visa Inc. and MasterCard Inc. separately announced plans this week to boost cardholder data security. MasterCard said it would invest an additional $20 million in cybersecurity measures this year, including the launch of its Safety Net initiative this spring, which will use algorithms to spot and block fraudulent transactions as they take place. The company will also partner with First Tech Federal Credit Union on a pilot program to improve authentication using biometrics such as fingerprint, facial and voice recognition. Visa announced the expansion of its Visa Token Service, which first launched in October 2014, to reduce the risk of cardholder data theft by replacing account numbers with digital identification numbers that do not reveal sensitive account details. The company also plans to incorporate tokenization for online transactions with retailers using its Visa Checkout service.
- In separate Visa news, the company will reportedly begin asking members to opt into a new feature that allows users to be tracked when making a transaction based on the location of their mobile device. The Visa Mobile Location Confirmation service, which Visa will make available to banks and credit card issuers, is touted as a travel convenience, as it will reduce the chances of a transaction being declined when travelling by nearly 30%. While some users aren't keen on the idea of tracking, privacy experts are applauding Visa's effort -- if the feature can be used properly.
- According to an international study by the U.K.'s Information Commissioner's Office (ICO) published Tuesday, while the average cookie is programmed to expire after one to two years, some can last up to 7,984 years. Researchers found three cookies set by websites would not expire until Dec. 31, 9999. The study, which reviewed 478 websites, also found that the average website placed 34 cookies on a device during a person's first visit, and 70% of cookies were third-party cookies (30% were first-party cookies).