What the Lenovo Malware Debacle Means

As has been widely reported, Lenovo shipped consumer laptops with pre-installed software that left them vulnerable to a so-called man-in-the-middle attack. The software intercepted inbound web data, decrypted it, inserted advertising, re-encoded it, issued a new security certificate (signed by a pre-installed “root” certificate) and then passed it along to the browser, which accepted the data as trusted. It works on outbound data, too. Equally bad, because the makers of the malware were sloppy (and why wouldn’t they be?), they used the same certificate on many machines, used a weakly encrypted certificate and protected it with a password that was easily guessable (not cracked, guessed). This created a ready-made entrance for other attackers to insert themselves as the person-in-the-middle and compromise every transaction.

The upshot? The user of an infected machine can have zero confidence that the websites they visit (banks, corporate sites, etc.) are real. Security experts warn that no web-based transaction from an infected machine can be deemed secure.

What if the user of such a compromised machine was working with your data, on your network?  How can you even assess whether data has been stolen?  Simply, you cannot.
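The mechanism above (a pre-installed root certificate, a weak key, the same certificate on many machines) leaves fingerprints that a defender can look for. The script below is an added example, not code from the original post: it audits constructed TLS chain observations collected from endpoints, flags chains that terminate in a root not present in a known-good baseline, flags roots with weak keys, and reports any non-baseline root that shows up across several endpoints, which is exactly the "same certificate on many machines" pattern. The endpoint names, fingerprints and the "OEM-Adware-Root" subject are all made up for the example; in practice the baseline would come from a clean build and the observations from an endpoint agent or proxy log.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: TLS chain observations exported from endpoint agents.
# Columns: endpoint, server_name, root_subject, root_key_bits, root_spki_sha256
# Fingerprints are shortened placeholders; "OEM-Adware-Root" is a made-up subject.
SAMPLE_OBSERVATIONS = """\
endpoint,server_name,root_subject,root_key_bits,root_spki_sha256
host-01,bank.example,Public Root CA A,2048,a1a1a1
host-01,mail.example,Public Root CA A,2048,a1a1a1
host-02,bank.example,Public Root CA B,4096,b2b2b2
host-03,bank.example,OEM-Adware-Root,1024,c3c3c3
host-04,bank.example,OEM-Adware-Root,1024,c3c3c3
host-05,shop.example,OEM-Adware-Root,1024,c3c3c3
"""

# Baseline of root SPKI fingerprints recorded from a clean, known-good build (constructed values).
KNOWN_GOOD_ROOTS = {"a1a1a1", "b2b2b2"}
MIN_ROOT_KEY_BITS = 2048      # anything weaker is flagged as a weak root key
SHARED_ROOT_THRESHOLD = 2     # a non-baseline root on this many endpoints suggests a fleet-wide install


def parse_observations(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(observations):
    """Return findings grouped by type.

    unexpected_root:     chains whose root is not in the clean baseline
    weak_root_key:       roots with a key shorter than MIN_ROOT_KEY_BITS
    shared_private_root: non-baseline roots seen on >= SHARED_ROOT_THRESHOLD endpoints
    """
    findings = {"unexpected_root": [], "weak_root_key": [], "shared_private_root": {}}
    endpoints_by_root = defaultdict(set)

    for row in observations:
        fp = row["root_spki_sha256"]
        bits = int(row["root_key_bits"])
        if fp not in KNOWN_GOOD_ROOTS:
            findings["unexpected_root"].append(
                (row["endpoint"], row["server_name"], row["root_subject"])
            )
            endpoints_by_root[fp].add(row["endpoint"])
        if bits < MIN_ROOT_KEY_BITS:
            findings["weak_root_key"].append((row["endpoint"], row["server_name"], bits))

    # The same private root key trusted on many machines means one compromise of that
    # key lets a third party impersonate any site to every one of those machines.
    for fp, hosts in endpoints_by_root.items():
        if len(hosts) >= SHARED_ROOT_THRESHOLD:
            findings["shared_private_root"][fp] = sorted(hosts)

    return findings


def compromised_endpoints(findings):
    """Endpoints whose web transactions can no longer be trusted: any endpoint with a finding."""
    hosts = {ep for ep, _, _ in findings["unexpected_root"]}
    hosts |= {ep for ep, _, _ in findings["weak_root_key"]}
    for ep_list in findings["shared_private_root"].values():
        hosts.update(ep_list)
    return hosts


if __name__ == "__main__":
    result = audit(parse_observations(SAMPLE_OBSERVATIONS))
    for kind, items in result.items():
        print(kind, items)
    print("endpoints to isolate and reimage:", sorted(compromised_endpoints(result)))
```

The fingerprint baseline is the important design choice: comparing against a list of public CA names is not enough, because an interception root can carry any subject it likes, whereas the SPKI hash of a clean build's trust store cannot be spoofed by renaming.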

Does this mean that BYOD is a bad idea? That is open to debate. On the one hand, inviting any computer, any smartphone, any device onto your network invites a host of security problems across multiple platforms. In short, you get what you pay for. On the other hand, even the purchase of company-owned equipment is no guarantee that an employee will not download bad software onto it or attach bad hardware (see, for instance, this piece on malware in firmware) to your network.

Whatever the answer, I do think that this attack should push employers to think “defense-in-depth,” that is, layering defenses and even anticipating that an attacker will succeed (perhaps without your knowledge). That layering has to include limiting the impact of an attacker once your network is penetrated. As I have argued elsewhere (here, here and elsewhere), cyber-resiliency includes physically segregating unrelated data and having excellent detection and response plans.
