Duo Labs

The Weekly Ink #27

THE WEEKLY INK

The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.

If you have links that you think would be interesting for inclusion and commentary, send them our way at labs@duosecurity.com.

Super Fishy (And Not Superficial): Lenovo Embeds TLS MITM Adware in Consumer Laptops

There's so much to say here that we wrote a separate post.

The Hidden Equation

Security researchers at Russian firm Kaspersky published details of "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades" earlier this week.

The group is generally believed to be the National Security Agency based on the correlation of code names and malware samples to Der Spiegel-published government leaks.

The piece of information that got the most traction in the public was IRATEMONK, malware that persisted itself in hard drive firmware from many vendors and targeted individuals worldwide for surveillance.

That's not the only thing we learned about government spooks this week, though...

Intercepting Your Calls? SIMple.

The Intercept published information on how the NSA and GCHQ orchestrated a world-wide hacking and espionage program targeting employees of security hardware vendor Gemalto with the aim of stealing SIM card private keys.

Millions of keys, stolen. Millions of phones that can theoretically have their communications intercepted.

This is depressing, but not unexpected. I personally wonder if they violated CFAA by accessing any US-based service providers in the course of this campaign (they reportedly accessed Yahoo! and Google mail accounts), but it doesn't really matter -- government has no incentive to hold itself accountable for this.

Hopefully phone carriers will offer replacement SIMs, but how does anyone know the keys for those aren't compromised? For situations where secure communication over cell phones is desired, using additional encryption mechanisms besides those provided by the cell networks is clearly necessary. And the "metadata problem" still exists: even if using additional encryption means the contents of messages wouldn't be visible, associated data like who was being contacted and when would still be available.

It seems James Mickens' advice for dealing with state threats still applies and we should all seek out magical amulets and submarines:

I'll end this dark edition of the Weekly Ink with a cute cat sleeping:

Have a great weekend, everybody!