Security's Disastrous Week, From Superfish to Unstoppable, Hard Drive-Killing Malware

Superfish. Untrustworthy hardware. Easily hacked cars. FreeBSD's random number generator. This week was an utter disaster for security.

5 days of terror

Security’s been in the spotlight ever since Edward Snowden’s revelations about the NSA’s extensive spying program, but by every measure, this week was a doozy. There were no fewer than four—count them, four—major, critical security issues revealed over the past few days. Any one would’ve been a major deal by itself. Together, it’s enough to make you want to curl up in a ball in the corner.

Got your tinfoil hat ready? You’re going to need it. Let’s start with the security disaster that popped up first: utterly unstoppable malware that can’t be removed by anything short of physically destroying your hard drive.

Hard drive hell

Late Monday, Kaspersky Lab revealed details about the Equation Group, an incredibly advanced team of hackers that has been operating for at least a decade. Equation’s attacked targets in dozens of countries across the globe—including the U.S.—and evidence strongly suggests it’s state-sponsored. But the terrifying part is its sophisticated malware.

Equation uses malware that digs deep into the firmware of your physical hard drive and is impossible to remove once installed. Installing a clean operating system or fully formatting your drive does nothing. The only way to rid yourself of the malware is to hammer a spike through the drive and chuck it in the trash. PCWorld’s Equation Group report has more details, including information about susceptible drive models.

FreeBSD's random number generator

While the world was still reeling from that revelation, another security disaster struck Tuesday. It turns out that the bleeding-edge version of FreeBSD, dubbed -CURRENT, had been using a borked random number generator that spit out not-so-random numbers for the past four months.

So what? Well, encryption tools rely on that RNG to create the keys that unlock the encryption. Any cryptographic keys created during the affected time frame have to be considered unsafe because of the non-random material, and must be regenerated. Fortunately, the flaw had already been plugged by the time the announcement was made, and the stable version wasn’t affected.

Superfishy

On Wednesday, researchers discovered that since mid-2014, Lenovo PCs had shipped with adware called Superfish preinstalled. Superfish itself is a mere nuisance; the true risk came from a self-signed root certificate it installed in Windows to essentially hijack all secure internet traffic and inject ads into webpages. That’s known as a man-in-the-middle attack, folks. Worse, every affected PC used the same certificate, protected by a weak, discontinued form of encryption; unsurprisingly, researchers quickly cracked it. Malicious hackers could easily use the vulnerability to attack you. The US government issued an alert telling users to remove Superfish.

Lenovo’s contrite CTO quickly released a tool to remove Superfish and its rogue cert. Other vendors, including Microsoft, did the same, though not all fully eliminate the infection. PCWorld’s guide to Superfish removal can walk you through full, manual eradication.

All your SIMs are belong to us

In the midst of the Superfish furor, a new Snowden bombshell dropped Thursday. A joint team of U.S. NSA and U.K. GCHQ agents hacked into the computer network of Gemalto, the world’s biggest maker of smartphone SIM cards, and swiped the encryption keys for those cards. And they’ve been inside Gemalto’s network for years: the Snowden slide dates from 2010.

With those keys, government agents would be able to monitor mobile communications without warrants, wiretaps, or approval from foreign governments or carriers. Essentially, they can listen to almost anything without outside permission. Roughly 450 mobile carriers, including AT&T, T-Mobile, Verizon Wireless, and Sprint, use Gemalto’s SIM cards.

Hand over the car!

Friday was pretty quiet on the security front, and understandably so, given the events of the four days prior. But one smaller-scale, yet no less terrifying, incident blipped on the radar: PCWorld reported how a 14-year-old built a device from $15 worth of parts from Radio Shack that was able to wirelessly connect to a car’s internal computer network and control various functions.

Maybe it’s a good thing Radio Shack’s shutting its doors. (Actually, it’s still a shame.) Regardless, repeated demonstrations like this are why we keep clanging the warning bell about smart device security concerns.

Stay safe(r)

Don’t let all this bad news make you feel powerless. Take an active role in keeping malicious attackers out of your PC. PCWorld’s guides to building the ultimate free security suite and protecting your PC against devious security traps can help you brush up on everything you need to know.

Being absolutely honest, the tips and tools in those articles wouldn’t have protected you from any of the incredibly sophisticated attacks listed in this article. But they’d definitely help against the vast majority of everyday attacks you can run into on the web. That’s the truly important thing… right?