New Flaws Identified in Lenovo’s System Update Service

By   ISBuzz Team
Writer , Information Security Buzz | May 13, 2015 05:05 pm PST

Statement from Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi

IoActive’s researchers have identified some new flaws in Lenovo’s system update service that can be used by hackers to create fake certificates for executable files. Please see statement from Kevin Bocek at Venafi below on this breaking news.

“The system of trust that runs the Internet is very fragile. Failing to validate a certificate properly gives bad guys the powerful weapons they need to circumvent security controls. Lenovo joins many others in not being prepared to secure the trust that’s established by keys and certificates. Lenovo like Fandango, Kredit Karma, and an estimated 40 percent or more of mobile application developers were not able to validate if certificates were from a trusted authority. With every Global 2000 organization reporting attacks on keys and certificates, according to the Ponemon Institute, the Internet needs an immune system to evaluate what’s really trusted or not. Lenovo is certainly not alone in their inability to properly validate digital certificates – this is just the tip of the iceberg. And as this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide in encryption, and go undetected. Using keys and certificates attempted to solve the first security problems on the Internet – what can I trust and what can be private. But with the rapid rise in vulnerabilities and attacks, now more than ever is the time to take protecting keys and certificates seriously.”

By Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi

BIO : Kevin Bocek is responsible for security strategy and threat intelligence at Venafi. He brings more than 16 years of experience in IT security with leading security and privacy leaders including RSA Security, Thales, PGP Corporation, IronKey, CipherCloud, nCipher, and Xcert. He is sought after for comment by the world’s leading media such as Wall Street Journal, New York Times, Washington Post, Forbes, Fortune, BBC, Süddeutsche Zeitung, USA Today, Associated Press, Guardian, and Telegraph along with security press including SC Magazine, Dark Reading, and Network World.

About Venafi

Venafi is the market-leading cybersecurity company in Next Generation Trust Protection (NGTP). As a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to secure cryptographic keys and digital certificates that every business and government depends on for secure communications, commerce, computing, and mobility. With little to no visibility into how the tens of thousands of keys and certificates in the average enterprise are used, no ability to enforce policy, and no ability to detect or respond to anomalies and increased threats, organizations that blindly trust keys and certificates are at increased risk of costly attacks, data breaches, audit failures, and unplanned outages.