Superfish Security Certificate Password Cracked, Creating New Attack Vector
In a follow-up to today's news about junk software included with Lenovo computers, an anonymous reader writes Robert Graham at Errata Security has published an article announcing his success in extracting the SuperFish self-signed security certificate from the adware which has caused Chinese computer manufacturer Lenovo such embarrassment in the last day. Since SuperFish is already capable of carrying out man-in-the-middle attacks over secure connections on the Lenovo machines which use the certificate, the disclosure of the certificate's password presents hackers with a 'pre-installed hacking environment' which would be difficult to arrange by other means. The password, "komodia," is also the name of the Komodia Redirector framework, which allows its clients to manipulate TCP/IP network sessions "with a few simple clicks."
the Chinese go to the end user. Wasn't there news of Lenovo wanting to open a US-based facility to be eligible to compete for US government contracts...
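A defender-side check, added here and not part of the story or of Errata Security's article: because the SuperFish root certificate is self-signed and installed into the Windows trust stores, the first thing to verify on a machine is whether such a root is still trusted. The PowerShell below lists trusted roots whose subject or issuer matches a pattern (the pattern "Superfish" and the store list are assumptions; other Komodia-based products install roots under other names).

```powershell
# Added example (not from the article): look for an injected root CA in the Windows trust stores.
# Assumption: the certificate's subject contains "Superfish"; adjust -SubjectPattern for other
# Komodia-based products, which install their own differently named roots.
function Find-InjectedRootCA {
    param(
        [string]$SubjectPattern = 'Superfish',
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
                              'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')
    )
    foreach ($store in $Stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $SubjectPattern -or $_.Issuer -match $SubjectPattern } |
            ForEach-Object {
                # A root whose subject equals its issuer is self-signed, as the SuperFish root is.
                # HasPrivateKey is true only if the key is also in this store; the adware keeps the
                # key inside its own process, so this is usually false even on an affected machine.
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    HasKey     = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-InjectedRootCA)
if ($hits.Count -eq 0) {
    Write-Output "No trusted root matching the pattern found in the Windows certificate stores."
} else {
    $hits | Format-Table -AutoSize
    # Removal, once you have confirmed the thumbprint, is a matter of deleting the store entry:
    #   Get-ChildItem <store> | Where-Object Thumbprint -eq <thumbprint> | Remove-Item
    Write-Output "Remove the entry with Remove-Item on the matching store path after confirming the thumbprint."
}
```

Two caveats for anyone using this: every affected machine carries the same certificate, so the thumbprint found on one laptop is the indicator to sweep for across the fleet, and browsers that keep their own trust store (Firefox does) have to be checked separately, since they do not consult the Windows stores this script reads.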
I mean, even without this, they were performing man-in-the-middle attacks on their customers. Doesn't something like the DMCA apply when you're hijacking banking websites?
is like "NSA for Dummies"
“You can use our stuff for free as long as we get to choose the password.”
Um, already discussed. http://yro.slashdot.org/story/...
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
But then I always wiped my Lenovo to install Ubuntu anyway.
=^..^= all your rodent are belong to us
Now that the vendor knows this, they may be legally obligated to do a "voluntary" factory recall or face a government-mandated involuntary recall.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Slashdot isn't hiding anything. It just takes 5-10 business days for them to talk about something current. I consider Slashdot a Wayback Machine that I can interact with...my very own time machine to the past.
so, we have a for-profit load of a known attack system with name = password from Lenovo.
what was the trade name of this series of laptops, GOTCHA? "New, the GOTCHA from Lenovo, because we want your other financial information, too." great tag line. when do the TV ads start?
if this is supposed to be a new economy, how come they still want my old fashioned money?
What's next:
LENOVO: "Hey! You can't exploit or exploit! DMCA DMCA!"
Your thin skin doesn't make me a troll
Slashdot: Olds for nerds, stuff.
Anybody else work in IT and is starting to get depressed?
I am just so tired of trying to keep up with all the hacking, spying & stealing going on.......
Constantly feeling attacked from all sides (gov, corporations etc.)
Who can you even trust anymore?
I would like to take a more active role in protecting my privacy and personal data; however, I do not see how this is possible without completely abandoning all electronic gadgets and the internet.
Preloading advertising spyware with a new computer while knowingly disabling all https and code signing security.
There is selfish, there is stupid, there is dumb and there is criminal batshit insanity.
Having been a fan of Lenovo for years I sincerely hope they are sued into oblivion and face criminal prosecution. No need wasting your time wondering if I will ever buy anything from them again.
I simply don't see any long-term value in selling out your customers to other unknown companies.
Legitimate question: what Slashdotter still uses the stock OS on a laptop they purchase? Not even businesses, arguably Lenovo's primary audience, maintain the original image in most cases. Most bloatware just existed as a testament to the hubris and aggrandized perspective most laptop manufacturers have of themselves anyhow. Extra assistants, widgets, software with limited documentation and no tenable lifecycle outside the make and model of PC or tablet a customer purchased basically made the OS a moot point of the purchase at best.
I get that the adware is bad, and the introduction of a zero-day attack vector is even worse, but I wonder what damage, if any, this will do to Lenovo.
Good people go to bed earlier.
So the Chinese now have the user names and passwords of all the corporations (US and International) who still use their laptops mistakenly thinking they're just like the old IBM ones. Also, any personal account information of course.
China thinks long term. Collecting US debt, buying companies, manufacturing the components of other companies. They're not being nice, they have a plan. Maybe it's just to serve ads. But maybe, just maybe, it's something bigger.
Summaries don't contain *all* the words (that's what makes them summaries rather than articles). Even dumb Americans know that.
Is this thing really called "Superfish"?
At first I thought it was a made-up name by the security guys to resemble "Superphish".....
This is why you don't buy "computers" at Best Buy.
*all* the words? Are you retarded? All hard drives are vulnerable and there is not even ONE mention of "hard drive" in the summary?
Fuck off. You can't spin this shit. The story kept getting deleted, this OP went from "Score:1, Interesting" to "Score:0, Offtopic".
There are special teams in NSA/GCHQ hired to monitor all major sites and discussion boards and control their narratives. Don't act stupid and pretend they don't exist here.
This is why you build your own boot disk images, stripped down and hardened version.
Never use bloated retail installs.
Please tell me some academics / F/OSS folk / people who truly believe in rights and privacy are working on a clean-sheet, Security-is-Job-One replacement for the now nearly useless sieve we call the Internet.
What a fucking idiot, that article wasn't used as an excuse to keep deleting the bigger story.
Who the fuck would protect the NSA anyway, are you one of those fat fucks working in NSA basement dumbing down Americans?
New Snowden Doc Reveals How GCHQ/NSA Use The Internet To 'Manipulate, Deceive And Destroy Reputations'
Don't act like slashdot isn't crawling with these fuckers (I am looking at you TsuruchiBrian).
I thought for a minute that TrueCrypt could help, as all the data on the HD is encrypted, but firmware malware can easily substitute the TrueCrypt boot sector with an identical-looking keylogging version.
I sincerely hope that Microsoft pushes an immediate revocation of the certificate and an updated removal kit that removes Superfish altogether over Windows update.
Was this whole Lenovo disgrace found out by security research? Or did a whistleblower tip someone off?
Because if it was the latter then, while those who rightly tipped us off deserve immense respect, it's a depressing view of the future where we cannot trust devices.
Whether Lenovo is engaged or not, it seems Microsoft may wish to issue a purging through a Windows defender update. This would probably be the healthiest thing for all around.
Hopefully this will be a lesson to all the vendors about the risks of taking money for shovelware....
XML is like violence. If it doesn't solve the problem, use more.
An exploit like this has existed since the dawn of Unix.
I believe Ritchie or Kernighan had a piece of code injected in their ancient C compiler that added a backdoor whenever the compiler detected it was making a login-type program. The code I believe was not in the compiler source, but got passed on when the compiler detected it was making a compiler.
I believe that particular backdoor was in a good few years of the infancy of Unix.
'twas a story someone told me, can't be bothered to google it for fact checking, so take with a grain (or rock?) of salt.
Moral of the story: such a time probably never existed, but the chance of being clean of such stuff is probably highest around the end of the 80s?
Also the truly paranoid might look into reviving a C128, Amiga 500 or similar Atari. With tons of aftermarket expansions (the fatally paranoid will try to get board designs/source and build it himself/herself...) you can connect those Old Ones to the 'net and email/maybe even do some light surfing? Lynx-style.
In fact I seem to remember some case of some kidnapper who held his captive as a slave for multiple years making the case hard for law enforcement because he did all his computing with such a beast and a forensic expert with solid knowledge of the system was not readily at hand.
To reiterate: my memory might be playing tricks on me, don't blindly trust my account here.
Tbh, at least that time Sony Online Entertainment got hit, it turned out they seemed to only have had paper thin, lip service, keep the CEO out of prison type "security".
Seems even they didn't really have it in their hearts to even try.
(Note: I'm the grandparent AC.)
Right, half the point of this would be to defeat the Ken Thompson hack (which is what you're talking about) by cross-compiling with three different, independently-developed systems, or "ideally... by writing a simple bootstrapping C compiler in assembly (and an assembler in machine language) yourself." Maybe I wasn't clear above: the goal is not to compile three different sets of software using the three machines; the goal is to use disparate hardware and software to compile bit-for-bit identical sets of software that can be trusted because three different machines are telling you it's correct.
In other words, the hope is that even if one of the systems is infected with a compromised compiler, not all three are and thus you can detect that it's trying to insert the backdoor in the output by comparing it against the compilers whose output is clean.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
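The comparison step the comment above describes, as an added example that is not part of the post or of any project: build the same source with independent toolchains, hash each output, and treat a disagreeing toolchain as suspect. The PowerShell below implements that comparison over files; the three toolchain names and the byte contents are constructed for the demo, and the function assumes the builds have already run and left their outputs at the paths given.

```powershell
# Added example (not from the post): compare build artifacts from independent toolchains
# and report which toolchain, if any, disagrees with the majority.
function Compare-BuildArtifacts {
    param([hashtable]$ArtifactByToolchain)  # toolchain name -> path to its output binary

    $hashes = @{}
    foreach ($name in $ArtifactByToolchain.Keys) {
        $hashes[$name] = (Get-FileHash -Algorithm SHA256 -Path $ArtifactByToolchain[$name]).Hash
    }

    # Group toolchains by the hash they produced; the largest group is the consensus.
    # With an even split there is no majority, so treat Agreed=false as "investigate all".
    $groups = @($hashes.GetEnumerator() | Group-Object -Property Value | Sort-Object Count -Descending)
    $consensus = $groups[0]
    $outliers = @($groups | Select-Object -Skip 1 | ForEach-Object { $_.Group | ForEach-Object Name })

    [pscustomobject]@{
        Agreed    = ($groups.Count -eq 1)          # true only if every toolchain produced identical bytes
        Consensus = $consensus.Name                # SHA-256 shared by the majority
        Majority  = @($consensus.Group | ForEach-Object Name)
        Outliers  = $outliers                      # toolchains whose output differs from the majority
    }
}

# Constructed demo: three "builds", two identical and one differing by a single byte, standing in
# for a toolchain that inserted something the others did not. Names are placeholders only.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'ddc-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
[byte[]]$clean   = 0x7F, 0x45, 0x4C, 0x46, 0x01, 0x02, 0x03
[byte[]]$tainted = 0x7F, 0x45, 0x4C, 0x46, 0x01, 0x02, 0xFF
[System.IO.File]::WriteAllBytes((Join-Path $dir 'toolchain-a.bin'), $clean)
[System.IO.File]::WriteAllBytes((Join-Path $dir 'toolchain-b.bin'), $clean)
[System.IO.File]::WriteAllBytes((Join-Path $dir 'toolchain-c.bin'), $tainted)

$result = Compare-BuildArtifacts @{
    'toolchain-a' = Join-Path $dir 'toolchain-a.bin'
    'toolchain-b' = Join-Path $dir 'toolchain-b.bin'
    'toolchain-c' = Join-Path $dir 'toolchain-c.bin'
}
$result | Format-List   # expect Agreed=False, Outliers=toolchain-c
```

The check only means something if the builds are reproducible in the first place: embedded timestamps, build paths or randomized link order will make honest toolchains disagree too, so those have to be pinned before a mismatch can be read as a planted backdoor rather than build noise.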
Leave it to PC makers to allow such junk on their new PCs without any vetting process to protect customers. This is why I bought an Apple Mac. Not because I love Apple or because I think OS X is the best. No, I bought a Mac to run Windows on it because I know that Windows is clean of all the crap software, and a second advantage is having paid for software and hardware I want and not lining the pockets of PC makers who accept bribes to allow this crap to be installed on their PCs.
I've lost count of how many times Slashdot allowed secondary copy click baits and poorly worded sensational articles on the front page; this is one of the biggest IT stories and now all of a sudden you're getting all academic?
When everyone's hard drive is and has been vulnerable for over a decade and there is no solution in place to detect and remove the back doors, that fact is like 9/11, it is sensational by itself, unless you're deliberately trying to downplay it.
That article you claimed this is a dupe of is a sensational article itself; who cares about some hacker group when my hard drives are vulnerable? That problem takes priority, unless again, you're deliberately trying to downplay it, like a good little damage control operative.
On the other hand I've worked for several agencies that were protected quite adequately. And some companies too.
That you know of. Equation Group and the other constant stream of revelations should make everybody rethink their opinions about security.
Personally I couldn't care less about this story - I'm guessing a lot of people that took the time to find and read the original Kaspersky articles will think the same.
Personally I think you're full of shit and are stupid enough to think other criminals won't pick up on it and start exploiting it. What you care about doesn't fucking matter, the problem exists and there are no workable solutions, and it will be exploited, on a massive scale.
Your hard disk is vulnerable when your machine has already been taken over.
That's not what the anti-virus companies are claiming. If a virus can stay in hard disk firmware forever, why bother fucking "removing" it from the disk platter?
It's extremely rare to find that malware in the wild.
Because people didn't know where to look; now that they do, it'll be reverse engineered and applied, more will be discovered down the road, stop downplaying it, the problem still exists and EVERY DISK is vulnerable to it.
You think nobody else will pick up on it and is smart enough to write malware for it? What, are you fucking stupid? Load one bad ad on a phone and it'll infect the phone, which will infect the PC, then the hard disk, where it'll stay in the firmware, which will infect your new phone. How would you know when to replace your hardware? How would you even know the virus is there? It doesn't fucking announce itself.
Basically you're saying "Everything is fine.", you've got to be a damage control operative or a really stupid geek.
Another idiot who thinks this won't be reverse engineered by black hats and reapplied on a massive scale.
By your logic the Snowden revelation doesn't matter, because it won't happen to you and the gov has been at it for decades.
Right?
Fuck off retard.
I have rethought them, in that light. I know of at least one government agency and one very large company whose core systems would not have been vulnerable to those attacks, because they expect zero-day vulnerabilities to exist in all of their software, as well as bugs planted by state actors, and deal with security accordingly.
It's bloody expensive if you have to implement that later on, but if you build your IT infrastructure from the ground up it can be done quite effectively.
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
The minute I heard China bought IBM's PC line, this was inevitable. They do it to their own citizens. Why not citizens of other countries?
Yeah, I'm just still trying to figure out what "spyware" in your hard drive firmware would really accomplish...?
I mean, does your drive have an ethernet connector on it? Wi-Fi built in? Any possible way to communicate with any other device other than the ATA/SATA/fiber/whatever connection to your actual computer?
And, if not, then... wouldn't any data "spied on" by the firmware actually be easier to get via the operating system, or at worst the actual controller interface on the system? Why would you go through the hassle of trying to modify the drive firmware, risking other issues of course, if the only route there is for data to go on/off of it is via the computer itself? Or are you going to hack the drive firmware to send back data via modifications to the ATA/SATA/etc protocols, to a hacked controller card, that then passes that hacked data off to a hacked UEFI bios... ... and wouldn't it just be simpler to hack the UEFI bios?
I don't get it. Or is it hacking it to insert a backdoor when someone boots off the drive? You know it's boot because the drive just powered on?
Seems awfully complex to me, and more easily done in other ways.
The KTH cannot exist, because the KTH can't possibly recognize all instances of "a compiler," and/or "a login." If it could, it could be used to solve the halting problem.
Therefore one need only evade detection in order to produce a clean binary from an infected compiler, which should, in practice, be trivially done by obfuscating the code. With obfuscation, detection would have to rely on algorithm detection, but that's easily avoided as well, much to the bane of antivirus software.
But, for the sake of argument, even if KTH could reliably infect all compilers, disassemblers, and debuggers produced with an infected compiler, it would still be detectable through dumping memory and/or debugging, because lying about the contents of memory or the step of execution takes time, and you can't lie about how long it takes to complete an operation. You could try to hide it by throwing in NOOPs, but you can't lie about it, and any deviation between the number of actual and expected operations to complete a task would raise a huge red flag. In fact, if KTH existed in the wild, the effects of its existence would have been detected by now through performance testing and/or timing exploits. The fact that unexplained universal slowdowns haven't been observed in the wild, and that timing exploits do in fact work seems to be conclusive evidence that KTH does not exist.
Security is an arms race to be sure, and I would bet my life that there are, and will always be, undetected hacks in the wild, but there is no such thing as an *undetectable* hack. If someone is looking, they can find it. Even the "Equation" turned up once someone bothered to look.
https://www.eff.org/https-everywhere
like, totally. also: more meaningless words please.
Think it through...
1) Drive F/W gets infected.
2) Drive infects OS and UEFI on boot.
3) You detect malware, but don't realise it's in the F/W of the drive. You disinfect the drive and reboot.
4) You notice the malware is still evident, but can't find any trace of it on the drive. You detect it in the UEFI and flash that to get rid of it.
5) You notice it's STILL there, so you assume it must be so deep in the UEFI that you can't get rid of it (which many would consider far more plausible than it being in the DRIVE F/W!). You therefore replace the whole PC, but swap the disk over as you believe the drive (which you have now "securely" wiped) is safe.
6) Guess what's now infected!?!
OR (more likely) you infect an external hard disk and find that you're still spreading malware from machine to machine throughout the PCs of your company/family/friends/whatever, even after you have "securely" wiped it.
Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
I missed the previous article. Just checked my son's laptop that I bought him for Christmas and had to remove this crap. Thanks to whoever exposed this.
That was my first and last Lenovo ever (as in "my first Sony"). What were they thinking?
This is not the sig you're looking for.
It only gets difficult to secure stuff once things get large enough that you can't keep track of what is going in or out. Need a port open for this for person X, for that for person Y, for someone else with antivirus that phones home via the port only the mail server has legit business using, then all kinds of shit tunnelling through port 80 - that's when things get out of control and people end up hosting spambots on their networks and only find out when they get blacklisted.
Cut things into segments small enough that you don't lose track of what's going on and you can secure that chunk, then the next, then the one after.
The smaller the target, the easier it is to stop someone hitting it.
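One concrete form of the per-segment allowlist the comment argues for, added here as an example rather than anything from the post: on a Windows host, set the firewall to block inbound by default and then open only the specific port/peer pairs the segment actually needs, so that the mail-port case the comment mentions (only the mail server gets to talk on port 25) becomes an explicit rule instead of an open port. The addresses, group name and rule names below are constructed placeholders; the cmdlets are the standard NetSecurity module ones.

```powershell
# Added example (not from the post): a small, explicit per-segment allowlist for a Windows host.
# All addresses and names are constructed placeholders; replace them with the segment's real values.
$MailServer   = '10.0.10.25'      # placeholder: the one host with legitimate business on port 25
$AdminSubnet  = '10.0.99.0/24'    # placeholder: where management traffic is allowed to come from
$RuleGroup    = 'Segment-Workstations'

# 1. Default-deny inbound on every profile; outbound stays open for now (tighten below where it matters).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Remove any earlier rules from this group so re-running the script yields exactly this allowlist.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Inbound: only management from the admin subnet. Nothing else is reachable from the network.
New-NetFirewallRule -DisplayName 'Allow RDP from admin subnet' -Group $RuleGroup `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminSubnet -Action Allow | Out-Null

# 4. Outbound: this host is not a mail server, so it may speak SMTP only to the mail server.
#    Any other outbound port-25 traffic (a spambot, or "antivirus" phoning home on that port) is blocked.
New-NetFirewallRule -DisplayName 'Allow SMTP to mail server only' -Group $RuleGroup `
    -Direction Outbound -Protocol TCP -RemotePort 25 -RemoteAddress $MailServer -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Block all other outbound SMTP' -Group $RuleGroup `
    -Direction Outbound -Protocol TCP -RemotePort 25 -Action Block | Out-Null

# 5. Show the resulting allowlist so it can be read and checked in one screen, which is the whole point.
Get-NetFirewallRule -Group $RuleGroup |
    Select-Object DisplayName, Direction, Action |
    Format-Table -AutoSize
```

Windows evaluates an explicit Block rule ahead of Allow rules, so the order of steps 4a and 4b does not matter; what matters is that the group stays short enough to read at a glance, which is exactly the property the comment says large, accreted rule sets lose.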
Says due to DDOS, more like the Slashdot effect.
In the meantime, Lenovo made an official statement on the 3rd-party "Experience Enhancement Software"...
http://news.lenovo.com/article...
Also listed at the end of the statement are the affected models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Since this is to enable reading all HTTPS connections, could SuperFish be a front company for some spy agency?
I've been using Fedora Linux for 10 years (yup, that long). I also do no financial transactions with any operating system. I rarely purchase items from the web, as local stores are competitive and often selling at lower cost (that means you, Newegg, Tiger Direct, etc. are not competitive).
Leslie Satenstein Montreal Quebec Canada
Cool story, bro.
If we remove the clock battery from the motherboard, do we just kill the setup params within the clock chip, or the virus code as well?
Leslie Satenstein Montreal Quebec Canada