Superfish Security Certificate Password Cracked, Creating New Attack Vector
In a follow-up to today's news about junk software included with Lenovo computers, an anonymous reader writes Robert Graham at Errata Security has published an article announcing his success in extracting the SuperFish self-signed security certificate from the adware which has caused Chinese computer manufacturer Lenovo such embarrassment in the last day. Since SuperFish is already capable of carrying out man-in-the-middle attacks over secure connections on the Lenovo machines which use the certificate, the disclosure of the certificate's password presents hackers with 'a pre-installed hacking environment' which would be difficult to arrange by other means. The password, "komodia," is also the name of the Komodia Redirector framework, which allows its clients to manipulate TCP/IP network sessions "with a few simple clicks."
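The security point of the summary is that the adware installed its own self-signed root certificate into the Windows trust store, and since the signing key shipped with every copy (protected only by the password "komodia"), anyone holding it can mint certificates those machines trust. A defender's first check is therefore the trust store itself: enumerate the trusted roots and flag any self-signed entry that is not in an approved baseline. The block below is an added example, not code from Errata Security, Komodia or Lenovo. It uses a minimal DER reader written here (no third-party library), reads the machine ROOT store through the standard library's `ssl.enum_certificates` where that function exists (Windows only), and otherwise runs against constructed certificate shells built inline. The subject name "Superfish, Inc." in the sample and the baseline CN "Example Root CA" are assumptions, not values from the article.

```python
import ssl

CN_OID = b"\x06\x03\x55\x04\x03"   # DER: OBJECT IDENTIFIER 2.5.4.3 (commonName)


# ---- minimal DER reader: just enough to pull subject/issuer CNs out of an X.509 cert ----

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split the body of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def common_name(name_value: bytes):
    """CN from the body of a DER Name: SEQUENCE OF SET OF SEQUENCE { OID, string }."""
    for _, rdn_set in _children(name_value):
        for _, atv in _children(rdn_set):
            parts = _children(atv)
            if len(parts) == 2 and parts[0] == (0x06, CN_OID[2:]):
                return parts[1][1].decode("utf-8", "replace")
    return None


def subject_issuer(cert_der: bytes):
    """Return (subject CN, issuer CN) of a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)
    tbs_fields = _children(_children(cert)[0][1])       # tbsCertificate
    if tbs_fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        tbs_fields = tbs_fields[1:]
    # serial, signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo, ...
    return common_name(tbs_fields[4][1]), common_name(tbs_fields[2][1])


def unexpected_roots(certs_der, baseline_cns):
    """CNs of self-signed certs (subject == issuer) that are not in the approved baseline."""
    found = []
    for der in certs_der:
        subj, iss = subject_issuer(der)
        if subj is not None and subj == iss and subj not in baseline_cns:
            found.append(subj)
    return found


def windows_root_store():
    """Machine ROOT store as DER blobs (Windows only; ssl.enum_certificates is absent elsewhere)."""
    if not hasattr(ssl, "enum_certificates"):
        return []
    return [der for der, enc, _ in ssl.enum_certificates("ROOT") if enc == "x509_asn"]


# ---- constructed test data: a tiny DER encoder builds unsigned certificate shells ----

def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        hdr = bytes([tag, n])
    elif n < 0x100:
        hdr = bytes([tag, 0x81, n])
    else:
        hdr = bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + body


def _name(cn: str) -> bytes:
    return _der(0x30, _der(0x31, _der(0x30, CN_OID + _der(0x0C, cn.encode()))))


def make_test_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Constructed, unsigned X.509 shell with only the fields the parser needs (not a real cert)."""
    tbs = b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                          # version v3
        _der(0x02, b"\x01"),                                                      # serial
        _der(0x30, b""),                                                          # signature alg (placeholder)
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, b"250101000000Z")),  # validity
        _name(subject_cn),
        _der(0x30, b""),                                                          # SPKI (placeholder)
    ])
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


SAMPLE_STORE = [
    make_test_cert("Example Root CA", "Example Root CA"),    # approved root (assumed name)
    make_test_cert("Superfish, Inc.", "Superfish, Inc."),    # rogue root; CN is an assumption
    make_test_cert("www.example.com", "Example Root CA"),    # leaf, not self-signed
]
BASELINE = {"Example Root CA"}

if __name__ == "__main__":
    store = windows_root_store() or SAMPLE_STORE
    print("unexpected self-signed roots:", unexpected_roots(store, BASELINE))
```

Run on a Windows host, the script reads the real ROOT store; anywhere else it falls back to the constructed sample and reports the rogue entry. A real baseline would be the list of root CNs (better: SHA-256 fingerprints of the DER blobs) captured from a known-clean image, since a self-signed check alone does not distinguish a legitimate root from an injected one.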
I mean, even without this, they were performing man-in-the-middle attacks on their customers. Doesn't something like the DMCA apply when you're hijacking banking websites?
Um, already discussed. http://yro.slashdot.org/story/...
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
But then I always wiped my Lenovo to install Ubuntu anyway.
=^..^= all your rodent are belong to us
Now that the vendor knows this, they may be legally obligated to do a "voluntary" factory recall or face a government-mandated involuntary recall.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
so, we have a for-profit load of a known attack system with name = password from Lenovo.
what was the trade name of this series of laptops, GOTCHA? "New, the GOTCHA from Lenovo, because we want your other financial information, too." great tag line. when do the TV ads start?
if this is supposed to be a new economy, how come they still want my old fashioned money?
What's next:
LENOVO: "Hey! You can't exploit or exploit! DMCA DMCA!"
Your thin skin doesn't make me a troll
Slashdot: Olds for nerds, stuff.
Anybody else work in IT and is starting to get depressed?
I am just so tired of trying to keep up with all the hacking, spying & stealing going on...
Constantly feeling attacked from all sides (gov, corporations etc.)
Who can you even trust anymore?
I would like to take a more active role in protecting my privacy and personal data, however I do not see how this is possible without completely abandoning all electronic gadgets and the internet?
Preloading advertising spyware with a new computer while knowingly disabling all https and code signing security.
There is selfish, there is stupid, there is dumb and there is criminal batshit insanity.
Having been a fan of Lenovo for years I sincerely hope they are sued into oblivion and face criminal prosecution. No need wasting your time wondering if I will ever buy anything from them again.
I simply don't see any long-term value in selling out your customers to other unknown companies.
legitimate question: what slashdotter still uses the stock OS on a laptop they purchase?
If by "OS" you mean the factory-installed crypto-signed firmware/bootloader/OS stack which can't be changed without keys the end-user doesn't have, then the answer is "probably more than we would like to think."
Summaries don't contain *all* the words (that's what makes them summaries rather than articles). Even dumb Americans know that.
this thing is called really "Superfish"?
At first I thought it was a made-up name by the security guys to resemble "Superphish"...
Please tell me some academics / F/OSS folk / people who truly believe in rights and privacies are working on a clean-sheet, Security is Job One replacement for the now nearly useless sieve we call the Internet.
Frankly, I'm having a hard time seeing how Lenovo recovers from this.
Editor, A1-AAA AmeriCaptions
Yeah some of us are a little lazy.
It doesn't take government operatives... At this point, it's a dupe. I already raised both the issue of all current manufacturers being affected and the fact that not enough actual information was released. It's not a conspiracy in this case, it's just bad reporting being moderated as such.
If someone submits the Kaspersky article, maybe it'll get more traction. Instead, we keep getting submissions that are all hype and no substance, filled with editorialization and almost zero facts. People have tried to spin "custom targeted spyware inserted into firmware of targeted computers, regardless of drive manufacturer" into "firmware from all hardware vendors comes pre-loaded with spyware that reports back to the NSA"
I thought for a minute that Truecrypt could help, as all the data on the HD is encrypted, but firmware malware can easily substitute the truecrypt boot sector with an identically looking keylogging version.
I sincerely hope that Microsoft pushes an immediate revocation of the certificate and an updated removal kit that removes Superfish altogether over Windows update.
Whether Lenovo is engaged or not, it seems Microsoft may wish to issue a purging through a Windows defender update. This would probably be the healthiest thing for all around.
Hopefully this will be a lesson to all the vendors about the risks of taking money for shovelware....
XML is like violence. If it doesn't solve the problem, use more.
Personally I couldn't care less about this story - I'm guessing a lot of people that took the time to find and read the original Kaspersky articles will think the same. It's extremely rare to find that malware in the wild, and of those where it was found, Kaspersky only ever found 3 instances where it had been used.
TL;DR: your harddisk is vulnerable when your machine has already been taken over. I think we already knew that. It sucks that you have to buy a new disk, but since it's still incredibly rare to be a victim of it, I'll save my anxiety for something more pressing, like... climate change. Or neutron stars that may implode while aimed straight at us, killing everything for thousands of lightyears in that path.
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
(Note: I'm the grandparent AC.)
Right, half the point of this would be to defeat the Ken Thompson hack (which is what you're talking about) by cross-compiling with three different, independently-developed systems, or "ideally... by writing a simple bootstrapping C compiler in assembly (and an assembler in machine language) yourself." Maybe I wasn't clear above: the goal is not to compile three different sets of software using the three machines; the goal is to use disparate hardware and software to compile bit-for-bit identical sets of software that can be trusted because three different machines are telling you it's correct.
In other words, the hope is that even if one of the systems is infected with a compromised compiler, not all three are and thus you can detect that it's trying to insert the backdoor in the output by comparing it against the compilers whose output is clean.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
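The cross-compilation scheme in the comment above rests on one mechanical step: after building the same sources on independent toolchains, compare the outputs bit for bit and treat a build whose artifact disagrees with the others as suspect. The following is an added example, not the commenter's code: it hashes every artifact from each build, takes a strict majority per artifact, and reports the builds that deviate from it. The three builds and their contents are constructed inline; `hash_build_dir` applies the same hashing to a real output directory.

```python
import hashlib
from collections import Counter
from pathlib import Path

# Constructed sample input: the same program built by three independent toolchains.
# Builds A and B agree on every artifact; build C's "login" differs, standing in for
# a compiler that inserted something into its output.
SAMPLE_BUILDS = {
    "build-A": {"bin/login": b"\x7fELF clean login", "bin/cc": b"\x7fELF clean cc"},
    "build-B": {"bin/login": b"\x7fELF clean login", "bin/cc": b"\x7fELF clean cc"},
    "build-C": {"bin/login": b"\x7fELF clean login\x00extra", "bin/cc": b"\x7fELF clean cc"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_build(artifacts: dict) -> dict:
    """Map each artifact path to the SHA-256 of its bytes (in-memory variant)."""
    return {path: sha256_hex(blob) for path, blob in artifacts.items()}


def hash_build_dir(root: Path) -> dict:
    """Same as hash_build, but for a real build output directory on disk."""
    return {str(p.relative_to(root)): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_builds(build_hashes: dict) -> dict:
    """Cross-check N independent builds artifact by artifact.

    Returns a report keyed by artifact path for every artifact on which the builds
    disagree: the majority hash (None if no strict majority exists) and the builds
    that deviate from it. An empty report means all builds are bit-for-bit identical.
    """
    names = sorted(build_hashes)
    artifacts = set().union(*(h.keys() for h in build_hashes.values()))
    report = {}
    for art in sorted(artifacts):
        seen = {n: build_hashes[n].get(art) for n in names}   # None = artifact missing
        counts = Counter(seen.values())
        top_hash, top_count = counts.most_common(1)[0]
        majority = top_hash if top_count > len(names) / 2 else None
        if len(counts) > 1:
            report[art] = {
                "majority": majority,
                "outliers": sorted(n for n, h in seen.items() if h != majority),
                "hashes": seen,
            }
    return report


if __name__ == "__main__":
    result = compare_builds({name: hash_build(a) for name, a in SAMPLE_BUILDS.items()})
    for art, info in result.items():
        print(f"{art}: builds disagree; majority={info['majority']} outliers={info['outliers']}")
    if not result:
        print("all builds identical")
```

With three builds a strict majority needs two agreeing hashes, so one deviating toolchain is named as the outlier; if all three differ, the report lists every build as an outlier with no majority, which is the "trust none of them" outcome rather than a silent pass. The comparison only works when the builds are reproducible (no embedded timestamps or paths), so normalise those first.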
I bought an HP 8510W (Business workstation) Laptop. It came with a DVD with Windows 7, full install. When I re-installed it (bought the Samsung EVO850 SSD - teehee :) ), it was a clean install, with much less hassle. My previous HP gave you the option to burn a Windows Image to DVD.
I'm pretty happy with HP in this area, and for the last 6 years my laptops have been HP's.
Who uses the same stock OS that has the specific drivers for that exact model's hardware already loaded..?
Should I instead hope that Microsoft has a generic driver that will work with whatever fancy new hardware features exist?
Or should I instead wipe out whatever software they pre-installed, and then circle right back around to the manufacturers website, to re-install their driver software after navigating 20 different subpages to find the right version?
Here's my legitimate question back- are you buying new models with cutting edge hardware, and using those features?
And yes.. I regretfully write this on my month old Lenovo that I was strongly considering formatting with Ubuntu, but decided to keep on its stock Windows. Lesson learned.
I also notice that we don't have a bunch of articles about how snipers can kill you while you cross the street -- ANY STREET. The truth is that the HD angle isn't really news, beyond being a novel bootkit variant. There are sites trying to spin it into something bigger, but they generally don't understand what's happening in the first place.
Oh, and you can also be infected via the BIOS, and even on UEFI devices during the initial stages of hardware negotiation (which is likely where this stuff sneaks in anyway). Once again, this isn't news, no matter how many sites want to make it news to get ad impressions.
So I hope the GP stops trying to spin harder than the psyops he's sure are trying to silence this -- nobody's really interested once they understand the details.
This is why you use VMs. If malware hits the disk, it is going to find a generic HDD, like a VMWare Virtual drive, and that vector of attack stops for good right there.
We are almost at a point where we should virtualize everything, and what sits at the bare metal is a hypervisor, where there is a definite layer of separation between the OS and devices. This way, a compromise on the OS level won't allow hardware to be tampered with. If there is a firmware update needed, then it should be made available for manual flashing that takes a deliberate set of actions by the user (or via remote, using some administrator certificate) to ensure that a firmware update is authorized.
In fact, virtualization on newer machines is more of a "why not?" item, than a "why?" item. For example, Windows 8 and Windows 8.1 have Hyper-V available with a switch setting and a reboot. With a little bit of work, one can have one instance of Windows just for Web browsing, and the browser would be a seamless application. The advantage of doing this is that if/when something nails the Web browser and gets a user context, rolling back to a snapshot/checkpoint is pretty easy.
A good example of this was when I was browsing in a VM a certain social network without an ad blocking extension in the browser... 10 minutes later, that VM was slammed by malware, likely from an ad server that was serving up exploits. The fix was two clicks and a confirmation dialog away. Of course, if malware isn't detected, that is another story, but for browsing the Web, it is wise to just roll the VM back every so often anyway (at least every month for Patch Tuesday's festivities.)
What would be nice is if PC makers could allow one's choice of hypervisor to be installed on a dedicated SSD that either is physically set read-only and read-write by a DIP switch (with preferences and system info stashed on a separate writable partition), or similar functionality. The advantage of this is that the hypervisor would be pretty much static except for occasional updates (and the update mechanism can be made decently secure), and hardware would be isolated from the VMs.
If a device does need a firmware upgrade, a mechanism at the hypervisor level would address this.
I have rethought them, in that light. I know of at least one government agency and one very large company whose core systems would not have been vulnerable to those attacks, because they expect zero-day vulnerabilities to exist in all of their software, as well as bugs planted by state actors, and deal with security accordingly.
It's bloody expensive if you have to implement that later on, but if you build your IT infrastructure from the ground up it can be done quite effectively.
I'm not sure what models you're referring to. My last three or four laptops have been Lenovos, and I never experienced any roadblocks installing Linux on them. I think the BIOS on at least one of these supported a whole-disk encryption but that doesn't even try to prevent you from reformatting and installing an OS.
My vague understanding is that Superfish is Windows software, not part of BIOS or the Windows bootloader, and certainly not grub. You can also apparently uninstall superfish: http://www.cnet.com/how-to/len...
My current model is a T440, which is fine except for the tragicomical touchpad. It's by far the worst touchpad I've ever, well, touched. I keep a wireless mouse with me at all times because that pad is nearly useless. Previous models were good.
The KTH cannot exist, because the KTH can't possibly recognize all instances of "a compiler," and/or "a login." If it could, it could be used to solve the halting problem.
Therefore one need only evade detection in order to produce a clean binary from an infected compiler, which should, in practice, be trivially done by obfuscating the code. With obfuscation, detection would have to rely on algorithm detection, but that's easily avoided as well, much to the bane of antivirus software.
But, for the sake of argument, even if KTH could reliably infect all compilers, disassemblers, and debuggers produced with an infected compiler, it would still be detectable through dumping memory and/or debugging, because lying about the contents of memory or the step of execution takes time, and you can't lie about how long it takes to complete an operation. You could try to hide it by throwing in NOOPs, but you can't lie about it, and any deviation between the number of actual and expected operations to complete a task would raise a huge red flag. In fact, if KTH existed in the wild, the effects of its existence would have been detected by now through performance testing and/or timing exploits. The fact that unexplained universal slowdowns haven't been observed in the wild, and that timing exploits do in fact work seems to be conclusive evidence that KTH does not exist.
Security is an arms race to be sure, and I would bet my life that there are, and will always be, undetected hacks in the wild, but there is no such thing as an *undetectable* hack. If someone is looking, they can find it. Even the "Equation" turned up once someone bothered to look.
https://www.eff.org/https-everywhere
Think it through...
1) Drive F/W gets infected.
2) Drive infects OS and UEFI on boot.
3) You detect malware, but don't realise it's in the F/W of the drive. You disinfect the drive and reboot.
4) You notice the malware is still evident, but can't find any trace of it on the drive. You detect it in the UEFI and flash that to get rid of it.
5) You notice it's STILL there, so you assume it must be so deep in the UEFI that you can't get rid of it (which many would consider far more plausible than it being in the DRIVE F/W!). You therefore replace the whole PC, but swap the disk over as you believe the drive (which you have now "securely" wiped) is safe.
6) Guess what's now infected!?!
OR (more likely) you infect an external hard disk and find that you're still spreading malware from machine to machine throughout the PCs of your company/family/friends/whatever, even after you have "securely" wiped it.
Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
I missed the previous article. Just checked my son's laptop that I bought him for Christmas and had to remove this crap. Thanks to whoever exposed this.
That was my first and last Lenovo ever (as in "my first Sony"). What were they thinking.
This is not the sig you're looking for.
It only gets difficult to secure stuff once things get large enough that you can't keep track of what is going in or out. Need a port open for this for person X, for that for person Y, for someone else with antivirus that phones home via the port only the mail server has legit business using, then all kinds of shit tunnelling through port 80 - that's when things get out of control and people end up hosting spambots on their networks and only find out when they get blacklisted.
Cut things into segments small enough that you don't lose track of what's going on and you can secure that chunk, then the next, then the one after.
The smaller the target the easier to stop someone hitting it.
In the mean time, Lenovo made an official Statement on the 3rd Party "Experience Enhancement Software"...
http://news.lenovo.com/article...
Also listed at the end of the statement are the affected models.
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
There *is* malware out there that actively exploits known VMs (mostly VMWare, but also VirtualBox) and escapes the VM by knowing where it hooks the host. The nasty part about these is that since they're exploiting the VM, they effectively act like a rootkit once they hit the host; you're not likely to notice what they're actually doing until it's too late.
On the other side, most malware can either be contained by a VM, or in many cases, will have AntiVM code baked-in, so it won't even run if it notices it's in a VM. If you add a few code analysis tools to your VM, any moderately complex malware will think it is running on a malware analyst's system and immediately shut down, or do something useful instead of something malicious.
So yeah; running in a VM adds protection in a few different ways.
The fun thing is, I don't really mind being called a damage control operative, unlike the real ones :) The reason it sounds like I'm deliberately trying to downplay it is because it's not the issue many are making it out to be. I'm all for exploring what *could* happen (my post history will attest to that) but at the end of the day, it's not really much of an issue.
I've been using Fedora Linux for 10 years (yup, that long). I also do no financial transactions with any operating system. I rarely purchase items from the web, as local stores are competitive and often selling at lower cost (That means you newegg, tiger direct, etc. are not competitive)
Leslie Satenstein Montreal Quebec Canada
If we remove the clock battery from the motherboard, do we just kill the setup params within the clock chip or the virus code as well?