Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps

Posted by timothy on from the keeps-on-giving dept.

Ars Technica reports on the continuing revelations about the same junkware that Lenovo has shipped on their computers, but which is known now to be present in at least 14 pieces of software. The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider. ... What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."

6 of 113 comments (clear)

  1. List 'em in the summary, slashdot. by Anonymous Coward · · Score: 5, Interesting

    List 'em in the summary, slashdot.

  2. Mossad connection by Anonymous Coward · · Score: 4, Interesting

    CartCrunch Israel LTD
            WiredTools LTD
            Say Media Group LTD
            Over the Rainbow Tech
            System Alerts
            ArcadeGiant
            Objectify Media Inc
            Catalytix Web Services
            OptimizerMonitor

    Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored. That would also help explain why Homeland Security put out urgent guidance to remove the crapware and even Microsoft added detection directly to their anti-malware tools. NSA doesn't like being upstaged on its own turf.

    1. Re:Mossad connection by msauve · · Score: 2, Interesting

      OK, if you say so.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  3. If the software is this bad by fustakrakich · · Score: 4, Interesting

    I would contend there are problems in the hardware also. This one runs deep. Everything on the market needs further inspection. More so now with all the governments demanding backdoors.

    --
    “He’s not deformed, he’s just drunk!”
  4. Legality by BitZtream · · Score: 5, Interesting

    I'm fairly certain just installing this software is illegal.

    Its not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

    It violates the same laws that were used to put Kevin Mitnick in jail (and lets be clear, he deserved it), unauthorized access to a computer system and unauthorized access to data flowing across a network.

    Hang'em high, I say. Bring Lenovo's leaders out to the chopping block, as well as the leadership of the companies who made any other software that works like this. Its a scam from the very beginning, theres no 'well, maybe its not bad' or 'maybe it was an accident' to it. This is outright bullshit behavior by companies trying to sell a product to someone and then turn that someone into the product for someone else. The entire legal system AND THE PUBLIC need to come down on this like a ton of bricks and make it clear that its unacceptable and will not be tolerated. And by not tolerated I mean 'you will be jailed, not fined'.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  5. Block off programmatic access to cert trust. by mysidia · · Score: 3, Interesting

    The browsers/OSes should harden by eliminating the ability for 3rd party software to automatically install a certificate or CA as trusted into the system database. They should also remove any functionality that allows a 'globally' wildcarded certifacte to be deployed to the browser

    Basically, when the computer's hostname is assigned, or during user profile creation, the trusted certificate store should be reinitialized with only stock certificates approved by the OS maker or browser vendor.

    A machine-specific keypair should be generated and used to stamp all the certificates with a local trust signature.

    Any access to the machine keypair / stamp should be available only through an interactive approval process.

    Sysprep'ing an image or changing the product key should invalidate the local trust mark and require manual re-approval of all certs not in the browser vendor's official trust list.