Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps

Ars Technica reports on the continuing revelations about the same junkware that Lenovo has shipped on their computers, but which is known now to be present in at least 14 pieces of software. The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider. ... What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."

List 'em in the summary, slashdot.

List 'em in the summary, slashdot.

Re:List 'em in the summary, slashdot.

[DarkOx]

        CartCrunch Israel LTD
        WiredTools LTD
        Say Media Group LTD
        Over the Rainbow Tech
        System Alerts
        ArcadeGiant
        Objectify Media Inc
        Catalytix Web Services
        OptimizerMonitor

Re:List 'em in the summary, slashdot.

That's supposed to be the list? Thanks, Ars Technicrap. Nnot only is that not "at least 12", the few things on that list that are actual software are already known to be malware.

Re:List 'em in the summary, slashdot.

[Deathlizard]

So basically, all of the names make it look like it's an Adware firm. Awesome.

Is this really news to the security community at this point? I've been saying that Adware is a virus for almost a decade now and they're finally starting to see it?

Does this mean that the AV Firms (MS, Mcafee, Norton, ETC) are finally going to get tough on adware infections? Something tells me no. I'll believe it when Conduit, Dealio, Wajam and the like get flagged my more than 1/2 of the AV Vendors out there.

Mossad connection

CartCrunch Israel LTD
        WiredTools LTD
        Say Media Group LTD
        Over the Rainbow Tech
        System Alerts
        ArcadeGiant
        Objectify Media Inc
        Catalytix Web Services
        OptimizerMonitor

Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored. That would also help explain why Homeland Security put out urgent guidance to remove the crapware and even Microsoft added detection directly to their anti-malware tools. NSA doesn't like being upstaged on its own turf.

Re:Mossad connection

[wiredlogic]

They're a paper ally because they provide a convenient way to funnel our "aid" money into domestic arms production. A state that is always at war always needs bullets and we're only too happy to buy them on the American taxpayer's behalf, "gratis". This helps float the MIC when we're in between wars. Holocaust guilt prevents any criticism from gaining public traction.

Re:Mossad connection

[msauve]

OK, if you say so.

Re:Mossad connection

[Severus+Snape]

Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored. That would also help explain why Homeland Security put out urgent guidance to remove the crapware and even Microsoft added detection directly to their anti-malware tools. NSA doesn't like being upstaged on its own turf.

I love a good conspiracy as much as the next one but calm yourself. No idea why you got the + mod points. Jumping to random conclusions based on conjecture is silly. That said, I'm sure MOSSAD likes to get up to all kinds of evil shit. Just like their Five Eyes, Russian, and Chinese colleges do. Homeland Security and Microsoft reacted to Superfish because the information was in the public domain. In the same way we are reacting to it by discussing it right now.

Re:Mossad connection

[cavreader]

They are an ally because they have developed several weapons technologies that the US military uses. They are US allies because the US intelligence community comes in a distant second place when it comes to collecting data in that part of the world and need Israel to provide the information they are incapable of collecting on their own. They are US allies because it is the only thing keeping Israel from selling their weapons technology on the open market. China has already shown interest in the Israeli missile and drone technologies. And countries do not have friends they have interests and the Israeli and US interests are pretty well aligned most of the time.

Re:Mossad connection

[Demonoid-Penguin]

Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored.

Yep. Definitely Mossad. Coz who else would use Komodia as the certificate password. Not enough proof? The guy who runs Komodia used to be a programmer for Mossad. (till they gave him the boot for being a moron)

In other news, spyware modules in an attack against a movie studio prove it was North Korea - obviously pissed about an intelligent blockbuster satire that threatened to provoke a rebellion. Don't listen to those communists like Krebbs who pedal the SAAS malware lie.
Still not convinced it's all a simple plot even an idiot with the attention span of a goldfish on amphetamines in a shopping centre sees right through? Those North Korean (commie bastards) used the same IP addresses to launch their attack (don't listen to the commie lies about how they are commonly used anonymous proxies)

Komodia is a woody word! And so is Disney! AND Komodia == comode == toilet. And we all know what Walt used glass tables for!
Seven Dwarfs == Seven Secret Agencies! Those damn shape-shifting lizard people are pissing with us!

P.S. Do not believe those commie "false flag" lies either... (compilation time stamps can't be faked).

As the guy living in the local bus shelter told me " IT's all connected. And he would know.

Re:Mossad connection

[PlusFiveTroll]

Gentlemen, you can't fight in here! This is the War Room!

If the software is this bad

[fustakrakich]

I would contend there are problems in the hardware also. This one runs deep. Everything on the market needs further inspection. More so now with all the governments demanding backdoors.

Re:If the software is this bad

[jones_supa]

It's becoming too complicated to verify everything. Last week it was revealed how NSA has a spyware kit for firmwares of all HDD brands. It's getting pretty crazy.

Re:If the software is this bad

Sure, but in the bigger picture, the lion's share of all these security problems lay firmly in Window's lap. It's almost impossible to imagine an app with this kimodia garbage getting signed by Apple, or inserted into a Linux/BSD repo.

We're not even talking about PEBKAC here, it's an extraordinarily serious issue that affects the entire Windows ecosphere because it's prepackaged. Every box that ships with Windows comes from a vendor who only cares about making a few extra cents per unit.

Notice I didn't necessarily say Microsoft was to blame, just that using Windows is like playing Russian roulette with your financial and social well-being. "It's getting pretty crazy" because just by booting up a Windows system means 5 of the 6 chambers have a bullet.

Legality

[BitZtream]

I'm fairly certain just installing this software is illegal.

Its not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

It violates the same laws that were used to put Kevin Mitnick in jail (and lets be clear, he deserved it), unauthorized access to a computer system and unauthorized access to data flowing across a network.

Hang'em high, I say. Bring Lenovo's leaders out to the chopping block, as well as the leadership of the companies who made any other software that works like this. Its a scam from the very beginning, theres no 'well, maybe its not bad' or 'maybe it was an accident' to it. This is outright bullshit behavior by companies trying to sell a product to someone and then turn that someone into the product for someone else. The entire legal system AND THE PUBLIC need to come down on this like a ton of bricks and make it clear that its unacceptable and will not be tolerated. And by not tolerated I mean 'you will be jailed, not fined'.

Re:Legality

[Dunbal]

The law does not and should not shield you from breaking the law.

Re:Legality

[oodaloop]

Hang'em high, I say. Bring Lenovo's leaders out to the chopping block, as well as the leadership of the companies who made any other software that works like this

Yeah! And while we're at it, I'd like a pony. A white one.

Re:Legality

[DarkOx]

Yes it would in fringe on your freedoms. Its the MMU's job to enforce the Law not big brother Compilers.

Re:Legality

git: 'gud' is not a git command. See 'git --help'.

Re: Legality

[jd2112]

Careful. That pony could be a Trojan Horse. Albeit a small one.

Re:Legality

[gnasher719]

Its not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

Says who?

What is confusing you is that the sale isn't completed until you accept the EULA. It may be true that you can't read the EULA when you hand over the money, but in that case you can take the computer or software home, read the EULA, decide that you don't want to accept it, take the computer back to the store and get your money back.

That said, a computer which allows a third party to read for example a credit card number that I enter into my browser, is not "fit for purpose", and on these grounds you should be able to return it to the seller and get your money back if you live in the EU or some other places.

Block off programmatic access to cert trust.

[mysidia]

The browsers/OSes should harden by eliminating the ability for 3rd party software to automatically install a certificate or CA as trusted into the system database. They should also remove any functionality that allows a 'globally' wildcarded certifacte to be deployed to the browser

Basically, when the computer's hostname is assigned, or during user profile creation, the trusted certificate store should be reinitialized with only stock certificates approved by the OS maker or browser vendor.

A machine-specific keypair should be generated and used to stamp all the certificates with a local trust signature.

Any access to the machine keypair / stamp should be available only through an interactive approval process.

Sysprep'ing an image or changing the product key should invalidate the local trust mark and require manual re-approval of all certs not in the browser vendor's official trust list.

Re:Block off programmatic access to cert trust.

[BitZtream]

And if your machine can automatically do all those things ... so can third party software because in order for you to do everything you want to do, there has to be a pragmatic way to do so, and if the OS can do it, so can any other software that has admin rights.

Either way, you don't want to put that sort of power into the vendors hands, since it means they effectively have created the Apple App store, and if thats what you really want, just buy a Mac and stop using Windows (your first mistake).

The only way to prevent this sort of thing is by not installing software that does it.

But lets ignore all the problems with what you're suggesting and assume it works ... Lenovo would have just approved the certs before they shipped the machine. Or the machine would prompt the user, who would blindly do so on boot, just like all the other things users blindly do.

If you want to prevent this from happening, put the people who do this AND the people who make the decisions to do this, IN JAIL.

Both the developers who write the code to do it and the management who tells them to do so. Assign some personal responsibility for this shit and watch how it suddenly changes. The problem in America is that anyone in a company can basically do whatever they want and hide behind 'the company' who then gets some minor fine (Relatively) and the guy who did it doesn't care one bit.

Microsoft's fault

[countach]

Microsoft needs to grow a pair and lay down the law to any company that wants to be an OEM for their products. Apple wouldn't let the carriers pull this stunt on their phones.

Re:Microsoft's fault

[Solandri]

Microsoft needs to grow a pair and lay down the law to any company that wants to be an OEM for their products. Apple wouldn't let the carriers pull this stunt on their phones.

I think Apple prohibiting carriers from doing this sort of stuff is more about keeping competitors under their thumb, not about protecting users. They're not above pulling this crap themselves at their users' expense. They surreptitiously slurped up users' location and wifi SSID data to build their own wifi map (the following year, they dumped the company they'd been paying to lease such a map). You know, the same thing Google got in trouble for because they went to the trouble to try to do it the right way, and had their own employees drive around doing the data gathering (not their Android users), then found out later they'd recorded a lot more than SSID.

Your mean "Code you own"?

[l2718]

This is a software issue, not a hardware issue. Unless you propose to personally code the entire operating system and every application program, that is not practical.

That said, replacing the preinstalled OS with a free one is my first step when buying a new computer. Most recently I managed to buy a PC without an OS at all, but that's rare,

Dude, we want a UNICORN pony!

[billstewart]

Not just any boring vanilla pony - we want a unicorn pony and rainbows and the whole bit!

Lenovo probably will fire somebody, for embarrassing them, but it won't change the number of vendors of crapware out there. Lenovo's certainly not going to take the kind of financial hit that Gemalto did when the public found that the GCHQ had pwned all the SIM cards they sold. Maybe one or two adware companies will lose a non-trivial percentage, but there's a market for sleazy advertising and there's a market for having software companies pay to Add Valuable Features to your hardware.

Re:Superfish is present in Flash Video Downloader

[operator_error]

You may be right, I don't know. I just want to point out an open-source javacript is called superfish, and I'm pretty sure this library is something else entirely, and benign. http://users.tpg.com.au/j_birc...

Re:Mossad connection is a red herring

[DrXym]

Besides, if it really was Mossad, they'd have done a much better job.

If it was really Mossad they'd be installing the code onto PCs used by their enemies for intelligence gathering. They wouldn't be installing it onto new PCs so they could popup ads for penis enlargement pills.

Re:Superfish is present in Flash Video Downloader

[jorgevillalobos]

The version of Superfish included in Firefox add-ons (at least the ones on addons.mozilla.org) don't do any cert store manipulation. All they do is inject scripts into shopping sites to show offer ads.

Re:Superfish is present in Flash Video Downloader

[ColdWetDog]

This is the top of the superfish.js listing. Not that I understand Javascript very well (where are the line numbers?) but it seems fairly innocuous...

*
  * Superfish v1.4.8 - jQuery menu widget
  * Copyright (c) 2008 Joel Birch
  *
  * Dual licensed under the MIT and GPL licenses:
  * http://www.opensource.org/lice...
  * http://www.gnu.org/licenses/gp...
  *
  * CHANGELOG: http://users.tpg.com.au/j_birc...
  */ ;(function($){
        $.fn.superfish = function(op){

                var sf = $.fn.superfish,
                        c = sf.c,
                        $arrow = $([' '].join('')),
                        over = function(){
                                var $$ = $(this), menu = getMenu($$);
                                clearTimeout(menu.sfTimer);
                                $$.showSuperfishUl().siblings().hideSuperfishUl();
                        }, .....