
Security

Superfish Security Certificate Password Cracked, Creating New Attack Vector

In a followup to today's news about junk software included with Lenovo computers, an anonymous reader writes Robert Graham at Errata Security has published an article announcing his success in extracting the SuperFish self-signed security certificate from the adware which has caused Chinese computer manufacturer Lenovo such embarrassment in the last day. Since SuperFish is already capable of carrying out man-in-the-middle attacks over secure connections on the Lenovo machines which use the certificate, the disclosure of the certificate's password presents hackers with a 'pre-installed hacking environment' which would be difficult to arrange by other means. The password, "komodia," is also the name of the Komodia Redirector framework, which allows its clients to manipulate TCP/IP network sessions "with a few simple clicks."
  • I mean, even without this, they were performing man-in-the-middle attacks on their customers. Doesn't something like the DMCA apply when you're hijacking banking websites?
    • by Anonymous Coward on Thursday February 19, 2015 @02:40PM (#49089947)

      Of course they can be sued. Can you actually win? Probably not. I would assume there's some agreement somewhere when you unwrap the computer saying you accept the software that's installed.

      • by pbhj ( 607776 )

        If the law sees it that way then you need to start selling to businesses and include small print that says "by accepting these goods you sign over all property, goods, chattels and monies under your or the accepting company's ownership, stewardship or control to us without let or hindrance from the date and time noted".

        The court then to remain consistent would need to ensure that this small print is held to be equally valid ...

      • Small claims court- You don't need to pay a lawyer, you can just present your side of the story to a judge or jury
        Worst case scenario, you lose half a day and get nothing, and spend ~$100 on court fees.
        But there is a chance, especially with a jury, that you will get reimbursed the laptop's cost, and either way Lenovo will spend thousands of dollars in legal fees.
    • Think of it like this:

      Every computer you own has security vulnerabilities. Huge ones. Right now there are zero-day vulnerabilities in Windows that we don't know about. Same with Linux. Even OpenBSD probably has some remote vulnerabilities in there (though not many).

      If you could win a lawsuit based on vulnerable software, every software company would go out of business.
  • But then I always wiped my Lenovo to install Ubuntu anyway.

  • Now that the vendor knows this, they may be legally obligated to do a "voluntary" factory recall or face a government-mandated involuntary recall.

  • so, we have a for-profit load of a known attack system with name = password from Lenovo.

    what was the trade name of this series of laptops, GOTCHA? "New, the GOTCHA from Lenovo, because we want your other financial information, too." great tag line. when do the TV ads start?

  • by arfonrg ( 81735 ) on Thursday February 19, 2015 @02:45PM (#49089991)

    What's next:

    LENOVO: "Hey! You can't exploit or exploit! DMCA DMCA!"

  • Soo soo tired..... (Score:5, Insightful)

    by dablow ( 3670865 ) on Thursday February 19, 2015 @02:46PM (#49090013)

    Anybody else work in IT and is starting to get depressed?

    I am just soo tired of trying to keep up with all the hacking, spying & stealing going on.......

    Constantly feeling attacked from all sides (gov, corporations etc.)

    Who can you even trust anymore?

    I would like to take a more active role in protecting my privacy and personal data, however I do not see how this is possible without completely abandoning all electronic gadgets and the internet?

    • by cfalcon ( 779563 )

      Like, who cares?

      I mean, it's important and all, but there's different levels of issues. Heartbleed and shellshock are one thing- this is a sketchy manufacturer doing something sketchy. Certainly, it should put them on the level of Sony as Never Ever Buy A PC From Them- they are willing to actively subvert your rights to your own hardware, in ways that the rest of the industry would (presumably) not dream of.

      IMO if you bought Lenovo, you didn't give a shit anyway. That doesn't mean you deserve it, but it

      • by dablow ( 3670865 )

        Why do you assume that Dell, HP or Acer would be any better than Lenovo?

        If they are not doing the same, they soon will be. Even if they did not want to do it for moral reasons, the market and capitalism will force them to or risk losing revenue.....

        And even if we do sue them and win...they will just come back with 2 new methods to do the same, only this time a little more careful not to get caught.

        • by cfalcon ( 779563 )

          Well, there's the fact that Dell, HP, Acer, etc are NOT doing this. That, I feel, is a pretty good indicator.

          It's clear that many companies feel obligated to bundle shitware, but that doesn't make it inevitable nor ok. I think it's a good indication that Lenovo is alone on this branch.

      • I mean, it's important and all, but there's different levels of issues. Heartbleed and shellshock are one thing- this is a sketchy manufacturer doing something sketchy.

        Did you miss the part about how this software breaks the whole certificate validation process? This is worse than Heartbleed for anyone who has an infected laptop. Any HTTPS website can masquerade as another HTTPS website and, because of the way Superfish works, the browser won't detect anything wrong.

        • by cfalcon ( 779563 )

          It's worse than other bugs for anyone who has an infected laptop... but to get an infected laptop, you'd have to buy it from Lenovo and then not purge the disk promptly. It's not an issue because most people aren't ever going to have a Lenovo laptop, nor a bank who uses one, nor a common website that relies on it. Amazon isn't going to lose your credit card number because they run Lenovo laptops or whatever. Unlike the actual real bugs that cause problems, this one is just something that blights consume

      • IMO if you bought Lenovo, you didn't give a shit anyway
        Couldn't agree more, the only time I ever used a Lenovo was when it was handed to me at work. Looks like a pregnant brick, weighs more than a pregnant brick, and generally sucks in all ways considering the pricetag. Besides, I ALWAYS format a new laptop, drivers are usually out of date when it lands in your lap, so you may as well DL the latest ones and make a clean start. Look, what they are doing is wrong, and retarded, when this news goes main
    • Re: (Score:3, Insightful)

      by webanish ( 1045264 )
      Between ignorance and despair is action...
      Start down that road, and you'll discover many a companion. Don't lose hope.

      Here's one example [prism-break.org]. I'm sure there would be many others.
      • by dablow ( 3670865 )

        Hypothetically this does seem like a good idea.

        However I cannot spend the hours and hours necessary to make sure everything is completely secure 100% of the time. And even though the products you linked claim to protect my privacy, the ONLY way I can be 1000% sure is to review each and every line of code myself, look at every chip and circuit on my own. Which is obviously impossible to do.

        So that means I have to have faith in others that they are not lying to me (or possibly are compromised and just not awa

        • There has never been such a thing as absolute security, only risk management. Reduce your risk to the lowest acceptable level for your needs and/or budget, and insure against catastrophe. That's life.

    • by MetalliQaZ ( 539913 ) on Thursday February 19, 2015 @03:07PM (#49090175)

      You need some military-grade ICE, man. Smooth as glass... it will flatline any intruder in the blink of an eye.

    • If Microsoft won't let you do a clean install with the same license key, then it's Linux Mint for the unfortunate souls who need it to "just work"

    • by execthis ( 537150 ) on Thursday February 19, 2015 @05:24PM (#49091393)

      I was setting up a PC for a friend yesterday and needed to install a popular shareware archival app that has been recognized as the best in its category and has never been bundled with any crap.

      I opened up Firefox and typed the name in the search bar which had Yahoo set as the default search provider - as Firefox have notably done recently. I clicked on the first link that appeared, which for all intents and purposes appeared to be the link from the actual creator of said application.

      But in fact it was not. It was some sleazebag site which basically bundles a load of crapware into the installer. Even when I carefully unselected all the crapware it was trying to proffer, it still installed a PUP IE addon that Malwarebytes picked up. In short, Yahoo has descended to the level of pushing shady companies which install malware on people's computers and hijack the installers of legitimate shareware products. And Firefox have descended to making this company (Yahoo) their default search provider.

      This is total shit. The model of the Internet as some kind of enhanced TV experience which tracks everything people do and targets and infiltrates them has got to stop.

      You are totally right in seeing that there is no qualitative difference between what corporations are doing, what governments are doing, and what scammers are doing. We have moved from an age of true innovation to one of scamming. Hence why banking and investment are so big.

    • Anybody else work in IT and is starting to get depressed?

      Starting to? Been going on for a while, for me. But it isn't the computers nor the internet which are rotting away it's the companies behind it all -- and the Governments which the companies run!

      How to get out of this mess? I fear the only way is to go off the grid as much as possible.

      Or a global revolution, and not the it's-morning-in-america-hold-hands-sing-kumbaya good-hearted revolution, I'm talking pitchforks, torches and worse, far worse.

      It's gotten to where I just don't read the news much anymore,

  • No words (Score:5, Insightful)

    by WaffleMonster ( 969671 ) on Thursday February 19, 2015 @02:48PM (#49090029)

    Preloading advertising spyware with a new computer while knowingly disabling all https and code signing security.

    There is selfish, there is stupid, there is dumb and there is criminal batshit insanity.

    Having been a fan of Lenovo for years I sincerely hope they are sued into oblivion and face criminal prosecution. No need wasting your time wondering if I will ever buy anything from them again.

    • This needed to happen to a major vendor. Just so all the other computer makers can see how monumentally stupid an idea it is to let their Marketing division talk them into bypassing security for the sake of some ad revenue.
      • Re:No words (Score:5, Insightful)

        by SoCalChris ( 573049 ) on Thursday February 19, 2015 @05:58PM (#49091547) Journal
        Yes, this is monumentally stupid on their part. But I'll be shocked if there's any real consequences for it. The other manufacturers are all watching to see how much backlash there is, and how quickly people forget and move on to see if this is something that they'll want to do in the future as well. Consumers won't care about this, and business will carry on as usual soon enough.
    • Any sufficiently shocking display of stupidity is indistinguishable from malice

    • Re:No words (Score:4, Interesting)

      by Gr8Apes ( 679165 ) on Thursday February 19, 2015 @05:26PM (#49091407)
      It already happened to Sony, recall the CD rootkit incident? That was even more evil, as it wasn't just malware, but an actual attack. Sony's still around but they seem to be having some financial trouble of late or something. Karma sure can be a bitch.
    • I sincerely hope they are sued into oblivion and face criminal prosecution

      I'm sure you'll find this feature listed in their terms of service. Sued ... maybe... Sued in to oblivion? Sued and likely to lose a single case? Probably not.

    • by dbIII ( 701233 )
      A small business owner doing this would go to jail. Let's see the acrobatics used to justify why the people at Lenovo don't.
  • I simply don't see any long-term value in selling out your customers to other unknown companies.

    • Sure they did! Sony still exists, after all, which means they learned that big companies can do whatever the fuck they want with no real, lasting repercussions whatsofuckingever!

  • Comment removed based on user account deletion
    • Re: (Score:3, Informative)

      by davidwr ( 791652 )

      legitimate question: what slashdotter still uses the stock OS on a laptop they purchase?

      If by "OS" you mean the factory-installed crypto-signed firmware/bootloader/OS stack which can't be changed without keys the end-user doesn't have, then the answer is "probably more than we would like to think."

      • Yeah some of us are a little lazy.
      • by TopherC ( 412335 )

        I'm not sure what models you're referring to. My last three or four laptops have been Lenovos, and I never experienced any roadblocks installing Linux on them. I think the BIOS on at least one of these supported a whole-disk encryption but that doesn't even try to prevent you from reformatting and installing an OS.

        My vague understanding is that Superfish is Windows software, not part of BIOS or the Windows bootloader, and certainly not grub. You can also apparently uninstall superfish: http://www.cnet.com/h [cnet.com]

    • Who uses the same stock OS that has the specific drivers for that exact model's hardware already loaded..?
      Should I instead hope that Microsoft has a generic driver that will work with whatever fancy new hardware features exist?
      Or should I instead wipe out whatever software they pre-installed, and then circle right back around to the manufacturers website, to re-install their driver software after navigating 20 different subpages to find the right version?
      Here's my legitimate question back- are you buyi
  • this thing is called really "Superfish"?

    At first I thought it's a made-up name by the security guys to resemble "Superphish".....

  • Please tell me some academics / F/OSS folk / people who truly believe in rights and privacies are working on a clean-sheet, Security is Job One replacement for the now nearly useless sieve we call the Internet.
  • by Anonymous Coward

    I thought for a minute that Truecrypt could help, as all the data on the HD is encrypted, but firmware malware can easily substitute the truecrypt boot sector with an identically looking keylogging version.

  • I sincerely hope that Microsoft pushes an immediate revocation of the certificate and an updated removal kit that removes Superfish altogether over Windows update.

    • by Anonymous Coward

      I sincerely hope that Microsoft pushes an immediate revocation of the certificate and an updated removal kit that removes Superfish altogether over Windows update.

      Too bad the certificate is self signed.

  • Whether Lenovo is engaged or not, it seems Microsoft may wish to issue a purging through a Windows defender update. This would probably be the healthiest thing for all around.

    Hopefully this will be a lesson to all the vendors about the risks of taking money for shovelware....

  • by Rashdot ( 845549 ) on Thursday February 19, 2015 @08:30PM (#49092177)

    I missed the previous article. Just checked my son's laptop that I bought him for Christmas and had to remove this crap. Thanks to whoever exposed this.

    That was my first and last Lenovo ever (as in "my first Sony"). What were they thinking.

  • In the mean time, Lenovo made an official Statement on the 3rd Party "Experience Enhancement Software"...

    http://news.lenovo.com/article... [lenovo.com]

    Also listed at the end of the statement, the affected models.

    G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
    U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
    Y Series: Y430P, Y40-70, Y50-70
    Z Series: Z40-75, Z50-75, Z40-70, Z50-70
    S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
    Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
    MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
    YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
    E Series: E10-30

    • > At Lenovo, we make every effort to provide a great user experience for our customers
      > In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish

      PR words are beyond amazingness; when did this become a supreme art like that?
      Is this message really useful to ... anything?
