Superfish Security Certificate Password Cracked, Creating New Attack Vector
In a followup to today's news about junk software included with Lenovo computers, an anonymous reader writes: Robert Graham at Errata Security has published an article announcing his success in extracting the SuperFish self-signed security certificate from the adware which has caused Chinese computer manufacturer Lenovo such embarrassment in the last day. Since SuperFish is already capable of carrying out man-in-the-middle attacks over secure connections on the Lenovo machines which use the certificate, the disclosure of the certificate's password presents hackers with 'a pre-installed hacking environment' which would be difficult to arrange by other means. The password, "komodia," is also the name of the Komodia Redirector framework, which allows its clients to manipulate TCP/IP network sessions "with a few simple clicks."
Re:Nice try (Score:4, Interesting)
Think it through...
1) Drive F/W gets infected.
2) Drive infects OS and UEFI on boot.
3) You detect malware, but don't realise it's in the F/W of the drive. You disinfect the drive and reboot.
4) You notice the malware is still evident, but can't find any trace of it on the drive. You detect it in the UEFI and flash that to get rid of it.
5) You notice it's STILL there, so you assume it must be so deep in the UEFI that you can't get rid of it (which many would consider far more plausible than it being in the DRIVE F/W!). You therefore replace the whole PC, but swap the disk over as you believe the drive (which you have now "securely" wiped) is safe.
6) Guess what's now infected!?!
OR (more likely) you infect an external hard disk and find that you're still spreading malware from machine to machine throughout the PCs of your company/family/friends/whatever, even after you have "securely" wiped it.
Re: (Score:2)
I've been using Fedora Linux for 10 years (yup, that long). I also do no financial transactions with any operating system. I rarely purchase items from the web, as local stores are competitive and often selling at lower cost (That means you newegg, tiger direct, etc. are not competitive).
Re: (Score:2)
If we remove the clock battery from the motherboard, do we just kill the set up params within the clock chip or the virus code as well?
Can Lenovo Be Sued? (Score:2)
Re:Can Lenovo Be Sued? (Score:4, Insightful)
Of course they can be sued. Can you actually win? Probably not. I would assume there's some agreement somewhere when you unwrap the computer saying you accept the software that's installed.
Re: (Score:2)
If the law sees it that way then you need to start selling to businesses and include small print that says "by accepting these goods you sign over all property, goods, chattels and monies under your or the accepting company's ownership, stewardship or control to us without let or hindrance from the date and time noted".
The court then to remain consistent would need to ensure that this small print is held to be equally valid ...
Re: (Score:2)
Worst case scenario, you lose half a day and get nothing, and spend ~$100 on court fees.
But there is a chance, especially with a jury, that you will get reimbursed the laptops cost, and either way Lenovo will spend thousands of dollars in legal fees.
Re: (Score:2)
Every computer you own has security vulnerabilities. Huge ones. Right now there are zero-day vulnerabilities in Windows that we don't know about. Same with Linux. Even OpenBSD probably has some remote vulnerabilities in there (though not many).
If you could win a lawsuit based on vulnerable software, every software company would go out of business.
Re: (Score:2)
Not really, there's a difference between putting a vulnerability in like this and having exploitable bugs.
They didn't purposely put the vulnerability in any more than Microsoft purposely puts its vulnerabilities in. They did purposely try to spy on users, figure out which website they go to, but if that were a crime, basically every Google exec would be in jail right now.
Re: (Score:2)
NSA secret spying software discovered by Russian researchers
Doesn't have "hard drive" in the title. It's a classic example of misdirection, focusing people on the nationality of the researchers that discovered the software, rather than the real issues. You should be ashamed for being part of the coverup!
Well that escalated quickly. (Score:2)
But then I always wiped my Lenovo to install Ubuntu anyway.
Time for a gov't-ordered safety recall??? (Score:2)
Now that the vendor knows this, they may be legally obligated to do a "voluntary" factory recall or face a government-mandated involuntary recall.
not all moneygrubbing is benign (Score:2)
so, we have a for-profit load of a known attack system with name = password from Lenovo.
what was the trade name of this series of laptops, GOTCHA? "New, the GOTCHA from Lenovo, because we want your other financial information, too." great tag line. when do the TV ads start?
HEY! YOU HACKED OUR HACK! (Score:3, Funny)
What's next:
LENOVO: "Hey! You can't exploit or exploit! DMCA DMCA!"
Re: (Score:1)
*our* exploit
Soo soo tired..... (Score:5, Insightful)
Anybody else work in IT and is starting to get depressed?
I am just soo tired of trying to keep up with all the hacking, spying & stealing going on.......
Constantly feeling attacked from all sides (gov, corporations etc.)
Who can you even trust anymore?
I would like to take a more active role in protecting my privacy and personal data, however I do not see how this is possible without completely abandoning all electronic gadgets and the internet?
Re: (Score:2)
Like, who cares?
I mean, it's important and all, but there's different levels of issues. Heartbleed and shellshock are one thing - this is a sketchy manufacturer doing something sketchy. Certainly, it should put them on the level of Sony as Never Ever Buy A PC From Them - they are willing to actively subvert your rights to your own hardware, in ways that the rest of the industry would (presumably) not dream of.
IMO if you bought Lenovo, you didn't give a shit anyway. That doesn't mean you deserve it, but it
Re: (Score:2)
I think the backdoor accusations make them a sketchy company. It's just accusations (well, until this one, lewl!), but I wouldn't trust them personally.
Re: (Score:2)
Why do you assume that Dell, HP or Acer would be any better than Lenovo?
If they are not doing the same, they soon will be. Even if they did not want to do it for moral reasons, the market and capitalism will force them to or risk losing revenue.....
And even if we do sue them and win...they will just come back with 2 new methods to do the same, only this time a little more careful not to get caught.
Re: (Score:2)
Well, there's the fact that Dell, HP, Acer, etc are NOT doing this. That, I feel, is a pretty good indicator.
It's clear that many companies feel obligated to bundle shitware, but that doesn't make it inevitable nor ok. I think it's a good indication that Lenovo is alone on this branch.
Re: (Score:3)
Did you miss the part about how this software breaks the whole certificate validation process? This is worse than Heartbeat for anyone who has an infected laptop. Any HTTPS website can masquerade as another HTTPS website and, because of the way Superfish works, the browser won't detect anything wrong.
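The summary above says the Superfish root certificate is self-signed and its private key is now public, so any site can be impersonated to a machine that still trusts it; since a self-signed root cannot be revoked through CRL/OCSP, the practical check is whether it is still in the Windows trust stores. The following PowerShell is an added example, not code from the article or from any commenter; the subject pattern `*Superfish*` is an assumption, and removal needs an elevated prompt.

```powershell
# Added example: report (and optionally remove) any root-store certificate
# whose Subject or Issuer matches a pattern, in both the machine and the
# current-user Trusted Root stores. The default pattern '*Superfish*' is an
# assumption; the thumbprint is read from whatever is actually installed,
# nothing is hard-coded.
function Find-SuperfishRoot {
    param(
        [string]$SubjectPattern = '*Superfish*',   # assumed match pattern
        [switch]$Remove                            # delete matches (run elevated)
    )
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        $found = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $SubjectPattern -or $_.Issuer -like $SubjectPattern }
        foreach ($cert in $found) {
            # Subject equal to Issuer means a self-signed root: revocation never
            # applies to it, so the only remedy is removing it from the store.
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
            if ($Remove) {
                # Cert: provider deletion requires PowerShell 3.0+ and, for the
                # LocalMachine store, an elevated session.
                Remove-Item -Path $cert.PSPath -Confirm:$false
            }
        }
    }
}

# Report only; add -Remove from an elevated prompt to purge what it finds.
Find-SuperfishRoot | Format-Table -AutoSize
```

Removing the certificate only withdraws the trust; the adware that installed it still has to be uninstalled separately, as a later comment in this thread notes.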
Re: (Score:3)
It's worse than other bugs for anyone who has an infected laptop... but to get an infected laptop, you'd have to buy it from Lenovo and then not purge the disk promptly. It's not an issue because most people aren't ever going to have a Lenovo laptop, nor a bank who uses one, nor a common website that relies on it. Amazon isn't going to lose your credit card number because they run Lenovo laptops or whatever. Unlike the actual real bugs that cause problems, this one is just something that blights consume
Re: (Score:2)
Couldn't agree more, the only time I ever used a Lenovo was when it was handed to me at work. Looks like a pregnant brick, weighs more than a pregnant brick, and generally sucks in all ways considering the pricetag. Besides, I ALWAYS format a new laptop, drivers are usually out of date when it lands in your lap, so you may as well DL the latest ones and make a clean start. Look, what they are doing is wrong, and retarded, when this news goes main
Re: (Score:3, Insightful)
Start down that road, and you'll discover many a companion. Don't lose hope.
Here's one example [prism-break.org]. I'm sure there would be many others.
Re: (Score:2)
Hypothetically this does seem like a good idea.
However I cannot spend the hours and hours necessary to make sure everything is completely secure 100% of the time. And even though the products you linked claim to protect my privacy, the ONLY way I can be 1000% sure is to review each and every line of code myself, look at every chip and circuit on my own. Which is obviously impossible to do.
So that means I have to have faith in others that they are not lying to me (or possibly are compromised and just not awa
Re: (Score:2)
There has never been such a thing as absolute security, only risk management. Reduce your risk to the lowest acceptable level for your needs and/or budget, and insure against catastrophe. That's life.
Re: (Score:2)
Windows computers are a commodity. People will generally buy the cheapest one that would suit them, so the profit margins are going to be low. This means there's a lot of pressure to scare up an additional few dollars per machine, and since most manufacturers do this it won't turn customers away.
Apple computers are not a commodity, being made by only one company, and can have a good-sized profit margin. Apple sells on overall experience, and knows that putting crapware on will hurt the experience and
Re:Soo soo tired..... (Score:5, Funny)
You need some military-grade ICE, man. Smooth as glass... it will flatline any intruder in the blink of an eye.
Re: (Score:2)
Worse than that: there are stories out there that some keyboards & mice have been compromised and record every keystroke, every mouse movement.
Even if somehow you manage to secure your hardware somehow, if you HAVE to use the Internet, you are screwed.......even with strong encryption, you might secure your data as it transits through the internet, however the receiving party on the other end can just as easily leak it via their compromised machines.
And then there are some technologies where strong en
Re: (Score:2)
I know for a fact I am not on top of things.
If somebody (capable that is) decides they are going to target me or my workplace, it's game over I already lost.
And TBH if ANYBODY other than the NSA (and even them I am not sure) makes the claim they can secure your data, THEY ARE FULL OF SHIT.
NOBODY, NOT EVEN HUGE GOV AGENCIES, has the resources to adequately protect themselves. Think about it, Apple, Microsoft and Sony were all recently in the news for having been hacked...We are talking about the guys who MAK
Re: (Score:2)
On the other hand I've worked for several agencies that were protected quite adequately. And some companies too. But I agree that the majority was leaking like a sieve.
But you get what you pay for. Sony has always been horrible when it comes to IT, so I was not surprised there. Especially as they made themselves big targets for hackers worldwide. Apple and Microsoft are more surprising.
Re: (Score:2)
I have rethought them, in that light. I know of at least one government agency and one very large company whose core systems would not have been vulnerable to those attacks, because they expect zero-day vulnerabilities to exist in all of their software, as well as bugs planted by state actors, and deal with security accordingly.
It's bloody expensive if you have to implement that later on, but if you build your IT infrastructure from the ground up it can be done quite effectively.
Of course you can (Score:2)
Cut things into segments small enou
Re: (Score:2)
(Note: I'm the grandparent AC.)
Right, half the point of this would be to defeat the Ken Thompson hack (which is what you're talking about) by cross-compiling with three different, independently-developed systems, or "ideally... by writing a simple bootstrapping C compiler in assembly (and an assembler in machine language) yourself." Maybe I wasn't clear above: the goal is not to compile three different sets of software using the three machines; the goal is to use disparate hardware and software to compile b
Re: (Score:2)
The KTH cannot exist, because the KTH can't possibly recognize all instances of "a compiler," and/or "a login." If it could, it could be used to solve the halting problem.
Therefore one need only evade detection in order to produce a clean binary from an infected compiler, which should, in practice, be trivially done by obfuscating the code. With obfuscation, detection would have to rely on algorithm detection, but that's easily avoided as well, much to the bane of antivirus software.
But, for the sake of a
Re: (Score:2)
If Microsoft won't let you do a clean install with the same license key, then it's Linux Mint for the unfortunate souls who need it to "just work".
Re:Soo soo tired..... (Score:5, Informative)
I was setting up a PC for a friend yesterday and needed to install a popular shareware archival app that has been recognized as the best in its category and has never been bundled with any crap.
I opened up Firefox and typed the name in the search bar which had Yahoo set as the default search provider - as Firefox have notably done recently. I clicked on the first link that appeared, which for all intents and purposes appeared to be the link from the actual creator of said application.
But in fact it was not. It was some sleazebag site which basically bundles a load of crapware into the installer. Even when I carefully unselected all the crapware it was trying to proffer, it still installed a PUP IE addon that Malwarebytes picked up. In short, Yahoo has descended to the level of pushing shady companies which install malware on people's computers and hijack the installers of legitimate shareware products. And Firefox have descended to making this company (Yahoo) their default search provider.
This is total shit. The model of the Internet as some kind of enhanced TV experience which tracks everything people do and targets and infiltrates them has got to stop.
You are totally right in seeing that there is no qualitative difference between what corporations are doing, what governments are doing, and what scammers are doing. We have moved from an age of true innovation to one of scamming. Hence why banking and investment are so big.
Re: (Score:2)
> Anybody else work in IT and is starting to get depressed?
Starting to? Been going on for a while, for me. But it isn't the computers nor the internet which are rotting away it's the companies behind it all -- and the Governments which the companies run!
How to get out of this mess? I fear the only way is to go off the grid as much as possible.
Or a global revolution, and not the it's-morning-in-america-hold-hands-sing-kumbaya good-hearted revolution, I'm talking pitchforks, torches and worse, far worse.
It's gotten to where I just don't read the news much anymore,
No words (Score:5, Insightful)
Preloading advertising spyware with a new computer while knowingly disabling all https and code signing security.
There is selfish, there is stupid, there is dumb and there is criminal batshit insanity.
Having been a fan of Lenovo for years I sincerely hope they are sued into oblivion and face criminal prosecution. No need wasting your time wondering if I will ever buy anything from them again.
Re: (Score:2)
Any sufficiently shocking display of stupidity is indistinguishable from malice
Re: (Score:3)
> I sincerely hope they are sued into oblivion and face criminal prosecution
I'm sure you'll find this feature listed in their terms of service. Sued ... maybe... Sued in to oblivion? Sued and likely to lose a single case? Probably not.
Lenovo didn't learn from Sony's root kit (Score:2)
I simply don't see any long term value in selling out your customers to other unknown companies.
Re: (Score:2)
Sure they did! Sony still exists, after all, which means they learned that big companies can do whatever the fuck they want with no real, lasting repercussions whatsofuckingever!
Re: (Score:3, Informative)
legitimate question: what slashdotter still uses the stock OS on a laptop they purchase?
If by "OS" you mean the factory-installed crypto-signed firmware/bootloader/OS stack which can't be changed without keys the end-user doesn't have, then the answer is "probably more than we would like to think."
Re: (Score:2)
I bought an HP 8510W (Business workstation) Laptop. It came with a DVD with Windows 7, full install. When I re-installed it (bought the Samsung EVO850 SSD - teehee :) ), it was a clean install, with much less hassle. My previous HP gave you the option to burn a Windows Image to DVD.
I'm pretty happy with HP in this area, and for the last 6 years my laptops have been HP's.
Re: (Score:2)
I'm not sure what models you're referring to. My last three or four laptops have been Lenovos, and I never experienced any roadblocks installing Linux on them. I think the BIOS on at least one of these supported a whole-disk encryption but that doesn't even try to prevent you from reformatting and installing an OS.
My vague understanding is that Superfish is Windows software, not part of BIOS or the Windows bootloader, and certainly not grub. You can also apparently uninstall superfish: http://www.cnet.com/h [cnet.com]
Re: (Score:2)
Should I instead hope that Microsoft has a generic driver that will work with whatever fancy new hardware features exist?
Or should I instead wipe out whatever software they pre-installed, and then circle right back around to the manufacturers website, to re-install their driver software after navigating 20 different subpages to find the right version?
Here's my legitimate question back- are you buyi
This name.... (Score:2)
This thing is really called "Superfish"?
At first I thought it was a made-up name by the security guys to resemble "Superphish".....
Re:This name.... (Score:5, Funny)
superfish is the hidden, non-user interface version.
note, the lesser known, CLI version is called shellfish
(thank you, I'll be here all night.)
Re: (Score:3)
Frankly, I'm having a hard time seeing how Lenovo recovers from this.
Internet 3 (Score:2)
Re: (Score:2)
Here you go: https://geti2p.net/en/ [geti2p.net]
Best I've found so far.
Truecrypt does not help (Score:1)
I thought for a minute that Truecrypt could help, as all the data on the HD is encrypted, but firmware malware can easily substitute the Truecrypt boot sector with an identical-looking keylogging version.
Microsoft cert revocation (Score:2)
I sincerely hope that Microsoft pushes an immediate revocation of the certificate and an updated removal kit that removes Superfish altogether over Windows update.
Re: (Score:1)
> I sincerely hope that Microsoft pushes an immediate revocation of the certificate and an updated removal kit that removes Superfish altogether over Windows update.
Too bad the certificate is self signed.
Update to Windows Defender? (Score:2)
Whether Lenovo is engaged or not, it seems Microsoft may wish to issue a purging through a Windows Defender update. This would probably be the healthiest thing for all around.
Hopefully this will be a lesson to all the vendors about the risks of taking money for shovelware....
Thanks for the info. (Score:3)
I missed the previous article. Just checked my son's laptop that I bought him for Christmas and had to remove this crap. Thanks to whoever exposed this.
That was my first and last Lenovo ever (as in "my first Sony"). What were they thinking.
Official Statement (Score:2)
In the meantime, Lenovo made an official statement on the 3rd party "Experience Enhancement Software"...
http://news.lenovo.com/article... [lenovo.com]
Also listed at the end of the statement, the affected models.
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Re: (Score:3)
> At Lenovo, we make every effort to provide a great user experience for our customers
> In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish
PR words are beyond amazingness; when did this become a supreme art like that?
Is this message really useful to ... anything?
Re: (Score:2)
It doesn't take government operatives... At this point, it's a dupe. I already raised both the issue of all current manufacturers being affected and the fact that not enough actual information was released. It's not a conspiracy in this case, it's just bad reporting being moderated as such.
If someone submits the Kaspersky article, maybe it'll get more traction. Instead, we keep getting submissions that are all hype and no substance, filled with editorialization and almost zero facts. People have tried t
Re: (Score:2)
Personally I couldn't care less about this story - I'm guessing a lot of people that took the time to find and read the original Kaspersky articles will think the same. It's extremely rare to find that malware in the wild, and of those where it was found, Kaspersky only ever found 3 instances where it had been used.
TL;DR: your hard disk is vulnerable when your machine has already been taken over. I think we already knew that. It sucks that you have to buy a new disk, but since it's still incredibly rare to be
Re: (Score:1)
I also notice that we don't have a bunch of articles about how snipers can kill you while you cross the street -- ANY STREET. The truth is that the HD angle isn't really news, beyond being a novel bootkit variant. There are sites trying to spin it into something bigger, but they generally don't understand what's happening in the first place.
Oh, and you can also be infected via the BIOS, and even on UEFI devices during the initial stages of hardware negotiation (which is likely where this stuff sneaks in an
Re: (Score:2)
This is why you use VMs. If malware hits the disk, it is going to find a generic HDD, like a VMWare Virtual drive, and that vector of attack stops for good right there.
We are almost at a point where we should virtualize everything, and what sits at the bare metal is a hypervisor, where there is a definite layer of separation between the OS and devices. This way, a compromise on the OS level won't allow hardware to be tampered with. If there is a firmware update needed, then it should be made available fo
Re: (Score:1)
There *is* malware out there that actively exploits known VMs (mostly VMWare, but also VirtualBox) and escapes the VM by knowing where it hooks the host. The nasty part about these is that since they're exploiting the VM, they effectively act like a rootkit once they hit the host; you're not likely to notice what they're actually doing until it's too late.
On the other side, most malware can either be contained by a VM, or in many cases, will have AntiVM code baked-in, so it won't even run if it notices it'
Re: (Score:1)
The fun thing is, I don't really mind being called a damage control operative, unlike the real ones :) The reason it sounds like I'm deliberately trying to downplay it is because it's not the issue many are making it out to be. I'm all for exploring what *could* happen (my post history will attest to that) but at the end of the day, it's not really much of an issue.
Re: (Score:2)
Slashdot: Olds for nerds, stuff.