Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Encryption Windows

Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps 113

Ars Technica reports on the continuing revelations about the same junkware that Lenovo has shipped on their computers, but which is known now to be present in at least 14 pieces of software. The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider. ... What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."
This discussion has been archived. No new comments can be posted.

Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps

Comments Filter:
  • by Anonymous Coward on Sunday February 22, 2015 @05:39PM (#49107675)

    List 'em in the summary, slashdot.

    • by DarkOx ( 621550 ) on Sunday February 22, 2015 @06:04PM (#49107751) Journal

              CartCrunch Israel LTD
              WiredTools LTD
              Say Media Group LTD
              Over the Rainbow Tech
              System Alerts
              ArcadeGiant
              Objectify Media Inc
              Catalytix Web Services
              OptimizerMonitor

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        That's supposed to be the list? Thanks, Ars Technicrap. Nnot only is that not "at least 12", the few things on that list that are actual software are already known to be malware.

      • The last time I checked a version of Superfish was installed in the Flash Video Downloader for Android available from the official Mozilla Addons download website.

        In the FVD source I have locally, the files of interest are superfish_titles.txt and superfish.js which are both in the modules/ directory.

        I can't remember if the same source kit is used for desktop Firefox.

      • So basically, all of the names make it look like it's an Adware firm. Awesome.

        Is this really news to the security community at this point? I've been saying that Adware is a virus for almost a decade now and they're finally starting to see it?

        Does this mean that the AV Firms (MS, Mcafee, Norton, ETC) are finally going to get tough on adware infections? Something tells me no. I'll believe it when Conduit, Dealio, Wajam and the like get flagged my more than 1/2 of the AV Vendors out there.

  • Mossad connection (Score:4, Interesting)

    by Anonymous Coward on Sunday February 22, 2015 @05:44PM (#49107691)

    CartCrunch Israel LTD
            WiredTools LTD
            Say Media Group LTD
            Over the Rainbow Tech
            System Alerts
            ArcadeGiant
            Objectify Media Inc
            Catalytix Web Services
            OptimizerMonitor

    Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored. That would also help explain why Homeland Security put out urgent guidance to remove the crapware and even Microsoft added detection directly to their anti-malware tools. NSA doesn't like being upstaged on its own turf.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      But Israel is an ally.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Israel is an "ally" only to the extent we allow them to be in order to serve our own interests. Mossad isn't a friend so much as the (irresponsible and unhinged) enemy of an enemy.

        • Ziva David is still hot though, right?

        • The relationship "is an enemy of an enemy" is so far reaching that Israel is an enemy of an enemy of Iran, Iran is an enemy of an enemy of the US and the US is an enemy of an enemy of Israel. So, Iran and the US should ally to destroy Israel, or US and Israel should ally to destroy Iran, or Iran and Israel should ally to destroy the US. Or have everyone kill each other, but it isn't easy to ensure total destruction of everyone in this scenario. More satisfying solutions are "do nothing" (no one dies), or ev

      • by wiredlogic ( 135348 ) on Sunday February 22, 2015 @07:06PM (#49107985)

        They're a paper ally because they provide a convenient way to funnel our "aid" money into domestic arms production. A state that is always at war always needs bullets and we're only too happy to buy them on the American taxpayer's behalf, "gratis". This helps float the MIC when we're in between wars. Holocaust guilt prevents any criticism from gaining public traction.

        • They are an ally because they have developed several weapons technologies that the US military uses. They are US allies because the US intelligence community comes in a distant second place when it comes to collecting data in that part of the world and need Israel to provide the information they are incapable of collecting on their own. They are US allies because it is the only thing keeping Israel from selling their weapons technology on the open market. China has already shown interest in the Israeli miss

        • by jafac ( 1449 )

          oooh. someone "gets it". Finally.

      • Re: (Score:3, Interesting)

        by msauve ( 701917 )
        OK [wikipedia.org], if you [wikipedia.org] say so [newsweek.com].
    • Israel doesn't have a lot of revenue sources or natural resources, so high-tech products like software are important to them, even more so than growing oranges on Palestinian land. And everybody has to serve in the army, except a few specially exempted groups, so just about everybody with a college education has been in the Army before they got that high-tech job, and a lot of them did computer jobs in the Army as well as marching around with Uzis, because every army these days needs computer technology.

      • by DrXym ( 126579 )

        Besides, if it really was Mossad, they'd have done a much better job.

        If it was really Mossad they'd be installing the code onto PCs used by their enemies for intelligence gathering. They wouldn't be installing it onto new PCs so they could popup ads for penis enlargement pills.

      • Not actually true. Ultra-orthodox Jews do not (yet) have to serve in the army.

        <sarcasm>After all, the ultra-orthodox never provoke any trouble with the Palestinians, so why should they contribute to defence?</sarcasm>

    • by Severus Snape ( 2376318 ) on Sunday February 22, 2015 @10:49PM (#49108973)

      Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored. That would also help explain why Homeland Security put out urgent guidance to remove the crapware and even Microsoft added detection directly to their anti-malware tools. NSA doesn't like being upstaged on its own turf.

      I love a good conspiracy as much as the next one but calm yourself. No idea why you got the + mod points. Jumping to random conclusions based on conjecture is silly. That said, I'm sure MOSSAD likes to get up to all kinds of evil shit. Just like their Five Eyes, Russian, and Chinese colleges do. Homeland Security and Microsoft reacted to Superfish because the information was in the public domain. In the same way we are reacting to it by discussing it right now.

    • Hey look, there's Israel again (at least 3 times in fact). This Komodia/Superfish crap is likely Mossad sponsored.

      Yep. Definitely Mossad. Coz who else would use Komodia as the certificate password [marcrogers.org]. Not enough proof? The guy who runs Komodia used to be a programmer for Mossad. (till they gave him the boot for being a moron)

      In other news, spyware modules in an attack against a movie studio prove it was North Korea - obviously pissed about an intelligent blockbuster satire that threatened to provoke a rebellion. Don't listen to those communists like Krebbs who pedal the SAAS [marcrogers.org] malware lie.
      Still not convinced it's all a sim

  • by fustakrakich ( 1673220 ) on Sunday February 22, 2015 @05:46PM (#49107699) Journal

    I would contend there are problems in the hardware also. This one runs deep. Everything on the market needs further inspection. More so now with all the governments demanding backdoors.

    • by jones_supa ( 887896 ) on Sunday February 22, 2015 @06:55PM (#49107945)
      It's becoming too complicated to verify everything. Last week it was revealed how NSA has a spyware kit for firmwares of all HDD brands [engadget.com]. It's getting pretty crazy.
      • Sounds like computer cleanup is a great business opportunity.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Sure, but in the bigger picture, the lion's share of all these security problems lay firmly in Window's lap. It's almost impossible to imagine an app with this kimodia garbage getting signed by Apple, or inserted into a Linux/BSD repo.

        We're not even talking about PEBKAC here, it's an extraordinarily serious issue that affects the entire Windows ecosphere because it's prepackaged. Every box that ships with Windows comes from a vendor who only cares about making a few extra cents per unit.

        Notice I didn't ne

  • Legality (Score:5, Interesting)

    by BitZtream ( 692029 ) on Sunday February 22, 2015 @05:51PM (#49107717)

    I'm fairly certain just installing this software is illegal.

    Its not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

    It violates the same laws that were used to put Kevin Mitnick in jail (and lets be clear, he deserved it), unauthorized access to a computer system and unauthorized access to data flowing across a network.

    Hang'em high, I say. Bring Lenovo's leaders out to the chopping block, as well as the leadership of the companies who made any other software that works like this. Its a scam from the very beginning, theres no 'well, maybe its not bad' or 'maybe it was an accident' to it. This is outright bullshit behavior by companies trying to sell a product to someone and then turn that someone into the product for someone else. The entire legal system AND THE PUBLIC need to come down on this like a ton of bricks and make it clear that its unacceptable and will not be tolerated. And by not tolerated I mean 'you will be jailed, not fined'.

    • by Dunbal ( 464142 ) *
      The law does not and should not shield you from breaking the law.
    • Hang'em high, I say. Bring Lenovo's leaders out to the chopping block, as well as the leadership of the companies who made any other software that works like this

      Yeah! And while we're at it, I'd like a pony. A white one.

      • by jd2112 ( 1535857 ) on Sunday February 22, 2015 @07:52PM (#49108153)
        Careful. That pony could be a Trojan Horse. Albeit a small one.
      • Not just any boring vanilla pony - we want a unicorn pony and rainbows and the whole bit!

        Lenovo probably will fire somebody, for embarrassing them, but it won't change the number of vendors of crapware out there. Lenovo's certainly not going to take the kind of financial hit that Gemalto did when the public found that the GCHQ had pwned all the SIM cards they sold. Maybe one or two adware companies will lose a non-trivial percentage, but there's a market for sleazy advertising and there's a market for

        • by mlts ( 1038732 )

          In my experience, the average person buying a system with crapware on this doesn't care about it, provided it doesn't slow their machine down. It is just like the people who spill their lives onto social networks. They don't care who reads it, so likely wouldn't care to be tracked by "marketing browser experience enhancement" software.

          The real takeaway from this is for people to pack their own parachute -- image off the drive's original software (just in case), wipe the drive [1], then install the OS from

    • by gnasher719 ( 869701 ) on Sunday February 22, 2015 @08:33PM (#49108327)

      Its not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

      Says who?

      What is confusing you is that the sale isn't completed until you accept the EULA. It may be true that you can't read the EULA when you hand over the money, but in that case you can take the computer or software home, read the EULA, decide that you don't want to accept it, take the computer back to the store and get your money back.

      That said, a computer which allows a third party to read for example a credit card number that I enter into my browser, is not "fit for purpose", and on these grounds you should be able to return it to the seller and get your money back if you live in the EU or some other places.

    • Its not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

      Do you have a citation for that. I'm pretty sure the courts have ruled nothing of the sort. Now I've heard the ruling that someone can't refuse a refund in full for a product where the EULA could not be ready before the purchase, but I have never heard of a EULA being invalidated unless there was no way to signify acceptance. What I mean by that is "By turning this product on you agree to our EULA" is invalid, but turning the product on, being presented with the EULA and then being given the option to accep

    • Hang'em high, I say.

      Sorry, they are too big to fail.

  • by Anonymous Coward

    Which is why you should always build your own system.

    Woz was right.

    • This is a software issue, not a hardware issue. Unless you propose to personally code the entire operating system and every application program, that is not practical.

      That said, replacing the preinstalled OS with a free one is my first step when buying a new computer. Most recently I managed to buy a PC without an OS at all, but that's rare,

  • by mysidia ( 191772 ) on Sunday February 22, 2015 @06:21PM (#49107819)

    The browsers/OSes should harden by eliminating the ability for 3rd party software to automatically install a certificate or CA as trusted into the system database. They should also remove any functionality that allows a 'globally' wildcarded certifacte to be deployed to the browser

    Basically, when the computer's hostname is assigned, or during user profile creation, the trusted certificate store should be reinitialized with only stock certificates approved by the OS maker or browser vendor.

    A machine-specific keypair should be generated and used to stamp all the certificates with a local trust signature.

    Any access to the machine keypair / stamp should be available only through an interactive approval process.

    Sysprep'ing an image or changing the product key should invalidate the local trust mark and require manual re-approval of all certs not in the browser vendor's official trust list.

    • by BitZtream ( 692029 ) on Sunday February 22, 2015 @06:36PM (#49107893)

      And if your machine can automatically do all those things ... so can third party software because in order for you to do everything you want to do, there has to be a pragmatic way to do so, and if the OS can do it, so can any other software that has admin rights.

      Either way, you don't want to put that sort of power into the vendors hands, since it means they effectively have created the Apple App store, and if thats what you really want, just buy a Mac and stop using Windows (your first mistake).

      The only way to prevent this sort of thing is by not installing software that does it.

      But lets ignore all the problems with what you're suggesting and assume it works ... Lenovo would have just approved the certs before they shipped the machine. Or the machine would prompt the user, who would blindly do so on boot, just like all the other things users blindly do.

      If you want to prevent this from happening, put the people who do this AND the people who make the decisions to do this, IN JAIL.

      Both the developers who write the code to do it and the management who tells them to do so. Assign some personal responsibility for this shit and watch how it suddenly changes. The problem in America is that anyone in a company can basically do whatever they want and hide behind 'the company' who then gets some minor fine (Relatively) and the guy who did it doesn't care one bit.

      • by mysidia ( 191772 )

        and if the OS can do it, so can any other software that has admin rights.

        What would cause you to think that?

        Administrator is a user privilege level inside the operating system. Nothing says that an admin level user can necessarily do everything. You can even make an operating system that has no such thing as admin rights, if you want.

        You can certainly lockdown certain capabilities so they are available to the OS but not to 3rd party software.

        One thing they could require you to do would be to visit a

    • by Shados ( 741919 )

      Woo, and now a company can't have its own internal CA deployed automatically. And how would software with their own certificate store (ie: Firefox doesn't use the system store) be able to harden itself so much? Its just a piece of software like any other.

      And its probably not a "globally wildcarded certificate" that's deployed to the browser, its just a CA. And if a CA is trusted, it can sign arbitrary certificates. You want to be able to do this automatically at least in corporate environment, and manually

      • by mysidia ( 191772 )

        You want to be able to do this automatically at least in corporate environment, and manually for development tools.

        We buy certs for corporate resources. It's not necessary to have an internal CA, and from a security standpoint it's probably not very safe, since the CA is more likely to be compromised than a public CA which has more carefully implemented and audited controls.

        Woo, and now a company can't have its own internal CA deployed automatically.

        Why not? Just make it so that upon joining to a

        • by swb ( 14022 )

          We buy certs for corporate resources.

          Purchased certs are too expensive to buy for every possible thing you might want to encrypt without a certificate error. There's all manner of internally facing services that don't need public certificate verification and a perfectly useful method of distributing trust for those certificates.

          I would grant you, though, that there should be some kind of security setting that makes adding a root CA much more difficult for non-domain members. But don't make it impossible,

    • by nyet ( 19118 )

      That is a feature, not a bug. The whole point to Windows GP is to allow your boss to push bogus root CAs into your work machines' store (without you knowing it, let alone preventing it) so the corp proxy can MITM sniff all of your https traffic at will. Remove that ability, and expect your local PHB to whine incessantly.

      Never mind that the idiots running the IT dept have no clue how bad it is to deploy a CA that can automatically sign forged certs arbitrarily. And most employees are clueless enough to never

      • UGH. Dont use your work computer for personal stuff. TLS/SSL is a sham to you because you have the unreasonable expectation that the machine is yours to do with as you please.. Here's a clue, its not. Dont do YOUR computing on someone else's computer...
      • by mysidia ( 191772 )

        Unrestricted MS group policy push means all of TLS/SSL is a complete sham.

        Correct me if I am wrong.... but group policy is downloaded over CIFS via SYSVOL, and there is no encryption or digital signing of the file being downloaded, so a MITM could insert an altered group policy of the attacker's choice, including bogus certificates to be installed... of the attacker's choice.

  • Microsoft's fault (Score:4, Insightful)

    by countach ( 534280 ) on Sunday February 22, 2015 @07:58PM (#49108173)

    Microsoft needs to grow a pair and lay down the law to any company that wants to be an OEM for their products. Apple wouldn't let the carriers pull this stunt on their phones.

    • by Shados ( 741919 )

      Because somehow Apple doesn't get hit with anti-trust suits over it because anyone with the power to hit them is using an iphone and wouldn't want their convenience to take a hit.

      The rest of the world however, has to at least give the law some lip service.

      • Such is the price MS pays for being a convicted abusive monopolist... Apple doesnt get hit because they dont have an actual monopoly on anything so they cant abuse it.
    • by nyet ( 19118 )

      Allowing unrestricted remote access to your machine's trusted root CA list via GP is a feature of windows.

      Why would they remove it? It is for the "enterprise".

    • Microsoft needs to grow a pair and lay down the law to any company that wants to be an OEM for their products. Apple wouldn't let the carriers pull this stunt on their phones.

      I think Apple prohibiting carriers from doing this sort of stuff is more about keeping competitors under their thumb, not about protecting users. They're not above pulling this crap themselves at their users' expense. They surreptitiously slurped up users' location and wifi SSID data [wired.com] to build their own wifi map (the following year,

  • of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider.

    Why aren't they all categorized as malicious trojans by all major antivirus providers?

  • [bypasses] secure sockets layer protections by modifying the network stack of computers that run its underlying code. Specifically, Komodia installs a self-signed root CA certificate

    Picking a nit:

    1. Installing a new CA certificate does not modify the network stack. Adding and removing CA certificates is an ordinary operation.

    2. All root certificates are self-signed. If your certificate is signed by something else, it's not a root certificate.

  • Couldn't browsers detect and warn you if you're using a self-signed root CA certificate?
  • So many damn funny/insightful posts in this thread, and my points expired at midnight....

No spitting on the Bus! Thank you, The Mgt.

Working...