Category Archives: Windows

Superfish (and chips) or Super Phish?


Image credit: seekeraftertruth[.]com

UPDATE: The private key and associated password that enable third-party (i.e. attacker) MITM attacks have been successfully extracted. This means that an attacker on the same network as a compromised machine will be able to intercept any supposedly SSL-encrypted traffic.

UPDATE 2: Trend Micro detects the associated files as ADW_LOADSHOP and ADW_SUPERFISH. Compromised machines where a detection is made will still need to manually remove the Superfish certificate as detailed at the end of this post.

UPDATE 3: Lenovo have now posted their own advisory on the “Superfish vulnerability” containing details of which models are affected and removal instructions for both the application and the associated certificate.

UPDATE 4: Lenovo have made support tools available to remove both the Superfish application and the certificate.


When the bad-guys get into the production line it’s really bad news, and rightly so. We’ve already seen stories about the e-cig charger that ships with malware preinstalled, the digital photo frame and many others. But what about when the manufacturers themselves start acting like bad-guys, whether out of malice or ignorance?

User reports are now emerging online that PC manufacturer Lenovo is shipping certain versions of its consumer laptops with the ironically named software “Superfish Visual Discovery” preinstalled at the factory, and that this software has capabilities far beyond the simple “adware” that you may have (unfortunately) come to expect from some manufacturers out there.

This spyware (we’ll discuss my use of that term in a second) has been shipping with Lenovo laptops for some time. In fact, back in January a Social Media Program Manager at Lenovo confirmed that Lenovo was putting a “temporary” hold on shipping it, due to “some issues”. Of course, that doesn’t stop units already in the distribution chain from shipping pre-compromised.

What does Superfish do that is SO worrying?

Among its bag of usual adware-type tricks, Superfish also installs its own self-signed Root Certificate Authority. In layman’s terms this means that Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security, and usually only the other party in the conversation, your bank, Facebook, your email account or an online store for example, is able to decrypt this privileged content.

By generating certificates signed by this root, Superfish is able to perform a Man-in-the-Middle attack, masquerading as any of these secure destinations and intercepting otherwise privileged communications. All this without ringing a single visual (or other) alarm bell on your PC or in your browser, because it is acting as a “trusted” root certificate authority. Worse still, the certificate they install uses SHA-1 (deprecated since 2011) and 1024-bit RSA keys (outdated since 2013), and it uses the same Root CA private key on *every* Lenovo laptop, opening up the possibility of attacks against the certificate itself and of widespread criminal abuse.

Images are already cropping up on Twitter showing the potential implications of this functionality.

Worse still, it seems that a simple removal of Superfish does not remove the associated root certificate, leaving the computer open to further compromise such as eavesdropping or phishing through misuse or misappropriation of the certificate’s private key.

Affected users will need to first manually remove the Superfish application and subsequently revoke and remove the Superfish root certificate. Here is a list of root certificates that are necessary for Windows and a link to certificate removal instructions.
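As an added illustration of the audit and clean-up described above (this is not code from the post, from Lenovo or from Trend Micro), the PowerShell below walks the Windows root stores and flags any trusted root that shows the properties attributed to the Superfish certificate: a subject naming Superfish, a SHA-1 signature, or an RSA key shorter than 2048 bits. The function name, the parameter defaults and the “Superfish” subject keyword are assumptions for the example; removal is limited to entries whose subject matches that keyword.

```powershell
# Added example: audit the Windows root stores for a Superfish-style root.
# Not the post's own code. Requires Windows PowerShell 5.x or PowerShell 7 on
# Windows (.NET 4.6+ for the GetRSAPublicKey extension method).
function Find-SuspectRootCert {
    param(
        # Browsers that use the Windows store (IE, Chrome) consult both of these.
        [string[]] $Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        # Subject keyword to look for; "Superfish" is the name the post gives.
        [string]   $SubjectKeyword = 'Superfish'
    )
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $reasons = @()
            if ($cert.Subject -match $SubjectKeyword) {
                $reasons += "subject matches '$SubjectKeyword'"
            }
            # SignatureAlgorithm is an Oid; friendly names look like "sha1RSA" / "sha256RSA".
            # Many legitimate older roots are themselves SHA-1 signed (trust in a root comes
            # from store membership, not its own signature), so treat this as informational.
            if ($cert.SignatureAlgorithm.FriendlyName -match '^sha1') {
                $reasons += 'signed with SHA-1 (informational for a root)'
            }
            # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) roots, which are skipped.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa -and $rsa.KeySize -lt 2048) {
                $reasons += "RSA key only $($rsa.KeySize) bits"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report first; review the output before acting on it.
$suspects = Find-SuspectRootCert
$suspects | Format-Table -AutoSize

# Removal (an elevated prompt is needed for the LocalMachine store). Only entries
# naming Superfish are removed; other SHA-1 / short-key hits are left for review.
foreach ($s in ($suspects | Where-Object { $_.Subject -match 'Superfish' })) {
    Remove-Item -Path "$($s.Store)\$($s.Thumbprint)" -Verbose
}
```

Removing the certificate does not uninstall the Superfish application itself; do that first, as the post says, or it may reinstall the root.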

Longer term, I believe manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option, i.e. with no operating system pre-installed. Not only would this reduce cost to the user, it would also increase freedom of choice of operating system and hand full control back to the owner of the device.

How do I keep the Spooks out of my inbox?

image courtesy of khrawlings under creative commons

Note: The answer to this question is FREE and it’s at the end of this post.

Digitally signing an email is a way of assuring the recipient that the content, while not encrypted, has not been modified in transit; it is effectively a personal cryptographic certification of the content and attributes of the mail. If the “From:” address is re-written, for example when a signed mail is sent to a distribution list and then forwarded on to each of the members of the list with a new “From:” address (usually the address of the list), then the contents will have been modified and the signature will no longer match. The same is true of any content within the mail: if it is intercepted and modified in transit, then the end user should receive a warning that the signature no longer matches.

In a post-PRISM world though, more people are beginning to pay attention to how they can secure their email communication completely from prying eyes. Simply signing will not achieve this, as mails that are not encrypted, merely “certified”, are still sent in the clear. Full-blown mail encryption is the answer, as Edward Snowden asserted in his recent Q&A: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on”.

Triskaidekaphobia? Predictions for 2013

Happy New Year? It’s that time of year again; snow thick on the ground, mistletoe in my back pocket, mulled wine to warm your hands and of course security predictions for 2013.

Trend Micro today released Security Threats to Business, the Digital Lifestyle, and the Cloud, our security predictions for 2013 and beyond. At first glance, the headline prediction may sound surprising; the volume of malicious and high-risk Android apps will hit 1 million in 2013. However, when you consider that our prediction for total Android malware by the end of 2012 has been constantly revised up throughout the year and now stands at over a quarter of a million, maybe it no longer sounds so fanciful.