1. Superfish replaces legitimate site certificates with its own in order to compromise the connections so it can install its adverts. This means that anyone affected by this adware cannot trust any secure connections they make.
2. Users will not be notified if the legitimate site’s certificate has been tampered with, has expired or is bogus. In fact they now have to rely on Superfish to perform that check for them. Which it does not appear to do.
3. Because Superfish uses the same certificate for every site it would be easy for another hostile actor to leverage this and further compromise the user’s connections.
4. Superfish uses a deprecated SHA1 certificate. SHA1 has been replaced by SHA-256 because attacks against SHA1 are now feasible with ordinary computing hardware. This is insult on top of injury. Not only are they compromising people's SSL connections but they are doing it in the most cavalier, insecure way possible.
5. Even worse, they use crackable 1024-bit RSA!
6. The user has to trust that this software which has compromised their secure connections is not tampering with the content, or stealing sensitive data such as usernames and passwords.
7. If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers' banking sites, personal data and private messages.
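An added audit script, not code from the thread or from Lenovo or Superfish, that checks the Windows root stores (the stores Internet Explorer and Chrome consult) for roots showing the properties listed above: a subject naming Superfish, a SHA1 signature, or an RSA key shorter than 2048 bits. The store paths and thresholds are assumptions for this example.

```powershell
# Added example: audit the Windows root certificate stores for roots with the
# weaknesses described above. Run from an elevated prompt so the machine store
# is fully visible. Store paths and the 2048-bit threshold are this example's
# assumptions, not values from the thread.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($storePath in $stores) {
    foreach ($cert in Get-ChildItem -Path $storePath) {
        $reasons = @()

        if ($cert.Subject -match 'Superfish') {
            $reasons += 'subject names Superfish'
        }
        # A SHA1 self-signature on a long-established root is harmless by itself
        # (roots are trusted by identity, not by their own signature), so treat
        # this as a review prompt, strongest when combined with the other flags.
        if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
            $reasons += "signed with $($cert.SignatureAlgorithm.FriendlyName)"
        }
        # GetRSAPublicKey returns $null for non-RSA roots (e.g. ECDSA), so guard it.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt 2048) {
            $reasons += "RSA key is only $($rsa.KeySize) bits"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $storePath
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize -Wrap
} else {
    'No Superfish, SHA1-signed, or sub-2048-bit RSA roots found in the Windows root stores.'
}
```

Recently added roots (sorted first by NotBefore) that hit more than one flag are the ones to investigate; a flagged entry can be removed with Remove-Item on its Cert: path once you have confirmed it is not a root you rely on. Firefox keeps its own certificate database, so a clean result here says nothing about Firefox.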
If Lenovo had preinstalled Linux, they could have pulled the same stunt.
And then there's the bits of hardware that are virtually impossible for you to affect: UEFI, microcode in the CPU, the entire RF subsystem in your phone...
A user can mistakenly recognize Computrace as malicious software because it uses so many tricks popular in modern malware: anti-debugging and anti-reverse engineering techniques, injection into memory of other processes, establishment of secret communications, patching system files on disk, keeping configuration files encrypted, and dropping a Windows executable right from the BIOS/firmware.
Kamluk and Sacco noted in their Black Hat talk that Computrace, though it acts like malware in a number of ways, is not detected by antivirus engines. And there are a number of good reasons for that, not the least of which is that Computrace is a well-known piece of software that is whitelisted by most antivirus companies, trusted by large numbers of hardware companies and developed by a legitimate business.
The problem with Computrace isn’t that it’s outright malicious, but rather that vulnerabilities in it can turn the useful tool into a powerful weapon for cybercriminals.
We have analyzed the Computrace BIOS agent and documented some design vulnerabilities that allow the agent's reporting address to be controlled.
As a result, the anti-theft agent allows a highly persistent and stealth form of rootkit that can re-utilize many existing features that come pre-installed in BIOS firmware and can survive operating system reinstallation and hard disk wiping or replacement.
Note that #Superfish testing websites are NOT VALID ON FIREFOX. You must test using Internet Explorer or Chrome.
It's not clear Firefox is safe: EFF notes "The fact that there are significant numbers of Firefox victims somewhat contradicts the speculation that Firefox is safe because it doesn't use the Windows root store."
Superfish tells us it stands by Lenovo’s assessment. “Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today,” a company spokeswoman said. “Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.”
Superfish was only preinstalled on Lenovo PCs, not other devices, she said. “This was a small scale test to see if consumers would like the feature.”
AT&T says it tracks "the webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter... AT&T Internet Preferences works independently of your browser's privacy settings regarding cookies, do-not-track, and private browsing. If you opt-in to AT&T Internet Preferences, AT&T will still be able to collect and use your Web browsing information independent of those settings."
Even worse than that is the fact that anyone can use that information to certify that malicious executables come from anyone they want, up to and including Lenovo or Microsoft.
A security researcher who goes by the Twitter handle @TheWack0lian said an additional piece of software known as SecureTeen also installed Komodia-enabled certificates. Over the weekend, the researcher also published findings documenting rootkit technology in Komodia code that allows it to remain hidden from key operating system functions.
According to Facebook's Richard, more than a dozen software applications other than Superfish use Komodia code. Besides Trojan.Nurjax, the programs named included:
CartCrunch Israel LTD
Say Media Group LTD
Over the Rainbow Tech
Objectify Media Inc
Catalytix Web Services
(a) Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, ...