[David Strom's Web Informant] February 19, 2015: If you own a Lenovo PC, read this asap

David Strom david at strom.com
Thu Feb 19 10:53:26 EST 2015


Web Informant, February 19, 2015: If you own a Lenovo PC, read this asap!

Lenovo has been shipping its PCs with built-in malware that is a new level
of insidious and nasty. Before I explain what it does, if you have a
Lenovo machine, or know someone who does, go now to this site and see what
it says <https://filippo.io/Badfish/>.

What is going on? It turns out that Lenovo, either by design or by sheer
stupidity, has preinstalled a piece of adware from a company called
Superfish, which adds its own root certificate to the list of certificate
authorities the PC trusts. Now, if you aren't a computer expert, this is
probably meaningless to you. So let me break it down. With this Superfish
certificate in place, every site that you go to in your browser using the HTTPS
protocol is subject to being exploited by some bad guys. Chances are, it
may not happen to you.

Back in those innocent days of the early Web, we used to say add the S for
security when you were browsing. This forces an encrypted connection
between you and the website that you are visiting, so your traffic over the
Internet can't be captured and exploited.

But having a bad certificate turns this completely around: with it, whoever
holds the matching private key can decrypt this traffic; indeed, they can
manipulate the web browsing session in such a way that you might not even
realize that you are going to ThievesRUs.com instead of your trusted
BankofWhatever.com. While no one has yet reported that this has happened,
it is only a matter of time. There is a great article explaining this
exploit on ArsTechnica here:
<http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/>

Certificates are the basic underpinnings of secure infrastructure; they are
used in numerous other situations where you want to make sure that someone
is who they say they are. By trusting a bad certificate, such as the one from
Superfish, you throw all that infrastructure into disarray.

To get an idea of how many certs you use in your daily life, open up your
browser's preferences page and click on over to the Certs section; there
you will see dozens if not hundreds of suppliers. Do you really trust all of
them? You probably never heard of most of them. On my list, there are certs
from the governments of Japan and China, among hundreds of others. You
really have no way of knowing which of these are fishy, or even superfishy.
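The two points above, that a single rogue root like Superfish's undermines every HTTPS session and that a typical trust store already holds far more anchors than anyone has vetted, can be checked from a script. The following is an added example, not part of the newsletter or any Lenovo or Superfish tooling: it loads the operating system's trust store through Python's ssl module (on Windows that is the system ROOT and CA stores), counts the anchors, and flags any whose subject or issuer name contains a pattern you did not expect to trust. The pattern list and the sample store entries are constructed for illustration; only the name "Superfish" comes from the text.

```python
import ssl
from typing import Dict, Iterable, List, Sequence, Tuple

# Name fragments worth flagging in a root store. "Superfish" is the vendor
# named in the newsletter; add whatever else you would not expect to see
# as a trust anchor on your own machines (assumption: a simple substring list).
SUSPECT_PATTERNS: Sequence[str] = ("superfish",)


def _name_to_dict(rdns: Iterable) -> Dict[str, str]:
    """Flatten the nested tuple form ssl uses for subject/issuer names into a dict."""
    out: Dict[str, str] = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def find_suspect_roots(ca_certs: Iterable[dict],
                       patterns: Sequence[str] = SUSPECT_PATTERNS) -> List[Tuple[Dict[str, str], str]]:
    """Return (subject, serialNumber) for every CA cert whose subject or issuer
    name contains one of the patterns (case-insensitive)."""
    hits = []
    for cert in ca_certs:
        subject = _name_to_dict(cert.get("subject", ()))
        issuer = _name_to_dict(cert.get("issuer", ()))
        haystack = " ".join(list(subject.values()) + list(issuer.values())).lower()
        if any(p.lower() in haystack for p in patterns):
            hits.append((subject, cert.get("serialNumber", "")))
    return hits


def audit_system_store(patterns: Sequence[str] = SUSPECT_PATTERNS) -> Tuple[int, list]:
    """Load the OS trust store the way a default TLS client would and audit it."""
    ctx = ssl.create_default_context()  # calls load_default_certs(): Windows stores, or the OS bundle
    cas = ctx.get_ca_certs()           # list of dicts, one per trusted CA certificate
    return len(cas), find_suspect_roots(cas, patterns)


# Constructed sample entries in the same shape ssl.SSLContext.get_ca_certs() returns.
# Neither entry is a real certificate; they exist so the audit can be exercised offline.
_EXAMPLE_ROOT_NAME = ((("countryName", "US"),),
                      (("organizationName", "Example Trust Services"),),
                      (("commonName", "Example Root CA"),))
_SUPERFISH_LIKE_NAME = ((("countryName", "US"),),
                        (("organizationName", "Superfish, Inc."),),
                        (("commonName", "Superfish, Inc."),))
SAMPLE_STORE = [
    {"subject": _EXAMPLE_ROOT_NAME, "issuer": _EXAMPLE_ROOT_NAME,
     "notAfter": "Jan  1 00:00:00 2030 GMT", "serialNumber": "01", "version": 3},
    {"subject": _SUPERFISH_LIKE_NAME, "issuer": _SUPERFISH_LIKE_NAME,
     "notAfter": "Jan  1 00:00:00 2034 GMT", "serialNumber": "02", "version": 3},
]


if __name__ == "__main__":
    total, hits = audit_system_store()
    print(f"{total} trust anchors loaded from the system store")
    for subject, serial in hits:
        print("SUSPECT ROOT:", subject.get("commonName"), "serial", serial)
    # Offline demonstration against the constructed sample store:
    for subject, serial in find_suspect_roots(SAMPLE_STORE):
        print("SAMPLE HIT:", subject.get("organizationName"), "serial", serial)
```

A hit only tells you the name matched; removing the anchor and the software that installed it is the actual fix, and on a machine where the store is managed by group policy the removal belongs there rather than in a one-off script.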

This isn't the first time that bad certs have popped up on the Intertubes.
There have been other situations where malware authors have signed their
code with legit certs, which kinda defeats the whole purpose of them. And
back in 2012, Microsoft certificates were used to sign the Flame malware
<http://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware>;
the software vendor had to issue emergency instructions on how to revoke
the certs. And in 2011, the Comodo Group had issued bogus certs so that
common destinations could have been compromised
<https://www.schneier.com/blog/archives/2011/03/comodo_group_is.html>.

It is getting harder to keep track of stuff and stay ahead of the bad guys,
even when they don't have the auspices of a major PC manufacturer behind
them.

Comments always welcome here: http://blog.strom.com/wp/?p=4733