You Had One Job, Lenovo

Locutus

And it didn’t involve sneaking malicious adware onto your customers’ computers.

When Lenovo preinstalled Superfish adware on its laptops, it betrayed its customers and sold out their security. It did it for no good reason, and it may not even have known what it was doing. I’m not sure which is scarier. The various news reports of this catastrophe don’t quite convey the sheer horror and disbelief with which any technically minded person is now reacting to Lenovo’s screw-up. Security researcher Marc Rogers wrote that it’s “quite possibly the single worst thing I have seen a manufacturer do to its customer base. … I cannot overstate how evil this is.” He’s right. The Lenovo Superfish security hole is really, really bad.

To recap: Since at least September, Lenovo has been shipping OEM Windows laptops preloaded with Superfish “adware,” which would rudely inject its own shopping results into your browser when you searched on Google, Amazon, and other websites. This sort of behavior is associated more with spyware than with factory-shipped operating-system installs, and by itself would be a new low for Lenovo. But Superfish is more than just pesky. It’s the most virulent, evil adware you could find.

By installing a single self-signed root certificate (trust me: That’s really bad) across all of Lenovo’s affected machines, Superfish intentionally pokes a gigantic hole into your browser security and allows anyone on your Wi-Fi network to hijack your browser silently and collect your bank credentials, passwords, and anything else you might conceivably type there. As Errata Security’s Robert Graham put it, “I can intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot.” If you have a Lenovo laptop that has Superfish on it (try Filippo Valsorda’s Superfish test to see), I would advise nothing short of wiping the entire machine and installing vanilla Windows—not Lenovo’s Windows. Then change all of your passwords.


Lenovo Superfish scandal: Why it’s one of the worst consumer computing screw-ups ever.

Locutus

From Lance in the comments.


This isn't just a reply to Occam, but to everyone comparing this incident to so-called company violations of consumer privacy.
You have no idea how bad this could be.

First, a basic understanding of how HTTPS works is necessary. Go here.

So in that link, under the "SSL in Action" part, what has been compromised on these machines is step 3.3 and on.

Step 3.3 compromise: the private key part of the root CA certificate on your computer is known.


A scenario off the top of my head:

I can set up a web page called 'rbc.com.en.sk.ca' or something, make it look like rbc.com and then email spam a bunch of rbc customers to go there. I would create my own SSL certificate (easy) and sign it with the compromised root CA certificate.
I would then use the compromised root certificate on your computer so that your computer thinks it's using a secure and trusted website. Done right, I could get your card and password for your actual rbc account. Guess what happens then?

This isn't just about Lenovo adding crap to their OEM installs. You're right, they all do that to a degree; what this is about is that the install completely opens your machine to HTTPS spoofing and you don't even know about it.

Now, that's bad. It gets worse. What makes it worse is what Superfish does.

Via: US-CERT:
This software intercepts users' web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user's browser by the application - a classic man-in-the-middle attack.
The program is a proxy for all web traffic on the machine. Worse, uninstalling the program doesn't 'fix' the problem, you also have to remove the Root CA key from your machine and this isn't something that 'joe user' can do. (Although I'm sure patches to IE, Firefox, Opera and Chrome will be out soon to remove the trust of that Root CA.)

Okay. Think that's bad? It is. Now, take it a step further. Like the article states, I'm sitting in a web-cafe with Wi-Fi. I've cracked the WEP/WPA Wi-Fi keys (simple) and am just watching packets. I notice Joe is visiting RBC and he's got a Lenovo laptop. I start capturing his packets. Now, on my hard drive I can later decrypt all of that supposedly secure traffic using the compromised root key.
I now have complete access to Joe's RBC account. And don't even mention how many machines your traffic goes through on the internet to begin with. Sitting at home going to RBC probably passes through at _least_ ten machines. That's potentially ten strangers who have access to the packets.

This Is Awkward - Small Dead Animals
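The comment above boils the problem down to one condition: a root CA that your machine trusts whose private key is also present on the machine. As an added example (not code from the thread, from Lenovo or from Superfish), the following PowerShell script checks a Windows laptop for exactly that condition; the name list and the two store paths it looks in are assumptions you can change.

```powershell
# Added example: report any root CA in the Windows trust stores whose subject or
# issuer matches a suspect name (assumed default: "Superfish"), and flag whether
# the machine ALSO holds that root's private key. A trusted root installed
# together with its private key lets anyone who has that key sign certificates
# that browsers using the Windows store will accept as genuine.
param(
    [string[]]$SuspectNames = @('Superfish'),   # assumption: names worth flagging
    [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
)

$findings = foreach ($store in $Stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        foreach ($name in $SuspectNames) {
            if ($cert.Subject -like "*$name*" -or $cert.Issuer -like "*$name*") {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                    # A trust-store root should never carry its own private key.
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No root certificates matching the suspect names were found.'
} else {
    $findings | Format-Table -AutoSize
    foreach ($f in ($findings | Where-Object HasPrivateKey)) {
        Write-Warning ("Root CA '{0}' is trusted by this machine AND its private key " +
                       "is present here: certificates it signs will be accepted " +
                       "by any browser that uses the Windows certificate store.") -f $f.Subject
    }
}
```

Firefox keeps its own certificate store, so this check covers only browsers that rely on the Windows store; a clean result here does not rule out a copy of the same root in Firefox's store.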

MHz

While looking at a dead mouse, the elephant is sneaking past.
Watching Everyone: NSA Hides Snooper Spyware on Gov't Hard Drives Worldwide / Sputnik International
MOSCOW (Sputnik) — Spying software has been hidden on computer hard drives in countries all over the world, targeting governments and financial institutions, among other victims, says new research by Kaspersky Lab, a Moscow-based antivirus and internet security software company. Kaspersky calls hackers behind the espionage program the 'Equation Group', and in the security firm's estimation, the group's malware has infected computers in more than 30 countries, including Afghanistan, China, Iran, Pakistan, Syria, and Russia.
While Kaspersky Lab has not linked the Equation Group to any organization in particular, Reuters reported on Monday that the US National Security Agency (NSA) was responsible for the spyware. Kaspersky noted only that the spying campaign was strongly linked to Stuxnet, an NSA cyberweapon once used to carry out cyberattacks on Iran's nuclear program. A former NSA operative told Reuters that concealing spyware on computer hard drives made by firms such as Digital Corp, IBM, Micron, Samsung, Seagate, Toshiba, and Western Digital had become a "prized technique" of the NSA, with another ex-intelligence employee saying that the security agency valued these programs very highly.
The victims of the spying software consist of the PCs of over 500 organizations worldwide, including government and military institutions, telecommunications firms, companies in the energy sector, nuclear researchers, financial institutions, media, and cryptography companies, as well as Islamic activists, Kaspersky Lab said. Along with Iran, Russian government and military institutions and energy companies are believed to have been among the most active targets of the malware. The Kaspersky report, released Monday, revealed that some of these spyware programs trace back nearly fifteen years, lodged in the firmware of computers, enabling it to infect machines repeatedly. The US National Security Agency has been under intense scrutiny at home and abroad since 2013, when NSA whistleblower Edward Snowden confirmed massive global surveillance programs conducted without a warrant and the agency's habit of sifting through databases in search of information on private US and foreign citizens, as well as that of leaders of allied countries.

The last time they got accused of something it happened to tie into the time Intel opened its processor plant in Israel. Good thing they would never think of planting any back-doors.