Man-in-the-Middle Attacks on Lenovo Computers

It's not just national intelligence agencies that break your https security through man-in-the-middle attacks. Corporations do it, too. For the past few months, Lenovo PCs have shipped with an adware app called Superfish that man-in-the-middles TLS connections.

Here's how it works, and here's how to get rid of it.

And you should get rid of it, not merely because it's nasty adware. It's a security risk. Someone with the password -- here it is, cracked -- can perform a man-in-the-middle attack on your security as well.

Since the story broke, Lenovo completely misunderstood the problem, turned off the app, and is now removing it from its computers.

Superfish, as well, exhibited extreme cluelessness by claiming its software poses no security risk. That was before someone cracked its password, though.

Three Slashdot threads.

EDITED TO ADD (2/20): US CERT has issued two security advisories. And the Department of Homeland Security is urging users to remove Superfish.

EDITED TO ADD (2/23): Another good article.

EDITED TO ADD (2/24): More commentary.

EDITED TO ADD (3/12): Rumors are that any software from Barak Weichselbaum may be vulnerable. This site tests for the vulnerability. Better removal instructions.

Posted on February 20, 2015 at 3:43 PM • 71 Comments

Comments

Anura • February 20, 2015 4:01 PM

A lot of corporate organizations do this too. Where I work, every single computer has a corporate root certificate installed which allows them to perform a man in the middle against all SSL connections so they can scan the content. Now, they generate their own certificate. This is a much more stupid implementation in which everyone uses the same root certificate and the private key is accessible to anyone with access to a Lenovo, pretty much rendering signed certificates useless.

Ed Bear • February 20, 2015 4:14 PM

@anura: How do you determine if there's a corporate root certificate on your machine?

splat • February 20, 2015 4:17 PM

firefox->preferences->advanced->certificates will give you a list of installed certificates.

Anura • February 20, 2015 4:18 PM

@Ed Bear

If you are checking if your company is doing it, go to any https website and check the certificate. Any website I go to has my company name in the certificate as the issuer.

The Last Stand of Frej • February 20, 2015 5:46 PM

Isn't this breaking some law? Ones that say it's illegal to force a level of access not intended by the user or something like that? Something about circumventing security measures without the user's consent or knowledge?

Daniel • February 20, 2015 7:08 PM

I would believe this was an executive misunderstanding if the company were not a computer hardware OEM. That's like saying banks didn't understand that bad mortgages were risky.

65535 • February 20, 2015 7:34 PM

It’s back to the old problem of “forged” SSL/TLS certificates. This time it is on a massive scale by a large corporation – in obscured fashion. This problem seems to be rampant.

It’s good that somebody found out and outed this large vendor of business computers.
I wonder how many other vendors of iPhones, tablets, mini-laptops, and laptops have this same type of SSL stripping built in from the factory.

It looks like “certificate pinning” doesn’t stop these attacks – or even notice them – oddly.

It would seem like there should be some technical solution that flags SSL stripping. The hash of the certificate should give away the problem – unless there is no real hash check [The hash of a fake cert should not match the real cert].

What ever happened to the Perspectives Firefox add on? Does it really work?

[Developer’s Comments]

6, “In case of doubt install the Perspectives or Convergence add-ons to make further checks on the credibility of a certificate. The downside of these add-ons is, you reveal who you communicate with to an external service — so better only use it when necessary. In theory you could have some tech savvy friends run notaries for you, the more the better, but would you want to expose your surfing habits to them?” – addons Mozilla org

https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/

Does anybody know which certificates are necessary in the “root certificate store” and which certs can be deleted? Any short lists of such absolutely needed certificates?

David Leppik • February 20, 2015 8:53 PM

With a name like Superfish, it couldn't possibly be an attempt to harvest personal information!

No Such Agency • February 20, 2015 9:04 PM

This problem highlights why pre-installed software is a bad thing, and that you should always wipe the drive and do a clean install from clean sources yourself before using a system.

dead man's phone • February 20, 2015 9:08 PM

Okay, there's a software problem which is being resolved.

Next, let's examine the hardware/firmware of the device. Or is that not possible?

Josh Townsend • February 20, 2015 9:58 PM

The removal instructions you link to are incomplete (most of the ones out there are missing a step, including Lenovo's). These steps only have you removing it from the Local Computer certificate store. The Superfish cert also exists under the 'Current User' Trusted Root Authority store - you need to remove from there for each user account that has a profile on the machine. More here: http://vmtoday.com/2015/02/how-to-remove-superfish-adware-from-lenovo-laptops/

Buck • February 20, 2015 10:19 PM

@Mace Moneta

Ha! Though, I frankly can't imagine a better public statement from someone in his position. It genuinely sounds like they have absolutely no idea what they are talking about! Makes the theory that they were indeed finessed by Komodia or others much more plausible... Sure, still doesn't bode well for Superfish's future prospects, but I wonder if they shouldn't be a bit more worried about potential lawsuits at this point.

"There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops. The software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers. Superfish's software utilizes visual search technology to help users achieve more relevant search results based on images of products they have browsed."
"enhance the online shopping experience for Lenovo [... and other ...] customers" - pure comedy gold!

Stephen Kauffman • February 20, 2015 10:52 PM

More articles, http://www.slate.com/articles/technology/bitwise/2015/02/lenovo_superfish_scandal_why_it_s_one_of_the_worst_consumer_computing_screw.html

and

http://www.siliconbeat.com/2015/02/20/superfish-denies-blame-in-lenovo-security-mess/

"Superfish has been criticized since its inception for invading people’s computers and being little more than “crapware” that was designed to be very difficult to get rid of. [Adi] Pinhas, who founded the company in Israel in 2006, has connections to the surveillance industrial complex; Slate referred to him as a “shady surveillance veteran.” Pinhas has a background in digital video recording for the surveillance market, and told the Mercury News recently he is interested in using Superfish technology for facial recognition and installing the technology in every iPhone."

Hmm, I wonder if this Adi Pinhas and Barak Weichselbaum (founder of Komodia, another Israeli company, and once a programmer in Israel’s IDF Intelligence Corps) know each other?

Soulless hacks who do not care how their bread is buttered?

Thomas • February 21, 2015 12:31 AM

@Anura
" pretty much rendering signed certificates useless."

The whole CA infrastructure is as useless as the most useless CA in your (very long!) list of root CAs.

Sure, this cluster-fsck has added an unusually insecure CA, but to be fair it hasn't done anything to make the infrastructure any more useless than it already was.

typed on a Lenovo running Debian.

Mike the Goat (horn equipped, redux) • February 21, 2015 2:10 AM

Thomas: I absolutely agree with you there. The entire CA model needs to be discarded; it provides only the illusion of security and depends upon third parties to authenticate others for us. Unfortunately as we have seen in the past these third parties don't seem to take their jobs very seriously, as we've had root certs generated, *certs for .microsoft.com and .google.com, and hell even the disclosure of the CA's private key(s).

I think Moxie and his contemporary were on to a much better idea with convergence/perspectives, although these are obviously just extensions bolted onto a broken framework to make it slightly less broken.

I agree that the alternatives available may not be superior, for example a WoT - while effective in smallish circles - may not scale correctly; but with a little bit of thought a new solution could be implemented without too much headache.

BTW: Yes, I am rearing my head again! Not sure if I will have as much time as I used to dedicate to this blog and my site, but I will check and comment a lot more regularly.


Anura • February 21, 2015 2:29 AM

I agree the CA model is flawed, however it does protect you against most low to medium strength attackers. With this system, running a Lenovo machine with the stock software leaves you vulnerable to most anyone. It's definitely a lot better than nothing except for the false sense of security it gives most people.

As for the windows certificate store, it also injects itself into Firefox's cert store, from what I have read, which is arguably much better managed.

Alex • February 21, 2015 3:59 AM

So, the Public Key Infrastructure (PKI) model does not give us what it promised - the security.
It gives profit to CAs instead.

Clive Robinson • February 21, 2015 5:47 AM

@ Mike the Goat (horn equipped, redux),

Nice to see you are still around.

I trust you are settling into your new "manger" comfortably and now have a good supply source of "premium enrichment" to keep you in the style you wish to become accustomed to.

Hopefully you will be able to get a little time to pop up now and again to say a little more than you are still with us.

65535 • February 21, 2015 9:25 AM

“…the CA model is flawed, however it does protect you against most low to medium strength attackers.”- Anura

The current system of legitimate “CAs” has holes so large you could drive an 80 thousand pound big rig truck through them!

Our grossly expensive USA spy agency should have been able to stop the recent Boston bombings - let alone the huge amount of credit card skimming.

But no – it continues. Our spy agencies are only interested in their ever increasing budget.

Either-or, the NSA is actively involved in the huge bank swindles or just a “bystander” watching the crimes go down – any way you look at it, there is no reason to spend a $1.05 per year on them, or to get stripped of our data and our cash. The damage is done.

It is time for a significant budget cut in those agencies [say 40%] this year.

The money could be put to better uses. No amount of PR or K street posts on various forums will help at this point in time. That to you people at Fort Meade.

Notsurprised • February 21, 2015 1:26 PM

So now there are two reasons to not buy Chinese equipment: security threats by intent. Security threats by incompetence.

CanadianFish • February 21, 2015 2:23 PM

@Notsurprised

Maybe Lenovo are the clowns... but aren't they like the biggest PC vendor in the world?
Last year there was some controversy up here in the North when Lenovo offered Laptops at extreme Clearance sale prices, then refused to honor the orders after multi-thousands had their Credit cards charged and much time had elapsed.

At the time I suspected they were gathering data on savvy computer users and making network graphs and such, but who really knows. I do know that not all customers had their orders cancelled though....wink wink.

How large are superfish and komodia in comparison? Komodia is probably one spook in a virtual office, yet the biggest computer vendor in the world can't do the due diligence necessary? Really? They don't even try for plausible deniability anymore...we NEED new laws.

65535 • February 21, 2015 6:31 PM

I see the Department of Homeland Security [partnered with the NSA] and its US-Cert, UNITED STATES COMPUTER EMERGENCY READINESS TEAM actually riding on the coat-tails of other researchers. They were one of the last to publish information on SuperFish SSL stripping software. I doubt they did any real research themselves.

Take this line:

“Systems Affected”

“Lenovo consumer PCs that have Superfish VisualDiscovery installed and potentially others.”

https://www.us-cert.gov/ncas/alerts/TA15-051A

“…and others” is not very helpful – exactly what others?

Their Alert (TA15-051A) was initially published on February 20, 2015; the page was last updated Saturday, February 21, 2015 2:49:54 PM

The ‘US-Cert Emergency Response team’ are late compared to open source information.

Bruce S. points to the Arstechnica article dated Feb 19, 2015 4:36 pm UTC; The Verge February 19, 2015 03:20 pm, Slashdot Thursday February 19, 2015 @08:47AM and so on. The US government’s “Emergency Response” team certainly did not break the news and was late to the game – this is what $1.05 Trillion per year buys us.

I can only guess what US-Cert will report of a cyber attack which melts-down a nuclear reactor.

“Systems Affected”

“Smoking Rubble of Crystal River Nuclear Power Plant and potentially others."

“Citizens Affected”

“A number of people in Florida and potentially others.”

@ Stephen Kauffman

Let me guess, the NSA and other “Agencies” of the USA intelligence community have been buying Barak Weichselbaum’s [Komodia’s] products only to discover that said “Agencies” were actually being spied upon by the IDF.

Chris Abbott • February 21, 2015 8:55 PM

@daresa

I've been using Ubuntu (I like Xubuntu) for years and now I feel stupid. I used the fix but then figured, oh it's just with Unity, doesn't affect me. But then after running

sudo apt-get remove unity-lens-shopping

I get:

"Note, selecting 'unity-scope-home' instead of 'unity-lens-shopping'"

So it's in all versions! Sad to realize Canonical is another corporate piece of shit.

@Everyone:

I would never buy a Lenovo for various other reasons, but this Superfish thing is just stupid, completely stupid. I think this is more than an amateurish mistake. PLA 61398 anyone? Oh and, anyone remember this story?

http://www.darkreading.com/risk-management/intelligence-agencies-banned-lenovo-pcs-after-chinese-acquisition/d/d-id/1110950?

And this:

http://www.bloomberg.com/news/articles/2014-04-04/lenovo-ibm-deal-probed-by-u-s-over-servers-at-pentagon

65535 • February 21, 2015 10:38 PM

@ Chris Abbott

After reading both links you provided I started to wonder where these IBM/Lenovo machines from 2006 [and forward] were manufactured. I went into the “donated computer” room, where clients dump computers too virus-infested and unworthy of fixing at our hourly rate, to find one.

I could find two IBM branded boxes but they were from late 2005 [the usual IBM crap, 1 hdd, 1 dvd, 3.4 GHz P4, DDR slots with a Gig of RAM and a dusty sticker on the bottom that indicated the box was made in Mexico]. It did have a valid XP Pro sticker on the side.

Note: I could not find a working IBM/Lenovo box from 2006 to present – but I didn’t try hard.

I hooked one up with a mouse, keyboard and screen. Sure enough the boot screen was Lenovo. I ran msconfig to see the whole system's properties and that indicated an IBM board and BIOS – the firmware updates were from Lenovo.

Someone yanked the cat5 cable from the onboard NIC so I went to IBM to download the driver [in case it was corrupted] via an old NIC in the parts pile [to get a good connection to the net]. And, IBM’s site switched me to Lenovo. I found the board chipset drivers and newer NIC drivers and downloaded them – they were Lenovo.

I found that a new driver for the onboard NIC was not necessary – nor the chipset drivers. I then checked for Superfish using https://filippo.io/Badfish/ The box was clean. Downloaded the web version of Kaspersky AV – no virus found.

Then I realized that if this client brought in the IBM/Lenovo box one of the guys or myself reformatted it. So, it wasn’t representative – but I did find a program called Lenovo tool box in the program menu.

I am not sure if the box is simply too old to have that superfish style of SSL stripper on it. Nor am I convinced that some Lenovo bios up-date will not install a back door. It’s interesting that the box was manufactured in Mexico – yet had a Lenovo bios and boot screen.

I would guess that a majority of the chip set was made in China [could be ROC or Taiwan or the PRC, mainland China – the latter is communist].


65535 • February 22, 2015 6:38 AM

@ Stephen Kauffman

Good link.

Barak Weichselbaum has a reputation rating of 106 on Stackoverflow. He has +55 on his “Is it possible to intercept dns queries using LSP/SPI” [Layered Service Provider, Winsock 2 Service Provider Interface]. He is no script kiddie. He appears to know his stuff.

“We have developed a LSP that can "intercept" DNS queries. The only way to do it is by hooking into all of the DNS functions, keep in mind there are a few challenges you need to solve:
"1.You need to use a good hooking library that will support both 32bit and 64bit code.
"2.The library license must be right for your application, there are some free libraries, but can be used freely only with free projects.
"3. When you hook the functions, you need to make sure not to modify certain values that are not IP based and defer the query to the real function.
“Intercepting UDP will not work since the queries are going out from MS DNS client, so unless you write a low level driver like: TDI, NDIS or WFP you must hook the functions (or write a NSP). NSLookup works for you because it creates the DNS queries itself." -stackoverflow

"Barak thank you for your fast response. When you say "hook" do you mean dll injection or LSP? My LSP supports both x86 and x64. No problem with that. – blac..." -stackoverflow

"When I say hook, I meant something like Microsoft detour library, just keep in mind you can't use it commercialy unless you purchase a 10k$ license... In Komodia we wrote our own library so we can resell without any license limitations. – Barak Weichselbaum" -stackoverflow

"Barak, how much do i need to pay to use your own library..." -stackoverflow

https://stackoverflow.com/questions/8319304/is-it-possible-to-intercept-dns-queries-using-lsp-spi/8319398#8319398

LSP/SPI description

"A Layered Service Provider (LSP) is a feature of the Microsoft Windows Winsock 2 Service Provider Interface (SPI). A Layered Service Provider is a DLL that uses Winsock APIs to insert itself into the TCP/IP stack. Once in the stack, a Layered Service Provider can intercept and modify inbound and outbound Internet traffic...” –malware wiki

http://malware.wikia.com/wiki/Layered_Service_Provider

daresa • February 22, 2015 7:22 AM

@Chris Abbott
"I've been using Ubuntu (I like Xubuntu) for years and now I feel stupid."

Fortunately, there still are plenty of good, clean, user-friendly Linux distros that are just an iso-installation away: Gentoo, openSuse, Arch Linux... to name a few. No need to put up with spyware.

James • February 22, 2015 4:10 PM

What a farce! My Lenovo laptop booted its very first time via an Ubuntu installation memory stick. I did reinstall Windoze into a virtual machine later (what the heck, I paid for it), but I downloaded a 'clean' copy from MS for that ...

Dirk Praet • February 22, 2015 5:40 PM

I do hope this affair serves as a serious warning not only to Lenovo but to other manufacturers as well that they will be called out by the infosec community when they fail to exercise due diligence in their supply chain. As to Komodia, I wish them some serious class-action suits and a painful bankruptcy. Their site is still off-line.

@ 65535

"The ‘US-Cert Emergency Response team’ are late compared to open source information."

Yes, indeed. So was Symantec. On the upside, M/S had a Defender update ready in about 24 hours.

@ Mike the Goat (horn equipped, redux)

"BTW: Yes, I am rearing my head again! Not sure if I will have as much time as I used to dedicate to this blog and my site, but I will check and comment a lot more regularly."

Good to see you're back, mate!

Incredulous • February 22, 2015 7:12 PM

I recently noticed that after an update to the free Avast antivirus on my secondary windows machine...

(I would never use Windows for anything I wanted to really keep confidential anyhow)

...that Avast was generating and substituting its own self signed certs for https scanning. Frankly I don't remember whether https scanning is a default or whether I turned it on without realizing how it would be implemented.

It was easy enough to turn off. But it is also becoming clear that it might not be that easy to find all the avast certs to remove, or whether Avast will just reinstall them. I basically have decided to trust Avast at least at the windows level of confidentiality (I think it can be trusted at least as much as Microsoft can), and Mozilla has already installed certs from every Tomas, Djik and Ali CA around the world, so I guess the most important thing to remember is that the machine will leak like a sieve with or without the Avast cert. Though I did turn the https scanning off.

I had EFF HTTPS Everywhere installed, but the Observatory was not enabled. It's on now. I wonder if it will catch sneaky subs like this. I'd think it should.

When it comes to security, supposed security companies are like the shoeless cobbler's children: They often don't buy themselves what they appear to be selling.

Thoth • February 22, 2015 9:32 PM

A broken PKI will not protect against a medium strength and above attacker and will be somewhat easy for low strength attackers to misuse if they know how to.

What is the take away lesson from this episode besides pointing fingers at that Lenovo software or some corporate root cert backdoored SSL/TLS communication ?

1.) Always be wary of the machine and its state.
2.) Do not blindly trust the lock icon. Inspect the certificate.
3.) If you are using a corporate machine, do not directly use the internals but boot using a temporary and forgetful Live CD/DVD/Image like TAILS or simply use your own device.
4.) Never ever trust any corporate network as the corporate network is as problematic as the public network.

Adam • February 23, 2015 7:15 AM

What annoys me about buying a new PC is that virtually every major manufacturer packs it full of crapware and adware even before it leaves the factory. What a great way to instill trust guys.

It seems the more "cheap and cheerful" a PC is, the more junk gets added to it. Shopping toolbars and such like. Lenovo just took it that extra sleazy step. I guess Superfish were offering the biggest kickback and Lenovo promised to pocket the cash and look the other way. Hilariously they attempted to justify the software as something that could help users "discover" products, as if any person ever has asked for this crap to be preinstalled ever.

keiner • February 23, 2015 8:09 AM

Instead of buying a consumer-level piece of hardware, buy 2-3 y old leasing-return high-end hardware and throw away the HDD/SSD (and maybe the GPU). Buy a decent pair of HDDs, built a RAID1 and install the OS of your choice.

Much better and the hardware typical will stand 10 years and longer...

Pieter Verberne • February 23, 2015 9:41 AM

Is it true that the Superfish software redirects all https connections to their servers? Else, how could 'www.bankofamerica.com' show a Superfish certificate?

If that is true, Superfish has plain text access to all https traffic. That is just ridiculously rude and also very stupid.

Nathanael • February 23, 2015 11:57 AM

Does anyone *remotely* security-minded use preinstalled software?

If so, why?!?! I stopped doing that in the 1990s. If I'm using a preinstalled distribution, this indicates that this is a deliberately insecure machine.

Thoth • February 24, 2015 12:13 AM

@Nathanael
Insecure Internet facing machines would simply be used for bloatware and soak up the beatings whereas if you want to do sensitive stuff, something like a OpenBSD installed machine would provide just a bit more assurance. I think most of us here would not be surprised that "the infection" usually goes deeper than it should be (into the close door hardware).

There is the Librem laptop (https://www.crowdsupply.com/purism/librem-laptop) that was pointed out but before we start pinning hopes on its open nature which it promises, it should deliver results first.

Quite surprised that the Librem laptop doesn't support OpenBSD in it which is a much better choice than any other *nixes due to the security-centric nature of OpenBSD.

Even for an open door hardware design and specs like Librem, I am very sure the Warhawks and Powers That Be might find some way to sneak certain circuitry and we need something to handle that too.

Nick P • February 24, 2015 8:12 AM

@ Thoth, Nathanael

I like how the top two open laptops either use (a) a processor made in the U.S. by the top target of NSA subversion or (b) a processor made in U.S. by a defense contractor with a "DOD certified" fab. Both with blackbox's running in privileged mode. Yeah, that will keep the surveillance state out! ;)

They're still interesting choice if you're not worried about surveillance. Novena, in particular, because it has a Spartan-6 FPGA in it.

Clive Robinson • February 24, 2015 11:23 AM

@ Nick P,

Did you also notice that they were having real problems finding an Intel CPU that would actually run without having to have a microcode update on booting...

And people wonder why I don't trust Intel further than I can spit them, and as my mum taught me long ago, I'd not put something that poisonous in my mouth in the first place, so trust not one micron let alone an inch.

Nick P • February 24, 2015 1:19 PM

@ Clive

Yeah, that was an entertaining read. The best part was how they thought they could convince Intel to open its microcode a bit.

Intel: "You can certainly have the microcode... when hell freezes over."

65535 • February 25, 2015 11:57 PM

@ CallMeLateForSupper

"Rogers responded that it is a matter of law to do focused collection against a U.S. person. [...] NSA would have to get permission by showing a court a legal basis [...] 'It can’t just be, "we don’t like journalists”'
That is another non-answer answer. Test it yourself. Does any part of Rodger's reply say "We did" or "We did not" or "We might have" or even "I do not know"? Nope." -CMLFS

That is my poorly written point [in my post]. I am happy that you clearly stated the deception by Admiral Rogers.

@ Jones

‘In order to promote economy and efficiency in Federal procurement, it is necessary to secure broad-based competition [possibly from foreign companies] for Federal contracts…’
‘Executive Order 13005 - Empowerment Contracting (May 21, 1996)’ - Jones

Yes.

Such as trusting Barak Weichselbaum and his crew [IDF alumni] for NSA “Mission Critical” spy equipment – only to find said equipment spying on the NSA and sending the data back to the IDF.

If you do some googling, you will find Weichselbaum and crew involved in a number of CALEA projects and possibly NSA projects.

"Verint's products include speech analysis software (used for IVR systems) and IP surveillance cameras and "smart" video surveillance analysis software... Verint's RELIANT software provides law enforcement agencies with the ability to monitor and analyze voice, video, and data for a "vast number of targets" on all types of large, complex computer networks... to collect evidence for CALEA wiretaps. Multiple national governments including the U.S., U.K., and various European, Asian, and Pacific nations have purchased millions of dollars in Verint surveillance software and equipment. On January 27, 1997, Comverse Technology Inc. announced the formation of a new private equity fund in partnership with Quantum Industrial Holdings Ltd…" - Wikipedia

https://en.wikipedia.org/wiki/Verint#Products

[and]

"Like Narus, Verint was founded by in Israel by Israelis, including Jacob “Kobi” Alexander, a former Israeli intelligence officer. Some 800 employees work for Verint, including 350 who are based in Israel, primarily working in research and development and operations, according to the Jerusalem Post. Among its products is STAR-GATE, which according to the company’s sales literature, lets “service providers … access communications on virtually any type of network, retain communication data for as long as required, and query and deliver content and data …” and was “[d]esigned to manage vast numbers of targets, concurrent sessions, call data records, and communications.” …a rare and candid admission to Forbes, Retired Brig. Gen. Hanan Gefen, a former commander of the highly secret Unit 8200, Israel’s NSA, noted his former organization’s influence on Comverse, which owns Verint, as well as other Israeli companies that dominate the U.S. eavesdropping and surveillance market. “Take NICE, Comverse and Check Point for example, three of the largest high-tech companies, which were all directly influenced by 8200 technology,” said Gefen. “Check Point was founded by Unit alumni. Comverse’s main product, the Logger, is based on the Unit’s technology.”

http://www.wired.com/2012/04/shady-companies-nsa/all/

[and]

http://www.pcworld.com/article/2887253/superfish-vulnerability-traced-to-other-apps-too.html

@ entax "What about Comodo case ???"

If you dig around the web you will find that the SSL stripper in that product is from a company or subsidiary associated with Comverse, Verint, and Weichselbaum and associates [IDF].

@ steve37

Good links!

The real problem with these “security SSL stripping” such as Blue Coat, MS Forefront, Bitdefender, Kaspersky, all CALEA programs and so on.

1] These companies depend upon a buried clause in their “EUL” or license agreement to trick you into allowing it to place a bogus “Trusted root certificate” – usually self signed on your computer. It’s another End User License Agreement scam.

2] Some sort of Certificate forging engine that always works in the background [companies are tight lipped about this forging engine]. This “engine” consumes computing resources and makes your machine less secure.

Gibson Research claims that this certificate forging can be discovered by comparing the real certificate’s fingerprint with the forged one. I just wonder if there is an end-run around this hash [fingerprint] method.

https://www.grc.com/fingerprints.htm

@ Dirk Praet

“On the upside, M/S had a Defender update ready in about 24 hours.” –Dirk

That is interesting to know! Ms is out in front of the pack - who would have guessed.

@ Nick P, Thoth, Nathanael

‘I like how the top two open laptops either use (a) a processor made in the U.S. by the top target of NSA subversion or (b) a processor made in U.S. by a defense contractor with a "DOD certified" fab. Both with blackbox's running in privileged mode. Yeah, that will keep the surveillance state out! ;)’ – Nick P

Ugh, that is just great /

What are those two?

Tangentially, this thread brings up the Trusted Computing platform.

“…Enforcing this behavior is achieved by loading the hardware with a unique encryption key inaccessible to the rest of the system. TC is controversial as the hardware is not only secured for its owner, but also secured against its owner. Such controversy has led opponents of trusted computing, such as free software activist Richard Stallman, to refer to it instead as treacherous computing, even to the point where some scholarly articles have begun to place scare quotes around "trusted computing"… Chip manufacturers Intel and AMD, hardware manufacturers such as HP and Dell, and operating system providers such as Microsoft all plan to include Trusted Computing in coming generations of products.... The U.S. Army requires that every new small PC it purchases must come with a Trusted Platform Module (TPM). As of July 3, 2007, so does virtually the entire United States Department of Defense." -wikipedia

https://en.wikipedia.org/wiki/Trusted_Computing

I would assume that in the future some clever hacker [possibly a state sponsored hacker] will discover the keys and copy them for hacking – as in the SuperFish case.

I would guess that all Intel and AMD products with these hidden keys embedded in the processor would eventually become a security risk – even to the NSA.

We are back to Nick P home brew platforms. What a circle.

Please excuse all of the grammar and other errors; I am tight for time.
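The fingerprint comparison mentioned in the comment above, sketched as an added example (not part of the original comment and not GRC's code). The DER byte strings are constructed stand-ins, and all function names are assumptions of this example.

```python
import hashlib
import hmac
import ssl

ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}  # fingerprint length -> hash used


def normalize(fp: str) -> str:
    """Drop the colons/spaces a certificate viewer shows and lowercase the rest."""
    return "".join(ch for ch in fp if ch not in ": ").lower()


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """A certificate fingerprint is a hash over the certificate's DER bytes."""
    return hashlib.new(algo, der).hexdigest()


def display(fp_hex: str) -> str:
    """Format as colon-separated upper-case pairs, the way certificate viewers do."""
    return ":".join(fp_hex[i:i + 2] for i in range(0, len(fp_hex), 2)).upper()


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Leaf certificate as served to THIS machine (network needed; not validated)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def matches_reference(der_seen: bytes, reference_fp: str) -> bool:
    """True when the certificate we were served hashes to the reference value.

    The reference must come from a vantage point the local proxy cannot touch
    (another network or device); otherwise the comparison proves nothing.
    """
    ref = normalize(reference_fp)
    algo = ALGO_BY_HEX_LEN.get(len(ref))
    if algo is None:
        raise ValueError("reference is not a SHA-1 or SHA-256 fingerprint")
    return hmac.compare_digest(fingerprint(der_seen, algo), ref)


# Constructed stand-ins for DER bytes; real input comes from fetch_leaf_der().
GENUINE_DER = b"constructed: leaf certificate issued by the site's real CA"
FORGED_DER = b"constructed: leaf for the same name minted by a local proxy"
REFERENCE = display(fingerprint(GENUINE_DER))  # as if read from an outside service

if __name__ == "__main__":
    print("genuine:", matches_reference(GENUINE_DER, REFERENCE))
    print("forged: ", matches_reference(FORGED_DER, REFERENCE))
```

A mismatch can also come from a site that legitimately serves different certificates from different servers, so a single differing fingerprint is a reason to look closer rather than proof of interception.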

Figureitout • February 26, 2015 12:24 AM

65535
Ugh, that is just great/ What are those two?
--Librem: https://www.crowdsupply.com/purism/librem-laptop

Uses a bunch of unverified and highly likely unsecure drivers and likely using insecure sourcing as security isn't a goal, but "freedom" (BIOS is "almost" freed, ok...). Intel i7-4470HQ CPU. Still pushing a decent software solution to trusting every vendor's chips and code and they're funded nearly 2X their crowdfunding goal. Much preferred form-factor as a regular slick laptop. Light on details.

--Novena: https://www.crowdsupply.com/kosagi/novena-open-laptop

3X funded over their crowdfunding goal. Insane hardware capabilities and sick add-ons. Same thing except way more upfront w/ shortfalls and issues, likely insecure drivers will be used. Bunnie is legit and so is Xobs. Freescale iMX6 CPU (props to Freescale for opensourcing a CPU and datasheets, located in US so compromised but I still work w/ them).

Nick P doesn't have a hardware solution nor does anyone else in the world, if they say they do they probably don't understand the problem and will wave their hands at real threats. RobertT called bullsh*t years ago and said all our efforts would fail due to all the vectors of attack, unfortunately I think he's right. It's an impossible problem to actually solve based on all the issues attacking the development process from every angle. Every single encapsulated chip is not secure, flat out. They're all black boxes, decap one chip, you don't know if the one you use from the same source is an actual copy of the other chip 100%.

Wael • February 26, 2015 12:37 AM

@Figureitout,

RobertT called bullsh*t years ago and said all our efforts would fail due to all the vectors of attack, unfortunately I think he's right

RobertT was right, but only if the attacker has physical access to the device.

Figureitout • February 26, 2015 1:03 AM

Wael
--We've gone over superficially what it would take for an "under the radar" build. You need the best analog engineers (on our side) watching the process as it happens (so the fab needs to give the customer access to its internals for the build) and additionally someone like...me watching externally for "issues" that need further investigation during full extent of build (they can't hide from me). All current employees under investigation and any other unneeded individuals entering the premises. Nick P did mention one clever thing which makes sense (I use the principle in personal OPSEC) which is to make sure that purpose of build IS NOT security. That will give it a better odd of flying under radar and forcing active attackers to go after every IC in the world.

Figureitout • February 26, 2015 1:10 AM

Wael
*Add-on*
--Additionally the premises must agree to an external and internal pen-test and then open up its computers to inspection. Probably no company would do that for a customer unless we got "fat stacks". So...we need money, which well...accumulating massive amounts of money is immoral to me as it inherently takes from others...

Nick P • February 26, 2015 1:18 AM

re "Nick P doesn't have a hardware solution"

Bullshit lol. I have several. The problem with hardware is funding, as usual. IBM just recently gave up their hardware business as there was no money in it despite them being IBM. My hardware solutions, like others, would take a tremendous amount of funding to develop with the customers accepting the loss of end-user or corporate functionality that couldn't be implemented securely. Needless to say, the market and the capitalists funding it are usually against such options. More recently, grant-writers too.

The result is the status quo continues regardless of what solutions I may have. Most parties involved don't give a shit about reality, from control of business to functional democracy. That's the problem. As I previously said, it's political and might be impossible to solve with technical solutions.

Figureitout • February 26, 2015 1:25 AM

RE: "bullshit lol"
--Claiming to have a solution then repeating the same problem everyone else experiences that renders that a falsehood is not a solution.

Relying on political solutions (just look at the people there and compare intelligence)...just give up. Technical all the way, or no way.

Thoth • February 26, 2015 1:39 AM

Regarding Trusted Computing, think of it as a Secure Element inside a CPU or as a co-CPU unit. It has the traditional crypto and key management (crypto-chip) and a hardware processing and access control logic unit. More advanced TC chips would allow you to load programs (like how a smartcard loads single or multiple applets) in a more "assured" and limited environment. If you want to defeat the TC chips, Ross Anderson's papers on tampering with secure chips are useful. In short, most "secure" chips only attempt to drag time on accessing the registry inside the chip containing the master key. Once you manage to get inside the chip, defeat its tamper resistant traps and go for the keys (not as easy but not un-doable) by doing microprobing on the chip. The AEGIS security processor has shown a way to prevent the exfiltration of master key if the security processor is designed in the AEGIS method properly and there is a way to verify its correctness and integrity.

After all TC chips are untrusted and are developed behind closed doors. Development usually requires NDAs as well.

@Nick P
Are there recommended university developed RISC chips that would be recommended for "open source" laptops and computers ?

Thoth • February 26, 2015 1:45 AM

@Figureitout
What if the Govt/Warhawks/Powers That Be decides to outlaw "secure computing" unless registered (Orwellian scenario) and whomever possesses "secure computing" would be considered possession of "weapons of destruction/firearms/harm" ?

They could bring in bureaucracy and force to ensure development, possession or use of "secure computing" as illegal whenever they like because looking at their intelligence, would they not move to these decisions due to the amount of open defiance corporate and open community have to their decisions and policies to escrow "secure systems" ?

65535 • February 26, 2015 2:06 PM

@ Figureitout

Thanks. I got it:

--Librem
--Novena

The latter is a little on the expensive side but usable. I do have some reservations on any FreeScale products because of proprietary Memory Management Units – but I can live with them.

“Every single encapsulated chip is not secure, flat out. They're all black boxes, decap one chip, you don't know if the one you use from the same source is an actual copy of the other chip 100%.” - Figureitout

I hear you.

With hard evidence that HDD controllers can be rooted and have persistent threats on the chips, all chips are suspect. I can see a number of companies tossing USA tainted equipment because of this [what a waste – maybe a necessary waste – but still a waste].

Sorry about the disjointed post. I tried to cram two posts into one and it did not work out well.

Wael • February 26, 2015 11:35 PM

@Figureitout,

That will give it a better odd of flying under radar and forcing active attackers to go after every IC in the world.

Perhaps so, but not guaranteed either.

Wael • February 26, 2015 11:57 PM

@Thoth,

Regarding Trusted Computing, think of it as a Secure Element inside a CPU or as a co-CPU unit.

No, Thoth. Don't think of them that way! They serve a different function than a Secure Element and have different capabilities. You may think of them as a "functional" Smart Card for the platform.

More advanced TC chips would allow you to load programs (like how a smartcard loads single or multiple applets) in a more "assured" and limited environment.

I'm not aware of these chips, you have an example?

Once you manage to get inside the chip, defeat its tamper resistant traps and go for the keys (not as easy but not un-doable) by doing microprobing on the chip.

They are not crypto processors! They are not just a "safe HW key repository"! If you don't feel like reading the specs and links I shared previously, then watch some webcasts. You need to register (free)...

http://www.trustedcomputinggroup.org/resources/tcg_educational_webcasts

Figureitout • February 27, 2015 12:59 AM

Thoth
What if...
--Companies following law would stop trying to make secure/safe products (like controllers for airplanes, cars, "smartgrid" controllers, etc.) and a black market would open up and thrive like it does for any outlawed activity.

65535 RE: freescale chip
--Yeah, whatever they do is going to be similar to other companies; I can't recall off top of head if TI's AM335x chip for beaglebone has a proprietary mmu as well even though it's an opensource board.

Wael
--Yep, always shadow of doubt depending on psychosis of attacker.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.