Lenovo, Superfish, Komodia: a Man In The Middle story

Lenovo made the headlines this week with the alleged malware Superfish.  Lenovo delivered some PCs preloaded with the “bloatware” Superfish.  Superfish provides a visual search solution.  Seemingly, Superfish designed software that places contextual ads into the web browsing experience.  To perform this hijacking, Superfish uses a software stack from Komodia: SSL Digestor.  According to Komodia’s site:

Our advanced SSL hijacker SDK is a brand new technology that allows you to access data that was encrypted using SSL and perform on the fly SSL decryption. The hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.

How does Komodia decrypt the traffic without triggering the browser’s certificate validation?  On Thursday, CERT disclosed the trick in its vulnerability note VU#529496:

Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys, making systems broadly vulnerable to HTTPS spoofing

Komodia stealthily installs its own root certificate in the browsers’ CA repository, and the software stack holds the corresponding private key.  This allows it to sign forged certificates for any site and thus to set up a classic Man In The Middle.  Although the private key was encrypted, it was possible to extract some of the corresponding private keys (the password was easy to guess: komodia).  This means that as long as the root certificate is not erased from the browsers’ repository, an attacker may use the corresponding private key.  The attacker may sign malware that the machine would accept, and generate phony certificates for phishing.  In other words, principals other than Superfish may use the hack to infect Lenovo computers.

Lenovo provided a patch that removes the Superfish application.  Unfortunately, the patch does not erase the malicious certificate.  Microsoft provided such a patch, and Mozilla should soon revoke the certificate.
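As an added check that is not part of the original post, the following PowerShell inventories the Windows root stores for a leftover Superfish or Komodia root; the name patterns used to match the certificate are my assumption, and removal is left commented out on purpose.

```powershell
# Added example, not from the original post or from CERT/Lenovo: look for a
# locally injected root in the Windows root stores. Run in an elevated session.
# Assumption: the suspect root names are the two vendor names quoted in the post.
$suspectNames = @('Superfish', 'Komodia')
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $matched = $suspectNames | Where-Object {
            $cert.Subject -match $_ -or $cert.Issuer -match $_
        }
        if ($matched) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                # A root whose subject equals its issuer is the self-signed anchor
                # the post describes.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                # The post says the software stack keeps the private key itself;
                # HasPrivateKey only reports a key held by the Windows store, so a
                # False value here does not clear the root.
                HasPrivKey = $cert.HasPrivateKey
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    # Removal is a separate, deliberate step: confirm the thumbprint first,
    # then uncomment the line below (still in an elevated session).
    # $hits | ForEach-Object { Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" }
} else {
    'No Superfish or Komodia root found in the Windows root stores.'
}
```

Firefox keeps its own NSS certificate store, which this script does not inspect, so a clean result here says nothing about Mozilla’s repository.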

This is a perfect example of a supply chain attack.  The main difference is that the supplier voluntarily infected its own product.  Never forget law 4: Trust No One.

PS:  at the time of writing, the Komodia site was down, allegedly due to a DoS.  It may also simply be because too many people were trying to visit the site.

Social engineering and catastrophes

Recently, I visited a security company. They presented their new, impressive Security Operational Centers. The security analysts had a continuous update of the sanity of their networks, the most prominent threats and a wealth of other useful security indicators on three huge displays. In the bottom right corner, info channels, as well as selected tweets, were continuously updated. They explained that it was key to be aware of breaking news as it may impact the threat environment.

They are right. A good social engineer may use the current breaking news and the morbid curiosity of users. With the advent of social networks and their capacity to disseminate the latest news, news items have become common tools of attack. For a few years, every major catastrophe has seen mushrooming spam and fake sites pretending to collect charity for the victims of the catastrophe. In 2014, it even started to become a vector for Advanced Persistent Threats (APT).

On 2014 March 8, Malaysian authorities announced that they had no news of flight MH370 to Beijing. It took several weeks before confirmation came that this flight had crashed in the sea. Meanwhile, the topic was used for spying on political bodies. Two days later, members of a government in the Asia-Pacific region received a spear-phishing mail with an attachment titled “Malaysian Airlines MH370.doc”. Of course, this document was empty but contained a Poison Ivy malware. It was sent by “Admin@338”, a Chinese hacking group. On 2014 March 14, the same attacking group sent a different spear-phishing email to a US think tank with an attachment titled “Malaysian Airlines MH370 5m Video.exe”. Once more, the attachment was malware.

Many other malware campaigns used the same catastrophe without being part of an APT, but rather as generic random attacks. Some phishing sites, mimicking the Facebook look, were used to collect data from fooled users. The sites supposedly presented a video of the supposed discovery of the missing plane. Before viewing the video, the site proposed that users share the video with their friends. Afterwards, the site asked the users to answer some questions such as their age. In other words, the phishing sites scammed the curious, tricked users.

This trend has existed for a few years and exploits every widely covered catastrophe. Thus be aware: charity may be a threat vector.

Toilet DOS

A humorous news item today, as we are in the holiday period.

Japanese toilets are known to be extremely sophisticated.  The company LIXIL sells Bluetooth-powered toilets under the brand name SATIS.  There is even an application (My Satis) available on Google Play that drives your toilet from your Android phone. You can select the music played by the toilet, open or close the lid, and manage many other features.

Where is the relation with security?  The security company Trustwave SpiderLabs issued on August 1 a security advisory about the LIXIL Satis toilet!  The application uses a hardcoded PIN of ‘0000’.   In other words, anybody with the application and within range of the toilet can take control of it.   I let you imagine interesting hacking scenarios…  According to the security advisory,

Attackers could cause the unit to unexpectedly open/close the lid, activate
bidet or air-dry functions, causing discomfort or distress to user.

In other words, a new breed of Denial of Service…

What I would like to understand is how a security analyst decided to have a look at the security of a toilet.  Nevertheless, it shows that security is not taken seriously today in most consumer devices, although they are more and more connected.  As proof, LIXIL did not react to this advisory for more than six weeks.

Thanks to MY for the pointer.

Top threats for cloud computing

The Cloud Security Alliance released a document listing the nine top threats of cloud computing: “The Notorious Nine”.  The nine threats are:

  1. Data breaches: an attacker may access your data.
  2. Data loss: the loss may result from an attack, a technical problem or a catastrophe.   The document wisely highlights the issue raised by encryption (used to protect against threat 1).
  3. Account hijacking.
  4. Insecure APIs: this one is extremely important, especially for system designers.  It is not unique to the cloud, but it is clearly exacerbated by a cloud infrastructure.
  5. Denial of service.
  6. Malicious insiders.
  7. Abuse of cloud services: using the cloud for nefarious actions such as password cracking. Well, every coin has two sides.
  8. Insufficient due diligence: jumping on the cloud bandwagon without enough preparation may be an issue.  This is not specific to the cloud; it is true of any new paradigm.  BYOD (Bring Your Own Device) is a perfect illustration of such a problem.
  9. Shared technology vulnerabilities: as you share components and pieces of software, not necessarily with enough isolation, a single vulnerability may impact many players.

Each threat is described and illustrated by a real-world example of an attack.  A risk matrix allows comparing them.

This list was established by surveying industry experts.  Unfortunately, the document gives no details about the number of surveyed experts, their locations, or their qualifications.

A good document to read.

DDoS as a form of free speech

Dykan K. (from Eagle, Wisconsin) started on January 7 an online petition asking the Obama administration to

Make, distributed denial-of-service (DDoS), a legal form of protesting.

With the advance in internet technology, comes new grounds for protesting. Distributed denial-of-service (DDoS), is not any form of hacking in any way. It is the equivalent of repeatedly hitting the refresh button on a webpage. It is, in that way, no different than any “occupy” protest. Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time.

Many newspapers claim it was issued by Anonymous.  Nevertheless, I was not able to find a related tweet issued by @AnonNews (if somebody spotted it, please send me the pointer).

Is it a legitimate demand?  Obviously, some DDoS actions were used to protest against authorities or resented actions…  For instance, when MegaUpload was closed, Anonymous organized such an attack (see http://eric-diehl.com/megaupload-is-down/).   Nevertheless, DDoS is also used for blackmail or just simple malevolence.   Therefore, we can foresee the answer of the Obama administration.   To receive an official answer, the petition must gather more than 25,000 signatures in one month.   At the time of writing, it was at 4,255.

Update 16-Jan:  since Tuesday, the White House has raised the threshold from 25,000 signatures to 100,000 signatures.  At the time of writing, the petition was at 4,855.  Of course, this rise is not correlated with this petition (rather with the secessionist petitions).

UBISOFT re-torpedoed

The use of a new type of DRM for its new games “Silent Hunter 5” and “Assassin’s Creed II” raised a violent reaction against Ubisoft. The software was cracked in less than 24 hours.

But this time, the story did not stop there. Last week, Ubisoft was under a serious Denial of Service (DoS) attack. Thus, legitimate gamers were not able to play! These games require an online connection for initial authentication but also to save the game! It seems that this weekend a new salvo of DoS attacks was launched from Russia against Ubisoft’s servers. These DoS attacks make the hacked version more attractive (that’s the limit!)

Furthermore, some players confirmed on forums that the hacked game was complete (which Ubisoft initially denied).

Lesson: when designing a DRM, we should check what happens if some elements of the context environment fail (such as the network connection). The impact should be minimal for the legitimate customer.