The Lenovo Problem is NOT just Lenovo

I wrote the other day (see post) about malware (called Superfish) that Lenovo intentionally installed on their computers in the name of improving your customer experience.  Well, they admit that it was poorly thought out, but only for one of the two reasons I am concerned about.

They admit that snooping on your private conversations to present you with ads is probably not a good plan.  The bigger problem is that the Komodia software Superfish is built on is a security train wreck.

Marc Rogers, the guy who tipped us to the problem, has done more research on Komodia and the problem is much bigger.  Komodia makes a bunch of products that eavesdrop on your traffic for a bunch of different reasons and they all have the same issue.  Some of the products that use this same toolkit include:

  • Komodia’s “Keep My Family Secure” parental control software.
  • Qustodio’s parental control software
  • Kurupira Webfilter
  • Staffcop (version 5.6 and 5.8)
  • Easy hide IP Classic
  • Lavasoft Ad-aware Web Companion
  • Hide-my-ip (note: this package does not appear to use the SSL MITM, and its certificate differs slightly from the one found in the other packages; however, it still installs an unrestricted root certificate protected by a simple plaintext password.)

All of these products suffer from some common illnesses which include:

  • They intercept your private communications
  • The private key for the root certificate is embedded in the software, and it is the same for every one of the installations around the world (no hacker would ever take advantage of that).
  • The password protecting that private key, also embedded in the software, is also the same for everyone, and it is a stupid password: komodia.  I guess that is better than using 123456, but not much better.
  • The Komodia software, which negotiates the connection with, say, your bank on your behalf, accepts a whole list of old, weak cryptographic methods that modern browsers eliminated years ago.  That means that, on top of everything else, your traffic can be attacked with techniques your browser on its own would have refused to allow.
  • The Komodia software does not check (not correctly, anyway) whether the certificate of the web site you are going to is valid.  This means that, on top of everything else, you might be sent to a bogus web site and not even know it, because the only certificate your browser ever sees is the one Komodia minted locally, and that one always checks out.

The web site that I reported last week (link above) has a test to see if the Superfish software is installed on your computer.  The site has been updated to reflect this news and the address is: 

If you do have this software on your computer, not only do you need to remove the software, but you also need to remove their root certificate (basically, a skeleton key that lets anyone holding the shared private key impersonate any secure web site to your browser) as well.  Marc has instructions for doing that on his web site.

All I can say is ARGH!!!!!

As I have said before, the internet merchants want to fool you into believing that SSL is secure.  It is less insecure when you implement it correctly, but it is totally insecure when you implement it the way Komodia did.  Worse than being insecure, Komodia puts your computer at risk because of their actions.

The U.S. Computer Emergency Readiness Team (part of DHS, but run by intelligent people at Carnegie Mellon University) is now involved as well, so we may yet see more news about this.

If you are using any of these products, I would definitely uninstall them and remove the root certificate as well.



The simplest hack

CSO Magazine is reporting on an experiment conducted by the Ponemon Institute.  They sent researchers disguised as temporary employees, with temporary badges, into 43 offices belonging to 7 companies.  Management was aware of the plan, but the office staff were not.

The researchers went into the offices, wandered around, took pictures of computer screens, picked up documents marked confidential and put them in their briefcases.  The researchers even brought spreadsheets up on their computer screens and took pictures of the screens.  All in full view of the office staff.

The security industry calls these ops red teams.  Been there.  Done that.  I know they work.  Almost 100% of the time.

And the results ….

Out of 43 trials, the researcher was confronted by a company employee only seven times when taking pictures of the screen, only four times when it looked like they were stealing confidential documents, and only twice when wandering around looking at things on people’s desks, computer monitors, and at printers, copiers and fax machines.
And there was only one case where the strange behavior was actually reported to management.

That is one report in 43 trials, a little over two percent.  The other 97 percent of the time, nobody told anyone.

The information they collected included staff directories, customer information, financial information, confidential documents and access credentials.

Open layout offices were easier to compromise than traditional offices.  Customer service, marketing and sales were the easiest targets;  legal and finance were the hardest.  IT was in the middle.

The sponsor was 3M and the mission was to see if their computer privacy screens made a difference – the answer is not much.

Things that did make a difference included clean desk policies, standardized shredding policies and mandatory training.

And they did not need to be in the offices for long.  They spotted their first piece of target information within the first 15 minutes.

The moral of the story is that we need to deal with the simple stuff before we deal with the impossible.  If we fail at the simplest security tasks, there is no way that we will defeat an advanced persistent threat.


GCHQ Pilfers Encryption Keys To Cell Phones

We have known for a long time that the encryption on cell phone calls and text messages was relatively weak, but apparently, cracking that was more work than GCHQ, the British version of the NSA, wanted to do.

People have been beating up the NSA for being, well, the NSA.  I have said, whether we agree with them or not, they are just doing what they have been told to do and maybe they are a little smarter than some other spy agencies, but they are not doing anything that the other spy agencies are or want to do.

So now it is GCHQ’s turn in the spotlight.  Dark Reading is reporting (see article and article) that GCHQ, with NSA’s help, broke into the world’s largest SIM card manufacturer, Gemalto.  Gemalto’s cards are used by AT&T, Verizon, Sprint and T-Mobile, as well as in bank cards, passports and other identity cards around the world.  Just to make sure they weren’t missing anything, they also had a project to break into the cell phone companies and grab their encryption keys as well.  The source of this information is … you guessed it … Edward Snowden.

Breaking into the cell phone companies’ core networks also allowed them to suppress billing charges that might have raised suspicions and gave them access to customer data.

Gemalto makes two billion SIM cards a year, all “owned” by GCHQ and the NSA.  Along with whoever else they shared this with.

The stolen keys give GCHQ and NSA the ability to read any text message or listen to any phone call without having to crack the crypto involved.  The key that actually encrypts a call is derived on both ends from the SIM’s long-term secret key and a challenge that the network sends over the air in the clear, so whoever holds the SIM key can run the same derivation and get the same session key.

Using very standard phishing attacks, GCHQ planted malware on Gemalto’s network that gave them complete remote access to the network.

Possession of these keys allows the spies to send fake text messages, sign malicious Java apps and set up fake cell towers, along with listening to all phone calls.
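To show how stolen SIM keys become readable traffic with no code-breaking at all, here is an added Go example; it is not from the Dark Reading articles or the Snowden documents and models nothing Gemalto-specific.  It plays the GSM authentication exchange: the network sends a random challenge over the air unencrypted, the SIM and the network each derive a response and a session key from that challenge and the SIM’s long-term secret Ki, and a passive listener holding a copy of Ki does the same derivation on the challenge it captured.  The real A3/A8 algorithms are operator-specific and not public; HMAC-SHA256 stands in for them here, which is an assumption for illustration only.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Ki is the 128-bit long-term secret personalised into a SIM at manufacture.
// The carrier's authentication centre holds the same value, and the SIM
// vendor had it before shipping; that vendor copy is what the reports describe.
type Ki [16]byte

// deriveSRESKc stands in for the operator-specific A3/A8 algorithms. From Ki
// and a random challenge it returns the 32-bit authentication response SRES
// and the 64-bit session cipher key Kc. HMAC-SHA256 is an illustrative
// substitute (an assumption), not the real algorithm; what matters is that
// both outputs are a function of Ki and a value that was sent in the clear.
func deriveSRESKc(ki Ki, rnd [16]byte) (sres [4]byte, kc [8]byte) {
	mac := hmac.New(sha256.New, ki[:])
	mac.Write(rnd[:])
	out := mac.Sum(nil)
	copy(sres[:], out[:4])
	copy(kc[:], out[4:12])
	return sres, kc
}

// Authenticate plays the over-the-air exchange. The network picks RAND and
// sends it unencrypted; the handset asks its SIM for SRES and returns it;
// the network compares. If they agree, both sides hold Kc and the call or
// SMS that follows is encrypted under it. RAND is returned because a passive
// listener sees it too.
func Authenticate(networkKi, simKi Ki) (rnd [16]byte, kc [8]byte, ok bool, err error) {
	if _, err = rand.Read(rnd[:]); err != nil {
		return
	}
	wantSRES, networkKc := deriveSRESKc(networkKi, rnd) // network side
	gotSRES, _ := deriveSRESKc(simKi, rnd)              // SIM side
	if ok = wantSRES == gotSRES; ok {
		kc = networkKc
	}
	return
}

// EavesdropperKc is the whole "attack" once Ki is known: repeat the key
// derivation over the captured RAND. Nothing is cracked.
func EavesdropperKc(stolenKi Ki, capturedRand [16]byte) [8]byte {
	_, kc := deriveSRESKc(stolenKi, capturedRand)
	return kc
}

// SimDemo runs one authentication and reports whether a listener holding the
// real Ki recovers the session key, and whether one without it does.
func SimDemo() (withStolenKi, withoutKi bool, err error) {
	var ki Ki
	if _, err = rand.Read(ki[:]); err != nil {
		return
	}
	rnd, kc, ok, err := Authenticate(ki, ki)
	if err != nil || !ok {
		return false, false, fmt.Errorf("authentication failed: %v", err)
	}
	withStolenKi = EavesdropperKc(ki, rnd) == kc
	var wrong Ki // a listener without Ki has nothing to derive from
	withoutKi = EavesdropperKc(wrong, rnd) == kc
	return withStolenKi, withoutKi, nil
}

func main() {
	stolen, without, err := SimDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("listener with stolen Ki gets Kc: %v\n", stolen)
	fmt.Printf("listener without Ki gets Kc:     %v\n", without)
}
```

Run it with go run; the listener with the stolen Ki reports true, the one without reports false.  The encryption of the call itself (a stream cipher keyed with Kc) is not modeled; once Kc is known, that step is just decryption, which is the point of the paragraph above.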

One question to ask, of course, is whether GCHQ and NSA are the only organizations who could and did do this – did any hackers do the same thing?  The only real answer is who knows, but from what is being reported, this hack did not require James Bond; it is a relatively run of the mill hack of a large organization with typical (i.e. poor) security.  In Gemalto’s defense, protecting any large organization from a well designed spear phishing attack is hard.

Having the encryption keys also relieves the spy agencies of the need to go to the FISA court, the secret court the spies ask for permission to, well, spy, and ask for a warrant.  With warrant in hand they go to the cell phone company and ask for the data.  Now they don’t have to bother with that.  Convenient.

An interesting thought.  If these chips are used in passports and a hacker had done the same thing that Snowden reports GCHQ did, they could create fake passports for terrorists.  They also could create fake chip and pin credit cards or hack real ones.

This is one reason why an enterprise risk assessment is so important.  An assessment would identify the company’s crown jewels (in this case, the encryption keys) and try to make that data more resistant to attack.

Now that this is known, it is unclear what the cell phone and identity card companies will do.

What this does point to is that the only encryption that is likely to have any remote chance of being secure is end to end encryption where you manage the keys and no provider has access to the keys.  Encryption provided by phone companies, Dropbox, Facebook, Google and Microsoft is likely completely compromised.  This type of encryption is also the most inconvenient way for users to manage encryption – they would prefer to snap their fingers and have it be secure.  While the work of GCHQ and the NSA raises privacy concerns, if they could do this, so could the Chinese, Russians and probably at least a large handful of hackers.  Among others.  THAT is a big concern.


State Department Still Pwned

Homeland Security Today and others are reporting that three months after the State Department admitted that hackers had gotten into their unclassified email system, the hackers are still there.  (see article)

While it is always fun to beat up government bureaucracies, it points out that sometimes getting hackers out is a hard thing to do.

There have to be a bunch of questions being asked at Foggy Bottom these days, such as:

  • How did the hackers get into the email in the first place – have we closed that door?
  • Where else are the hackers hiding that allow them to reinfect email?
  • Are there insiders helping the hackers?  Even unwittingly.

And so forth.

The article says that even though the NSA and outside contractors have been working on the problem, it is still a problem and it is not fixed.

Still, State Department employees are using that breached email system.  It is possible that NSA is watching what is going out – maybe – and that might make them feel better.  It is also possible that the NSA knows who the hackers are.  Hopefully, they have moved the more sensitive but still unclassified traffic to a different network.

As we watch Sony and Target and Home Depot and all the others wrestle with breaches and we look at the resources available to the State Department,  the fact that State can’t fix this problem after three months should make people concerned about what they would do if they were breached.

The statistics are that 60% (Experian) to 70% (First Data) of the small and medium size businesses that have a breach go out of business within six months.  I am certain that State is spending a LOT of money trying to get these guys out.  Without success.  What chance does the average business have of recovering from a significant breach?


Watch Those SLAs When You Move To The Cloud

Network World wrote about a company that experienced an outage with Microsoft Office 365 cloud email.  Users could not get to their email from Outlook or on their phones for 24 hours and it affected users in the U.S. and overseas (see article).

The company filed a claim with Microsoft for breaching the SLA, but Microsoft said that since webmail was still working, the system was not down.  The fact that users could not access mail was apparently not important.

This is not news – vendors have often twisted reality to suit their financial needs, but as more companies move more services to the cloud, as part of your enterprise risk assessment, you need to understand what the impact of an outage is and what your recourse is.  If your cloud vendor goes down for two days and you lose your biggest customer, it is not much consolation that they will give you a 25% credit on your next bill.  You lost a customer that generates a $100k a month and they give you a $2,000 credit.  Woop-ti-do.

The article goes into more detail and this should be part of your enterprise risk assessment, but here is a list of some things to consider when migrating to the cloud:

  1. Read everything the vendor sends – contract, attachments, addendums – everything.
  2. SLA breaches often have to be reported in order to get a credit and have to be reported quickly.
  3. An SLA of 99.9% uptime still allows for nearly nine hours (8.76) of downtime a year.
  4. Usually, each service has its own SLA, so if you have a Virtual Machine in the cloud and it also uses a cloud database, each of those could be down nearly nine hours and still be within the SLA, even though each outage takes your users down, and the two outages need not overlap.
  5. Sometimes the SLA only applies if you run virtual machines in more than one region or availability set; a single instance going down is not a breach at all.  Two instances means twice the monthly cost, probably.
  6. Switching from one region to another might cause your application to fail – that is not covered by the SLA.
  7. Maybe the problem is your application or the network or some component that the vendor doesn’t cover under the SLA.  No refund in that case.
  8. The terms often change in real time.  Unless it says that they cannot change the terms except in writing and signed by both parties, you are standing on a floating dock.  Unless you are really big, good luck getting them to agree to that.
  9. Planned downtime often does not count against SLAs, so for example, when Verizon took their cloud down for a planned 48 hour outage, that probably didn’t count against the SLA.
  10. Finally, preview or beta versions usually are not covered by the SLA.  Of course, you should not be using them for production anyway.
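The arithmetic behind items 3 through 6, as an added example that is not from the Network World article: a small Go calculator that turns an availability commitment into hours of downtime per year, chains the SLAs of services you cannot run without, and shows what a second region buys you if failover actually works.  The 99.9% figures are illustrative inputs, not any vendor’s published numbers.

```go
package main

import "fmt"

// hoursPerYear uses the mean Gregorian year: 8,766 hours.
const hoursPerYear = 365.25 * 24

// AllowedDowntimeHours turns an availability commitment such as 0.999 into
// the hours per year the vendor may be down without breaching it.
func AllowedDowntimeHours(availability float64) float64 {
	return (1 - availability) * hoursPerYear
}

// SerialAvailability models services your application cannot run without
// (a VM and the cloud database it talks to, say) as a chain: users are down
// if any one link is down, so the availabilities multiply. Independent
// outages are assumed; correlated ones do not make this any better.
func SerialAvailability(availabilities ...float64) float64 {
	a := 1.0
	for _, v := range availabilities {
		a *= v
	}
	return a
}

// ParallelAvailability models redundant copies (the same VM in two regions):
// users are down only if every copy is down at once, so the unavailabilities
// multiply. It assumes failover actually works, which the SLA does not promise.
func ParallelAvailability(availabilities ...float64) float64 {
	down := 1.0
	for _, v := range availabilities {
		down *= 1 - v
	}
	return 1 - down
}

// Assessment is the downtime budget for one deployment shape.
type Assessment struct {
	Shape        string
	Availability float64
	HoursPerYear float64
}

// Assess compares a single 99.9% service, a VM+database stack at 99.9% each,
// and that stack duplicated across two regions. The percentages are
// illustrative inputs (an assumption), not any vendor's published SLA.
func Assess() []Assessment {
	single := 0.999
	stack := SerialAvailability(single, single)
	twoRegions := ParallelAvailability(stack, stack)
	shapes := []struct {
		name string
		a    float64
	}{
		{"one service at 99.9%", single},
		{"VM + database, 99.9% each, in series", stack},
		{"that stack in two regions (if failover works)", twoRegions},
	}
	out := make([]Assessment, 0, len(shapes))
	for _, s := range shapes {
		out = append(out, Assessment{s.name, s.a, AllowedDowntimeHours(s.a)})
	}
	return out
}

func main() {
	for _, a := range Assess() {
		fmt.Printf("%-48s %.5f%%  %6.2f h/year\n", a.Shape, a.Availability*100, a.HoursPerYear)
	}
}
```

The chained figure (about 17.5 hours a year for two 99.9% services) is the optimistic case; it assumes the two vendors’ outages are independent.  Two regions only help when they fail independently and your application actually fails over, which, per item 6, is your problem and not the vendor’s.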

The moral of this story is that if your systems are important to your users and your customers, an enterprise risk assessment should be conducted every year or maybe more often.


Beware Lenovo Users

Marc Rogers (white hat hacker and principal security researcher for Cloudflare) wrote about an interesting problem Lenovo users have.  (see article)

What is not clear is how long Lenovo has been doing this.  The good news is that a friend of Marc’s has created a test to see if your Lenovo laptop is infected.

The short version is this.  Lenovo has partnered with a company named Superfish to serve up ads to and steal data from your laptop.  They do this by running a man in the middle attack inside your laptop – presenting a locally generated SSL certificate to your browser in place of your bank’s (or any other site’s) and relaying the traffic in between.  If you look at the SSL certificate, which no one does, it is issued by Superfish, not by your bank’s certificate authority.

They did this by installing a root signing certificate with God power, together with its private key, in the certificate store and using it to generate certificates on the fly for any web site that you visit.  That requires the password protecting the private key to be hard coded into the software on your laptop, and that password is komodia – for every laptop they sell.  Komodia is the name of the company that makes the SSL interception software.  Not so secure.
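To make concrete what the God-power certificate in the paragraph above (and the shared private key and missing validation in the list at the top of this page) actually buy an attacker, here is an added Go example; it is not Lenovo’s, Superfish’s or Komodia’s code and uses no real Superfish certificate material.  It generates a stand-in root CA, mints a certificate for a made-up bank hostname the way the interceptor does for every site you visit, and checks it against two trust stores: one with the root installed (the affected laptop) and one without.  The subject name and hostnames are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RootCA stands in for the Komodia-style root: a CA certificate plus its
// private key, shipped inside every install. All names here are invented.
type RootCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue signs tmpl under parent with signer and returns the parsed result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA builds a self-signed CA certificate with a fresh P-256 key.
func NewRootCA(cn string) (*RootCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return &RootCA{Cert: cert, Key: key}, err
}

// MintLeaf does what the interceptor does for each HTTPS site the user
// visits: issue a server certificate for that host on the spot, signed by
// the root. Anyone else holding the same root key can do exactly the same.
func (ca *RootCA) MintLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// Accepts reports whether a client whose trust store is exactly roots would
// accept leaf for host: chain, validity period and hostname are all checked.
func Accepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// ForgeDemo mints a certificate for a made-up bank and asks: does a laptop
// with the root installed accept it, does a clean machine (empty pool, root
// unknown) accept it, and does the laptop accept it for a different host?
func ForgeDemo() (victim, clean, wrongHost bool, err error) {
	ca, err := NewRootCA("Example Interceptor Root CA")
	if err != nil {
		return
	}
	leaf, err := ca.MintLeaf("www.bank.example")
	if err != nil {
		return
	}
	laptop := x509.NewCertPool()
	laptop.AddCert(ca.Cert)
	victim = Accepts(leaf, laptop, "www.bank.example")
	clean = Accepts(leaf, x509.NewCertPool(), "www.bank.example")
	wrongHost = Accepts(leaf, laptop, "www.other.example")
	return
}

func main() {
	victim, clean, wrongHost, err := ForgeDemo()
	fmt.Printf("laptop accepts: %v  clean machine accepts: %v  wrong host on laptop: %v  err: %v\n", victim, clean, wrongHost, err)
}
```

Run with go run.  The first value is true only because the laptop’s store contains the root; a machine that never had it installed cannot be fooled by the same certificate, which is why removing the certificate, and not just the software, is the fix.  The third value shows the hostname check a properly behaving client applies to every certificate, which is the kind of check the interceptor skipped on its own connection to the real site.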

The site that Marc’s friend created to test for the Superfish malware is:

If you are infected, Lenovo has created instructions for removing the superfish software, the link for which is in Marc’s blog post above.  However, that removal does not remove the God like certificate in the computer and Marc has additional instructions to do that.

A smarter move, given we have no idea what other ‘bugs’ are hidden in the software, would be to wipe the disk and reinstall the software from a known good version of Windows (NOT the one that came with the laptop) and then reinstall all the applications and finally restore your data.

China has been getting rid of Cisco network gear because they say that they can’t trust it.

It is time for the U.S. to get rid of Lenovo computers for the same reason.  If you want to understand how really dangerous what Lenovo did is, you will need to read Marc’s blog, but for those of you who are not techies, trust me (and Marc) – it is pretty serious.

But here is the real question – they got caught doing this.  What else are the Chinese doing?  I took Lenovo off my buy list as soon as IBM sold it to the Chinese.  I get to be vindicated now – we have real evidence.

If you need help, feel free to contact me.