Tag Archives: Komodia

Maybe it is time to thank Lenovo?

I just wouldn’t buy their computers.

I wrote the other day about the problem Lenovo is having.  They contracted with a company called Superfish and installed some crapware on your computer (if you bought a Lenovo consumer grade computer) that shoved ads at you.

That wouldn’t be that much of a problem – everyone from Facebook to GMail does it – until it was discovered that Superfish used a library from Komodia that hacks into your SSL encrypted traffic to look at your banking traffic, along with everything else, to figure out what ads to show you.

That would have been bad enough if the way they hacked into your SSL (https) encrypted traffic didn’t completely compromise the security of your computer.

Here is the part where we need to thank Lenovo.  They shined a bright light on some digital cockroaches and there is a lot of scurrying.

Microsoft and other vendors have now, correctly, classified the Komodia software as spyware and flag, quarantine and/or delete it, depending on your system’s configuration.  What was discovered was that Komodia sold their software to lots of firms – not just Superfish – so that crap is all around you.  They said on their web site that they had over 100 development firms using their software.  They very blatantly said that hacking your client’s SSL traffic is hard to do, so let us do it.

Now, Ars Technica, a well respected geek site, is reporting that researchers have found evidence of Komodia based attacks against users of GMail, Amazon, eBay and Twitter, among many other sites.

The details are very geeky, so I am not going to bore most people – click on the link above to read the Ars Technica article if you are interested.

Suffice it to say, Komodia is in a world of hurt, business wise.  Their site was down for a while and no one in the tech world will touch them with a 10 foot pole for fear, rightfully, of guilt by association.

Sadly, what they were trying to do is probably not much worse than what a lot of advertising brokers do – it is just that they took a few “shortcuts” that have come back to bite them in the rear.

The moral of the story is that security MUST be a key component of the development process and an outside advisor (advertisement: like me!) is probably requisite.  Otherwise, the fox (the developers) will be guarding the henhouse (the architecture and design) and that sometimes does not turn out well.

One last thought that requires that you put on your tin foil hat.  What if an unnamed three letter agency was interested in targeting your web traffic?  Getting you to install some Komodia based software under some guise would allow them to totally own your computer.  Note that I am not saying that Komodia is an NSA plot, but if they were smart, they would do something like this – and probably already have.

That means that you should not count on using SSL (Https) encryption for anything that you really want to be secure.  You need to use a completely different technique.  

p.s.  Now that people are looking, they have found another product – PrivDog, from the SSL certificate company Comodo – that has a similar problem.  That means that Comodo should be on your S**t list too.

Mitch

The Lenovo Problem is NOT just Lenovo

I wrote the other day (see post) about malware (called Superfish) that Lenovo intentionally installed on their computers in the name of improving your customer experience.  Well, they admit that it was poorly thought out, but only for one of the two reasons I am concerned about.

They admit that snooping on your private conversations to present you with ads is probably not a good plan.  The bigger problem is the Komodia software is a security train wreck.

Marc Rogers, the guy who tipped us to the problem, has done more research on Komodia and the problem is much bigger.  Komodia makes a bunch of products that eavesdrop on your traffic for a bunch of different reasons and they all have the same issue.  Some of the products that use this same toolkit include:

  • Komodia’s “Keep My Family Secure” parental control software.
  • Qustodio’s parental control software
  • Kurupira Webfilter
  • Staffcop (version 5.6 and 5.8)
  • Easy hide IP Classic
  • Lavasoft Ad-aware Web Companion
  • Hide-my-ip (note: this package does not appear to utilize the SSL MITM, and the certificate is slightly different from the one found in other packages; however, it still utilizes an unrestricted root certificate with a simple plaintext password.)

All of these products suffer from some common illnesses which include:

  • They intercept your private communications
  • The secret key for the software is embedded in the software and it is the same for every one of the installations around the world (no hacker would ever take advantage of that)
  • The password for the secret key, which is also embedded in the software, is also the same for everyone and it is a stupid password – Komodia.  I guess that is better than using 123456, but not much better.
  • The Komodia software, which negotiates a connection with, say, your bank on your behalf, allows a whole bunch of old, weak cryptographic methods that modern browsers eliminated years ago.  That means that on top of everything else, your traffic is susceptible to hacking.
  • The Komodia software does not check (not correctly, anyway) whether the certificate of the web site you are going to is valid.  This means that, on top of everything else, you might be sent to a bogus web site and not even know it.
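The last two items in that list are configuration mistakes a TLS client can make, and they are easy to audit for. Here is an added example (my own illustration, not code from Komodia, Marc Rogers or any of the products named above) written in Python against the standard `ssl` module: `insecure_context()` reproduces the "accept any certificate" behaviour described above, `hardened_context()` shows the settings a client should actually use, and `audit_context()` reports which of the defects a given context has. The `served_issuer()` helper is an assumed, hypothetical name; it lets you see who signed the certificate your machine is actually being handed for a site, which is one quick way to notice that something between you and the bank is re-signing traffic.

```python
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """A client context with the defects described in the post: the peer's
    certificate is never validated and the hostname is never checked, so any
    certificate at all (including one minted on the fly by an interception
    proxy) is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """A client context that validates the chain against the system trust
    store, checks the hostname, and refuses old protocol versions and weak
    cipher suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' entries explicitly rule out
    # anonymous, MD5-based and RC4 suites (TLS 1.3 suites are kept as well).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


# Substrings that mark a cipher suite as one modern browsers dropped.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT")


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for a client context; an empty list means the
    context avoids the failure modes described in the post."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not validated (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def served_issuer(host: str, port: int = 443) -> dict:
    """Hypothetical helper (not from the post): connect with the hardened
    context and return the issuer of the certificate actually presented.
    If the issuer is not the public CA you expect for that site, something on
    the path (a local proxy, a filtering product) is re-signing the traffic.
    Needs network access, so it is not exercised by the offline checks."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    # getpeercert() returns issuer as a tuple of RDN tuples; flatten it.
    return {k: v for rdn in cert["issuer"] for k, v in rdn}


if __name__ == "__main__":
    for label, builder in (("insecure", insecure_context), ("hardened", hardened_context)):
        print(label, audit_context(builder()) or "OK")
```

Run it as a script and the insecure context reports the missing validation and hostname check, while the hardened one reports nothing. Note that `getpeercert()` only returns a populated dictionary when the context actually verified the certificate, which is another reason `served_issuer()` uses the hardened context rather than the insecure one.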

The web site that I reported last week (link above) has a test to see if the Superfish software is installed on your computer.  The site has been updated to reflect this news and the address is:

https://filippo.io/Badfish/

If you do have this software on your computer, not only do you need to remove the software, but you also need to remove their certificate (basically, a skeleton key into your computer) as well.  Marc has instructions for doing that on his web site.

All I can say is ARGH!!!!!

As I have said before, the internet merchants want to fool you into believing that SSL is secure.  It is less insecure when you implement it correctly, but it is totally insecure when you implement it the way Komodia implemented it.  Worse than being insecure, Komodia puts your computer at risk because of their actions.

The U.S. Computer Emergency Readiness Team (part of DHS, but run by intelligent people at Carnegie Mellon University) is now involved as well, so we may yet see more news about this.

If you are using any of these products, I would definitely uninstall them and remove the root certificate as well.

SOOORRY!

Mitch