
Hold off on that lenovo purchase !!

Comments

  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    If you bought a ThinkPad you're in the clear :P

    http://news.lenovo.com/article_display.cfm?article_id=1929

    Has a list of models with Superfish installed on it. Also has a link to removing Superfish and the certificate.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    It really is getting out of hand, nothing is sacred anymore. I feel my fingers receding into my hands at the thought of using modern electronics. tee heee.


  • Registered Users, Registered Users 2 Posts: 35,329 ✭✭✭✭Hotblack Desiato


    Disgraceful that even a vendor of consumer-level equipment would treat the trust of their customers with such disregard.

    All windoze OEMs supply bloatware, but installing a dodgy root CA is going beyond the pale, especially as it leaves all 'encrypted' traffic on these systems open to compromise.

    Massive own goal for Lenovo as many people are already uncomfortable with Chinese vendors (which other vendors can be trusted is an open question.)

    Scrap the cap!
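
    An added example for the point above about a vendor-installed root CA (it is not code from the thread, from Lenovo's removal tool, or from the linked articles): a PowerShell audit of the Windows trusted-root stores. It assumes the offending certificate's subject or issuer contains the string "Superfish", and it also treats any root CA for which the local machine holds the private key as suspicious, since a trusted root whose key sits on every laptop is exactly what lets anyone who extracts it forge certificates for any site.

```powershell
# Added example, not from the thread. Audits Windows trusted-root stores for a
# Superfish-style injected CA. Assumptions: the certificate's Subject/Issuer
# contains "Superfish"; a root CA with a locally present private key is a red
# flag (legitimate public roots never ship their private key to endpoints;
# an actual CA server would be the one expected exception).
function Get-SuspiciousRootCerts {
    param(
        [string[]] $StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]   $NamePattern = 'Superfish'
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $cert    = $_
            $nameHit = ($cert.Subject -match $NamePattern) -or ($cert.Issuer -match $NamePattern)
            $keyHit  = $cert.HasPrivateKey
            if ($nameHit -or $keyHit) {
                if ($nameHit) { $reason = 'subject/issuer matches pattern' }
                else          { $reason = 'private key present for a root CA' }
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reason     = $reason
                }
            }
        }
    }
}

$findings = Get-SuspiciousRootCerts
if (-not $findings) {
    Write-Output 'No Superfish-named or private-key-bearing root certificates found.'
} else {
    $findings | Format-Table -AutoSize
    # Removal, once the findings have been reviewed (run from an elevated shell):
    # $findings | ForEach-Object { Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" }
}
```

    Removing the certificate alone does not remove the Superfish application, which would reinstall trust on its own; the vendor's removal steps cover both.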



  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Disgraceful that even a vendor of consumer-level equipment would treat the trust of their customers with such disregard.

    All windoze OEMs supply bloatware, but installing a dodgy root CA is going beyond the pale, especially as it leaves all 'encrypted' traffic on these systems open to compromise.

    Massive own goal for Lenovo as many people are already uncomfortable with Chinese vendors (which other vendors can be trusted is an open question.)

    Installing bloatware is one thing. Compromising the cryptographic security of your system is something else entirely. I read the Errata Security blog on reversing the bloatware and getting the password for the certificate. A 7 letter, lower case password. Cracking it took 3 hours.

    I am/was a big Lenovo fan. My laptop and tablet are Lenovo and I was considering upgrading my phone to a Lenovo. I'm assuming Superfish was the brainchild of some idiot marketing manager who presumably has been shown the door, but this news has shaken my loyalty.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Presumably if you wipe the HDD as soon as you get it and install Linux on your laptop you're safe enough? :-D


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Presumably if you wipe the HDD as soon as you get it and install Linux on your laptop you're safe enough? :-D


    Nope, they are embedding this into ROM !!!!!! I don't need to explain the obvious.
    Someone else showed images of interception centers that take your shipped en-route order into their workshop and perform a wee flash or two on your product before it reaches you, some terrifying stuff. For a vendor to be caught doing this red-handed is not good though.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    dbit wrote: »
    Nope, they are embedding this into ROM !!!!!! I don't need to explain the obvious.
    Someone else showed images of interception centers that take your shipped en-route order into their workshop and perform a wee flash or two on your product before it reaches you, some terrifying stuff. For a vendor to be caught doing this red-handed is not good though.

    Oh I see, it's just that the article states you can just remove the software and goes on to recommend that customers have the option to buy a machine without an OS preinstalled. Is this Superfish then in the firmware of the machine, not an application?

    Just looked on BBC: http://www.bbc.com/news/technology-31565368 - this does seem to be an app - a clean install of Windows/Linux should be sufficient to remove it in that case. As to whether your machine is then free of hardware loggers though...!


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Hmmmm I'd agree, only I see George W trying to do that famous "Fool me once" quote! It's only a matter of time before we see the hardware planes being sniffed out in full for most vendors. Still, they did it and that's enough for me. Our developers have spotted evidence of hardware ROM based man-in-the-middle type approaches. As and when I am allowed to post that stuff I will.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    dbit wrote: »
    Hmmmm I'd agree, only I see George W trying to do that famous "Fool me once" quote! It's only a matter of time before we see the hardware planes being sniffed out in full for most vendors. Still, they did it and that's enough for me. Our developers have spotted evidence of hardware ROM based man-in-the-middle type approaches. As and when I am allowed to post that stuff I will.

    Hi dbit,

    There actually is another thread about this here in Information Security.

    This seems to be a problem with smartphones and also routers - the solution doesn't seem clear unless you want to build your machine from scratch e.g. by having a Raspberry Pi! ;)


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Pi is fun, I use it for Kodi (XBMC) and all the free TV stuff, I don't subscribe to any other TV service, 'tis the job for the kids and all. Sorry if I double posted, I did look before posting it (obv not hard enough).
    Modular building stuff may still be open to attacks like these though and maybe the cheap Chinese options can really burn you in the ass, we've seen e-cig chargers carrying malware and all, digital picture frames. Basically anything that is USB from China, avoid avoid avoid. In China at least USB means something totally different lolz, universal security breach. Devices that on the outside appear to be mundane and have no practical use for client software installs yet they ...........

    The other side of this is the topic elsewhere in here I mentioned as well about the fact that OS vendors seem to think HID is not an avenue of attack, when in all reality Windows seems to think ok, 3 thousand lines of code in 5-6 seconds, yup that's a human alright??????? OS vendors need to close the door on the trust aspect of HID; as it stands now any PC can be rubber duckied. (Tailgaters will use these methods to get in.)


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    dbit wrote: »
    Our developers have spotted evidence of hardware ROM based man-in-the-middle type approaches. As and when I am allowed to post that stuff I will.

    I fully expected the router project that I'm a member of to be tampered with in transit (especially given the nature of the device), but it appears that didn't happen. We're reflashing anyway, but it was an indication that it's not happening wholesale. I would guess that interception and tamper is a fairly targeted thing.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Khannie wrote: »
    I fully expected the router project that I'm a member of to be tampered with in transit (especially given the nature of the device), but it appears that didn't happen. We're reflashing anyway, but it was an indication that it's not happening wholesale. I would guess that interception and tamper is a fairly targeted thing.

    A Friggin modified ED 209 is required to police the police at this stage.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    12 more apps found using Superfish !!!!
    http://thehackernews.com/2015/02/superfish-vulnerability.html


    Removal tools linked in page issued by Lenovo themselves !!! pants down, slapped arse.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    I don't want to wander too much off topic but is a closed source OS like Windows the best way forward if you really want privacy?

    Personally whenever I buy a Windows machine I do as outlined above and simply wipe it and install a version of Linux (currently using Linux Mint which is very user friendly and works with most media formats e.g. MP3, DVD out of the box).

    Although malware does exist for Linux it's much rarer and also just by installing an OS of your own by definition you'd be erasing any harmful programs preinstalled by the manufacturer.

    That said I understand some people are more comfortable installing Windows and that this Superfish malware isn't Microsoft's fault! :)


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    I don't want to wander too much off topic but is a closed source OS like Windows the best way forward if you really want privacy?

    Personally whenever I buy a Windows machine I do as outlined above and simply wipe it and install a version of Linux (currently using Linux Mint which is very user friendly and works with most media formats e.g. MP3, DVD out of the box).

    Although malware does exist for Linux it's much rarer and also just by installing an OS of your own by definition you'd be erasing any harmful programs preinstalled by the manufacturer.

    That said I understand some people are more comfortable installing Windows and that this Superfish malware isn't Microsoft's fault! :)


    The real problem for me is the myriad of gunk out there that's available to attack any platform; these days your Linux ports hanging in the wind online is enough for any decent Kali newb to find your vulnerabilities and own most platforms.

    I hate saying this but these days an abacus and some damp sand and a stick is the only true secure platform.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    dbit wrote: »
    these days your Linux ports hanging in the wind online is enough for any decent Kali newb to find your vulnerabilities and own most platforms.

    Ah I think this is a gross exaggeration of reality. If your Linux box isn't updated regularly then maybe. In fairness if that's how you roll then you should expect to get punished for it.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    You would not believe what you can find on UPC networks open to abuse hanging in the wind. I once found Garda-owned camera systems monitoring shopping center areas, people's private web servers and a tonne of web consoles enabled on modems with default passwords. All of this is found using Nmap and just pure curiosity. Metasploit and Mantra returned a horde of unpatched and vulnerable systems.

    That's only one ISP ............

    Updates simply are not done by the masses; corporates are still just as bad.


  • Registered Users, Registered Users 2 Posts: 155 ✭✭eddiehen


    dbit wrote: »
    You would not believe what you can find on UPC networks open to abuse hanging in the wind. I once found Garda-owned camera systems monitoring shopping center areas, people's private web servers and a tonne of web consoles enabled on modems with default passwords. All of this is found using Nmap and just pure curiosity. Metasploit and Mantra returned a horde of unpatched and vulnerable systems.

    That's only one ISP ............

    Updates simply are not done by the masses; corporates are still just as bad.

    I take it you had explicit permission to scan those address spaces.... :pac:


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    eddiehen wrote: »
    I take it you had explicit permission to scan those address spaces.... :pac:

    Also no reason that you can't do the same to your own router to check it's secure! :)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    You would not believe what you can find on UPC networks open to abuse hanging in the wind. I once found Garda-owned camera systems monitoring shopping center areas, people's private web servers and a tonne of web consoles enabled on modems with default passwords. All of this is found using Nmap and just pure curiosity. Metasploit and Mantra returned a horde of unpatched and vulnerable systems.

    That's only one ISP ............

    Updates simply are not done by the masses; corporates are still just as bad.

    Yeah but that's the usual insecurities you see all the time. Default passwords, VNC with no authentication, telnet on routers. I've a private server, running SSH. You are welcome to try and break in.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    syklops wrote: »
    Yeah but that's the usual insecurities you see all the time. Default passwords, VNC with no authentication, telnet on routers. I've a private server, running SSH. You are welcome to try and break in.

    Nice one syklops.

    I use FreeOTP with Google Authenticator when SSH'ing into my VPS (please forgive all the acronyms!), I think 2FA (there I go again) is the best way forward to stop unsympathetic men from breaking in.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    I am not here to break into anything, I'm simply pointing out that companies/individuals who treat IT as an expenditure and not a necessity will suffer in the long run. It doesn't take a whole lot to penetrate those who hold that mindset.

    Nothing I have ever done was in light of causing destruction or damage, more a crusade on learning and practicing techniques I came across at that time. Mods here have my IP from work and from home so feel free to attack away also. Anything I found I left as is, and moved on.

    I stand over my statement, it is still beyond belief the amount of stuff left in the state that they are.
    Returning to topic :-
    The embedding of malware and the likes in manufacturer produced platforms should be illegal and punishable by the full force of the law.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    eddiehen wrote: »
    I take it you had explicit permission to scan those address spaces.... :pac:

    Not so much, again nothing happened as a one-off scan generally yields no action, multiple scans, then the attracted attention is more so.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    The embedding of malware and the likes in manufacturer produced platforms should be illegal and punishable by the full force of the law.

    Fidelma Healy-Eams on line 2.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    dbit wrote: »
    Mods here have my IP from work and from home

    Just in case people think this is the case - it's not. Only admins get access to IP records. Mods can see if your IP matches other users, but they can't see the IP itself.

    Anyway, my point was that IMO Kali's a great learning tool, but I'd guess that the number of boxes that are script kiddy + kali-able and haven't already been ridden to death by the Americans, Russians and Chinese is probably close to zero.

