Superfish – Should you be worried?

Note: Not the same Superfish....

Last week security researchers discovered a major vulnerability caused by a program that was bundled with new Lenovo computers.  The program in question, made by a company named Superfish, is designed to inject ads into web pages you are visiting, based on your web browsing activity.

“Injecting” ads into web pages is ethically questionable on its own, especially when the program doing it tracks your activity on every page you visit, but it gets worse.  Most major sites, like Google, Amazon, Twitter, Facebook and others, use encryption (HTTPS) to secure your connection, so that unsavory characters in between can’t just listen in and track you.  Naturally, if Superfish can’t read your web traffic, it can’t track you or inject ads into those pages.

So, Superfish devised a method to insert itself into those encrypted connections too.  The technique is usually referred to as a man-in-the-middle attack (because it is an attack): rather than letting your browser talk to the website directly, the Superfish software sits in between, terminating your encrypted connection on one side and opening its own connection to the real site on the other, so it can read and modify everything that passes through.

A man-in-the-middle attack

Of course, the encryption used to secure web pages depends on a certificate (which carries the site’s public key and is signed by a certificate authority your browser already trusts) and a private key that the site keeps strictly to itself.  As you can imagine, Google doesn’t lend its private key out to interested parties, so the solution is to create your own certificate authority, install its certificate into the victim’s, I mean customer’s, trusted root store, and then sit right in the middle of that “secure” connection, minting a certificate on the fly for whatever site the customer visits (which the browser will happily accept, since the issuer is installed as “trusted”, after all!), and watch everything going back and forth.

You are probably asking yourself what the big deal is.  Here’s the problem: the certificate that Superfish installed on your computer, just so that it could inject ads into your web browser, can be used by other attackers too.  Remember that private key we mentioned earlier?  Turns out that the Superfish crew used the same one on ALL of the computers the software was installed on, and that key has to be present on each machine for the software to sign certificates as you browse.  Anyone who extracts the private key from one copy gains the ability to impersonate ANY website (your bank included) to everyone with this software installed, for example from a position on a shared Wi-Fi network.
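One way to tell whether a connection is being intercepted this way is to look at who issued the certificate your TLS client actually received: on an affected machine the certificate for any HTTPS site names Superfish as its issuer rather than a public CA.  Below is an added example in Python, not part of the original post or of Lenovo’s tooling, that flags such a certificate.  The sample certificate dictionaries are constructed to mirror the shape Python’s ssl.getpeercert() returns and are not real certificate data, and the probe() helper that opens a live connection is an assumption about how you would run the check.

```python
import socket
import ssl

# Issuer name fragments that indicate a local interception root rather than
# a public CA. "superfish" is the case discussed above; add others for your
# own environment (this list is an assumption, not an authoritative one).
SUSPECT_ISSUERS = ("superfish",)


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl.getpeercert() dict into a
    {attribute: value} dict, e.g. {'commonName': 'Superfish, Inc.', ...}."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def looks_intercepted(cert, suspect_issuers=SUSPECT_ISSUERS):
    """Return the issuer's name if it matches a suspect fragment, else None."""
    fields = issuer_fields(cert)
    haystack = " ".join(fields.values()).lower()
    if any(fragment in haystack for fragment in suspect_issuers):
        return fields.get("commonName") or fields.get("organizationName")
    return None


def probe(hostname, port=443, timeout=5.0):
    """Open a TLS connection using the system trust store and return the
    result of looks_intercepted() for the certificate actually presented.
    On a machine with the Superfish root installed, the forged leaf
    validates (that is the whole problem) and its issuer gives it away."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return looks_intercepted(tls.getpeercert())


# Constructed sample dicts in the shape ssl.getpeercert() returns; these are
# not real certificate data.
GENUINE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}

if __name__ == "__main__":
    print(looks_intercepted(GENUINE))       # None
    print(looks_intercepted(INTERCEPTED))   # Superfish, Inc.
```

This only catches interception while the Superfish service is actually running and intercepting this process.  The more thorough check is to look for the certificate in the trusted root store itself (for example Get-ChildItem Cert:\LocalMachine\Root in PowerShell, filtering on a subject containing Superfish) and delete it, since the trust persists whether or not the adware is active.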

Just like a password, it doesn't matter how complex the private key is if everyone knows it....

Recognizing that this was perhaps a bad idea, Lenovo has released a removal tool that not only removes the Superfish software, but also pulls out the certificates that were installed along with it.  Kudos to them for doing so.  (If you uninstall the software by hand instead, check the certificate store too: removing the program alone leaves the trusted root certificate behind.)  You can find the removal tool here:

So, should you be worried about Superfish?  If you bought one of the following Lenovo computers between September 2014 and January 2015, then you probably have it installed right now.

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

The Thinkpad line from Lenovo was not shipped with the Superfish adware installed, according to Lenovo.

If you have a company-issued laptop (especially if you are an Enterprise Integration customer), your machine was likely reloaded with a purpose-built Microsoft Windows image that does not have any of this type of software installed.  If you purchased a Lenovo for yourself or your family, take a few moments and run the removal tool from Lenovo.

The bigger question that remains: How many more Superfish situations exist, and how can you protect yourself from these unknowns?  We’ll address that in a follow up post.

Thanks for reading, and stay safe out there!

More information can be found here:

The Equation Group

Equation Group Activities from Kaspersky Report

On Feb 16th the Kaspersky security team released a Q&A on the espionage software designed and used by a group they call the “Equation Group”. The name comes from the group’s heavy use of encryption and other mathematical techniques to hide the malware and its data transmissions. All of the “advanced” malware we’ve seen to this point (Stuxnet, Flame, Regin, and others) looks simplistic by comparison. Kaspersky’s engineers found that the toolkit includes a module that can reprogram the firmware of hard drives from almost every major manufacturer on the market. The antivirus software running on your computer right now cannot inspect that firmware, and even re-installing your operating system from scratch won’t help, since a wipe never touches it. To date the malware appears to have been used only against high-value government targets, which leads Kaspersky and others to believe it is affiliated with a government agency.

The full document can be found at

Although the average corporate employee is not a likely target today, copycat attackers may begin to develop their own versions of this complex software. We’ve likely only begun to learn about this well-resourced group, which Kaspersky believes to be government-backed and which has managed to avoid detection by every antivirus product on the market for years.

More information can be found here

BSides JAX – Who Should Use PowerShell? You Should Use Powershell!

I was fortunate enough to present at the recent BSides Jacksonville Information Security conference.  What an awesome event that was.  We’ll be posting more about BSides Jax in the very near future, but a few kind souls have asked for the slide deck to my presentation “Who Should Use PowerShell? You Should Use PowerShell!” in some consumable form, so here it is!

Thanks to everyone who came out to the conference, and to Jess Hires and the entire BSides Jacksonville team for putting on an awesome event!



Heartbleed, but for Windows – MS14-066 – Critical Vulnerability in Schannel Could Allow Remote Code Execution

This week’s Microsoft Security Bulletin includes a critical patch for an interesting and dangerous vulnerability in Windows.  Interesting because it was found by Microsoft’s own internal code review rather than reported from outside.  Dangerous because, much like some of the well-publicized vulnerabilities from earlier this year (Heartbleed or Shellshock), it could enable an attacker to execute malicious code remotely.  Not many details have been released yet, but we do know that it affects servers and desktops/laptops in the same way.  Basically, if the system accepts incoming TLS/SSL connections (an HTTPS site on IIS or Remote Desktop with TLS enabled, for example), it can be vulnerable.

We are expediting the testing and roll-out of the patch for all customers, and working with our various vendors to develop and implement any additional protection mechanisms we may have at our disposal, such as host-based IPS and firewalls.

We have no reports of any attacks “in the wild” using this vulnerability at this point, and will continue to monitor the situation closely.  Microsoft has not released any proof-of-concept code for this vulnerability, which of course makes it harder for the bad guys to weaponize, but also slows down the vendors building IPS and firewall signatures to protect against it.  Withholding vulnerability details can be a double-edged sword, but in this case a patch that resolves the issue is already available from Microsoft.

If you’re interested in the deeper technical details, please read on.  As always, should you have any questions, please don’t hesitate to reach out with your concerns.  EI customers should expect to hear shortly about any issues we run into while accelerating the patch roll-out for this vulnerability.

Additional Technical Details

The vulnerability can be exploited by sending a specially crafted packet to a vulnerable server. If successful, the resulting memory corruption may give the attacker enough control to execute an arbitrary payload remotely. It affects Schannel, Microsoft’s SSL/TLS library, the rough counterpart of OpenSSL on Unix-like systems.

Microsoft’s security research team rated this vulnerability 1 on its Exploitability Index, which means that a working exploit is likely but has not been seen in the wild. The only higher rating is 0, which means exploitation has already been detected and someone has a working exploit (not the case with MS14-066 yet).

Based on the following criteria,  it is recommended to patch all Windows systems right away.  This vulnerability:

  • affects every supported version of Windows, client and server
  • is reachable from the public Internet on any host that accepts TLS/SSL connections
  • does not require authentication
  • may result in remote code execution.

Microsoft has not specified any workarounds other than patching the affected systems, and now that the patch is public, a working exploit derived from it may follow soon, so this vulnerability’s exploitability rating could move from 1 to 0 very quickly.

Just because the bulletin only mentions one vulnerability, doesn’t mean the patch doesn’t actually fix multiple related vulnerabilities. According to Cisco Security blog “While it is covered by only a single CVE, there’s actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses.”

Reboot is required for this update, so better get your change control request in soon!

Microsoft’s official release on this patch:

Thanks for reading, and stay safe out there!

Offender’s Advantage Series – Introduction

“… Dear Defender,

Your castle’s walls are high and your moats are wide. Your soldiers are many and their swords are sharp. You seem impenetrable.

But I have something that you lack. Time, dear defender, is on my side. I will continue to strike every inch of your walls from afar until I find a crack in the brick that I can exploit. I will locate every builder of your castle and find every blueprint. Your moats may be very wide but they are not deep throughout.  There are shallow places that in the dark of the night I can cross. Time will pass and your walls will begin to wear out and crumble. Cracks will start to form and your walls will be weakened.

And most importantly, your repairs are many. You cannot keep up with time. As you patch the cracks in the walls, new ones appear. Old foundation is buried under the new one and while still holding the castle, it can no longer be repaired. You distract yourself with one “big” break in your wall while ignoring many others.

Your castle is populous. So many people have access to open your castle doors from the inside. Be careful, not all can be trusted. With time I can find one that has a weakness.

You built your castle to be strong, but you did not build it to last. Time destroys all and I, the offender, have all the time. So that is why I say to you – time is on my side.

Offender …”

While an organization’s defenses may be at their strongest, the bigger the attack surface, the greater the chance that a critical vulnerability is missed. New vulnerabilities come out every day, and the critical ones, the kind that affect everyone and seem to be in everything, arrive at least once a month. It is only a matter of time before an attacker finds one that was missed, or one that just came out and has not yet been patched. An attacker will always have the advantage of time, and a determined attacker will find a way in. All software is eventually outdated. The more devices there are on the network, the more patches there are to install, and most organizations lack the resources and time to patch every system. Systems are interconnected, and new software is built to depend on old systems.
The battlefield has not changed from the Middle Ages to the cyber age. The problems are still the same and offenders always seem to have the upper hand; the defender’s job is to continuously play catch-up. Until we have new ways to build our castles, dig our moats and educate our people, defenders will be behind the curve. The solution is to build security in from the beginning and create systems based on sound security principles. We are on our way, but the journey will be long.
This Offender’s Advantage series will examine the ways of the attacker, whether a penetration tester or a malicious actor. I will draw parallels between cyberspace and historical battlefields to examine the offender’s advantage, and explain some of the techniques in easy-to-understand, non-technical language to provide insight into the hacker’s world in plain English.
Thanks for reading, and we look forward to sharing the rest of the series with you!

Wirelurker – Malware attacking iPhones and iPads

iOS devices targeted through the Apple computers they connect to

Researchers from Palo Alto Networks recently released a study where they found a new piece of malware targeting Apple Mac computers and iOS devices.  Dubbed “Wirelurker”, this piece of malware is not terribly sophisticated, but does operate differently than previous malware.  So is this a serious threat, or the malware du jour?

Early signs are that this particular malware attack is not likely to infect your Apple Mac or iOS device, but the attack method it is using is pretty new, and definitely worth looking into.

Wirelurker targets iOS devices through the Apple computers they connect to.  Basically, the trojan is bundled into pirated versions of software (in this case, mostly in China).  When the pirated software is installed on a Mac, it sits and waits for an iPhone or iPad to be connected.

When an iOS device does connect to the infected computer, the Wirelurker software captures the device serial number, the phone number, the iTunes identifier (the email address you sign into the Apple App Store with), and other identifying information.  This information is only available when you’ve enabled the “Trust This Computer” option, which you have to in order to sync with iTunes.  The captured information is uploaded to various Command and Control (C&C) servers on the Internet.

The Wirelurker software also attempts to install malicious versions of normal-looking applications on your iOS device.  If your phone is jailbroken, the attack is much worse, as many of the protections in a jailbroken device are either disabled or easily overridden.  On a standard (non-jailbroken) iOS device, Wirelurker attempts to use the enterprise provisioning feature of iOS, the mechanism companies use to distribute in-house apps outside the App Store, to install its applications.

So far it appears that this information is being used to identify people installing pirated software.  Odds are that if you haven’t downloaded and installed any pirated Chinese software for your Mac, you’re OK.  The security researchers who examined this malware have noted that while not terribly complex, the attack vector is likely to be copied by more skilled attackers.

So what can you do to protect yourself?

Unless you are absolutely certain, never use the "Anywhere" option.

First, be very careful when downloading and installing ANYTHING from the Internet.  If you are using a Mac, check whether the application you are looking for is published in the App Store first, as Apple reviews and tests the applications available there.  That is not to say it is impossible for malware to get into the App Store, but the odds are better that it will be discovered and removed.   By default, OS X’s Gatekeeper refuses to run downloaded software that isn’t signed with an Apple-issued developer certificate, and changing that setting to “Anywhere” significantly reduces the security of your system.   By the way, this attack could work just as easily on a Windows machine, and will no doubt begin cropping up there as well in the future.

Palo Alto Networks has developed a Wirelurker Checker for Apple Mac systems, to quickly check for the presence of Wirelurker on your system.  That software can be found here:

Those awesome themes should make up for having a phone that is easily compromised....

Don’t jailbreak your iOS device.  While it does provide an awesome array of apps and functionality not present in the stock version of iOS, your security is greatly compromised.  Virtually every strain of malware impacting iOS devices that we know of requires the device to be jailbroken in order for the attack to succeed.

Using these kinds of public USB charging stations is a very bad idea.

Be extremely careful when connecting your phone to a USB port you don’t own.  It has become very common for airports and other public places to install USB ports for recharging phones and tablets.  I cannot recommend strongly enough that you never use one of those ports, for the simple reason that you do not know what is sitting on the other side of that connection.  The same USB connection that charges the device also carries data, and once a device has been told to trust the computer on the other end, that computer can read from it and install onto it, which is exactly what Wirelurker relies on.  Bring your AC adaptor and plug into a good old-fashioned electrical outlet.

Here’s a link to the original Palo Alto release on Wirelurker:

A great write-up by Jonathan Zdziarski, a malware researcher with lots of excellent iOS malware experience:

Thanks for reading, and stay safe out there!

Vulnerability in Bash – CVE-2014-6271 aka “ShellShock”


Last week a vulnerability in a common system component called Bash was disclosed.  This vulnerability, nicknamed ShellShock, enables an unauthorized actor to execute commands on any affected system.  Bash (short for the Bourne Again SHell) is a standard component of Unix and Linux based systems, used both interactively and by other programs that need to run commands.

While best known as a “shell” (a text-based environment for interacting with a system), Bash is also invoked behind the scenes by other common applications, like web servers (CGI scripts), SSH servers (forced commands, which pass the client’s requested command through the SSH_ORIGINAL_COMMAND variable), and mail servers, and those programs hand attacker-controlled data to it through environment variables.  Since those types of services are often Internet facing, this vulnerability is especially serious.
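The mechanism is that Bash, before the fix, imported a function definition from any environment variable whose value began with “() {” and kept executing whatever followed the closing brace.  The standard probe for this is shown below as an added example in Python; it is not from the original advisory.  It runs bash with a crafted variable in its environment and checks whether the trailing command ran; the variable name, the marker string and the list of candidate bash paths are arbitrary choices.

```python
import os
import shutil
import subprocess

# Bash (before the fix) imported a function definition from any environment
# variable whose value starts with "() {", and kept executing what followed
# the closing brace. The variable name and marker below are arbitrary.
PROBE_VAR = "SHELLSHOCK_PROBE"
PROBE_PAYLOAD = "() { :; }; echo SHELLSHOCK_VULNERABLE"


def bash_is_vulnerable(bash="bash"):
    """Run `bash -c 'echo probe-done'` with the crafted variable in its
    environment. Returns True if the trailing command executed (CVE-2014-6271
    unpatched), False if it did not, None if that bash could not be run."""
    env = dict(os.environ)          # keep PATH etc. so bash can be found
    env[PROBE_VAR] = PROBE_PAYLOAD
    try:
        result = subprocess.run([bash, "-c", "echo probe-done"], env=env,
                                capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
        return None
    # A patched bash prints only "probe-done"; an unpatched one prints the
    # marker first because it ran the payload while importing the variable.
    return "SHELLSHOCK_VULNERABLE" in result.stdout


def scan_bash_binaries(candidates=("bash", "/bin/bash", "/usr/local/bin/bash")):
    """Check several bash installations at once (a box can have more than
    one, and only the one a service actually invokes matters). Returns a
    dict path -> True/False/None, skipping names that are not present."""
    results = {}
    for candidate in candidates:
        path = candidate if os.path.isabs(candidate) else shutil.which(candidate)
        if path is None or not os.path.exists(path):
            continue
        results[path] = bash_is_vulnerable(path)
    return results


if __name__ == "__main__":
    for path, vulnerable in scan_bash_binaries().items():
        print(f"{path}: {'VULNERABLE' if vulnerable else 'not vulnerable'}")
```

Run it on each host as the same user the exposed service runs under, since a locally built bash in an unusual location is easy to miss; a result of None means that path could not be executed, not that it is safe.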

Since receiving the initial information about ShellShock, the EI Security Operations team have been evaluating the risk to our customers and have begun a review of all systems, starting with Internet facing systems and moving to the internal networks.

At this time no action is necessary on the part of our customers.   Your EI account director will be reaching out directly to each customer this week to let you know when we have either cleared the risk or identified any vulnerable systems.

We will be providing regular updates on this vulnerability, and are always available if any customer has a specific question or concern.

Additional details can be found at:

How to keep yourself (and your wallet) safe

Obligatory opening shot of credit cards...  Boom!

In case you missed it, Home Depot has been in the news lately, the latest victim of an attack aimed squarely at their point of sale (POS) systems, looking to steal the credit card data of its customers.  We don’t have much in the way of details at the moment, and it took Home Depot a little over two weeks to respond publicly (see why covering up a breach typically backfires).  To their credit though, they do provide an update (actually an easy to find one on their front page).

Home Depot surely wasn’t the only major retailer to experience these attacks this year, and they (sadly) won’t be the last either.  So what can we do to stop these thieves?


On the merchant side, the latest version of the Payment Card Industry’s Data Security Standards (PCI DSS) go into effect on January 1, 2015.  The Payment Card Industry (PCI) Security Standards Council, a joint endeavor of the major credit cards brands in the world (Visa, MasterCard, American Express, JCB, and Discover), publishes these security standards for merchants processing credit card transactions.  While some have derided the PCI DSS as not going far enough, the purpose of these requirements is to create a minimum baseline for a security program, not the ideal end-state ceiling of total defense.

In version 3.0 of the PCI DSS, a few new items go into effect that should improve the overall security at these organizations.  Earlier versions already required annual penetration testing, but left the method largely up to the merchant; version 3.0 requires the testing to follow a documented, industry-accepted methodology, to cover both the internal and external network, and to verify that any network segmentation used to shrink the cardholder data environment actually holds.  The difference between a vulnerability assessment and a penetration test is vast: a vulnerability assessment is the equivalent of looking at a locked door to see if it’s locked, whereas in a penetration test we open the door and steal your Xbox One.

Dramatic re-enactment....

In addition to providing detailed feedback on the methods an attacker would use, organizations will also get the benefit of a live training exercise to see how their own security teams can identify and stop these types of attacks in action.  A good step in the right direction indeed.

Be sure to check your statements regularly!

Personally, the best defense you can have to protect yourself is awareness.  Always check your credit and debit card statements.  If you didn’t make a purchase, you need to let your card issuer know immediately.  If they hassle you about returning the funds, perhaps it’s time to switch banks.  For every Home Depot and Target known breach, there are no doubt plenty of unknown breaches.  Don’t wait on external notifications to start looking.

If your information is compromised and you are offered free credit monitoring, take advantage of it!  Be wary of any emails you receive about it, as they may be scams.  Always confirm by going directly to the merchant’s website or calling their customer service number to find out what monitoring programs they offer before signing up.

Some new technologies on the horizon may provide some relief too.  The card brands themselves are pushing EMV “chip” cards through a liability shift: starting in October 2015, a merchant that hasn’t deployed chip-capable terminals, rather than the card issuer, absorbs the loss from counterfeit card fraud at its registers.

Credit card with an embedded chip

The chip system embeds a small processor in the card that interacts with the payment terminal to generate a unique cryptogram for each transaction, so a recording of one transaction cannot be replayed to make another, unlike the static data on the magnetic strip that most cards in the US use today.  In “chip-and-PIN” deployments the cardholder must also enter a PIN to authorize the transaction; note that many US issuers are rolling out chip-and-signature instead, which protects against counterfeit cards but not against use of a stolen one.


Electronic wallet technology has been advancing, and received a big boost yesterday when Apple announced its new offering in that space, dubbed Apple Pay.  Rather than handing your credit card number to the merchant, Apple Pay presents a device-specific account number together with a one-time cryptogram that authorizes that individual purchase.  Stealing one of these tokens won’t provide any value to a thief: it can’t be replayed, and it isn’t your card number.
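To show why a captured token is worthless to a thief, here is a simplified single-use token scheme as an added example.  It is not Apple Pay’s protocol (which relies on a device account number and a cryptogram generated in the phone’s secure hardware) and not code from the original post; it illustrates the same two properties: the token is bound to one merchant and amount, and it can be redeemed exactly once.  The key, merchant names and amounts are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets


class TokenVault:
    """Issues and redeems single-use payment tokens.

    A token binds (merchant, amount, nonce) under a MAC keyed with a secret
    that only the issuing side holds. The vault records every nonce it has
    redeemed, so a token captured in transit or lifted from a merchant's
    point-of-sale system cannot be replayed, and the MAC stops it from being
    redirected to another merchant or amount.
    """

    def __init__(self, key):
        self.key = key          # issuer secret; never leaves the vault
        self.spent = set()      # nonces that have already been redeemed

    def _mac(self, merchant, amount_cents, nonce):
        msg = json.dumps([merchant, amount_cents, nonce],
                         separators=(",", ":")).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, merchant, amount_cents):
        """Cardholder side: mint a token good for exactly this purchase.
        Note that the token carries no card number at all."""
        nonce = secrets.token_hex(16)
        return {"merchant": merchant, "amount": amount_cents, "nonce": nonce,
                "mac": self._mac(merchant, amount_cents, nonce)}

    def redeem(self, token, merchant, amount_cents):
        """Payment-network side: validate a token the merchant submitted.
        Returns 'approved' or a 'rejected: ...' reason."""
        expected = self._mac(token["merchant"], token["amount"], token["nonce"])
        if not hmac.compare_digest(expected, token["mac"]):
            return "rejected: bad mac"
        if token["merchant"] != merchant or token["amount"] != amount_cents:
            return "rejected: wrong merchant or amount"
        if token["nonce"] in self.spent:
            return "rejected: replay"
        self.spent.add(token["nonce"])
        return "approved"


# Constructed demonstration key; a real issuer would keep this in an HSM.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def demo():
    """Walk through an honest purchase, a replay, and a redirected token."""
    vault = TokenVault(DEMO_KEY)
    token = vault.issue("Home Depot #0123", 4999)
    return [vault.redeem(token, "Home Depot #0123", 4999),   # approved
            vault.redeem(token, "Home Depot #0123", 4999),   # replay
            vault.redeem(token, "Other Store", 4999)]        # redirected


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of the design is that the merchant’s systems, the ones that got breached at Home Depot and Target, never hold anything reusable: a dump of every token they ever saw is a list of already-spent nonces.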


Similar approaches by Google, Square, and others may provide the relief we (and companies like Home Depot) are hoping for!

Thanks for reading, and stay safe out there!


Exposed Celebrities – Cloud Security Edition


While most of America was 3 or 4 hot dogs into an outstanding Labor Day weekend, a few other individuals were working out how to access other people’s photos stored in Apple’s iCloud.  They succeeded, and promptly begin to advertise the existence of nude photos of various celebs they were now in possession of.  Which of course made the news.

I tend to glaze over the minute I hear “celebrity news” too, but stay with me for just a minute on this one.  To me, the big news isn’t the celebrity part, it’s that we keep forgetting that the “cloud” is really just someone else’s computer.  These computers aren’t magical, just running special services that enable all kinds of cool things, like constant over the air backups of your phone.

In this case, the attackers took advantage of a misconfiguration in the iCloud service that let them try big lists of potential usernames and passwords until they found matches.   And it worked.   An account lockout after a certain number of failed attempts, or the use of two-factor authentication, would have stopped the attackers from gaining access.
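Here is what the missing control looks like, as an added example that is not Apple’s code or anything from the original post: a small per-account failure counter that locks the account after a handful of bad guesses, with a fake clock so the lockout window can be exercised without waiting.  The user table and the password list are constructed for the demonstration, and the thresholds are illustrative.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Per-account failure counter with a lockout window.

    After max_failures bad guesses within `window` seconds the account is
    locked for `lockout` seconds. While locked, attempts are refused before
    the password is even checked, so a long list of candidates buys the
    attacker nothing.
    """

    def __init__(self, max_failures=5, window=300, lockout=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                     # injectable for testing
        self.failures = defaultdict(deque)     # account -> failure timestamps
        self.locked_until = {}                 # account -> unlock time

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0.0)

    def record_failure(self, account):
        now = self.clock()
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()

    def attempt(self, account, password, verify):
        """Return 'locked', 'ok' or 'bad'. `verify(account, password)` is the
        real credential check, supplied by the caller."""
        if self.is_locked(account):
            return "locked"
        if verify(account, password):
            self.failures.pop(account, None)
            return "ok"
        self.record_failure(account)
        return "bad"


class FakeClock:
    """Deterministic stand-in for time.monotonic()."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed user table; a real service would compare password hashes.
USERS = {"alice": "correct horse battery staple"}


def verify_password(account, password):
    return USERS.get(account) == password


def run_password_list(guard, account, candidates, verify=verify_password):
    """Try a candidate list against one account the way a guessing script
    would, and return how many candidates were actually evaluated before
    the guard refused to continue (or the right one was found)."""
    checked = 0
    for candidate in candidates:
        outcome = guard.attempt(account, candidate, verify)
        if outcome == "locked":
            break
        checked += 1
        if outcome == "ok":
            break
    return checked


CANDIDATES = ["123456", "password", "qwerty", "letmein", "iloveyou",
              "correct horse battery staple"]   # constructed guess list

if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    print(run_password_list(guard, "alice", CANDIDATES))              # 5
    print(guard.attempt("alice", CANDIDATES[-1], verify_password))    # locked
    clock.advance(901)
    print(guard.attempt("alice", CANDIDATES[-1], verify_password))    # ok
```

Against this guard a list of a million passwords gets five guesses and then nothing until the lockout expires, which turns a quick scripted attack into a very slow one.  Lockouts can themselves be abused to lock legitimate users out, so in practice you pair them with per-source rate limiting and, better, two-factor authentication.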


Everyone who has an iPhone is a (potential) iCloud user.  It’s possible to disable it altogether, but my guess is that very few folks ever do.  It’s easy and convenient, and ensures you’ll always have access to your phone’s backup in case you need it.  The same applies to Google if you’re an Android user, and to Microsoft’s OneDrive if you’re a Windows user.  We’ll never have control over these services, so perhaps we need to adopt some new guidelines for using them.

1. Don’t take pictures you wouldn’t mind the whole world seeing.

2. Don’t use a simple password for your account.

3. Enable 2-factor authentication whenever possible.*

4. Don’t take pictures you wouldn’t mind the whole world seeing.

*Apple’s guide to enabling 2-factor authentication for iCloud is available here.

I’m reminded of an old analogy about email: Treat it like a postcard.  When a postcard goes through the mail, it is readable at every point of delivery.  If you need to keep something secret, send it a different way.  The same thing can apply to cloud services.  Leverage the benefits, but beware the risks.  If you do need to store some sensitive info, make sure you think carefully about where it should go.

Thanks for reading, and stay safe out there!


Going Public with a Data Breach – The Argument for Disclosure


The Wall Street Journal published a story in the beginning of August titled “Executives Rethink Merits of Going Public with Data Breaches” (link here).  It’s a fine piece of writing, and an intriguing point of view.  Unfortunately, it’s wrong.

I encourage you to read the article for yourself and draw your own conclusions but allow me to walk through some of the points outlined in the story.  Dawn-Marie Hutchinson, one of the subjects of the story and the head of information security at Urban Outfitters, kicks off the story by arguing that all data breach announcements do is create hysteria in the public.  To be fair, I understand why Ms. Hutchinson (and some of the other executives mentioned but not named in this story) would be opposed to disclosing breach activity: it is perceived as a direct reflection of their job performance.  The article indicates that disclosing a breach would be the equivalent of ringing the dinner bell for thousands of other potential attackers indicating a vulnerable network ripe for plundering.   And that may be true.  But I doubt it.

Since data breaches can come in so many colors and flavors, let’s narrow the definition for this discussion down to those involving sensitive customer data: credit card numbers, social security numbers, and usernames/passwords.  This type of data has value to the criminal element, since it enables credit card fraud (credit card numbers), identity theft (social security numbers) and online identity theft (email addresses with passwords).  While emails and passwords are nice, clearly the easiest path to money is through access to valid credit card numbers and social security numbers.

Let’s play the hypothetical game: You’ve been put in charge of information security, and discover that unauthorized persons accessed and stole some of your sensitive customer data.  Decision time.  You have two options: do nothing or disclose the breach.

If you choose nothing, then you leave the burden of discovery on your customers.  They will be the ones to discover the unauthorized charges on their credit card, the new credit line opened in their name or the spam originating from their email account.  You’ll be in violation of disclosure laws in at least 47 states (assuming you have customers there), and will likely make a stronger case against yourself in all the civil litigation that is likely to follow.  After all, if the breach is of any significance, sooner or later someone else is going to find out and tell the world.  That’s what happened to Target.  Other people noticed the huge surge in stolen credit cards on the market, and did the footwork to find the source.  Target would likely have been forced to disclose anyway.  Instead they stayed silent for almost two weeks while the news media circulated stories about the massive breach.


On the other hand, if you disclose the breach, you alert your customers to the problem and enable them to be proactive.  Customers can implement locks on their credit file.  Banks re-issue credit cards.  Passwords are changed.  And you devalue the stolen information the attackers left with.

And de-valuing the stolen data is probably the best defense you can mount these days.  Remember, the motivation of the criminal group who looks to steal this information is to sell it.  Credit card numbers only have value if they are valid and social security numbers only have value if they connect to a person with a good credit rating.

The practice of defensive information security is very difficult.  Assuming that you are sophisticated enough to determine that a breach has actually occurred (not as easy as it sounds), trying to determine exactly who executed the attack is nearly impossible.  Even if you somehow get the attribution right, your options for stopping these attackers are pretty limited.  It’s like trying to stop a burglar with a paintball gun: each time you catch them they have to start over.  But they get to start over, and keep at it until they find what they are looking for.

I’m reminded of a quote from Bruce Schneier, a luminary and pioneer in the information security world: “I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually ‘Nothing, you’re screwed.'”



A common perception about data breach notifications is that once a company goes public with a security event, they face:

  • Stock price drop
  • Brand damage
  • Customer loss
  • Civil lawsuits

As very effectively put by Adam Shostack in his keynote presentation “Beyond Good and Evil: Towards Effective Security”, those perceptions are wrong.  While companies may experience a brief hit to their stock price, they generally bounce back within 2 or 3 days.  Not even a week.  Customers tend not to leave, because transparency encourages trust (always a good thing).  And the vast majority of civil lawsuits are dismissed before discovery, especially if the breach disclosure process is executed effectively and provides the individuals affected with mitigating options like credit monitoring services.

And most importantly, effective sharing on data breaches is the only way we, as an industry, can get better.  Keeping quiet about a security event doesn’t help you, or your peers, get better at preventing these attacks.  It only helps your enemy the malicious attacker.  I think they’ve got enough of an advantage, don’t you?

Thanks for reading, and stay safe out there!
