Superfish – Should you be worried?

Note: Not the same Superfish…

Last week security researchers discovered a major vulnerability caused by a program that was bundled with new Lenovo computers.  The program in question, made by a company named Superfish, is adware: it injects ads into the web pages you visit, chosen based on your browsing activity.

“Injecting” ads into web pages is pretty ethically questionable anyway, especially by a program that tracks your activity on every web page you visit, but it gets worse.  Most major sites, like Google, Amazon, Twitter, Facebook, and others, use encryption (HTTPS) to secure your connection, so that unsavory characters can’t just listen in and track you.  Naturally, if Superfish can’t read your encrypted web traffic, it can’t track you on those pages or inject ads into them.

So, Superfish devised a method to insert itself into those secure connections too.  The technique is usually referred to as a Man-In-The-Middle attack (because it is an attack): rather than letting the customer (you, in this case) talk directly to the website (anything that uses encryption), the software sits in between, terminating your “secure” connection on your own computer and opening a second one to the real site, so that it can read and modify everything that passes through.

A man-in-the-middle attack

Of course, the magic of the encryption used to secure web pages depends on a pair of keys: a public key, which the site hands out inside its certificate (a document, signed by a certificate authority your browser already trusts, that ties the public key to the site’s name), and a private key, which the site keeps strictly private.  As you can imagine, Google doesn’t lend its private key out to interested parties, so Superfish’s solution was to create its own certificate authority, install that CA certificate as “trusted” on the victim, I mean customer’s, computer, and then sit right in the middle of the “secure” connection, minting a fresh certificate for whatever site you visit (which your browser will happily trust, since it chains to a root that is installed as “trusted”, after all!), and watch everything going back and forth.

You are probably asking yourself what the big deal is.  Here’s the problem: the certificate authority that Superfish installed on your computer, just so that it could inject ads into your web browser, can be used by other attackers too.  Remember that private key we mentioned earlier?  Turns out that the Superfish crew used the same one on ALL of the computers the software was installed on, and it shipped inside the software itself.  An attacker who extracts that private key (and researchers did so within days of the disclosure) has the ability to impersonate ANY website visited by someone with this software installed, for example from a coffee-shop Wi-Fi network, and the browser will show the padlock as if nothing were wrong.

Just like a password, it doesn’t matter how complex the private key is if everyone knows it…

Recognizing now that perhaps this was a bad idea, Lenovo has released a removal tool that not only removes the Superfish software, but also pulls out the certificate that was installed along with it (uninstalling the program alone leaves the trusted root behind, which is the dangerous part).  Kudos to them for doing so.  You can find the removal tool here:

http://support.lenovo.com/us/en/product_security/superfish_uninstall
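If you want to check for yourself, either before running the tool or to confirm it did its job, the following PowerShell snippet looks through the Windows trusted root stores for a certificate issued to Superfish. This is an added example written for this post, not Lenovo’s removal tool or Superfish’s code; it assumes only the built-in `Cert:` drive and matches on the subject name the Superfish root certificate carried.

```powershell
# Added example (not Lenovo's or Superfish's code): look for the Superfish root
# certificate in the machine-wide and per-user "Trusted Root Certification
# Authorities" stores. Those are the stores the browser consults, so a hit here
# means a man-in-the-middle certificate for any site would be accepted silently.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# The root that Superfish installed was issued to "Superfish, Inc.", so a
# subject or issuer match on that name is enough to identify it.
$pattern = 'Superfish'

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } }, Subject, Thumbprint, NotAfter
}

if ($suspects) {
    Write-Warning 'Superfish root certificate found in a trusted store:'
    $suspects | Format-Table -AutoSize

    # Uninstall the adware first (it will otherwise keep a working proxy running
    # and can re-add its root), then remove the trust anchor. Removing from
    # LocalMachine requires an elevated (Administrator) PowerShell prompt.
    # Uncomment the next line to delete the matching certificates:
    # $suspects | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
} else {
    Write-Host 'No Superfish certificate found in the LocalMachine or CurrentUser root stores.'
}
```

A quicker manual check is to open any HTTPS site, click the padlock, and look at who issued the certificate: on an affected machine the issuer reads “Superfish, Inc.” instead of the site’s real certificate authority.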

So, should you be worried about Superfish?  If you bought one of the following Lenovo computers between September 2014 and January 2015, then you probably have it installed right now.

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

The ThinkPad line from Lenovo was not shipped with the Superfish adware installed, according to Lenovo.

If you have a company issued laptop (especially if you are an Enterprise Integration customer), your machine was likely reloaded with a purpose-built Microsoft Windows image that does not have any of this type of software installed.  If you purchased a Lenovo for yourself or your family, you should take a few moments and try the removal tool from Lenovo.

The bigger question that remains: How many more Superfish situations exist, and how can you protect yourself from these unknowns?  We’ll address that in a follow up post.

Thanks for reading, and stay safe out there!

More information can be found here:

http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

The Equation Group

Equation Group Activities from Kaspersky Report

On February 16th, 2015, Kaspersky Lab (www.kaspersky.com) released a Q&A on the espionage software designed and used by a group they call the “Equation Group”. The name was given based on the group’s heavy use of encryption algorithms and obfuscation to mask the existence of the malware and its data transmissions. All of the previous “advanced” malware we’ve seen to this point (Stuxnet, Flame, Regin, and others) seems simplistic compared to this. Kaspersky engineers found that one of the group’s modules can reprogram the firmware of hard drives from almost every major brand currently on the market. The antivirus software running on your computer right now cannot read that firmware to detect a modification, and even wiping the disk and re-installing your computer from scratch won’t remove it, because the implant lives in the drive rather than on it. To date the use of the malware appears to be very focused on high value government targets, which leads Kaspersky and others to believe it is somehow affiliated with a government agency.

The full document can be found at http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

Although the average corporate employee would not be a likely target today, copy-cat hackers may begin to develop their own versions of this complex software. We’ve likely only begun to learn about this talented, government-backed group, which has managed to avoid detection by every known antivirus product on the market today.

More information can be found here http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/