Lenovo completely undermines user-vendor trust

Looking for a computer? Thinking about a Lenovo?

I strongly advise that you reconsider your choice due to an issue that has just come to the general attention of the InfoSec community. A couple of months ago, Lenovo was caught allowing VisualSearch, one of the companies that provides adware for the consumer line of its computers, to install an update to a program called Superfish. This update installed an unrestricted root certificate authority (CA) into the certificate store.

Before I get to the explanation, if you have a Lenovo system, please check to see if you have Superfish installed. If so, remove it. It will reportedly take this bad root CA with it. But it will not restore trust in Lenovo.

Update 1: The certificate stays behind, and it’s the same private key on every installation, meaning that someone who gets hold of it from one compromised system can use it on another. No trust left in Lenovo whatsoever.

Update 2: To see if you have the cert installed, go to https://www.canibesuperphished.com/. If you don’t get a warning, then you are vulnerable.

Back to the issue. It is almost impossible to overstate how bad this is. Lenovo essentially allowed flat-out attack software to be installed on a huge number of systems. With this root CA, the Superfish program replaced real certificates (like on banks, shopping sites, health sites, and anything else protected by HTTPS) with its own certificates so it could see every piece of data that you sent or received. If you went to a site in a browser, it showed a perfectly normal(-looking), perfectly secure(-looking) green lettering or bar, even though Superfish could see everything that transpired. It is a fundamental violation of the trust between purchaser and vendor.

That’s not hyperbole. This is attack software, even if their stated purpose (to allow comparison shopping) is benign. But it does so using what’s called a man-in-the-middle attack, one of the holy grails of attack methods. Further, the certificate can be used to sign software, applets, or documents, allowing them to be recognized by Windows as safe. Anything can be run, and it will look perfectly legitimate.

That also means that anything that could subvert it could completely subvert the system, and do so with you trusting it.  It could point you to a site under an attacker’s control and convince you it was your bank.  It could ask you to install a software update and convince you that it was issued by the software vendor.  It could see everything you do, everything that left and entered your system, and report it back to somewhere else with no alerts because it would all appear completely legitimate.

I understand that sometimes companies make mistakes. They even sometimes make security mistakes. Security is hard. But this is an unfathomably bad decision by a company that should know better, especially given the attention and fear generated by their purchase of IBM’s computer lines. I was not fond of them before, and now what little doubt I had has been shattered.

Update 3: I should have included removal instructions. Here they are for Vista/7/8:

1. Open the Start Menu/Screen and type “certmgr.msc” to find the Certificate Manager. Click on it or press Enter to open it.
2. In the left pane, open the Trusted Root Certification Authorities folder.
3. In the right pane, open the Certificates folder.
4. Look for “Superfish, Inc.” in the list of certificates.
5. If it’s present, right-click on it and select Delete.
6. Click Yes to the prompt that appears.

At this point, the risk for this certificate has been removed.
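The same check and removal can be scripted, which is handy if you have more than one machine to clean. The following PowerShell is an added example, not something from the original post or from Lenovo: it looks in both the machine-wide and the per-user Trusted Root stores for a certificate whose subject contains "Superfish" (the only identifying string the post gives; no thumbprint is assumed) and deletes whatever it finds. Run it from an elevated prompt so the LocalMachine store is writable.

```powershell
# Added example (not from the original post): audit the Trusted Root stores for a
# Superfish certificate and remove it. Run from an elevated PowerShell prompt so the
# LocalMachine store can be modified. The match on "Superfish" is taken from the
# post's removal instructions; no thumbprint is assumed.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Collect every root-store certificate whose subject or issuer names Superfish.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' }
}

if (-not $found) {
    Write-Output 'No Superfish certificate found in the Trusted Root stores.'
    return
}

foreach ($cert in $found) {
    Write-Output ("Found: {0} (thumbprint {1}) in {2}" -f $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
    # Add -WhatIf to preview instead of deleting.
    Remove-Item -Path $cert.PSPath -Confirm:$false
}

# Re-check so the outcome is visible; a leftover usually means the prompt was not elevated.
$remaining = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -like '*Superfish*' }
}
if ($remaining) { Write-Warning 'Superfish certificate still present; rerun as Administrator.' }
else { Write-Output 'Superfish certificate removed.' }
```

Removing the certificate only closes the trust hole; as the post says, uninstall the Superfish program as well, since a still-running program could simply reinstall it.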

Safer browsing without too much annoyance

One of the biggest challenges right now comes in keeping secure while we’re constantly connecting to systems of unknown trustworthiness.  Even when I connect to this site, on a server that I built and administer myself, which I pay for entirely from my own pocket, there’s still that little doubt in my mind.

Most other sites provide much stronger reasons to doubt them, not least because I have zero clue how good or bad they may be. There are companies that I trust more to maintain secure networks, and some I trust less. My experience as a pen tester has informed this a bit further, such that about a year ago I changed how I handle my browsing.


Fix for Wireshark locking up in Windows 8.1

I’ve been puzzling over why Wireshark seems to lock up when launching on Windows 8.1 and dumpcap.exe sits in the background even after Wireshark is forced to close.  Some experiments from the command line showed that any time dumpcap.exe tries to use some aspect of its capture behavior (including just listing interfaces), it locks up.  Various tools suggested that it was waiting for some external event to allow it to close.

I finally learned from an Ask Wireshark post that it was due to WinPCAP not starting on demand.  The solution is simple:

  • Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start to value 0x03 (SERVICE_DEMAND_START).
  • Reboot.
  • Enjoy packet capturing goodness.

I believe this is an issue with WinPCAP and not Wireshark.  There’s an alternate solution of running Wireshark in Windows 7 compatibility mode, but I try not to run things in compatibility mode unless there’s really no other way to do it.
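For anyone who would rather not edit the registry by hand, here is the same change as a PowerShell snippet. It is an added example, not part of the original post or of the Wireshark/WinPcap projects: it reads the current Start value of the NPF driver service, sets it to 3 (SERVICE_DEMAND_START) if it is anything else, and shows how to confirm the driver's start mode afterwards. It needs an elevated prompt, and the post's reboot step still applies.

```powershell
# Added example (not from the original post): set the NPF (WinPcap) driver service
# to demand start, which is the registry change the post describes. Run elevated.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'

if (-not (Test-Path $key)) {
    Write-Warning 'NPF service key not found; WinPcap does not appear to be installed.'
    return
}

# Start values: 0 boot, 1 system, 2 automatic, 3 demand (manual), 4 disabled.
$current = (Get-ItemProperty -Path $key -Name Start).Start
Write-Output ("Current NPF Start value: {0}" -f $current)

if ($current -ne 3) {
    Set-ItemProperty -Path $key -Name Start -Value 3 -Type DWord
    Write-Output 'NPF Start set to 3 (SERVICE_DEMAND_START). Reboot for the change to take effect.'
} else {
    Write-Output 'NPF is already set to demand start.'
}

# Equivalent change through the service control manager instead of the registry:
#   sc.exe config npf start= demand
# Verify the driver's start mode (kernel drivers are not listed by Get-Service):
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='NPF'" |
    Select-Object Name, State, StartMode
```

After the reboot, StartMode should read "Manual" and dumpcap.exe should be able to list interfaces without hanging.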