Lenovo completely undermines user-vendor trust

Looking for a computer? Thinking about a Lenovo?

I strongly advise that you reconsider your choice due to an issue that has just come to the general attention of the InfoSec community. A couple of months ago, Lenovo was caught allowing VisualSearch, one of the companies that provides adware for the consumer line of its computers, to install an update to a program called Superfish. This update installed an unrestricted root certificate authority (CA) into the certificate store.

Before I get to the explanation, if you have a Lenovo system, please check to see if you have Superfish installed. If so, remove it. It will reportedly take this bad root CA with it.  But it will not restore trust in Lenovo.  Update 1: The certificate stays behind, and it’s the same private key on every installation, meaning that someone who gets hold of it from one compromised system can use it on another.  No trust left in Lenovo whatsoever.  Update 2: To see if you have the cert installed, go to https://www.canibesuperphished.com/.  If you don’t get a warning, then you are vulnerable.

Back to the issue. It is almost impossible to understate how bad this is. Lenovo essentially allowed flat-out attack software to be installed on a huge number of systems. With this root CA, the Superfish program replaced real certificates (like on banks, shopping sites, health sites, and anything else protected by HTTPS) with its own certificates so it could see every piece of data that you sent or received. If you went to a site in a browser, it showed a perfectly normal(-looking), perfectly secure(-looking) green lettering or bar, even though Superfish could see everything that transpired.  It is a fundamental violation of the trust between purchaser and vendor.

That’s not hyperbole. This is attack software, even if their stated purpose (to allow comparison shopping) is benign. But it does so using what’s called a man-in-the-middle attack, one of the holy grails of attack methods. Further, the certificate can be used to sign software, applets, or documents, allowing them to be recognized by Windows as safe. Anything can be run, and it will look perfectly legitimate.

That also means that anything that could subvert it could completely subvert the system, and do so with you trusting it.  It could point you to a site under an attacker’s control and convince you it was your bank.  It could ask you to install a software update and convince you that it was issued by the software vendor.  It could see everything you do, everything that left and entered your system, and report it back to somewhere else with no alerts because it would all appear completely legitimate.

I understand that sometimes companies make mistakes. They even sometimes make security mistakes. Security is hard. But this is an unfathomably bad decision by a company that should know better, especially given the attention and fear generated by their purchase of IBM’s computer lines. I was not fond of them before, and now what little doubt I had has been shattered.

Update 3: I should have included removal instructions. Here they are for Vista/7/8:

1. Open the Start Menu/Screen and type “certmgr.msc” to find the Certificate Manager. Click on it or press Enter to open it.
2. In the left pane, open the Trusted Root Certification Authorities folder.
3. In the right pane, open the Certificates folder.
4. Look for “Superfish, Inc.” in the list of certificates.
5. If it’s present, right-click on it and select Delete.
6. Click Yes to the prompt that appears.

At this point, the risk for this certificate has been removed.

Safer browsing without too much annoyance

One of the biggest challenges right now comes in keeping secure while we’re constantly connecting to systems of unknown trustworthiness.  Even when I connect to this site, on a server that I built and administer myself, which I pay for entirely from my own pocket, there’s still that little doubt in my mind.

Most other sites provide much stronger reasons to doubt them, least of all because I have zero clue how good or bad they may be.  There are companies that I trust more to maintain secure networks, and some I trust less.  My experience as a pen tester has informed this a bit further, such that about a year ago I changed how I handle my browsing.

Continue reading “Safer browsing without too much annoyance”

Fix for Wireshark locking up in Windows 8.1

I’ve been puzzling over why Wireshark seems to lock up when launching on Windows 8.1 and dumpcap.exe sits in the background even after Wireshark is forced to close.  Some experiments from the command line showed that any time dumpcap.exe tries to use some aspect of its capture behavior (including just listing interfaces), it locks up.  Various tools suggested that it was waiting for some external event to allow it to close.

I finally learned from an Ask Wireshark post that it was due to WinPCAP not starting on demand.  The solution is simple:

  • Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start to value 0x03 (SERVICE_DEMAND_START).
  • Reboot.
  • Enjoy packet capturing goodness.

I believe this is an issue with WinPCAP and not Wireshark.  There’s an alternate solution of running Wireshark in Windows 7 compatibility mode, but I try not to run things in compatibility mode unless there’s really no other way to do it.

BadBIOS: Worst fears realized or just fearing the worst?

Last week, word hit about a piece of malware referenced as BadBIOS.  Reported by Dragos Ruiu, founder of the Pwn2Own contest and a respected member of the security community, it’s said to be able to communicate with other infected systems by the sound hardware, similar in some ways to a modem.

There are still a TON of questions about this. As far as I’ve read, few if any other people have seen the hardware, but the researcher himself is considered trustworthy. I’ve seen a lot of reports that get the information wrong, like a report that BIOS was infecting BIOS via the sound capabilities, which is not (so far as I can tell) what is being claimed. It seems that what is present is an incredibly resilient and persistent malware that can communicate to other similarly-infected systems via the sound card, and apparently to affect more than one operating system, having successfully affected Apple’s OS X and Windows, as one might expect, but also Linux and even OpenBSD, the latter of which is a very unusual target.

This is, in some ways, what was feared by many when Intel said it wanted to move from BIOS to EFI/UEFI.  Intel had some very good reasons for this as the capabilities of BIOS were interfering in general computing hardware advancement, but when you put what amounts to an operating system in the firmware with room to expand, there stands a good chance that it’s going to be abused.  UEFI sits under everything, and while it’s not quite a virtual machine host (yet), it has many of those same capabilities as it can read what’s going between hardware easily, giving it the ability to alter data at many points.  It also makes it extremely difficult to pry out as few if any malware detection mechanisms can look into the hardware.

Based on a recent (mediocre) book series I’ve been reading, the thought crossed my mind that it may have been secretly sent to one or more researchers so that they would find it specifically in order to derail some secret capability developed by a state-sponsored agency or group. That’s getting into conspiracy theory, something I don’t tend to do, but those happen online more than they happen in meatspace.

In any case, it’s still something I’m watching, and I’m sure there are researchers working to develop similar capabilities. It’s not something I worry about hitting my systems, because the complexities of doing so are enormous. Most computer hardware is built to handle very specific information, but the microphones still start and speakers still end as analog, and the quality of both diverges significantly from one system to the next, even within the same model of hardware. I can see how data can be delivered via sound–we’ve done it for decades with modems–but aside from targets picked very carefully, I have difficulty believing that this could be used for something widespread, especially since the infection mechanism needs a different entry point.

It’s an interesting piece of targeted malware (if real), but it’s not going to take over the world.

Free Microsoft e-books

Here are some links I found a while back to free ebooks from Microsoft on a ton of topics including Windows (desktop and server), SQL Server, SCCM, Sharepoint, and application development.  The selection covers the range from beginners to advanced.

Large collection of Free Microsoft eBooks for you, including: SharePoint, Visual Studio, Windows Phone, Windows 8, Office 365, Office 2010, SQL Server 2012, Azure, and more.

Another large collection of Free Microsoft eBooks and Resource Kits for you, including: SharePoint 2013, Office 2013, Office 365, Duet 2.0, Azure, Cloud, Windows Phone, Lync, Dynamics CRM, and more.

Huge collection of Free Microsoft eBooks for you, including: Office, Office 365, SharePoint, SQL Server, System Center, Visual Studio, Web Development, Windows, Windows Azure, and Windows Server

Setting up gpg4win on Windows 8

A few weeks ago, when building my new computer, I decided to go with Windows 8, primarily for the under-the-hood improvements.  I won’t get into the overall experience, but I did run into a few issues getting security software installed, especially gpg4win, which I chose to enable PGP e-mail encryption.

The OpenPGP specification (encapsulated in RFC 4880) was created by Phil Zimmerman back in 1991 and is pretty much the standard for encrypting messages sent via the Internet.  However, implementing encryption is hard, and implementing encryption implementations isn’t always easy, either.  While Linux has several options built into most distros to handle this, Windows ends up with two primary options: PGP and gpg4win.  We’ll have a look at them and how to install the latter after the break.

Continue reading “Setting up gpg4win on Windows 8”

Some critical software end-of-life dates

In my last post on Java, I mentioned that versions of Java older than Java 6 have been end-of-life (or unsupported) for some time.  This invariably starts people wondering about end-of-life dates for other major software products, so here are a few of note.  It’s not comprehensive, but hits some of the software that’s most commonly used.  Not all of the products listed are unsupported: some are currently supported but the vendors have published end-of-life dates, sometimes (but not always) far into the future.  If you’re using something unsupported, you really should try to move to something on the support list (and preferably not something in yellow on the chart).  For things like Office that may be expensive, there are usually options such as LibreOffice that are free to use.

A couple of points of note:

  • Windows XP is coming up on its last patches in April 2014, about 15 months away and soon after Patch Tuesday for that month (Office 2003 support ends on Patch Tuesday for that month).  I hope you’re all planning to be ready for that day.
  • I couldn’t find specific end-of-life dates for Flash.  I did find that the basic supported versions are 10.3 and 11.5, except that there’s also support for 11.3 on Windows 8 (presumably the Flash version built into IE10) and 11.2 for Linux.  Anything else is considered unsupported.
Vendor Product Line Product Version End-of-Life Date
Microsoft Windows Windows 3.1 31 Dec 2001
Windows 95 31 Dec 2001
Windows 98/98SE/ME 11 Jul 2006
Windows 2000 13 Jul 2010
Windows XP 18 Apr 2014
Windows Vista 11 Apr 2017
Windows 7 14 Jan 2020
Windows 8 10 Jan 2023
Windows Server Windows Server 2003 14 Jul 2015
Windows Server 2008 14 Jan 2020
Windows Server 2012 10 Jan 2023
Office Office 95 31 Dec 2001
Office 97 28 Feb 2002
Office 2000 14 Jul 2009
Office XP 12 Jul 2011
Office 2003 08 Apr 2014
Office 2007 and later Not yet set
Adobe Flash Flash Player Unclear; always update to current
Reader Reader 7 28 Dec 2009
Reader 8 03 Nov 2011
Reader 9 26 Jun 2013
Reader X 18 Nov 2015
Reader XI Not yet set
Oracle Java Java 2 Std Ed (J2SE) 1.3 11 Dec 2006
J2SE 1.4 30 Oct 2008
J2SE 5 30 Oct 2009
J2SE 6 Feb 2013
J2SE 7 Jul 2014

Key:

  • White: Still supported for some time
  • Yellow: Still supported, end of support within the next 18 months
  • Red: No longer supported