April 2015

Volume 30 Number 4


Editor's Note - Fished Out

By Michael Desmond | April 2015

I remember one of the first IT articles I ever wrote. I was living in Chicago, writing occasional freelance articles for a weekly computing tabloid while working a temp job for a marketing outfit that shilled cigarettes in bars. Good times. The article was about a floppy disk-borne virus outbreak, which in itself was hardly news. Most malware at the time got onto PCs via the 5.25- or 3.5-inch floppy disks used to move data and install applications. What was newsworthy was that the virus showed up on new diskettes sold by a local electronics store.

A quarter-century ago, malware-infected media was a byproduct of regrettable negligence by a manufacturer. Today, manufacturers infect hard drives for fun and profit.

Take the (rather egregious) example of computer maker Lenovo. The company had been outfitting its consumer line of Yoga laptops and convertibles with a pernicious bit of software called Superfish, which Lenovo has described as “visual discovery software,” whatever the heck that’s supposed to mean. In point of fact, Superfish was a man-in-the-middle (MITM) exploit used to monitor Lenovo users’ Web searches and inject its own ads into the results as the remote server returned them. But with many searches now conducted over secure HTTPS links, Superfish had a problem. It needed a way into those encrypted conversations.

Which is when things went seriously off the rails at Lenovo. As part of the bundling deal, Lenovo pre-installed into the Windows trusted root store of each of its systems a self-signed, private root certificate from Superfish, essentially imbuing Superfish with all the powers of a certificate authority. The SSL certificates that Superfish presented when it intercepted traffic were chained to this root certificate, so the browser trusted them fully and showed no warning.

As Rick Andrews, senior technical director for Trust Services at Symantec, wrote in a blog soon after the Superfish deal blew up: “Pre-installing any root that does not belong to an audited Certificate Authority and marking it as trusted undermines the trust model created and maintained by platform vendors, browser vendors and Certificate Authorities.”

It sure does. Worse, the associated private key set up on each computer was encrypted using the same dead-simple password—komodia—which is literally the name of the company that provided the ad injection software for Superfish. I am not making this up. Robert Graham in his Errata Security blog (bit.ly/18mAiO0) describes how he was able to quickly extract the Superfish certificate and crack the private key password. Keep in mind, that password is the same for all affected Lenovo systems. Any PC with the Superfish certificate installed is vulnerable to having its Web communications intercepted.
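A defender's check for the condition described above, as an added PowerShell example that is not part of the original column: it walks the machine and user trusted root stores, flags any entry whose subject or issuer names Superfish, and reports whether it is self-signed. The search string and store paths are assumptions; the column gives no certificate thumbprint, so none is hard-coded.

```powershell
# Added example (not from the column): look for a Superfish-style root in the
# Windows trusted root stores. Assumes PowerShell 3+ on Windows with the Cert: drive.
# The subject/issuer pattern is an assumption; adjust it if you have a known thumbprint.
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$pattern = 'Superfish'

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                # Subject equal to issuer means a self-signed root, i.e. it acts as its own CA
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # A trusted root on an end-user box should never carry a private key; the
                # Superfish key normally lived with the interception software, so this is
                # usually $false, and $true would be worse still
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
}

if ($suspects) {
    $suspects | Format-Table -AutoSize
    Write-Warning "Untrusted root(s) present. Remove each with: Remove-Item -Path '<Store>\<Thumbprint>' (elevated), then re-run this scan."
} else {
    Write-Host "No root certificate matching '$pattern' found in the machine or user root stores."
}
```

Removing the root only closes the browser-side hole; the interception software and its private key also have to be uninstalled, which is what the vendor removal tools mentioned below do.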

Microsoft stepped in quickly, updating its Defender and Security Essentials tools to spot and remove Superfish installations, and Lenovo came to its senses a bit later with a removal tool of its own. None of which resolves the truly galling part of this episode. According to a Forbes report (onforb.es/1ErfZeR), Lenovo probably earned between $200,000 and $250,000 in the bundling deal—barely a rounding error on Lenovo’s $14.1 billion in revenue in the third quarter. Yet that was enough to motivate a first-line computer manufacturer to completely undermine the root-level security of its paying customers.

OK, so forget the profit. Maybe manufacturers are infecting hard drives just for the fun of it at this point.


Michael Desmond is the Editor-in-Chief of MSDN Magazine.