SSL-busting code that threatened Lenovo users found in a dozen more apps




The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider.

Trojan.Nurjax, a malicious program Symantec discovered in December, hijacks the Web browsers of compromised computers and may download additional threats. According to a blog post published Friday by a security researcher from Facebook, Nurjax is one such example of newly found software that incorporates HTTPS-defeating code from an Israeli company called Komodia. Combined with the Superfish ad-injecting software preinstalled on some Lenovo computers and three additional applications that came to light shortly after that revelation, there are now 14 known apps that use Komodia technology.
"What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."

Komodia, a company that brazenly calls one of its software development kits as an "SSL hijacker," is able to bypass secure sockets layer protections by modifying the network stack of computers that run its underlying code. Specifically, Komodia installs a self-signed root CA certificate that allows the library to intercept encrypted connections from any HTTPS-protected website on the Internet. This behavior is by no means unique to Komodia, Superfish, or the other programs that use the SSL-breaking certificates. Antivirus apps and other security-related wares often install similar root certificates. What sets Komodia apart from so many others is its reuse of the same digital certificate across many different computers.

Researchers have already documented that the password protecting most or all of the Komodia certificates is none other than "komodia". It took Errata Security CEO and whitehat hacker Rob Graham only three hours to crack this woefully weak password. From there, he used the underlying private key in the Komodia certificate to create fake HTTPS-enabled websites for Bank of America and Google that were fully trusted by Lenovo computers. Despite the seriousness of Graham's discovery and the ease other security researchers had in reproducing his results, Superfish CEO Adi Pinhas issued a statement on Friday saying Superfish software posed no security risk.

Comments

Post a Comment

Popular posts from this blog

NASA’s Super Guppy Gives Mars-Bound Spacecraft A Lift

Image
Today the Orion capsule, NASA’s spacecraft designed to bring humans to Mars, starts its next phase of development at Kennedy Space Center. The remarkable part is that just this morning, that large spacecraft was at NASA’s Michoud Assembly Facility in New Orleans. In order to carry Orion from New Orleans to Cape Canaveral, NASA recruited their Super Guppy aircraft. The Super Guppy has a cargo area that is 25 feet tall, 25 feet wide and 111 feet long. The jumbo plane can carry over 26 tons worth of cargo and is often used by NASA to ferry large components around the country that would take too long (or be impossible) to ship by land or by sea. The Super Guppy’s history dates back to the Apollo program. It was used in the 1960’s to carry parts of the Saturn V rocket from California to Florida. The other option NASA had was to ship rocket stages through the Panama Canal, which would often take weeks or months longer.
Read more

Dell XPS 13 2015 Review and Giveaway

Image
At Consumer Electronics Show 2015, Dell’s XPS 13 2015 edition swept the awards for laptops, particularly in the $800 price range. Considering the sheer quality of its competition, this was no easy feat. But, dude, are you getting a Dell? Read on to find out. Before going private, Dell’s sales weren’t doing great. It had slipped from the top PC seller to somewhere near sixth place in 2007. After a contested buyout in November of 2013, Dell’s future looked uncertain. However, its movements following the acquisition proved shrewd. Rather than releasing a deluge of models, as they had under public ownership, Dell refocused its efforts on building better products. The Dell XPS 13 2015 edition is part of the first line of laptops and tablets released following its departure from public ownership. The new line of Ultrabooks still use Dell’s made-to-order approach. Buyers configure their device online, selecting from a large number of parts and value-added options, with a base price of ...
Read more

Who To Follow On Twitter, According To Marc Andreessen

Image
Well-known Tweetstormer and investor Marc Andreessen has produced a list of his favorite people to follow on Twitter. He was prompted to do so by an article in The Information called “Silicon Valley’s Frontman Problem” by Jessica Lessin, who questioned if the industry leaders most often quoted by the media (she cited Andreessen, Elon Musk, and Peter Thiel) really “represent the views of the broader Silicon Valley community.” “The more media coverage Silicon Valley gets, the more important it is that other voices get heard,” Lessin wrote. (In addition to Lessin’s thought piece, New York magazine also just published an interview with Andreessen, in which he talked about the cultural changes in Silicon Valley since he arrived in 1994 and diversity in the tech industry, among other topics.) His list “only a highly abridged selection,” Andreessen (@pmarca) tweeted, but a helpful one because his public list of tech industry-related accounts has over 600 members. Since Andreessen’s ...
Read more