Lenovo CTO Claims Concerns Over Superfish Are Simply 'Theoretical'

from the find-a-new-cto dept

Lenovo keeps making things worse. First it installed crappy Superfish malware/adware on a bunch of its computers. That was bad enough. But the real problem was that in a clever little "hack" to get around the fact that the adware wouldn't work on HTTPS enabled pages, Superfish installed its own self-signed root certificate to basically create a massively dangerous man-in-the-middle attack to snoop on what you were doing on those HTTPS pages. Oh, and to make it even worse, the company made sure that everyone who had this Superfish self-signed root certificate had the exact same certificate with an easily cracked password, so that a massive and easily exploited vulnerability is in place in tons of machines out there. And Lenovo's first response was to insist there was no evidence of any security concerns. It later, quietly, deleted that statement, but still seems to be unwilling to admit what an incredibly dangerous situation it has created.

In fact, the company is still in denial mode. Lenovo's CTO, Peter Hortensius, was interviewed by the WSJ, and he insisted that any threats were "theoretical."

WSJ: There seems to be a disparity between what security researchers are saying about the potential dangers of this Superfish software, and what the company has said about this app not presenting a security risk.

Hortensius: We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.

Fire your CTO, Lenovo. Fire your marketing people. Fire your security team. This is a disaster. In our first post, we compared it to the Sony rootkit fiasco from a decade ago, while noting the security risk here is much, much greater. And, so far, Lenovo appears to be playing straight from the Sony rootkit response playbook. If you don't recall, after security folks pointed out what a security disaster the rootkit was, Sony's response was to dismiss the concerns as... theoretical:

"Most people, I think, don't even know what a rootkit is, so why should they care about it?"

In both cases, these technologies opened up giant, massive vulnerabilities on people's computers. In both cases, they were easily exploitable (in the Lenovo case, much, much, much more easily exploitable in a much, much, much more nefarious way). And, in both cases, senior execs from the company tried to handwave it away because they don't know if anyone abused these problems. This ignores that (1) it's quite possible people have been abusing these vulnerabilities for months and it's just not public yet, and (2) more importantly, it doesn't fucking matter because the vulnerability is still there and easily exploitable by lots and lots of people now because it's widely known.

Handwaving this off as a "theoretical" concern is not just missing the point -- it suggests a fundamental lack of understanding about rather basic security practices. As I mentioned earlier, I've been a very loyal Thinkpad buyer for years (though, thankfully, the machine I bought a couple months ago wasn't one infected this way). Every time I've dabbled with other laptops I've regretted it. But Lenovo's response to this is very quickly convincing me that the company should never get any more money from me. It's not just the initial screwup in preinstalling such a security mess, but the completely ridiculous response to it that suggests a company that still doesn't recognize what it has done.

Filed Under: certificate, danger, peter hortensius, security, self-signing, superfish
Companies: komodia, lenovo, superfish

This Week In 'The NSA Knows F**king Everything': How It Hacked Most Hard Drives And SIM Cards

from the call-it-a-twofer... dept

Thought that the revelations of NSA/GCHQ spying were dying out? Having some "surveillance fatigue" from all the stories that have been coming out? Have no fear -- or, rather, be very very very fearful -- because two big new revelations this week show just how far the NSA will go to make sure it collects everything. First up: your hard drives. Earlier this week, Kaspersky Lab revealed that the NSA (likely) has figured out ways to hide its own spyware deep in pretty much any hard drive made by the most popular hard drive manufacturers: Western Digital, Seagate and Toshiba.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

As the report notes, it appears that this is a kind of "sleeper" software, that is buried inside tons of hard drives, but only "turned on" when necessary. The report notes that it's unclear as to how the NSA was getting this software in there, but that it couldn't do it without knowing the source code of the hard drive firmware -- information that is not easily accessible. A few of the hard drive manufacturers have denied working with the government on this and/or giving them access to the firmware. It's possible they're lying/misleading -- but it's also possible that the NSA figured out other ways to get that information.

And that brings us to door number two: your mobile phone's SIM card. Today, the Intercept revealed (via the Ed Snowden documents) how the NSA and GCHQ were basically able to hack into the world's largest manufacturer of mobile phone SIM cards in order to swipe encryption keys, so that your friendly neighborhood intelligence snooper can snoop on you too:

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

The details of just how the NSA hacked into Gemalto are quite a story -- and proves what a load of crap it is when the NSA and its defenders insist that they only target bad people. As former NSA (and CIA) boss Michael Hayden recently admitted, they actually like to spy on "interesting people." And who could be more interesting than the people who have access to the encryption keys on billions of mobile phones? So, yeah, the NSA and GCHQ basically spied on IT folks at the company until they found a way in. So, the NSA spies on "bad guys" and "IT people" for the good guys. Because, I'm sure they'll claim, it helps them get the bad guys. We've seen this before, when the GCHQ hacked into Belgian telco giant Belgacom, allowing them to tap into communications at the EU Parliament. Hacking into various companies appears to be standard operating procedures for the NSA/GCHQ these days, with no thought to the collateral damage being caused.

And, yes, both of these hacks basically involve giving the NSA an astounding amount of access to our electronic devices:

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. “Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. “The news of this key theft will send a shock wave through the security community.”

[....]

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”

Between both of these big stories this week, it's clear that the NSA is basically deeply buried in pretty much every bit of electronic equipment these days, with the tools ready to go to spy on just about anything. The idea that this power isn't being abused regularly is pretty laughable.

Filed Under: certificate, encryption key, gchq, hacking, hard drives, malware, nsa, privacy, sim cards, spyware, surveillance
Companies: gemalto, samsung, seagate, toshiba, western digital