CIA Hacks US Developers, Jeopardizes US Citizens in Surveillance Efforts

One of the latest revelations from the Edward Snowden leaks is that the CIA has been taking unusual approaches to collecting information from surveillance targets.

The CIA claimed to have tools that would be used to hack US-based developers in order to insert back doors into those developers’ programs. These back doors would then be used for surveillance of targeted individuals.

The trouble with this approach is that the CIA cannot control which end users end up with the back doors installed. Every single user of a targeted program is not only vulnerable to CIA attacks, but is also vulnerable to attacks from foreign governments (or whoever else might be interested and finds the back door).

To put this in perspective, this is the modern equivalent of the CIA degrading the quality of steel used by a US-based company to produce safes, just in case the CIA needs to be able to quickly break into a safe used by a target someday.

To quote one of the people interviewed in the linked article:

It may be a means to an end, but it’s a hell of a means.

The whole article is pretty long, but I really think that this is something that all Americans should at least be aware of, if not completely outraged by.

Layperson’s Guide to Lenovo & Superfish

You’ve probably heard about Lenovo’s recent security dust-up but you probably have no idea what to make of it. As usual, the mainstream press hasn’t done a very good job of explaining computer security stories. Let’s take a look at what actually happened, its consequences, and what should be done in the future.

What Lenovo & Superfish said they did

Lenovo’s basic goal was to make money by selling ads on their computers. To do this, they took the normal Windows operating system and added software from a company called Superfish that would display additional ads on some websites. The normal ads that you might see on a normal website—say Google search results—are still there. They just added a few more. But, almost every PC manufacturer adds crapware to their computers. What’s the big deal?

What Lenovo & Superfish actually did

An analogy

To explain what actually took place, let’s take a step back and look at an analogy. Imagine a letter carrier needs to make some extra money to help make ends meet. His buddy recently picked up a mail truck at auction.

The letter carrier and his buddy decide to repaint the truck identically to the letter carrier’s work truck. Every day the letter carrier goes to work, gets his truck, and drives to his buddy’s house. His buddy opens every piece of advertising mail, staples, glues, or inserts new ads into each one, and reseals it.

Since this process takes a few hours, the letter carrier takes the fake truck and delivers the previous day’s mail that now includes the extra ads. At the end of the day, he takes the fake truck back to the post office. The next day, he takes the fake truck filled with the new day’s mail from the post office to his buddy’s house, grabs the real truck, and delivers the previous day’s mail.

This is more or less the analog equivalent of what Superfish’s software was doing with its adware. Oh, and the best part? Superfish pretty much did the equivalent of leaving the keys in the mail truck parked at the letter carrier’s buddy’s house so anyone off the street was free to use the truck for their own purposes.

Back to real life

Lenovo and Superfish wanted to insert ads into webpages, particularly search results. The goal was to target ads towards people who were searching to buy things. This would be very easy to do on any normal HTTP website, but the place where these ads would generate the most money would be on pages showing search results.

The problem with this plan was that Google and other search engines have started using HTTPS on their sites. This technology prevents anyone between the search engine’s servers and the user’s web browser from seeing or changing a webpage as it travels across the internet to the user. This is exactly what banks use to secure their online banking connections.

So, this adware couldn’t just insert ads into Google search results without showing big security warnings to the user. To get around that, they added a file (called a root certificate) to the list of certificate authorities that Windows trusts, and the adware intercepts all traffic from every single website a user visits. Because the root certificate was trusted by the Windows operating system, the adware could issue its own certificate for any website, and no web browser would throw up the big security warnings.

But, wouldn’t somebody notice the lock icon or the green address bar was missing from their web browsers? The adware would also re-“secure” all HTTPS websites, causing the padlock and green address bar to be displayed. So, most people would assume that everything was okay.

The only catch was that if a paranoid person went looking at the equivalent of the mail truck’s registration, they would see that it wasn’t issued by the internet equivalent of a government agency. It’s not quite the same thing, but for this discussion they’re close enough (they’re actually called certificate authorities).

For example, if you visited https://www.BankOfAmerica.com, you would expect the registration to be issued by a certificate authority. But instead, the registration would be issued by Superfish, Inc.

But they stopped the ads! What’s the big deal?

Yes, you’re absolutely right. Lenovo did stop inserting ads and removed the adware portion of the system from all computers back in January. But remember that little trick to re-“secure” websites? That piece of the system was left in place. The problem is that the private key for the root certificate shipped inside the software, protected by nothing more than a simple password. The password was cracked in just 3 hours by security professional Robert Graham.

Now that the password (and the private key it protected) is public, anyone can forge a certificate for any website and use it to run a malicious website that targets users of these Lenovo laptops. On these laptops, that website would still show the lock icon and green address bar.
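To make the certificate trick above concrete, here is an added example (my own code, not Superfish’s or Lenovo’s software) written against Go’s standard library. It mints a self-signed root for a made-up adware vendor, uses that root to forge a certificate for www.bankofamerica.com (the way the adware did for every site, and the way anyone holding the leaked key can now), and then checks the forged certificate against two trust stores: a clean one that only trusts a genuine CA, and one where the vendor’s root has been added, which is what the installer did to Windows. The vendor name, the “Example Genuine CA”, and the key sizes are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate with the given common name. When parent is nil
// the result is a self-signed root CA; otherwise it is a server certificate for
// the host named by cn, signed by parent's key.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issuerIfTrusted verifies leaf for host against roots and returns the common
// name of the root that vouched for it (the "registration" in the text above),
// or the verification error if no trusted root did.
func issuerIfTrusted(leaf *x509.Certificate, host string, roots *x509.CertPool) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return "", err
	}
	chain := chains[0]
	return chain[len(chain)-1].Subject.CommonName, nil
}

// Outcome records how the same forged certificate fares against two trust stores.
type Outcome struct {
	CleanErr       error  // clean store: only the genuine CA is trusted
	PoisonedIssuer string // store with the adware root added: who vouched for the site
	PoisonedErr    error
}

// RunScenario mints a root for the (assumed) adware vendor, forges a certificate
// for host with it, and checks that certificate against both trust stores.
func RunScenario(vendor, host string) (Outcome, error) {
	genuineCA, _, err := issue("Example Genuine CA", nil, nil) // assumed name
	if err != nil {
		return Outcome{}, err
	}
	adwareRoot, adwareKey, err := issue(vendor, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	forged, _, err := issue(host, adwareRoot, adwareKey)
	if err != nil {
		return Outcome{}, err
	}

	clean := x509.NewCertPool()
	clean.AddCert(genuineCA)
	poisoned := x509.NewCertPool()
	poisoned.AddCert(genuineCA)
	poisoned.AddCert(adwareRoot) // the extra root the installer dropped into Windows

	var o Outcome
	_, o.CleanErr = issuerIfTrusted(forged, host, clean)
	o.PoisonedIssuer, o.PoisonedErr = issuerIfTrusted(forged, host, poisoned)
	return o, nil
}

func main() {
	o, err := RunScenario("Superfish, Inc.", "www.bankofamerica.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("clean trust store:", o.CleanErr)
	fmt.Println("with adware root: issuer =", o.PoisonedIssuer, "err =", o.PoisonedErr)
}
```

With the clean store the forged certificate fails with an unknown-authority error, which is the big browser warning. With the extra root installed the very same certificate verifies, and the only visible sign is that the root at the top of the chain is the vendor, not a public certificate authority. Nothing in the check depends on who holds the root’s private key, which is why leaking it is equivalent to handing every affected laptop’s trust to the public.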

Lenovo’s response

When Lenovo was confronted with this issue Thursday morning, they initially responded by sticking their head in the sand. Statements released to The Next Web (see update #2) and Ars Technica by Lenovo read in part:

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

This was clearly not the case and to Lenovo’s credit, they have since updated their original statement. Late Thursday, Lenovo’s Chief Technical Officer pledged to provide a tool to remove the Superfish software. On Friday, Lenovo made good on that promise by releasing that tool.

What should I do now?

If you have a Lenovo laptop, the easiest way to check if you’ve been affected is to use this web checker. It would also be a good idea to look at Lenovo’s Superfish website to see if your model may have been affected.

If you’re in the market for a new computer, I probably wouldn’t recommend buying a Lenovo computer for at least 6 months. Lenovo doesn’t seem to have intentionally acted maliciously, but since they’ve done something this bad, it makes you wonder what else they might have done. I really think they will sort this out and should be a better company as a result of it in the future.

If you know me, you probably know that I like Apple’s technology. That’s true, but I’m not going to tell everyone to switch to a Mac. If I was in the market for a Windows laptop (I’m not because I’m a relatively poor college student), a Lenovo Yoga series laptop would have been among my top choices. At the moment? Not so much. In a year or two? I’d be willing to consider it.

Additional sources

InfoSec Taylor Swift (@SwiftOnSecurity): “Goodbye Lenovo, and thanks for all the Superfish.” [parody]

Ars Technica: Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated]

Ars Technica: Lenovo CTO says, “We didn’t do enough,” promises to wipe Superfish off PCs

Ars Technica: How to remove the Superfish malware: What Lenovo doesn’t tell you

Fast Company: The worst thing about Lenovo’s adware isn’t the adware

PCWorld: Lenovo preinstalls man-in-the-middle adware that hijacks HTTPS traffic on new PCs

PCWorld: How to remove the dangerous Superfish adware preinstalled on Lenovo PCs

Hotel Operators Petition FCC for Wi-Fi Management Authority

Glenn Fleishman has written a very good summary for Boing Boing of Marriott’s petition to the FCC to allow hotel operators to manage Wi-Fi networks on their premises.

Glenn explains that these techniques may adhere to the letter of the law, but certainly not the spirit of the law:

Rogue AP detection and mitigation relies on the fact that much of the handshaking between devices in Wi-Fi connections isn’t validated. A network-management system can prevent clients from associating with Wi-Fi networks under its control in a number of ways, but they can also block wireless devices from connecting with other networks that are in range. This typically involves sending deauthentication frames—frames are data packets in the wireless world—that either or both spoof the client or base station. (This is also a way to launch a denial-of-service attack, by a rogue hotspot spewing out such frames against legitimate local usage.)

I’m sympathetic to the stated desires of hotel & conference operators, schools, universities, and businesses. Customers & students expect these networks to work, even (or especially) when their own hotspots don’t. Businesses & schools have understandable concerns about user security.

However, unlicensed spectrum is intended for anyone to use pretty much however they want (as long as the equipment is certified & isn’t modified). Allowing these organizations to effectively control who can operate certain devices in this spectrum seems to go against the intent of these rules.

Glenn does a good job of explaining this issue in detail while also keeping it understandable to normal folks. The whole article is worth a read if you’re interested in this topic.

January 2, 2015 4:00 pm Update: Marriott issued a statement clarifying that the requested network management authority would only be used to identify & disable malicious devices in conference venues. While it is encouraging to see this clarification, the FCC needs to clearly define malicious actions that permit use of these techniques, should the FCC allow them in the future.
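Because the quoted paragraph hinges on the fact that 802.11 management frames are not validated, here is an added example (my own code, not from Glenn’s article or any vendor’s product) in Go that decodes the fixed header of a management frame, pulls the reason code out of deauthentication and disassociation frames, and flags any claimed transmitter address that sends a burst of them. The capture it runs on is constructed inline (the addresses and counts are made up); the frame layout, subtype numbers and reason codes are the standard ones. The caveat is the whole point of the passage: the detector can see a deauth flood, but since the transmitter address is unauthenticated it cannot tell a hotel’s “management system” from anyone else spoofing the same address.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// 802.11 management frame subtypes (frame type 0) and the fixed header size.
const (
	subtypeBeacon   = 8
	subtypeDisassoc = 10
	subtypeDeauth   = 12
	mgmtHeaderLen   = 24 // frame control, duration, three addresses, sequence control
)

// Frame holds the fields of a management frame that a monitor cares about.
type Frame struct {
	Subtype     uint8
	Receiver    net.HardwareAddr // Address 1
	Transmitter net.HardwareAddr // Address 2: whatever address the sender claims
	BSSID       net.HardwareAddr // Address 3
	Reason      uint16           // deauth/disassoc only
}

// ParseMgmt decodes the fixed MAC header of a management frame. Nothing in the
// header is authenticated, so Transmitter is simply what the sender wrote there.
func ParseMgmt(b []byte) (Frame, error) {
	if len(b) < mgmtHeaderLen {
		return Frame{}, fmt.Errorf("short frame: %d bytes", len(b))
	}
	fc := b[0] // bits 0-1 protocol version, 2-3 type, 4-7 subtype
	if fc&0x03 != 0 || (fc>>2)&0x03 != 0 {
		return Frame{}, fmt.Errorf("not an 802.11 management frame (frame control 0x%02x)", fc)
	}
	f := Frame{
		Subtype:     fc >> 4,
		Receiver:    net.HardwareAddr(append([]byte(nil), b[4:10]...)),
		Transmitter: net.HardwareAddr(append([]byte(nil), b[10:16]...)),
		BSSID:       net.HardwareAddr(append([]byte(nil), b[16:22]...)),
	}
	if f.Subtype == subtypeDeauth || f.Subtype == subtypeDisassoc {
		if len(b) < mgmtHeaderLen+2 {
			return Frame{}, fmt.Errorf("deauth/disassoc frame missing reason code")
		}
		f.Reason = binary.LittleEndian.Uint16(b[mgmtHeaderLen:])
	}
	return f, nil
}

// DeauthFlood counts deauth and disassoc frames per claimed transmitter and
// returns the addresses that sent at least threshold of them in the sample.
func DeauthFlood(frames [][]byte, threshold int) map[string]int {
	counts := map[string]int{}
	for _, raw := range frames {
		f, err := ParseMgmt(raw)
		if err != nil || (f.Subtype != subtypeDeauth && f.Subtype != subtypeDisassoc) {
			continue
		}
		counts[f.Transmitter.String()]++
	}
	for addr, n := range counts {
		if n < threshold {
			delete(counts, addr)
		}
	}
	return counts
}

// buildMgmt assembles a management frame header, plus the reason code for
// deauth/disassoc, the way any transmitter can; used here only to build the
// constructed sample capture below.
func buildMgmt(subtype uint8, receiver, transmitter, bssid net.HardwareAddr, reason uint16) []byte {
	b := make([]byte, mgmtHeaderLen, mgmtHeaderLen+2)
	b[0] = subtype << 4 // version 0, type 0 (management), subtype in the high nibble
	copy(b[4:10], receiver)
	copy(b[10:16], transmitter)
	copy(b[16:22], bssid)
	if subtype == subtypeDeauth || subtype == subtypeDisassoc {
		b = append(b, byte(reason), byte(reason>>8)) // little-endian reason code
	}
	return b
}

// SampleFrames is a constructed capture, not real traffic: one beacon from the
// venue AP, a burst of broadcast deauths whose transmitter field claims to be a
// guest's hotspot, and one ordinary deauth from the venue AP itself.
func SampleFrames() [][]byte {
	venueAP := net.HardwareAddr{0x02, 0x00, 0x00, 0x00, 0x01, 0x01}      // assumed
	guestHotspot := net.HardwareAddr{0x02, 0x00, 0x00, 0x00, 0xaa, 0x01} // assumed
	client := net.HardwareAddr{0x02, 0x00, 0x00, 0x00, 0xcc, 0x01}       // assumed
	broadcast := net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}

	frames := [][]byte{buildMgmt(subtypeBeacon, broadcast, venueAP, venueAP, 0)}
	for i := 0; i < 6; i++ { // reason 7: class 3 frame received from nonassociated station
		frames = append(frames, buildMgmt(subtypeDeauth, broadcast, guestHotspot, guestHotspot, 7))
	}
	frames = append(frames, buildMgmt(subtypeDeauth, client, venueAP, venueAP, 3)) // reason 3: station leaving
	return frames
}

func main() {
	for addr, n := range DeauthFlood(SampleFrames(), 5) {
		fmt.Printf("%d deauth/disassoc frames claim to come from %s\n", n, addr)
	}
}
```

Run against the constructed capture it reports six frames claiming to come from the guest hotspot and stays quiet about the venue AP’s single, ordinary deauth. Whether that burst is a containment system “mitigating” the hotspot or a denial-of-service from a stranger in the lobby is exactly what the frame format cannot tell you, which is why the FCC question in the post matters.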

Hello, World!

My name is Nathan Clague. I’m a student in Software Engineering and am planning to join the workforce in the near future.

I’ve wanted to start blogging for a while, but for various reasons I’ve always put it off. That ends today. I don’t have all of the details figured out. I still need to decide some things like site theme, post frequency, and website layout. On the other hand, I want to be able to write a post when I feel compelled to. I’ll work out the remaining details as I go.

Some of the topics I want to cover include technology news (mostly Apple-centric), computer security, software reviews, and some how-to guides. I realize that most in my audience probably aren’t as technically inclined as I am, so I will try to keep posts as simple as possible and try to clearly explain complex topics.

I may also write a little bit about transportation, broadcasting, music, and social issues. In short, I want to write about topics that interest me, that I have some knowledge about, and that would be interesting to others.

I’ve created the @nathanclaguecom Twitter account for this site. Feel free to follow this account for notifications of new posts. I ask that you direct all feedback to this account so that I don’t have to manage a comment system. Comments may be retweeted occasionally, but I will keep all tweets relevant to the site as much as possible.

I hope everyone enjoys reading this site and has a great year in 2015.