Tuesday, February 24, 2015

Noodling down in the Bayou for Superfish-like SSL Shenanigans

Come on in and get mucky. The Bayou water is cold but fine. Nothing in here that won’t probably bite you (hard enough to draw blood) or cause weird growths (on your system) if you dip in.

When we last hauled in the Superfish mess, Lenovo had ping-ponged back and forth: first it was not a problem, then they conceded it was a problem, issued a removal tool, and have now gone into apology mode.

Great. We are making progress.

Only, as time goes on and the security folks noodle the bayou, they keep hauling out additional examples of this exploit, and the mess grows deeper.

I don’t Twitter but do manually follow InfoSec Taylor Swift (@SwiftOnSecurity) and found this mindful tweet in the stream:

I think it is a great point of context with all the SuperCookies, mobile-app ID trackers, and the whole Internet of Things (IoT) we now live with daily.

So where are we now with this Superfish story?

This post is excellent (and highly Valca recommended for IT readers of all age levels) to bring everyone up to speed on the dangers of third-party “enhanced” download and installer file bundling.

Even more companies are using the same technique as Superfish: installing their own root certificate, hijacking HTTPS connections through a local proxy, and disabling HTTPS certificate validation along the way.

The post goes into ways to check your Trusted Root Certification Authorities store and look for the HTTPS MITM hijackers that it lists.

Then there are some very good recommendations and reminders for protection against that threat.
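As an added illustration (not code from the linked post or its author), here is a PowerShell pass over the Windows Trusted Root stores along the lines the post describes. The vendor-name match list and the "root CA with a private key on this box" heuristic are my assumptions, not something the post specifies.

```powershell
# Added example: scan the Windows Trusted Root stores for root certificates
# that look like Superfish / Komodia / PrivDog style HTTPS interception roots.
# Two heuristics:
#   1. Subject or Issuer contains one of the vendor names the post mentions
#      (this list is an assumption; extend it as new vendors are reported).
#   2. A root CA whose private key is present on this machine. A genuine public
#      CA never ships its signing key to endpoints; a local interception proxy
#      must have it to forge site certificates on the fly.
$SuspectNames = @('Superfish', 'Komodia', 'PrivDog')   # assumed match list
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$Findings = foreach ($store in $Stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $nameHits = $SuspectNames | Where-Object {
            $cert.Subject -match $_ -or $cert.Issuer -match $_
        }
        $reasons = @()
        if ($nameHits)           { $reasons += "name matches: $($nameHits -join ',')" }
        if ($cert.HasPrivateKey) { $reasons += 'private key present for a root CA' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = $reasons -join '; '
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    'No suspicious root certificates found in the scanned stores.'
}
```

Run it from an elevated prompt so the LocalMachine store is fully visible, and treat any hit as a lead to investigate (compare the thumbprint against the vendor's published values) rather than as proof by itself.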

Test to see if your browser(s) are vulnerable:

Superfish, Komodia, PrivDog vulnerability test – Filippo.IO

Filippo Valsorda has coded up a page that allows you to visit it with EACH of your installed web-browsers to see if they are vulnerable to the Superfish, Komodia, PrivDog vulnerability. Easy to do and a great place to start assessing your system’s security.

Now for noodling in deeper waters:

Feed Me!

I want to highlight these blogs, which provided much of the research and analysis documentation listed here. Some offer RSS feeds and have ongoing posts on themes that may be useful for the for/sec crowd. I’m always on the lookout and want to draw attention to the work behind great technical writers and researchers.

Constant Vigilance!

--Claus Valca
