Superfish, Privdog and other Scary Beasts


You may have heard something about Lenovo computers and something called “Superfish”. (If you’ve actually heard of “Privdog”, you can skip the rest of this article – you’re already well ahead of the game.)

Superfish is a company that makes a piece of software called “Visual Discovery”. How bad is it? Somewhere between “Seriously Bad” and “Apocalyptic”, depending on how many machines actually have it and how quickly it can be exploited. It’s software that tracks what you’re looking at on the web and finds similar things to suggest to you; you’re probably already familiar with this process if you have any sort of Google account.

The company decided that its software should be able to see what you’re doing all the time, even if what you’re doing is supposedly secured. When you connect to a secured site (one that uses “https” instead of “http”), the site is supposed to prove that it is who it says it is. This is good, but it means that Visual Discovery couldn’t see what was going on over a secure connection. What Visual Discovery does is simple: it sets itself up as a Certificate Authority (an entity that vouches for certificates) and acts as a proxy, meaning all of your traffic has to go through it. So when you connect to Citibank, it actually stops your connection and then makes its own connection to Citibank. This means that all of your traffic is now unencrypted at that point, so Visual Discovery can read it and show you some ads.

“But wait,” I hear you say. “I started an encrypted session! Surely my browser isn’t going to let it just go unencrypted and not warn me!” That’s true. So, to keep you from being scared off by a bunch of browser warnings, Visual Discovery uses its own certificate to re-encrypt the traffic and send it to your browser. However, since your browser thinks it should be talking to Citibank, VD has to lie to it and say that yes, you are in fact connected to Citibank.

Anyone on the same network as a machine or machines running Visual Discovery can make his own certificates, not only for sites but for software, meaning that when you think you’re connecting to your bank and getting their banking app, you’re actually connecting to another site and running the software that the deceitful person wants you to run.

If you have a new Lenovo laptop (made since October 2014), you should be thinking about having it wiped and having a new version of Windows (NOT Lenovo’s version) installed. Obviously, most OCES computers aren’t Lenovos, and as far as we know, don’t have any of Superfish’s software on them. However, that may not be good enough.

PrivDog is a piece of software made by Comodo. It also sets itself up as a proxy with a trusted root certificate and looks at the secure traffic, for much the same reason. Unlike VD, PrivDog uses a different certificate on every system, so it’s not vulnerable to an attacker making fake certificates. The problem it has is simpler, but still bad: PrivDog doesn’t verify the certificates it gets from sites. That means that if you connect to a bogus site, instead of getting a warning, you’ll just be connected. In other words, you could still find yourself on an attack site without any warning from your browser.
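Both products described above (Visual Discovery and PrivDog) work by installing their own root certificate, together with its private key, in the Windows trusted root store so that the proxy can sign certificates on the fly. A normal root certificate from a public Certificate Authority never has its private key on your machine, so a trusted root that does is a strong sign of this kind of interception software. The following is an added example, not code from the newsletter or from Lenovo, Superfish or Comodo; it assumes Windows PowerShell with the Cert: drive, and the name patterns “Superfish” and “PrivDog” are assumed search terms based on the products discussed, not the exact certificate subjects.

```powershell
# Added example: report trusted root certificates that look like interception roots.
# Checks both the machine-wide and the current user's root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Assumed name patterns for the products discussed in the article.
$suspectNames = 'Superfish', 'PrivDog'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()

        # A genuine public CA root never ships its private key to end-user machines;
        # a root with a usable private key here can sign certificates for any site.
        if ($_.HasPrivateKey) {
            $reasons += 'private key is present on this machine'
        }

        foreach ($name in $suspectNames) {
            if ($_.Subject -match $name) {
                $reasons += "subject matches '$name'"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No suspicious root certificates found in the checked stores.'
}
```

Run it in an elevated PowerShell session so the LocalMachine store is fully readable. A hit on the private-key test is worth reporting to IT even if the subject name is unfamiliar, since other interception products leave the same fingerprint. Deleting the certificate by itself is not a fix: the proxy software that installed it is still running and can reinstall it, which is why the article’s advice for an affected Lenovo machine is a clean reinstall of Windows.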

There don’t appear to be many people affected by this – perhaps only about 6,000 potential victims in the US, since it only affects those who installed certain Comodo products. (It’s unclear exactly which ones – it might be a good idea to contact DASNR IT if you have installed anything from Comodo.) Please contact DASNR-IT if you have installed software from any of the following:

  • CartCrunch Israel LTD
  • WiredTools LTD
  • Say Media Group LTD
  • Over the Rainbow Tech
  • System Alerts
  • ArcadeGiant
  • Objectify Media Inc
  • Catalytix Web Services
  • OptimizerMonitor

This kind of willful breaking of the chain of trust that is used to secure the internet has the potential to be really dangerous; whether any of these iterations will be the fatal one remains to be seen.

Source: Scott Wilson

Originally posted in the March 2015 edition of the OCES Extension Exchange Newsletter.
