Skip to content

Superfish Mk2

Featured Replies

So, Dell, not learning from the debacle of Superfish back in February on Lenovo kid, have decided to do exactly the same thing.

 

if you own a Dell machine, you should probably check here to see if you're potentially vulnerable https://edell.tlsfun.de/

 

Without launching into a techy explanation, if you're vulnerable to this, you're also vulnerable to pretty much anyone monitoring your "encrypted" connections on a public wifi network and being able to pull out any details they like.

I just removed Java today. Can't say I'm missing it yet

  • Author

It's not a bad idea, although Java would (probably) be safe from this - it's surprisingly difficult to add stuff to the Java keystore, so if you visited that site to try and load a malicious Java applet then it'd probably flag up and cause concern. More of an issue is that the way that certificate is installed in the default keystore, it significantly reduces your security in both IE and Chrome. Even if you think you're being smart by downloading a non-Microsoft browser, Chrome shares the built-in Windows keystore so ultimately trusts the same set of certificates...

My Dell wot I iz using now, seems to be fine :)

  • Author

http://www.theregister.co.uk/2015/11/23/dell_security_nightmare_gets_worse/

 

Yep Dell in trouble with this.

 

I can imagine a lot of lawyers in the US about to start a bidding war for a class action.

I'm sure the EU Data Commissioners will be taking a close interest.

 

Apparently they also shipped a code-signing certificate from Atheros with their Bluetooth drivers. This expired in 2013, but it wouldn't surprise me if there was a way of emulating the timestamping procedure on a box which thinks it is still 2013, and therefore extending the validity of the signature outside of the actual lifetime of the certificate...

Not sure I understand quite what's going on, but according to this article, dell are pushing through an update to address this problem.

Not sure I understand quite what's going on, but according to this article, dell are pushing through an update to address this problem.

 

Dell put in their software (a bit like Lenovo did last year) which plays a bit fast and loose with security certificates.

Certificates are what lets you communicate secure over the internet. I.e. when you see the little padlock when you're shopping online, that's all done via certificates.

 

Dell put in software that made their secret certificate a special one that is at the top of the tree. What this meant, the reason for all teh drama, was that anyone that could get the special dell certificate (not hard) could use this to carry out a Man in the Middle attack (MITM) and intercept your data when you thought it was secured. So you go to Amazon, check for the padlock think you're safe but Dell (or anyone who decided to be evil with this certificate) could look at your data anyway, personal details, credit card numbers everything. And they could do this MITM attack on any site you went to.

 

I suspect we'll find in teh coming months that this was a 'rogue' employee acting on their own discretion. Quite possible the same 'rogue' employee that did the dirty at VW.  Since it couldn't be the board being utter ****s and trying to track customers, nooooo no responsible company would do that....(Dell, Lenovo, Samsung, Sony etc).

  • Author

My take is that it's clearly a backhanded advertising deal, like Superfish, but that Dell were somehow stupid enough to actually put their own name on it which will make their ultimate "defence" of it being a third-party contracted software product even flimsier than it was in the Lenovo case.

Dell put in their software (a bit like Lenovo did last year) which plays a bit fast and loose with security certificates.

Certificates are what lets you communicate secure over the internet. I.e. when you see the little padlock when you're shopping online, that's all done via certificates.

 

Dell put in software that made their secret certificate a special one that is at the top of the tree. What this meant, the reason for all teh drama, was that anyone that could get the special dell certificate (not hard) could use this to carry out a Man in the Middle attack (MITM) and intercept your data when you thought it was secured. So you go to Amazon, check for the padlock think you're safe but Dell (or anyone who decided to be evil with this certificate) could look at your data anyway, personal details, credit card numbers everything. And they could do this MITM attack on any site you went to.

 

I suspect we'll find in teh coming months that this was a 'rogue' employee acting on their own discretion. Quite possible the same 'rogue' employee that did the dirty at VW.  Since it couldn't be the board being utter ****s and trying to track customers, nooooo no responsible company would do that....(Dell, Lenovo, Samsung, Sony etc).

 

Is there a sound reason for Dell to do this? is it linked to system check-ups? Seems an odd thing to install if there was no reason to do so. Unless, as you say, VW was involved...

 

 

 

oh heck, here comes another conspiracy thread

Is there a sound reason for Dell to do this? is it linked to system check-ups? Seems an odd thing to install if there was no reason to do so. Unless, as you say, VW was involved...

 

 

 

oh heck, here comes another conspiracy thread

 

Lenovo did it as a way to push their adverts onto customers PCs to make money.

I would suspect Dell was doing something similar.

 

However it's a diabolical thing to have done since to make some money from adverts (that their customers don't want) they put all of those customers at some considerably risk.

 

Metaphorically like Toyota deciding to make a skeleton key that opens all cars for 'their' staff so that 'their' people can drop paper adverts in your car which Toyota gets paid for. They don't tell any customer that this skeleton key exists or that they are going to get adverts pushed into their cars.

They assume that no one who is bad would ever figure out or get hold of they same key and use it to nick the cars or rake through peoples possessions.

The reality of the world being that the bad guys probably pay people in Toyota to get hold of the keys and probably have them before the car is released.

 

(dear lawyers I've picked Toyota at random could be anyone)

 

Or another real example David Cameron saying he wants to ban encryption on the internet then back pedals frantically to say he wants good encryption for everyone but encryption that the security services can open.

It's a farcically stupid assumption that encryption that can be made with a backdoor that only the good guys can open.

 

http://www.theregister.co.uk/2015/10/28/government_will_not_pass_laws_to_ban_encryption_says_baroness_shields/

 

<-angry security guy.

Edited by Aspman

  • Author

Is there a sound reason for Dell to do this?

 

I thought advertising (you can run a process to inject ads into HTTP pages easily, but HTTPS should protect you from that, you would need to do what Lenovo/Dell have done in order to inject ads into HTTPS pages such as Google, Facebook, Hotmail, etc). But their official statement reckons it was to do with the software they run to detect and send the service tag of your computer to their website to make searching for driver updates easier.

 

Which is pretty much nonsense, because while such code should be signed with a trusted certificate to verify that it hasn't been tampered with since leaving Dell, the correct way of doing this when you're a company the size of Dell is to:

 

1) pay for a commercial code signing certificate which would be trusted by the certs present in every Windows installation already, not adding your own CA

2) DO NOT ship private key with said certificate/CA, ever. If the tool was signed with a proper cert, they wouldn't need to ship anything; Windows would check the cert on the tool, see that it's signed by a cert that Windows already trusts, no problem there. If Dell must add their own CA, then shipping the public CA certificate is enough to be able to verify that the tool was trusted by Dell, but would not have allowed any Tom, **** or Harry to extend this trust to anything else. By shipping a CA with the private key, everyone can now impersonate Dell for nefarious purposes.

 

As an example, someone could get you to install an "updated" version of Dell's system tool, which they had signed with the eDellRoot CA certificate; this tool may then get installed by you with admin privileges, giving them a backdoor into the whole system with elevated privileges allowing them to encrypt/ransom/steal the contents of your computer. They could create website certificates which would be trusted by your computer, and monitor your online banking sessions if you ever do it from a public wifi network (which people do, because they trust HTTPS to keep their data safe, which it can when it's not fiddled with in the way Lenovo/Dell have done).

  • Author

To add to Aspman's examples, it's a bit like the fact that there was a leaked image on Imgur of all the TSA approved master keys, in enough detail to be able to 3D print your own copy of them.

 

The master keys exist because of the TSA's requirement that they can verify the contents of your luggage (which is a bit like the Dell CA existing in order to verify Dell software is legit). But now those images are available, everyone's luggage with a TSA approved lock should now be considered compromised and untrusted (just like the Dell CA which everyone can now issue certificates from).

 

I can only apologise for the crappy analogies, I sort of know what I'm on about in this area, but struggle greatly with putting things into plaintext terms that non-IT people might understand....tl;dr, it's bad behaviour, it was bad enough when Lenovo did it and got caught, but at least they had the defence of being the first. For Dell to get caught 6 months after that episode makes it even more stupid.

It's a sad world we live in. :(

  • Author

I agree, for many reasons.

 

It's a sad world when buying a laptop (which isn't yet what I'd call cheap) isn't enough to make it "yours" - software is already moving towards a subscription model where you're permitted to "borrow" software as long as you keep paying, maybe hardware is going the same way, just more subtly (subscription service to remove the ads from your own computer, otherwise they're injected outside of your control? Technically possible, with things like this...)

It's a sad world when people aren't willing to pay for quality and are happy to give away personal information (either willingly to Facebook et al, or unwillingly due to something like this) in order to save a few pounds

It's a sad world when our own Government are so utterly clueless when faced with technology

It's a sad world when said Government is quite happy to "sell off" their own citizen's right to privacy, even though it's been demonstrated that it'll do nothing to help their claimed goal

It's a sad world when I can't find Beef and Onion crisps on their own without having to buy a 'They're back' multi-pack :(

  • Author

Upgrade to Brannigan's Beef and Mustard, they sell them in the corner shop over the road from me. Pretty expensive for a standard sized bag of crisps, but pretty tasty.

It's a sad world when I can't find Beef and Onion crisps on their own without having to buy a 'They're back' multi-pack :(

 

Then you have to take the salt and vinegar you don't want.

 

It's an environmental tragedy.

There is a meaty special multi-pack that has beef and Onion and M&S do their own version of them.

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.