NaCreSoMo Day 2: Catching up on my security vulnerability series, where I learn a new song on guitar and then promptly replace the lyrics to draw attention to a critical internet security issue.
Today it’s February’s issue: Superfish.
If you’re on a slow internet connection, you might want to download the audio instead.
Superfish is basically a man-in-the-middle (intercept) attack, happening locally: it captures all your traffic and pretends to be the secure server between your browser and whatever you’re actually trying to reach. To do this, it has to circumvent the trust system that holds up the entire internet (that little lock icon in your location bar); long story short, their less-than-perfect implementation ended up letting not only them, but anybody else, impersonate arbitrary servers.
If you haven’t already, please check if you’re infected.
Anyway, the company that made this malignant software, Komodia, sold it to several clients, including one called Superfish. Superfish used it to insert ads into web pages you visit. That’s it. They sacrificed your privacy and security for ads.
And they made a deal with Lenovo, the PC vendor, to have their software preinstalled on new Lenovo machines. That means thousands if not millions of laptops that can’t internet correctly.
Again, please check if you’re infected. (If you’re not running Windows, it’s unlikely that you’ll be affected, but it probably doesn’t hurt to check if someone’s figured out how to port it to OS X or Linux.)
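For the Windows folks, here’s an added example (my own, not part of the original post or anything Lenovo shipped) of what “check if you’re infected” looks like from the defender’s side: a PowerShell snippet that audits the trusted-root certificate stores for entries whose subject contains the vendor names from this post. It assumes the injected root’s subject text contains “Superfish” or “Komodia” (the patterns are an assumption, not a published indicator) and that you run it from an elevated prompt so the machine-wide store is readable.

```powershell
# Added example (not from the post): audit the Windows trusted-root stores for
# certificates whose subject contains the vendor names mentioned above.
# Assumptions: the injected root's subject contains "Superfish" or "Komodia";
# run from an elevated PowerShell prompt so LocalMachine\Root is readable.
$suspectPatterns = @('*Superfish*', '*Komodia*')
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        # Save the certificate's subject before the inner pipeline rebinds $_
        $subject = $_.Subject
        $suspectPatterns | Where-Object { $subject -like $_ }
    } | Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if ($hits) {
    Write-Output 'Suspicious root certificates found:'
    $hits | Format-Table -AutoSize
    # Removal is a separate, deliberate step once you have confirmed the finding:
    # $hits | ForEach-Object { Remove-Item -Path ("{0}\{1}" -f $_.Store, $_.Thumbprint) }
} else {
    Write-Output 'No root certificates matching the suspect names were found.'
}
```

A hit in either store means something other than Windows itself put a root of trust on your machine. Deleting the certificate closes the impersonation hole, but the software that installed it is still there and can re-add it, so uninstall that too.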
Oh, and the same week we found out that the US and UK together hacked a major SIM card vendor, meaning that you should assume all cell phone calls are being tapped these days. If you want to do something about this, use apps to communicate, specifically ones that treat security as a feature rather than an afterthought.
Anyway, um, enjoy the song. Apologies for the lousy audio; I’ll use a better mic next time.
This one’s for the users with Lenovo systems
Sturdy and reliable’s the market wisdom
Sell at a nice price, you be savin’ up
Got Windows on disk version 8.1
And it’s ’lil, it’s real, you think it’s a deal
But little do you know what else’s on the bill
Some company wants to put ads in your browser
Even HTTPS now they have the power
It’s a one, two punch: first claim to be God
Then intercept your connections and do what they want
And now when you try to load some video or text
Here’s what happens when your browser connects
She says, excuse me, this connection’s secure
Could you kindly proffer your certificate sir?
And the server says sure, and he gives it to her
And she checks it against the list of keys registered
Yes they did, yes they did,
Superfish put themselves into that list
It’s for absolute trust and they just say it’s all right,
and your info is leaked, and it ruins your life
Hey, you got that malware ruining your day
Snooping any traffic that’s coming your way
Yeah you got that root, r-r-r-root, r-r-root cert
You got that Superfish
Root, r-r-r-root, r-r-root cert
You got that Superphish
SIM cards cracked by the US and UK
They can hear every single thing you say
No, no, no, no, no, no NSA (ay-ay)
But Lenovo’s the one who’s here today
Komodia pretends that they’re a CA
Install their root, r-r-r-root, r-r-root cert
Masquerade as any site upon this Earth