Friday

Shame on You Lenovo - Superfish Scandal

Imagine you were a hardware manufacturer and you'd been discovered installing something that made you money whilst simultaneously breaking one of the most important security aspects of your customers' web browsers. Now try to picture the apology you'd have to write for this disgraceful, greedy and technically inept behaviour. Well, you can read it here -

Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing.  However, user feedback was not positive, and we responded quickly and decisively:

This is the apology that Lenovo has written on its web page in response to the Superfish scandal. Make no mistake, Lenovo has been guilty of the most appalling disregard for both its customers' privacy and their online safety.

So What is Superfish?

Well, despite what Lenovo is waffling on about product search technology, Superfish is simply adware which it installed on thousands of computers and laptops. Its function was to hijack your web browsing and inject adverts when you searched, which of course earned Lenovo commission for displaying them. What was worse is that this adware actually performed a man-in-the-middle attack on your web browser in order to decrypt the traffic.

Superfish Breaks Security

It's appalling: Superfish actually installed a false self-signed certificate which it used to decrypt your personal browsing. It's exactly the same method that a hacker or identity thief would use to steal usernames and accounts from encrypted HTTPS traffic. What's worse is that even if Lenovo didn't actually steal your data directly, by 'breaking' HTTPS and using a standard, false and duplicated root CA certificate it made hacking into that machine much, much easier for anyone else.
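A rogue root of this kind sits in the machine's trust store, so it can be hunted for there. The following is an added example, not code from the original post: it scans CA entries in the layout returned by Python's `SSLContext.get_ca_certs()` for subjects matching a watchlist. The watchlist, the helper names and the sample store are assumptions constructed for illustration.

```python
import ssl

# Assumption: subject substrings to hunt for. "Superfish" is the name from this
# page; add other unwanted issuers for your own fleet.
WATCHLIST = ("superfish",)

def flatten(name):
    """Collapse the ssl module's nested RDN tuples into {field: value}."""
    return {key: value for rdn in name for key, value in rdn}

def find_suspect_roots(ca_certs, watchlist=WATCHLIST):
    """Return trusted CA entries whose subject matches the watchlist."""
    hits = []
    for cert in ca_certs:
        subject = flatten(cert.get("subject", ()))
        issuer = flatten(cert.get("issuer", ()))
        text = " ".join(subject.values()).lower()
        if any(term in text for term in watchlist):
            hits.append({
                "subject": subject,
                "self_signed": subject == issuer,  # name comparison only
                "serial": cert.get("serialNumber"),
            })
    return hits

def audit_local_store():
    """Audit the CA certificates Python loads from the OS default locations.
    Note: certificates in a capath directory are only listed once used."""
    return find_suspect_roots(ssl.create_default_context().get_ca_certs())

def _name(org, cn):
    # Hypothetical helper: builds a name in the ssl module's tuple layout.
    return ((("organizationName", org),), (("commonName", cn),))

# Constructed entries in the dict layout SSLContext.get_ca_certs() returns.
SAMPLE_STORE = [
    {"subject": _name("Example Trust Services", "Example Root CA"),
     "issuer": _name("Example Trust Services", "Example Root CA"),
     "serialNumber": "01"},
    {"subject": _name("Superfish", "Superfish sample root"),
     "issuer": _name("Superfish", "Superfish sample root"),
     "serialNumber": "PLACEHOLDER-SERIAL"},
]

if __name__ == "__main__":
    for hit in find_suspect_roots(SAMPLE_STORE) + audit_local_store():
        print("UNWANTED ROOT:", hit["subject"], "serial", hit["serial"])
```

Applications that keep their own certificate store are not covered by `audit_local_store()` and need to be checked separately.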

So it was not surprising that 'user feedback was not positive', as here's a brief summary -

  • Lenovo secretly installs adware on brand new machines.
  • Machines are then sold to customers.
  • Superfish installs a false SSL certificate when accessing secure sites.
  • Superfish then performs a man-in-the-middle attack to decrypt HTTPS traffic.
  • Fee paying adverts are displayed in your browser window to earn Lenovo commission.
  • Superfish effectively makes the machine more vulnerable to other attacks.

Obviously computer and information laws vary across the world, but needless to say, what Lenovo did is skirting on the edge of criminality. Certainly as far as UK law goes, the updates to the Computer Misuse Act cover adware and specify that the installation should be clear and allow the consumer the choice of whether to run it. There are also numerous statements about unauthorised access and modifications to customers' computers.

Whatever the legal ramifications, what is certain is that Lenovo is quite happy to exploit its customers' security and privacy in order to make more money by installing adware. I for one will certainly never trust this company again and I would hope I am not alone.


Tuesday

Broken Smart DNS - Netflix Fights Back

For many people, finding ways to access the world's best media sites can be a full-time job. Depending on where you live, it can be very difficult to access anything online. Although many solutions exist for a computer, it becomes even more tricky to get these streams working on other network devices like Smart TVs, media streamers and tablets.

Which is why Smart DNS was becoming so popular: it was very simple and could be enabled on the majority of devices with ease. How it worked was surprisingly simple but very effective. All you had to do was change your DNS server to one of the Smart DNS enabled ones. That server would then intercept any requests for media sites which check your location and reroute the initial connection through an appropriate proxy server.

So if you were in France and wanted to access Hulu, for example, the Smart DNS server would route your initial connection through a US server, enabling the USA-only stream whilst having virtually no impact on speed! Some of the best Smart DNS service providers like Overplay even allowed you to specify your exact location. This was great for services like Netflix, as you could switch between any version of Netflix you required. For example, Netflix USA has by far the biggest choice, but Netflix UK has some great British content.


You could add the DNS setting to your TV, tablet or phone quickly and easily. In fact you could modify the DNS server which was supplied by your router and effectively enable every device in your home all at the same time. All your other browsing would not be affected and DNS requests would resolve normally: a great, efficient workaround if you used a fast service. However, even the dodgy DNS codes would work reasonably well and often worked for a couple of days rather than for just a couple of hours like free proxies.

However this all changed with the latest update to the Netflix interface, which has been rolling out over the last few weeks.  This update is not just to make the interface look prettier and easier to use (although it does) - it includes a function to break the Smart DNS workaround.

How does it break the Smart DNS Code Method?

It's surprisingly simple - the new Netflix interface hard codes the DNS servers to use. So whatever device you access Netflix from, it tries to use the Google DNS and OpenDNS servers for name resolution. This obviously completely bypasses the Smart DNS servers you have configured, and thus the redirection which fools the Netflix servers doesn't happen.

The result: if you're in the UK and try to get US Netflix, you'll get an error message. If you try to access Netflix from a country which doesn't have any version, you'll get completely blocked again. It's very frustrating, especially as you have to be paying for a Netflix subscription in the first place.

Fortunately, there is a fix, although how long it will work for I'm not sure. It involves ensuring that the Netflix application can't access the Google and OpenDNS servers, so that it falls back to your Smart DNS server. Currently it seems to work very well, but the method looks vulnerable; Netflix could go further to stop this. There are a variety of methods to achieve this DNS server block, but one of the best write-ups is here - Broken Smart DNS - the Fix - a fairly straightforward method of setting up a static route for each of the DNS servers which blocks access.

There are other options, and indeed many people will not have the facility to set up static routes on their routers. Basically you just need to ensure that the client cannot access those DNS servers; you could use firewalls, Internet security software, perhaps even your hosts file to redirect those requests (Windows will use the hosts file before any DNS resolutions are attempted). It just suddenly makes using Smart DNS much more complicated and requires some technical knowledge.
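Whichever blocking method is used, a firewall or router log shows which devices are ignoring the configured resolver and whether the block is holding. The following is an added example, not part of the original post: it reads constructed log lines in an assumed key=value layout and reports, per client, the unsanctioned DNS servers it reached or was blocked from. The configured resolver address is a placeholder from the documentation range.

```python
import re
from collections import defaultdict

# Assumption: the resolver the network hands out (placeholder address from the
# 192.0.2.0/24 documentation range). Any other port-53 destination is treated
# as a resolver hard-coded by the client.
CONFIGURED_RESOLVERS = {"192.0.2.53"}

# Constructed firewall log lines in a simple key=value layout (not a capture).
SAMPLE_LOG = """\
2015-03-03T20:14:07 ACTION=ACCEPT SRC=192.168.1.23 DST=192.0.2.53 PROTO=UDP DPT=53
2015-03-03T20:14:09 ACTION=ACCEPT SRC=192.168.1.40 DST=8.8.8.8 PROTO=UDP DPT=53
2015-03-03T20:14:09 ACTION=DROP SRC=192.168.1.40 DST=208.67.222.222 PROTO=UDP DPT=53
2015-03-03T20:14:10 ACTION=DROP SRC=192.168.1.40 DST=8.8.4.4 PROTO=TCP DPT=53
2015-03-03T20:14:12 ACTION=ACCEPT SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP DPT=443
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def hardcoded_dns_clients(log_text, configured=CONFIGURED_RESOLVERS):
    """Map client -> {"reached": set, "blocked": set} of unsanctioned resolvers."""
    report = defaultdict(lambda: {"reached": set(), "blocked": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("DPT") != "53" or "SRC" not in f or "DST" not in f:
            continue                      # not DNS, or an unparseable line
        if f["DST"] in configured:
            continue                      # client honours the configured resolver
        bucket = "blocked" if f.get("ACTION") == "DROP" else "reached"
        report[f["SRC"]][bucket].add(f["DST"])
    return dict(report)

if __name__ == "__main__":
    for client, seen in sorted(hardcoded_dns_clients(SAMPLE_LOG).items()):
        print(client, "reached:", sorted(seen["reached"]),
              "blocked:", sorted(seen["blocked"]))
```

A non-empty "reached" set means the block is incomplete for that client; the same report is useful on any network that relies on its own DNS server for filtering.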

Will Netflix pursue this further? They certainly could; their method would easily extend and indeed they could enforce those DNS requirements (or Netflix wouldn't work) - although they have to be careful that they don't cause other issues. It might be that Netflix will leave the current situation as it is, since it has made the use of Smart DNS more difficult and less appealing, certainly for accessing their service.


The Smart Phone Device That Can Steal Your ATM PIN

Technology can obviously bring huge benefits to society as a whole, but sometimes it can work the wrong way - at least when it's in the wrong hands.  Which is unfortunately the case with the amazing little gadget that has been recently released which works with the iPhone 5.

It's called the FLIR ONE and it's one of those wonderful little devices that you desperately want to have but just have to work out a justification for buying. It's basically a device which can turn your iPhone into a fully fledged infrared personal thermal image camera. So instead of trying to explain that, a picture will probably demonstrate exactly what it does.


As can be seen, you simply point it and you can see all the different temperatures of everything around you. It basically works by detecting the wavelength of infrared light being reflected; this varies with the temperature and so the FLIR ONE is able to detect the relative temperatures and display or take photos of them.

It's pretty neat, but unfortunately (or fortunately depending on your point of view), it has a rather impressive criminal potential, which may already be being exploited. You see, this device, if pointed at an ATM machine, has the potential to identify the relative temperatures of the keys on the machine. This temperature is of course caused by the fingers of the person who used the machine last. Hence it can be used to identify the key presses that constitute your PIN number from the residual heat from your fingers.

There have already been demonstrations of how this might work, but it always involved large clunky infrared equipment, which would be rather difficult to conceal. But imagine how much easier it is to just queue up behind people and then simply take a quick thermal photo before moving on.

Of course, they still need your card to actually be able to steal your cash, but the technology for that has been around for years, certainly in the murkier areas of the web and the Darknet. All you need is a $50 RFID reader and a $300 card magnetizing device and you have everything you need to steal and clone card details from anyone nearby carrying an RFID enabled card.

So there you are: a complete kit for creating a duplicate card and stealing the PIN number, all for about $750. What's worse, it involves little technical knowledge and all the gear can fit into a small bag!!!