« The crooked PC maker #Lenovo ships its junk with pre-installed #adware, which displays ads in your web sessions. Far worse, the browser is pre-configured with a rogue Certificate Authority [Ed. note: X509] (#SuperFish), which makes it possible to break [Ed. note: bypass, rather: one of the 2 parties to the communication is compromised] TLS (Man-in-the-Middle attack) and thus to inject ads even into HTTPS sessions. Only solution: reformat any PC you buy and put a trustworthy operating system on it (while waiting for the capitalist companies to put the malware in the BIOS). » +1 :'(
« It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time.
The adware, named Superfish, is reportedly installed on a number of Lenovo’s consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user’s permission.
[...]
A Lenovo community administrator, Mark Hopkins, wrote in late January that the software would be temporarily removed from current systems after irate users complained of popups and other unwanted behavior:
[...]
Other users are reporting that the adware actually installs its own self-signed certificate authority [Ed. note: self-signed? That is normal for a CA certificate] which effectively allows the software to snoop on secure connections, like banking websites as pictured in action below.
This is a malicious technique commonly known as a man-in-the-middle attack, where the certificate allows the software to decrypt secure requests [...] If this is true — we’ve only seen screenshots so far — Superfish could be far more dangerous than just inserting advertising.
[...]
Reports of Superfish being pre-loaded on Lenovo computers have appeared on forums as early as mid-2014.
[...]
Update: Mozilla Firefox does not appear to be affected by the SSL man-in-the-middle issue, because it maintains its own certificate store. »
« A pretty shocking thing came to light this evening – Lenovo is installing adware that uses a “man-in-the-middle” attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE.
However Superfish’s software has quite a reputation. It is a notorious piece of “adware”, malicious advertising software. A quick search on Google reveals numerous links for pages containing everything from software to remove Superfish to consumers complaining about the presence of this malicious advertising tool.
Superfish Features:
Hijacks legitimate connections.
Monitors user activity.
Collects personal information and uploads it to its servers
Injects advertising in legitimate pages.
Displays popups with advertising software
Uses man-in-the-middle attack techniques to crack open secure connections.
Presents users with its own fake certificate instead of the legitimate site’s certificate.
[...]
This presents a security nightmare for affected consumers.
Superfish replaces legitimate site certificates with its own in order to compromise the connections so it can install its adverts. This means that anyone affected by this adware cannot trust any secure connections they make.
Users will not be notified if the legitimate site’s certificate has been tampered with, has expired or is bogus. In fact they now have to rely on Superfish to perform that check for them. Which it does not appear to do.
Because Superfish uses the same certificate for every site it would be easy for another hostile actor to leverage this and further compromise the user’s connections.
The user has to trust that this software which has compromised their secure connections is not tampering with the content, or stealing sensitive data such as usernames and passwords.
If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers banking sites, personal data and private messages. »
EDIT of 19/02/2015 at 13:55:
« Clubic explains, however, that a manipulation lets you avoid installing it in the first place.
"The user has the option of refusing the installation of this program by unticking a small box when switching on the new PC for the first time, but obviously few people pay attention to this kind of detail." [Ed. note: OK, nice, but the source / methodology behind this conclusion is not given.]
[...]
And if you could not avoid it, "it is very simple to uninstall Superfish. Here is a video that explains how to proceed":
[Ed. note: apparently it is not that simple: « Readers should be aware that even after uninstalling the Superfish adware from their machines, the Superfish root certificate will remain. » ;) ]
[...]
In 2014 alone, Lenovo sold more than 59 million PCs, making it number one in the market, according to Gartner. »
« It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.
[...]
Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.
[...]
Palmer [Ed. note: an infosec researcher, it seems] was later able to confirm that the private key for the Superfish certificate installed on his Yoga 2 contained the same private key as a Superfish certificate installed on a different person's Lenovo PC. That means there's a good chance attackers could use the certificate to create fake HTTPS websites that wouldn't be detected by vulnerable Lenovo machines. »
OK, so a fake X509 certificate is generated on the fly on the infected PC for each website visited. It is not just a handful of pre-generated certificates valid only for a few well-known sites (e.g. the Alexa top X)!
END OF EDIT.
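The trust model the quotes above describe (one root key shared by every affected laptop, a leaf certificate minted on the fly for each visited site, and any third party holding that key able to mint its own) as an added shell example; this is not code from this post, from Lenovo or from Superfish. It uses openssl to build a throw-away root whose subject string mimics the real Superfish certificate; every other name (bank.example, mail.example, "Example Root CA", the file names) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: a throw-away model of the Superfish trust problem.
# One root CA whose private key ships on every machine, leaf certificates minted per site,
# and trust decided purely by which roots a store contains. All hosts/files are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/C=US/O=Superfish, Inc./CN=Superfish, Inc."   # subject of the real root; the key here is freshly generated

# Self-signed root with CA:TRUE as $WORK/$1.key / $WORK/$1.crt (explicit extfile: no dependence on openssl.cnf)
selfsign_ca() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Mint a leaf for host $2 signed by CA $1, written as $WORK/$3.crt: what the interception proxy does
# for each site the user visits, and what anyone holding the leaked CA key can do just as well.
mint_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$3.key" -out "$WORK/$3.csr" -subj "/CN=$2" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -days 30 -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" 2>/dev/null
}

# Exit 0 iff leaf $1 chains to a root in bundle $3 AND its SAN matches hostname $2 (what a browser checks)
leaf_trusted() { openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1; }

# Exit 0 iff PEM bundle $1 contains a certificate whose subject mentions Superfish
superfish_present() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep -q 'subject=.*Superfish'
}

demo_setup() {
    selfsign_ca superfish "$CA_SUBJ"
    selfsign_ca legit_root "/CN=Example Root CA"          # stand-in for a normal trust store's root
    mint_leaf superfish bank.example bank                 # the proxy's on-the-fly certificate for a bank
    mint_leaf superfish mail.example attacker             # a hostile third party reusing the same key
    cp "$WORK/superfish.crt"  "$WORK/store_superfish.pem" # trust store of an affected laptop
    cp "$WORK/legit_root.crt" "$WORK/store_clean.pem"     # trust store of a clean machine
}

report() {
    for case in "bank bank.example store_superfish" "attacker mail.example store_superfish" \
                "bank bank.example store_clean" "attacker bank.example store_superfish"; do
        set -- $case
        if leaf_trusted "$WORK/$1.crt" "$2" "$WORK/$3.pem"; then r=TRUSTED; else r=rejected; fi
        echo "$1.crt presented for $2 against $3: $r"
    done
    for s in store_superfish store_clean; do
        if superfish_present "$WORK/$s.pem"; then echo "$s: Superfish root FOUND"; else echo "$s: no Superfish root"; fi
    done
}

demo_setup
report
```

Run it as-is: the bank leaf and the attacker's mail.example leaf both verify against the store that carries the shared root, the same bank leaf is rejected by the clean store, and the attacker's leaf presented for bank.example is rejected because hostname matching still works; only the issuer check is what the shared root defeats. The last two lines are the check a practitioner wants after the uninstaller has run, since, as the quoted note above says, the root certificate stays behind.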
EDIT of 19/02/2015 at 15:55: And bam, the private key and its password:
http://shaarli.guiguishow.info/?TBUR6w END OF EDIT
In summary: a crooked PC assembler, an adware, and the magic of X509. COMBO!