The recent Superfish debacle is yet another reminder that as security professionals we live in an inherently post-prevention world. Increasingly everyone must assume that despite all our best efforts, users on our networks are may already compromised. While the focus is often on the many ways that a user can be infected with malware, Superfish is a reminder that a device can be compromised before it ever comes out of the box.
As a quick recap, Superfish is software that acts as an SSL man-in-the-middle in order to control the ads a user sees while browsing the Web – it’s “adware” which pretends to provide a service you would want. To break SSL encryption without triggering a browser warning, Superfish installs a signed root certificate on the machine. More specifically, the software installs the exact same root cert on a series of laptops, and researchers (and attackers) are able to quickly extract the cert. Rob Graham at Errata Security provides a nice write-up on how he was able to do this.
Worse still, due to the way the software handles invalid certificates, attackers can direct victims to a malicious site without raising a browser security warning. Analysis from the Electronic Frontier Foundation shows that attackers are likely already using this weakness for MitM attacks in the wild. It’s important to remember that while this is an egregious lapse in security, it is by no means unique. PrivDog software associated with Comodo has shown similar man-in-the-middle weaknesses that allow attackers to redirect victims to malicious sites.
Such software typically gets on laptops by coaxing an unwitting user to install such a “potentially unwanted program” (PUP). Lenovo chose to cut out the middleman and preinstalled the Superfish application on a series of laptops it sold in markets across the world. The end result is that advertisers and attackers can introduce anything they want in what appears to be a trusted and encrypted session. This is a case where preventive security measures would clearly come too late, and increasingly there is no guarantee that even our “golden images” are safe.
In many cases, the attacker starts the game on second base, and this reality means we must look at security differently. The first observable signs of an attack may very well come from inside the network. Internal reconnaissance, lateral movement or a staged transfer may not to be the first step of an attack, but it may the first step that security teams can detect. Furthermore, by observing the real behavior of hosts on our networks, we can begin to audit and verify things that previously were trusted blindly. With the likes of Superfish and PrivDog in the neighborhood, it certainly makes sense to verify before we trust.
Read more about how your security can evolve to automatically detect active network attacks in real time.