Monday, February 23, 2015

Using the same key for all devices / clients / services

Sufis told the story of a locksmith who, imprisoned for crimes he did not commit, finds a way to escape thanks to a well-thought-out plan. The trigger was the carpet that his wife managed to give him so he could perform his daily prayers. The finely woven carpet had a big key in the center, along with all the steps to be followed embroidered around it.

The moral of the story is that anyone can use what he has around him to get a key: a single key that can open any obstacle that comes his way. In fact, one of the biggest obstacles today is known as Superfish, the bloatware/adware/malware that shipped with Lenovo devices and was used by others as a key for their misdeeds.

Now Superfish has a number of new competitors. Matt Richard, a researcher at Facebook Security, claims to have found at least 10 "Superfishes" on different widely used services and devices.

Superfish injects hidden adware. In addition, it undermines the security of SSL connections. Moreover, it affects some of the tools of antivirus firms such as Lavasoft or Comodo, which is quite paradoxical, since such tools are meant to strengthen the security of SSL traffic and prevent potential malvertising attacks...

The problem is so critical that the Mozilla Foundation is currently considering whether to add the certificates used by Superfish to its blacklist. These certificates are installed by default on most Lenovo devices and are even used by some other digital services.
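As an added example (not code from the original post), here is a small Python check a defender can run against the local trust store: it lists trusted CAs whose subject names match a blocklist, and tells whether a given server certificate was issued by one of them, which is what an interception by such a CA looks like from the client side. The blocklist is a constructed one containing only the name the post mentions, and the certificate dictionaries follow the format that Python's ssl module returns from get_ca_certs() and getpeercert().

```python
import ssl

# Constructed blocklist of CA subject names (matched case-insensitively
# against commonName and organizationName). "superfish" is the name the
# post discusses; this is an illustrative list, not a published blacklist.
BLOCKLISTED_NAMES = {"superfish"}


def _field(name_tuple, key):
    """Return the value of `key` (e.g. 'commonName') from an ssl-module
    subject/issuer tuple-of-RDNs, or '' when the attribute is absent."""
    for rdn in name_tuple:
        for attr_key, value in rdn:
            if attr_key == key:
                return value
    return ""


def find_blocklisted_cas(ca_dicts, blocklist=BLOCKLISTED_NAMES):
    """Given the list returned by SSLContext.get_ca_certs(), return the
    entries whose subject CN or O contains a blocklisted name."""
    flagged = []
    for cert in ca_dicts:
        subject = cert.get("subject", ())
        cn = _field(subject, "commonName").lower()
        org = _field(subject, "organizationName").lower()
        if any(bad in cn or bad in org for bad in blocklist):
            flagged.append(cert)
    return flagged


def issued_by_flagged_ca(peer_cert, flagged_cas):
    """True when a peer certificate (SSLSocket.getpeercert() format) was
    issued by one of the flagged CAs, i.e. the connection is being
    intercepted by whoever holds that CA's private key."""
    flagged_subjects = {ca.get("subject") for ca in flagged_cas}
    return peer_cert.get("issuer") in flagged_subjects


if __name__ == "__main__":
    # Inspect the CAs that Python trusts on this machine.
    ctx = ssl.create_default_context()
    bad = find_blocklisted_cas(ctx.get_ca_certs())
    for ca in bad:
        print("blocklisted CA in trust store:",
              _field(ca["subject"], "commonName"))
    if not bad:
        print("no blocklisted CA found in the trust store")
```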

But how do these kinds of vulnerabilities spread? If an attacker manages to get one of the apps we use every day to run a compromised certificate, which usually has root-level trust, the attacker gains a huge range of possibilities. To do this, attackers look for apps with the necessary permissions and usually run a phishing campaign targeting their developers. By fooling the team behind them, attackers can corrupt the legitimate purpose of the service.

As you might have realized, humans (users, workers) are very often the weakest link in the chain. Sometimes this is due to their own digital Diogenes syndrome, i.e. the habit of keeping everything just in case "I need it for something in the future."

Furthermore, too flexible a use of corporate information can lead to problems if security standards such as ISO 27001 are not applied.

Who has never left a post-it with a password written on it next to their computer? Or who doesn't rely on the contact list of their cell phone to remember a phone number? Don't forget that technology is a key both for good and, as in this case, for evil.
