3. Lenovo confirms installing a MITM cert and proxy to inject adware on new laptops

Lenovo confirms installing a MITM cert and proxy to inject adware on new laptops

So basically, imagine for a second that instead of all this technology stuff, we are sending snail mail to somebody we never met before. Lets say a bank that you want to sign up a new credit card with.

Now, we have a problem. We want to make sure that the bank receives the letter, and they are the only one that wrote it. And there isn't somebody in the middle of the post service (or sneaking outside your house's mailbox) that isn't either intercepting the letter, opening it, reading it, then putting it in a new envelope before sending it to the bank, or it's just somebody in the post service replying directly to us pretending it's the bank.

So basically we developed a system, with certificates. We basically have designated certain organizations as 'trustworthy' to authenticate people. These would be the 'root certificates' your computer has. Without being too technologically heavy, lets just say that these organizations have a way to authenticate they are who they are, like a wax seal people used to use in letters, so I'll just refer to 'authenticating who they are' as using a wax seal on our letter. And an organization like a bank also has their own authentication/seal.

But the problem is, since we've never wrote to this bank before, we don't know what their authentication 'seal' looks like, this theoretical eavesdropper could make his own seal and we would be none the wiser that it wasn't the bank.

So when we mail the bank, they can reply and say 'this other guy with a root certificate can tell you that I am who I say I am' and since you know what the 'root certificate' holder's seal looks like, and you have specified you trust them, you go ask the root certificate what the bank's seal looks like. And assuming the reply you get from the root certificate bears the seal you trust, you can now reliably know that the bank is who they said they are, because you know what their seal is supposed to look like.

So if there is a rogue root certificate organization out there issuing phony records, that basically completely undermines our little authentication thing here, because they are the source of authenticating who everybody else is on the internet, and we no longer know if we are talking to an eavesdropper, or the real thing.

/r/netsec Thread Link - forums.lenovo.com
Previous
Next

Recently removed from /r/netsec

Tracking Anonymized Bluetooth Devices via BLE security flaw PoC || GTFO 0x19 (Github Mirror) /r/netsec's Q1 2019 Information Security Hiring Thread The /r/netsec Monthly Discussion Thread - December 2018 /r/netsec's Q3 2018 Information Security Hiring Thread Simple hack bypasses iOS passcode entry limit, opens door to brute force hacks Google bug bounty for security exploit that influences search results Cybereason RansomFree detects and blocks WannaCry using behavioral based detection (video link, details in comment) PINs and passwords can be stolen just by watching the way a phone tilts Bella: A pure python, post-exploitation, data mining tool and remote administration tool for macOS. 2015 Vice article reveals Spotify allows for brute-force password collection. There is still no login failure/password reset to this day. More details in comments. Cryptkeeper Sets the same password "p" for everything independently of user input /r/netsec's Q1 2017 Information Security Hiring Thread A Formal Security Analysis of the Signal Messaging Protocol [PDF] Warberry Pi- Tactical Exploitation

More Random Comments

incoherent nonsense Apple investors are being asked to vote against giving CEO Tim Cook his $98.7 million pay package for 2021 Vegan hunting AITA for telling my BIL's girlfriend she's boring because all she talks about is her job? Marvel Studios' 'Thor: Love and Thunder' Rotten Tomatoes Verified Audience Score Thread To the surprise of no one, Bethany wants her followers to help her write the Singles' Pre-Dating Guide she's, like, really almost totally ready to release (for $10). AITA for taking the closest parking space even though a pregnant co worker asked for it? 7 ways to get your money back from a Bitcoin Scam TESLA SERVICE is not what it should be... Is this wd or some other sh. Study Show That Software Piracy Lowers Poverty Vaashi - streaming now on Netflix. Dangers of complimenting women? Which class you think is the most interesting generationally? AITA For taking a joke too far and making my mom faint