Man in the Middle Attacks & Superfish - Computerphile

Reddit Comments

Why I feel this belongs here is the takeaway:

One company (Lenovo) decided to make a few bucks injecting ads, and left potentially millions of ordinary people vulnerable to easy, horrible attacking and scraping of all their personal data by anyone who spent an hour tinkering.

👍 3 · u/SilentDis · Oct 23 2015 · 🗫 replies
Captions
Did you hear about Superfish this year? Right, yes, this is the Lenovo laptop scandal, isn't it? Yeah, this is a bit of software that was installed on pretty much every consumer Lenovo laptop. It was so bad that the US Department of Homeland Security issued an advisory saying this needs to be uninstalled. And to understand why it's so bad, we need to understand man-in-the-middle attacks.

There have been a lot of techniques for intercepting traffic for a long, long time. One of the earliest ones I remember is called ARP spoofing, or ARP poisoning. So you've got your router sitting in the middle, because all routers have a little aerial and some lights on them, and you've got computers connected to this. And what you do is you bring your computer along to an open Wi-Fi network, something like that, connect your computer, and your computer just announces, "Hello, I am now the router." I'm simplifying massively here, but basically the network is built on trust, and so the computers just kind of believe it. And so the computers and the router are sending all their packets to you first, and then you're forwarding them on to the right location. So everything is going through you. And 10 or 15 years ago this was terrible, because pretty much everything was sent in plaintext: email, passwords, websites, everything was going through in plain text. So you could just sit there, provided your computer was fast enough and your network card was good enough, and you could see every bit of traffic on this network and just kind of slurp the passwords out. Obviously massively illegal without the consent of everyone on the network, so don't do that.

But the solution to that is SSL. Your computer is sitting here and the server is out here, because all servers look like computers from the 1990s. Your computer sends a request saying, "Hello, I would like to talk securely. These are the protocols I can support, these are my details," and the server sends back, "Yeah, OK, here is my public key." Now, Computerphile has done... you've done public and private keys before? Yeah, he sat behind me. So yeah, go watch his video about public and private keys now if you want the other details, but basically the server sends back a long series of numbers that your computer can sign messages with and encrypt messages with, and they can only be unlocked by that server, because maths. I'm not going to explain more than that: you can lock messages, and only they can unlock them. Which is great, because your attacker who is sitting in the middle here and reading everything will just see noise.

Except all we've really done is move the problem back a stage, because that first bit, that "Hello, I would like to talk securely," "OK, here's my private key," has to go in plaintext, and someone in the middle can change that. They can take that public key that was sent by the server and just go, "No, I'm going to have that. Here's my public key instead." So you're actually going here and then here. Your computer here doesn't know the difference; it encrypts the message with the attacker's public key and sends it back here. The attacker opens it, decrypts it, reads it, goes "OK," and then sends the message that should have been sent from your computer, properly encrypted. The server goes, "All right, we've got an encrypted connection going on here," and sends the encrypted packet; the attacker, who can do this now, unlocks it, goes "Yeah, all right," re-encrypts it with their key and sends it on to you. And now every single communication is going through the attacker, and no one knows anything is wrong. That's your classic man-in-the-middle attack.

The solution to this is something called signed certificates, and this is why setting up a secure server on the web costs a little bit of money right now. I mean, it may not in future: the Electronic Frontier Foundation and Mozilla are trying to set up a thing to make this free, and hopefully by the end of the year it will be. But the idea is that there is a third party vouching for the set of public keys that you're exchanging. I've had to do this; I set up a secure server about a year ago. What I have to do is, when I'm setting it up, on the server right there, it's going to run this website, it's going to be on this address, it's going to use these protocols, and now they generate this set of public and private keys. And then over an existing secure connection, one that I knew to be good, I send that private key off to something called a certificate... How do I draw a certificate authority? I think it's going to be a faceless office. Or why don't we do a factory, and then we know that that's kind of industry going to the internet. Factory, there we go, a factory of the inter... yeah, all right, there we go. We've got a padlock factory there. No, it's not a padlock; I've drawn a padlock, but it's not, it's a set of keys. This is what they call public and private keys. I generate my keys, I make them, and I send them over a connection I know to be secure to this company, and there's like half a dozen big ones in the world, maybe 50 or 100 or so small regional ones. And what they do is they check: "All right, these keys we've got, are they definitely from this server? Yes." And if you want one of the kind of green padlocks with the company name on it, they will ask you to fax in something on headed paper, something like that. It probably is still a fax machine, actually, which is why it's so expensive: you need to keep the fax machine running. Uh-huh. They get this, they check it's coming from the right server, they check it's the right keys, and then they do maths to them, and those keys are now signed by that company with their own private key, which no one else has.

So now when I do that initial back and forth, a person comes along, they talk to my server and they say, "Hello, I would like to talk securely," and my server says, "All right, here is my public key; it's been signed by those folks over there," and the computer goes, "Ah, oh yeah, OK, that's great." And if the attacker changes one bit of those keys, I mean in the computer sense, one 1 or 0 in there, the maths doesn't add up any more. And more than that, not only does the maths not add up, they can't generate any new keys and sign them, because they don't have the private key for any of these big companies. So the attacker is completely out of luck. If they change it, it will be like when you try and log into a public Wi-Fi network and it pops up, "Hey, you need to log in, we need your details." Sometimes that's a man-in-the-middle attack, but they are taking the stuff you're trying to send to the server, and they get in the way and say, "Actually, no, we're going to send back our page instead." This warning pops up saying, "We're meant to be on a secure connection to Gmail, but we're not." Yeah, panic, everything, run, big red screen, which most people have now trained themselves to click through. But you know, OK, the attacker can't intercept the keys any more, not without sending up all sorts of red flags, which is fine.

But again, all we've done is move the problem back a stage, because how do you know which certificate authorities to trust? And that's when, for end users, for people like you or me web browsing, that is when you do have to take it on trust. Because when you bought your smartphone, well, I bought this, I trusted Apple; they installed a list of maybe, probably about a hundred certificate authorities, those factories, and all their public keys, on there. So they don't really go over the air to start off with; they're pre-installed with your device. If you install a web browser, oh, that'll be over a connection you know to be secure, hopefully, and you install that, and you say, "Right, I'm trusting these companies because my browser manufacturer trusts them." So OK, we now have keys on this server signed by the factory here, and that factory is trusted by whoever made your browser or your device. So we have this complete network of trust that's set up, that means the attacker can't change the keys.

And there are two obvious weak points there. One is the certificate authority: if you can get them to fraudulently sign keys, then all the people that trust them are completely out of luck. And that happened. That happened to a Dutch certificate authority that is now bankrupt, because no one trusts them. Somehow they got conned, coerced, bribed, no one knows, but they generated a completely valid signed certificate for Google. They had no right to do that, no permission to do that, but they generated a certificate for the whole of Google with their signature on it saying "we trust this," and that somehow made it to Iran, where someone managed a massive man-in-the-middle attack on enormous numbers of Iranian web users. So they were all seeing a big green padlock with Google written in it. If they looked through the details, which a couple of people did, like, if you're paranoid you check the details on this, then someone is asking, "Why is this certificate for Google signed by someone in the Netherlands? That doesn't make sense," and that was how it was found out, that it wasn't a genuine Google certificate. But most people wouldn't know that. They're talking to Gmail, they're seeing a big green Google certificate in that, they think all's well. So they're basically looking at their Gmail emails, but it's all going through someone, it's all going through an attacker, and the keys are being replaced. They couldn't do it for every website, but they'd done it for this one, they'd done it for Google. So every bit of Google traffic that went through, they were swapping out the keys, they were opening everything, looking at it. And this is all happening in milliseconds: open it, store it, put the new keys on it, send it onwards. It's a devastating attack if you can pull that off.

And there is a genuine concern that governments can do this. Governments can go to certificate authorities and say, "Right, this is the government here, we need you to generate some fake certificates," or they can just steal the private keys. If they can steal the certificate authority's private keys, then they can generate their own keys without even the authority knowing. I mean, it's a devastating attack if they can pull it off. Can they? I mean, I'd be surprised if the NSA couldn't do that somehow. Whether they actually choose to do it is another matter, because if they do and it gets found out, not only have they bankrupted a fairly major company that no one trusts any more, but they've blown their cover. So I suspect that, yeah, they can do it, and they're using it in very, very rare situations when they haven't got another option. Whether they should or not, I'm not getting into that debate.

So that's one weak spot. The other is the list of trusted authorities on your phone or on your computer, because if an attacker can get an extra entry in there, if they can get themselves in there, then they can just generate new keys on the fly and every single connection will be intercepted. So that's what Superfish did. They wanted to insert advertising. Superfish was a program that took your Google searches and added a little bit more advertising in it for them, which is a terrible idea, but Google switched to secure searching for everyone, so Superfish, which is such a bad idea, installed themselves as a trusted certificate provider. And it wasn't even sitting out in the network; this was a little program sitting on your own computer, looking at all your traffic and doing a man-in-the-middle attack on it and inserting their own adverts. That authority is sitting on your computer signing keys on the fly, which means that the private key, the numbers that should never ever be seen, is sitting on your computer and can be extracted. And it was the same on every single computer. So as soon as one attacker pulled it off one computer, every single installation is vulnerable, because every single computer that has Superfish trusts Superfish. So someone in the middle pretends to be Superfish, which they can do because they have that private key, and then that attacker can man-in-the-middle every single secure website out there. And they know you've got it, because they can see Lenovo on the back of your computer in the coffee shop. And you know, there are uninstallers out there now; Lenovo promised not to do it again; Superfish, as far as I know, does not exist as a bit of software any more. But it's one short-sighted company that used every ignorant shortcut in the book to try and make a few adverts appear, and just because of that, tens of thousands, maybe hundreds of thousands of computers, I don't know, perhaps a million, I don't know how many they make in a year, but all those were made vulnerable to a really, really terrible attack just because one company wants to sell a few ads.

It's very difficult for people who go into a bad place and use a card, because if you complain to your bank, then the strip club... and I want to say we were with four girls all night and 4,000 pounds, that's what that costs at our place. How long have you not been recording? That's a really good question. This is because I'm an idiot. Ha ha ha, I love it: three quarters of the way through, and he says, "I am not recording." We did that for the drone footage in schnabel: we had a live monitor on the drone footage with a remote link, and I just look and go, "Oh, GoPro's not rolling." Oh, bring the drone back down, change the battery in the drone.
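The handshake key swap, the signed-certificate check, and the two weak points (a trusted authority signing for a site it has no business signing for, and an extra root in the device's trust store whose private key ships on every machine) described in the captions above, as an added worked example that is not part of the video or of this page. It models the trust logic with a toy textbook RSA over SHA-256 written against the Python standard library; that signature scheme is unsafe and is used only so the script runs offline. The names Factory CA, Attacker CA, Superfish, mail.example.com and www.google.com are placeholders, and all keys are generated locally. Note that in the example the authority receives and signs only the server's public key, as a real certificate signing request carries, and the server's private key never leaves the server.

```python
"""Toy certificate chain: the signed key survives a swap or a bit flip, but a
rogue trusted CA or a shared embedded root private key (Superfish) defeats it.

Textbook RSA over SHA-256 is used ONLY so this runs on the standard library.
It is NOT a safe signature scheme; the point is the trust logic, not the maths.
"""
import hashlib
import json
import random


# ---- toy RSA (textbook, unpadded) ------------------------------------------
def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin primality test; fine for a demo, not for real keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, seed=None):
    """Return (public, private) dicts. Only the public half is ever sent to a CA."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e must be invertible modulo phi
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def sign(priv, msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")  # 256 bits < n
    return pow(h, priv["d"], priv["n"])


def verify(pub, msg, sig):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(sig, pub["e"], pub["n"]) == h


# ---- toy certificates --------------------------------------------------------
def _tbs(body):
    """Canonical 'to be signed' bytes of a certificate body."""
    return json.dumps(body, sort_keys=True).encode()


def issue_cert(issuer_name, issuer_priv, subject, subject_pub):
    """The 'factory' signs the subject's public key with its own private key."""
    body = {"subject": subject, "key": subject_pub, "issuer": issuer_name}
    return {"body": body, "sig": sign(issuer_priv, _tbs(body))}


def client_accepts(cert, hostname, trust_store):
    """What the browser does with the key it receives in the handshake."""
    body = cert["body"]
    if body["subject"] != hostname:  # certificate is for a different site
        return False
    issuer_pub = trust_store.get(body["issuer"])
    if issuer_pub is None:  # signer is not one of the pre-installed factories
        return False
    return verify(issuer_pub, _tbs(body), cert["sig"])


def run_scenarios():
    """Return {scenario: accepted?} for the situations the video describes."""
    ca_pub, ca_priv = generate_keypair(seed=1)  # a real, trusted CA (placeholder)
    srv_pub, _srv_priv = generate_keypair(seed=2)  # the website's own keys
    atk_pub, atk_priv = generate_keypair(seed=3)  # the person in the middle
    sf_pub, sf_priv = generate_keypair(seed=4)  # "Superfish": same key on every laptop
    trust_store = {"Factory CA": ca_pub}  # what the device shipped with
    host = "mail.example.com"
    good = issue_cert("Factory CA", ca_priv, host, srv_pub)
    results = {}
    # 1. Honest handshake: key signed by a trusted CA for the right host.
    results["honest"] = client_accepts(good, host, trust_store)
    # 2. Classic key swap: attacker substitutes their key but cannot re-sign.
    swapped = {"body": dict(good["body"], key=atk_pub), "sig": good["sig"]}
    results["key_swapped"] = client_accepts(swapped, host, trust_store)
    # 3. A single bit of the signed key changed: the maths no longer adds up.
    flipped = {"body": dict(good["body"], key=dict(srv_pub, n=srv_pub["n"] ^ 1)),
               "sig": good["sig"]}
    results["one_bit_flipped"] = client_accepts(flipped, host, trust_store)
    # 4. Attacker signs with an authority the device never trusted.
    own = issue_cert("Attacker CA", atk_priv, host, atk_pub)
    results["untrusted_issuer"] = client_accepts(own, host, trust_store)
    # 5. Weak point one: a trusted CA (conned, coerced or breached) signs for a
    #    site it should not. The client has no way to tell.
    rogue = issue_cert("Factory CA", ca_priv, "www.google.com", atk_pub)
    results["rogue_ca_issuance"] = client_accepts(rogue, "www.google.com", trust_store)
    # 6. Weak point two: an extra root whose private key is on every machine.
    #    Anyone who extracted sf_priv mints a valid certificate for any host.
    laptop_store = dict(trust_store, Superfish=sf_pub)
    minted = issue_cert("Superfish", sf_priv, host, atk_pub)
    results["superfish_root_abused"] = client_accepts(minted, host, laptop_store)
    results["superfish_root_removed"] = client_accepts(minted, host, trust_store)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:24s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The last two scenarios are the whole Superfish story in two lines: with the extra root present, the attacker's freshly minted certificate is accepted for any hostname; remove that root (the uninstaller's job) and the very same certificate is rejected as signed by an unknown issuer.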
Info
Channel: Computerphile
Views: 915,027
Keywords: computers, computerphile, computer, science, man in the middle, superfish, lenovo, super fish, compromise, Man-in-the-middle Attack, Software (Industry)
Id: -enHfpHMBo4
Length: 13min 29sec (809 seconds)
Published: Fri Oct 23 2015