So you're telling me, an American owned tech company is spying or allowing spying on its customers?!
Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more. The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted …
"It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system"
Just like posting my bank details, home address, name and security answers all over the internet doesn't do any harm.
Or jumping off a building.
It's the bit afterwards that we're worried about. Cheers for the advice though, business as usual, yeah?
Perhaps someone more intelligent than me could explain the technical connection between a piece of spy software and a dodgy security certificate, apart from both being ungood.
It seems that here the author is comparing aardvarks* and anchovies*.
* apologies if either of these has been chosen for the name of a forthcoming release of Ubuntu...
While I have no data to compare our knowledge bases or indeed intelligence, I'll offer the following hastily written summary - I apologise if it is not 100% accurate:
Software signed with a trusted certificate will run on your machine. A leaked root certificate means that anyone with it can sign any piece of software and your machine will trust it (if you have that root certificate installed).
A leaked root certificate means anyone with that private key can generate new public SSL certs so your browser, for example, will trust the site. This exposes you to man-in-the-middle attacks in places where an attacker hijacks your connection and presents http://haha_suckers_this_is_a_drive_by_site.com as https://facebook.com.
Combine those things, and you have an easy way to install malware on any machine using an open wireless connection - for example. But in reality there are many ways that this could cause trouble.
So I think you are saying that the PC becomes in effect a certificate issue factory that will then accept any certificate it is persuaded to generate using the details held on its system.
The net effect is that the certificates are not certificates of anything at all.
Is that a correct reading?
If you buy a Dell and I buy a Dell.
I can use the private key on my Dell to generate the aforementioned nasties. I can then install them on your Dell, and it will trust them, as I am using a certificate which is included in your list of trusted certificates. (ish)
So anyone with one of these Dells can screw everyone else who has one, so long as they keep trusting that cert.
It's a bit like if a bank gave everyone who rented a safety deposit box the same key. Except the box is your laptop.
Sort of correct. It sounds like all of these Dell PCs have the same root CA installed, so anyone obtaining it can generate certificates that these Dell PCs will accept as genuine.
That opens them up to being exploited by fake websites (banking, etc), nefarious apps, and so on.
"[...] so anyone obtaining it can generate certificates that these Dell PCs will accept as genuine."
Yeah, and if someone here thinks that the private key is not already in the hands of any miscreant that caught wind of the outrage, I've got a nice bridge to sell them.
Icon simply because this is an outrage.
Minor correction here - a leaked private key for a root certificate means that anyone can sign a piece of software. Without the private key you cannot sign anything. The certificate is in effect the public key, the part that is freely shared.
The fact that the private key is installed on all these PCs means that anyone with the right skillset can enact the attacks as mentioned in the article. The certificate and key need to be revoked - not sure on the mechanism for this outside the PC - but Dell need to supply a patch that will remove the affected certificate and private key and install only a replacement certificate based on a different private key and keep that key, well, private!
"The certificate and key need to be revoked"
This is the issue; as this is a self-signed root certificate it CANNOT be revoked as there is no issuing authority to revoke it. As long as this root certificate is trusted by a computer then it will be trusted for EVERYTHING that is issued from it. And as the private key is in the wild, then that could be ANYTHING! Using the private key and OpenSSL, in 2 minutes I could issue certificates for Google, eBay, Amazon, Facebook, YourBank.com, etc, etc, etc. Then, if you have one of these Dells, you would be none the wiser if I was intercepting all of the traffic from your computer to these websites.
I cannot believe the scale of this absolute balls up!
I believe my comment on local revocation (remove the cert / key) still stands, though.
...Except for those reports of people who removed it and then it came back.
And looks like Dell are helping rectify this cock-up.
Far too little, far too late.
Someone that's stabbed you in the arm doesn't get sympathy because they've tried to keep some of the blood off your shirt...
Of course, major corporation says there is nothing to worry about so we shouldn't worry. It's not like major corporations have ever lied to us before, now is it? Nor has any major corporation ever been proven wrong about something as sensitive and critical as security, right?
It was an accident. Honest. It's just another of those "internal" cert faking kits you've been reading about surprisingly frequently lately. For "testing" only, honest. Must have just fallen in at the depot. We have now implemented robust safeguards to guarantee we'll never be caught doing exactly this ever again, and eNthusiastically eNcourage you to continue eNjoying the Dell eXperience.
Look, Corporations have lied in the past but it's a logical fallacy to say they will lie in future. In fact having been caught lying we can safely say they won't do it again, that's all in the past.
(Did you see how I used 'critical thinking' to slam you? Did you see how I tried to say that because they have been caught lying that they no longer do so?)
Doing this kind of thing is bad.
Doing it *after* another major vendor and competitor was rightly nailed to the wall for doing pretty much the exact same thing is... well... I think Dell owes me a new BadSecurit-O-Meter.
This is why one should *always* do a complete wipe and reinstall of any new system. I don't care what it is: always wipe. Trust no one. If you can manage it, don't even trust yourself.
It never ceases to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions. First we have the major breaches at Target, Home Depot, TJX and other behemoth commercial USA companies attributable to Windows terminals or some innocuous Microsoft device. Now Superfish 2.0 is upon us, and combined with gross "ransomware" that threatens medical devices if patients don't pay up, and the predictions of dire consequences by Richard Clarke, Federal Government Cyber Czar under both Bush and Obama administrations, of relying on Microsoft weak software technologies have come home to roost.
Adding insult to ignorance, a recent report indicates many USA corporations plan to move to Windows 10 by early 2017. If Microsoft is suddenly and unexpectedly pulling updates and fixes for Windows 10 just this past week, how bad will it become in 2017 and beyond?
"Yes bring back clay tablets, papyrus and reed pens."
Modern Android and iOS tablets are hardly "clay"*, there are more font choices on Linux and OS X than that one, and the styluses are "red", with a single "e", as in "seeing the price tag of the Apple Pencil will make your face flush red".
* although the latter's former propensity to stick glass everywhere makes them quite as brittle
This has nothing to do with Windows, Dell could as well ship machines with Linux with the same certificate installed, or install it into a pre-installed Firefox as well. CAs *can* be added in any OS because there are several situations where users need to add their own (think about company-wide CAs for a LAN...).
Of course, the private key should not be there...
At least, if you wish to bash Windows, try to do it looking smart... not clueless... it's not that difficult, after all.
"It never ceased to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions."
Yeah, because no other operating system uses certificates and trusted root certificate authorities. Everyone else is on Commodore 64s.
I wouldn't be holding up Android. Too many OEMs "customise" the experience and then have no way to patch for things like Stagefright. There are literally phones sitting on store shelves that will never see a Stagefright fix.
Microsoft have plenty to criticise. Too many Windows updates address being pwned by fonts, for goodness' sake, and half of those patches end up breaking Outlook. The blame here sits squarely on Dell. They are appropriately being shamed.
Okay, interesting find.
I located the second XPS 8700 workstation. No certificate present.
Both machines have a manufactured date of 13th October.
Both machines were received on the 23rd, and I had both side-by-side doing Windows Updates, installing our standard SOE software. I was pretty much sitting there with both machines, two keyboards, typing the same things into both.
One machine was deployed to a user, and has been in constant use. The second was put back in its box to keep as a spare for when it was needed. The one we put away has not got the certificate installed at present.
I'll do a quick update and see if it appears.
Stuart, presumably it was the stored system which was free of the malware?... suggesting that the machines arrive clean to be infected later?
Interesting indeed. Looking forward to your update update.
I wonder how long it'll be before Dell notices they've been rumbled and suspends this particular operation.
At least in the fine old USofA we've heard tales of shipments of equipment being detoured into warehouses where some minor alterations were performed. I'm guessing our common delivery systems (USPS, UPS, Fedex, etc.) are all part and parcel (sic) of this scheme.
When the BIOS (or other components) can be changed, good luck finding the nimble fingers.
Well, there are two possibilities:
- they are randomly loading PCs with A/B images, some which have the dodgy certificate, and some without.
- they shipped the bad certificate in an update after we deployed the machine.
I'm just rebooting the machine now. I'll do a few more checks for updates and see if it pops up.
I never checked to see if the certificate was present at the time of deployment: it is entirely possible it has been there the whole time.
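Two things in this thread call for the same check: the earlier point that the only fix available on the PC itself is to remove the root certificate and its private key from the trust store (and the reports that it came back after removal), and the two-XPS-8700 comparison just above, where one machine has the certificate and the other apparently does not. The script below is an added example for this page, not something posted in the thread or supplied by Dell. It lists every certificate in the machine-wide and per-user trusted root stores that carries a private key on the local machine, which is the condition the commenters are describing, and writes the result to a CSV so the same machine can be re-checked after a round of updates, or two machines compared side by side. It assumes Windows PowerShell 5.1 or later, run from an elevated prompt so the LocalMachine store is fully readable; the output file name is constructed for this example.

```powershell
# Added example (not from the thread): report trusted root CA certificates
# whose private key is present on this machine.
# Assumption: Windows PowerShell 5.1+, elevated, Certificate provider (Cert:) available.

function Get-RootCertWithPrivateKey {
    [CmdletBinding()]
    param()

    # "Root" is the trusted root CA store. Both the machine-wide and the
    # per-user store are checked because a certificate can be planted in either.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            # A trusted root whose private key sits on an end-user PC can sign
            # a certificate for any site that this PC will then accept.
            if ($cert.HasPrivateKey) {
                [PSCustomObject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Checked    = (Get-Date).ToString('s')
                }
            }
        }
    }
}

# Constructed output path for this example: one file per machine so the
# "deployed" and "boxed spare" machines can be diffed with Compare-Object.
$reportPath = ".\root-private-key-check-$env:COMPUTERNAME.csv"

$findings = @(Get-RootCertWithPrivateKey)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path $reportPath -NoTypeInformation
    Write-Output "Wrote $($findings.Count) finding(s) to $reportPath"
} else {
    Write-Output "No trusted root certificate with a private key found on $env:COMPUTERNAME."
}
```

Run the script on both machines, then compare the two CSVs with `Compare-Object (Import-Csv a.csv) (Import-Csv b.csv) -Property Thumbprint` to see whether the stores differ. If a root with a private key is found and you have decided it does not belong there, `Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>" -DeleteKey` removes the store entry together with its private key (the `-DeleteKey` switch matters: deleting only the certificate leaves the key on disk). Because the thread reports the certificate reappearing, re-run the check after the next reboot and after each update cycle rather than assuming a single removal has held.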
Biting the hand that feeds IT © 1998–2019