DELL BLUNDER
Dell installed a self-signed root certificate and
corresponding private key on its customers’ computers in an attempt to streamline
remote support, apparently without realizing that this exposes users’ encrypted
communications to potential spying.
Even more surprising is that the company did this while being
fully aware of a very similar security blunder by one of its
competitors, Lenovo, that came to light in February 2015. This incident surely
raises questions about Dell’s Research and Development team.
In Lenovo’s case it was an advertising program called Superfish
that came preinstalled on some of the company’s consumer laptops and which
installed a self-signed root certificate. In Dell’s case it was one of the
company’s own support tools, which is arguably even worse because Dell bears
full responsibility for the decision.
Dell actually took advantage of Lenovo’s mishap to
highlight its own commitment to privacy and to advertise its products. The
product pages for Dell’s Inspiron 20 and XPS 27 All-in-One desktops, Inspiron
14 5000 Series, Inspiron 15 7000 Series, Inspiron 17 7000 Series laptops and
probably other products, read: “Worried about Superfish? Dell limits its
pre-loaded software to a small number of high-value applications on all of our
computers. Each application we pre-load undergoes security, privacy and
usability testing to ensure that our customers experience the best possible
computing performance, faster set-up and reduced privacy and security
concerns.”
Why should you care
The eDellRoot self-signed certificate is installed in the
Windows certificate store under the “Trusted Root Certification Authorities.”
This means that any SSL/TLS or code-signing certificate that is signed with the
eDellRoot certificate’s private key will be trusted by browsers, desktop email
clients and other applications that run on affected Dell systems.
For example, attackers can use the eDellRoot private key, which
is now publicly available online, to generate certificates for any
HTTPS-enabled websites. They can then use public wireless networks or hacked
routers to decrypt traffic from affected Dell systems to those websites.
In these so-called Man-in-the-Middle (MitM) attacks, the
attackers intercept users’ HTTPS requests to a secure website, let’s say axisbank.com for example. They then start acting as a proxy by establishing a legitimate
connection to the real website from their own machine and passing the traffic
back to the victims after re-encrypting it with a rogue axisbank.com
certificate generated with the eDellRoot key.
The users will see a valid HTTPS-encrypted connection to Bank of
America in their browsers, but the attackers will actually be able to read and
modify their traffic.
Attackers could also use the eDellRoot private key to generate
certificates that could be used to sign malware files. Those files would
generate less scary User Account Control prompts on affected Dell systems when
executed, because they would appear to the OS as if they were signed by a
trusted software publisher. Malicious system drivers signed with such a rogue
certificate would also bypass the driver signature verification in 64-bit
versions of Windows.
It’s not just laptops
Initial reports were about finding the eDellRoot certificate on
various Dell laptop models. However, the certificate is actually installed by
the Dell Foundation Services (DFS) application, which, according to its release notes, is available on laptops, desktops,
all-in-ones, two-in-ones, and towers from various Dell product lines, including
XPS, OptiPlex, Inspiron, Vostro and Precision Tower.
Dell said Monday that it began loading the current version of
this tool on “consumer and commercial devices” in August. This may refer
both to devices sold since August as well as those sold prior and which
received an updated version of the DFS tool. The certificate has been found on
at least one older machine in PCWorld's possession: a Dell Venue Pro 11 tablet
dating from April.
More than one certificate
Researchers from security firm Duo Security found a second eDellRoot certificate with a different
fingerprint on 24 systems scattered around the world. Most surprisingly, one of
those systems appears to be part of a SCADA (Supervisory Control and Data
Acquisition) set-up, like those used to control industrial processes.
Other users also reported the presence of another certificate called
DSDTestProvider on some Dell computers. Some people have speculated
that this is related to the Dell System Detect utility, although this is not
yet confirmed. Well, time to feel some pressure, Dell..
There’s a removal tool available
Dell released a removal tool and also published manual removal instructions for the
eDellRoot certificate. However, the instructions might prove too difficult for
a user with no technical knowledge to follow. The company also plans to push a software update that
will search for the certificate and remove it from systems automatically. If that is done, it will be a big sigh of relief for Dell.
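The trusted-root exposure described above and the removal step in this section can both be checked from an elevated PowerShell prompt. The following audit script is an added example, not Dell’s removal tool or code from this post; it assumes the certificates carry the subject names eDellRoot and DSDTestProvider exactly as quoted here, and only removes them when you opt in with -Remove.

```powershell
# Added example (not Dell's tool): audit the Windows trusted-root stores for the
# certificates named in this post and report whether their private key is present.
# Run as Administrator so the LocalMachine store is readable and removable.
param(
    [switch]$Remove   # off by default: report only unless explicitly requested
)

# Subject names taken from the post (assumption: they appear as the CN).
$pattern = 'CN=(eDellRoot|DSDTestProvider)'
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key sits on the machine is the core
                # of the problem: anyone holding that key can mint certificates
                # this system will trust for any site or signed binary.
                HasPrivateKey = $_.HasPrivateKey
                PSPath        = $_.PSPath
            }
        }
}

if (-not $findings) {
    Write-Output 'No eDellRoot or DSDTestProvider certificates found in the trusted-root stores.'
    return
}

$findings | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # -DeleteKey also removes the associated private key, not just the certificate.
        Remove-Item -Path $f.PSPath -DeleteKey
        Write-Output "Removed $($f.Subject) ($($f.Thumbprint)) from $($f.Store)"
    }
    Write-Output 'Re-run without -Remove to confirm the stores are clean.'
}
```

Save it as a .ps1 and run it first without -Remove to see what is present; a HasPrivateKey value of True on a root certificate is the finding that matters.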
Who is on the target list?
Well, it’s likely that roaming corporate users, especially traveling executives, could
be the most attractive targets for man-in-the-middle attackers exploiting this
flaw, because they likely have valuable information on their computers. Well, that’s a matter of common sense: a hacker would like to steal information which is meaningful, confidential and precious. Of course I’m not on the target list. ;-)
Robert Graham, CEO of Errata, had a remarkable statement on this in a blog post: “If I were a black-hat hacker, I’d immediately go to the nearest
big city airport and sit outside the international first class lounges and
eavesdrop on everyone’s encrypted communications.”
As a matter of course, companies should deploy their own, clean
and pre-configured Windows images on the laptops they buy. They should also
make sure that their roaming employees are always connecting back to corporate
offices over secure virtual private networks (VPNs).
It’s not just Dell computer owners who should care
The implications of this security hole reach beyond just owners
of Dell systems. In addition to stealing information, including log-in credentials,
from encrypted traffic, man-in-the-middle attackers can also modify that
traffic on the fly. This means someone receiving an email from an affected Dell
computer or a website receiving a request on behalf of a Dell user can’t be
sure of its authenticity. How cool is that!!!! ;-)
- ASHISH CHHATANI