Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

A Few Lessons from Recent Adware Insecurities

Home
Industry Insights
A Few Lessons from Recent Adware Insecurities

Blog Article Published: 03/11/2015

<strong>Recent adware has made significant waves in some information security </strong><strong>circles for its security vulnerabilities and </strong>
<strong>for its potential larger </strong><strong>impact on one of the essential systems of trust that Internet </strong><strong>sites use – the Browser <sup><a href="https://www.brightline.com/2015/03/adware-insecurities/#footnote"><strong>[1]</strong></a></sup></strong><sup> </sup><strong><sup><a href="https://www.brightline.com/2015/03/adware-insecurities/#footnote"><strong>[2]</strong></a></sup></strong><strong>.</strong>

By Jacob Ansari, Manager, Brightline

image001While users can obtain fixes or removal tools for both Superfish[3] and PrivDog, the issue remains that our browsers can make trust decisions for us that we do not always know about or understand, and to which we may not consent.

This problem isn’t new as public-key infrastructure (PKI) systems (e.g., systems that use digital certificates, which are used to verify the authenticity of websites on the Internet) ultimately rely on a series of ostensibly trustworthy entities not abusing that trust. For users, this often means understanding what root certificates their web browsers trust. These root certificates, issued by organizations called certificate authorities (CAs), digitally sign or verify the authenticity of other certificates that sites on the Internet use to substantiate their identity. Modern browsers come with several root certificates installed, usually from CAs, although users, or the software they install, can modify this repository.

This was the core problem with Superfish. The utility, installed by default on Lenovo laptops, subverted that trust relationship by installing not just a certificate that the browser trusted, but a root certificate which would then re-sign other certificates and allow the holder of that root certificate to decrypt the web traffic to those sites. The ad company intended for this to inject advertisements into browser traffic, even on encrypted sites, but the Superfish phony root certificate would allow an attacker to manipulate any encrypted web traffic and make it appear legitimate. The plot thickened a few days later when researchers and savvy users discovered that an ad blocking and replacement tool called PrivDog[4] did the same thing, although it had the potential to create even more security issues as it would re-sign any certificate, including otherwise invalid or questionable certificates without any verification whatsoever. The situation with PrivDog has a particularly troublesome quality to it in that the developer of this software is the founder and CEO of Comodo, one of the largest CAs in the world; however, it appears that the versions of PrivDog with this particular problem do not appear to come bundled with Comodo security software for users.

Attacks that target this system of trust before exist. An attack in 2011 took place against DigiNotar[5], a Dutch CA. The attacker or attackers (thought to be agents of the Iranian government trying to spy on dissidents) issued numerous certificates that appeared legitimate. However, they had access to the corresponding private keys, and thus the ability to decrypt any intercepted encrypted traffic authenticated by these fraudulent certificates or any certificates derived from them. In 2012, another CA issued a subordinate root certificate, encased in a specialized hardware device called a hardware security module (HSM), to a third party as a product for monitoring traffic from an organization, ostensibly for preventing company confidential information from leaving[6]. However, in doing so, this yielded the same sort of result as it allowed the device with the root certificate to impersonate any other encrypted site on the Internet in a fashion that most users would not detect.

These developments create significant dangers for safe Internet use in that an attacker who obtains these certificates can potentially manipulate many users into trusting hostile sites. Even without the scenario of a criminal gaining access to root certificates, placing root certificates outside of the most protected and trusted sort of environments tampers with one of the underpinnings of the Internet. The trust that needs to exist will subsequently erode away if users cannot trust that the site they intend to visit is the actually the site in the browser. Adversely affecting website security and authenticity for criminal purposes, or as an act of surveillance, has its own issues, legal, political and otherwise. Doing so merely to serve up advertisements in browsers shows a breathtaking measure of recklessness.

So what do we learn from this?

Primarily we learn that the world is full of organizations that play with fire and adversely affect Internet security for a variety of self-serving reasons. Perhaps this isn’t surprising. Users will need to fully understand how these trust relationships work, so that they can make decisions about what sites to visit and trust from a more informed standpoint. This may be an unrealistic expectation that puts a lot of burden on ordinary people who just want to use the Internet in the ways they always have. Additionally, Certificate Authorities and other intermediaries should undergo more scrutiny in terms of how they manage security of certificates, keys, and the likes. There several audit standards out there to guide CAs from WebTrust for Certification Authorities to the various CA Browser Forum guidelines. More than likely however, the responsibility will fall to the community of security professionals to connect all interested parties out about these sorts of threats and mount effective defenses against them.

[1] PCWorld.com – CEO says Superfish is safe as US issues alert to remove Superfish from Lenovo PCs

[2] A Few Thoughts on Cryptographic Engineering

[3] Lenovo – Superfish Uninstall Instructions

[4] nakedsecurity.com – Anatomy of a certificate problem – the “PrivDog” software in the spotlight

[5] Wikipedia – DigiNotar

[6] Trustwave issued a man-in-the-middle certificate

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.