Man in the Middle Attacks & Superfish - Computerphile

Apr 27, 2024
Have you heard of Superfish this year? Yes, this is the Lenovo laptop scandal, isn't it? Yes, this is the software that was installed on almost all consumer Lenovo laptops. I mean, it was so bad that the US Department of Homeland Security issued an advisory saying this needs to be taken down, and to understand why it's so bad, we need to understand man-in-the-middle attacks. There have been many techniques for intercepting traffic for a long time. One of the first I remember is called ARP spoofing or ARP poisoning. So you have your router in the middle, because all routers have a little antenna and some lights, and you have computers that, you know, are connected to this, and what you do is you take your computer to an open Wi-Fi network, something like that, plug your computer in, and your computer just announces, "Hello, now I'm the router." I mean, I'm greatly simplifying here, but basically the network is built on trust, and the computers just believe it, so the computers and the router send you all their packets first and then you forward them to the right location, so that everything goes through you. And 10, 15 years ago, this was terrible, because almost everything was sent in plain text: email passwords, websites, everything was processed in plain text. So you can sit there and, as long as your computer is fast enough, your credit card network is good enough, you can see every bit of traffic on this network and just remove all the passwords. Obviously it's massively illegal without the consent of everyone on the network, so don't do that. But I mean, the solution to that is SSL on your computer, sitting here, and the server outside.

Here, because all servers look like computers from the 1990s. Your computer sends a request saying, "Hello, I would like to speak safely. These are the protocols I can support. This is my data," and the server sends, "Yeah, okay, here's my public key." And I know Computerphile has done it, you've done the public and private key before, yeah, he sat behind me, so yeah, go watch his video on public and private key cryptography if you want to know the details of that. Basically the server sends back a long series of numbers; your computer can sign messages with these and encrypt messages with these, and they can only be unlocked by that server, because math. Um, I'm not going to try to explain more than that. Only they can unlock them, which is great, because your attacker, who is sitting in the middle here and reading everything, will only see noise. Except what we've really done is take the problem up a notch, because the first part is, "Hello, I would like to speak safely." "Yeah, okay, here's my private key." That has to go in plain text, and someone in the middle can change it and can take that public key that was sent by the server and just say, "No, I'm going to have that. Here's my public key." Actually, you go here and then here. Your computer here doesn't know the difference, then encrypts the message with the attacker's public key and sends it back here. The attacker opens it, decrypts it, reads it, "Yes, it goes well," and then sends the message that should have been sent from your computer or server, correctly encrypted. All good, we have an encrypted connection here. You send the encrypted packet; the attacker, who can do this now, unlocks it, says, "Yes, okay," and then re-encrypts it with your key and transmits it to you, and now every communication goes through the attacker. No one knows anything is wrong. That's your classic man-in-the-middle attack. The solution to this is something called signed certificates, and that's why setting up a secure web server costs a bit of money right now. I mean, it may not in the future.
The Electronic Frontier Foundation and Mozilla are trying to set something up to make this free. Hopefully by the end of the year it will be, um, but the idea is that there is a third party that guarantees the set of public keys that you are exchanging. I had to do this, so I set up a secure server about a year ago. What I had to do is, when I was setting it up, I was typing correctly: it will run this website, it will be at this address, it will use these protocols. Now I'm going to generate this set of public and private keys, and then, over an existing secure network connection that I knew was good, I sent that private key to something called a CA. How do I draw a certification authority? I think it will be a faceless office, or why don't we make a factory, and then we know that's some kind of IND. Let's go to the Internet Factory. There we go, to the lock factory, Internet Factory. Yes, well, there we go, we have a lock factory there. No, it's not a lock. I have drawn a lock here. It is not, it is a set of keys; this is what is called public and private keys. I generate my keys, I make them and send them through a connection that I know is secure to this company, and there are about half a dozen large ones in the world, maybe 50, 100 or more small regional ones, and what they do is verify that these keys that we have are definitely from this server. Yes, and if you want one of those green padlocks with your company name on it, they will ask you to fax something on letterhead, something like that. It's probably still a fax machine, actually. Um, that's why it's so expensive, you know, you need to keep the fax machine running. They get this, they verify that it's coming from the right server, they verify that they're the right keys, and then they do the math on them, and those keys are now signed by that company with their own private key that no one else has. So now, when I do that initial back and forth, a person comes, talks to my server and says, "Hello, I would like to talk securely," and my server says, "Okay, here's my public key, it's been signed by those people over there," and the company says, "Ah, oh yeah, okay, that's cool." And what if the attacker changes one bit of those keys? I mean in the computer sense, a one or a zero: the math no longer adds up, and more than that, the math not only doesn't add up, but they can't generate any new keys and sign them, because they don't have the private key of any of these big companies. So the attacker will be out of luck if he changes it. It would be like when you try to log in to a public Wi-Fi network and it shows up, "You need to log in, we need your data." Sometimes it's a guy in the middle of an attack; they're taking the stuff that you're trying to send to the server and they're getting in the way and they're sending, "Not really, let's go instead, we will send back our page."
This warning appears in a pop-up window that says we must have a secure connection to Gmail, but we don't panic. Everything is wrong. There's a big red screen that most people have now trained themselves to click on, but you know, you try. Well, the attacker can't intercept the keys anymore, not without sending all sorts of red flags, which is fine, but again, all we've done is move the problem to the background, because how do you know which certificate authorities to trust? And that's when, for end users, for people like you or me surfing the web, that's when you have to trust it, because when you bought your smartphone, well, I bought this.
I trusted Apple; they installed a list of maybe, uh, probably about 100 certificate authorities, those factories that are there, and install their public keys there so that they don't get transmitted over the air to begin with. They are pre-installed on your device. If you install a web browser, that will be over a connection that you know is secure, hopefully, and you'll install what you say, right, I trust these companies because my browser manufacturer trusts them. So okay, now we have keys on this server signed by the factory here, and whoever created your browser or your device trusts that factory, so we have this entire trust network that is set up, which means the attacker can't change the keys. And there are two obvious weaknesses. One is the certification authority: if you can get them to fraudulently sign keys, then all the people who trust them are out of luck, and that happened to a Dutch certification authority that is now bankrupt because no one trusts them.
Somehow, they were conned, coerced, bribed, no one, no one, you know, but they generated a completely valid signed certificate for Google. They had no right to do it, they had no permission to do it, but they generated a certificate for all of Google with their signature saying we trust this, and that somehow managed to reach Iran, where someone pulled off a massive man-in-the-middle attack against a huge number of Iranian web users. So everyone saw a big green padlock with Google written on it. Um, if you looked at the details, that a couple of people, like, yeah, yeah, you are paranoid, you check the details about this, and someone asks why this Google certificate is signed by someone in the Netherlands, that doesn't make sense, and that's how it was discovered that it was not a genuine Google certificate. But most people wouldn't know that. They are talking to Gmail, they see a big green Google certificate there, they think everything is fine, so they are basically looking at their Gmail emails, but everything is happening somewhere else. Everything went through an attacker, the keys are being replaced. They couldn't do it for every website, but they did it for this one, they did it for Google, so every bit of Google traffic that went through, they were swapping the keys, opening it all, looking at it, and this is all happening in milliseconds, obviously: open it, save it, put the new keys that you have in it, send it forward. And it's terri, it's a devastating attack if you can pull it off, and there's a genuine, uh.
It is worrying that governments can do this. Governments can go to certifying authorities and say, "This is the government here. We need you to generate some fake certificates," or they can simply steal the private keys. If they can steal the Certificate Authority's private keys, then they can generate their own keys without even the authority knowing. I mean, it's a devastating attack if they can pull it off. I mean, I'd be surprised if the NSA couldn't do that somehow. Whether they actually choose to do so is another question, because if they do it and it is discovered, not only will they have bankrupted a fairly important company that no one trusts anymore, but they will also have blown their cover. So I suspect that yes, they can do it, and they use it very, very rarely, when they have no choice. As to whether they should or not,
I'm not going to get into that debate. So that's a weak point. The other one is the list of trusted authorities on your phone or on your computer, because if an attacker can get an additional entry there, they can get in there and then they can generate new keys on the fly and every connection will be intercepted. So that's what Superfish did. They wanted to insert advertising. Superfish was a program that took your Google searches and added a little more advertising. I'm there for them, which is a terrible idea, but Google switched to safe search for everyone, so Superfish, it's such a bad idea that they set up as a trusted certificate provider, and this little program wasn't even on the networks, sitting at your own computer looking at all your traffic and performing a man-in-the-middle attack and inserting their own ads. That authority is sitting at your computer signing keys on the fly, meaning the private key, the numbers that should never ever be seen, is on your computer and can be extracted. It was the same on all computers, so as soon as an attacker removed it from one computer, every installation is vulnerable, because every computer that has Superfish trusts Superfish. So if someone on the medium pretends to be Superfish, which they can do because they have that private key, then that attacker can control INE on every secure website out there, and they know you have it because they can see Lenovo on the back of your computer in the coffee shop. You know, there is a way, there are uninstallers out there now. Lenovo promised to never do it again. Um, Superfish, as far as I know, no longer exists as a software, but it is a short-sighted company that used all the ignorant shortcuts in the book to try to get some ads to appear, and just for that, tens of thousands, maybe hundreds of thousands of computers, I don't know, maybe, I don't know how many they make in a year, but all of those became vulnerable to a really terrible attack just because a company wanted to sell some ads. And it's very, very difficult for people who go to a bad place and use a card, because if you complain to your bank, the strip club owner will just say he was with four girls the whole night and £4,000 is what it costs in our house. How long has it been since you were recording? A really good question.
This is because I'm an idiot. I love it. We are three 4 of the way. I didn't record. We did that for the drone footage on chobble; we had a monitor on the drone footage with a remote link, and we know we're getting all kinds of stores. I just look and, wow, GoPro is not rolling. Oh, put the drone down, change the drone battery, oh man.
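
The certificate checks described in the transcript above, as an added example that is not part of the video or the original page: a swapped key fails verification, a certificate re-signed by an unknown authority fails too, and the same certificate is accepted once that authority's root sits in the local trust store. Toy textbook RSA built from known primes stands in for real X.509 signatures, and every name and key label here is constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy CAs

def toy_ca(p, q):
    """Textbook RSA key from two known primes. Toy only: no padding, small modulus."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(subject, pubkey, n):
    """Hash of the (subject, public key) binding, reduced into the CA's modulus."""
    data = f"{subject}|{pubkey}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(issuer, ca, subject, pubkey):
    """The CA signs the binding with its private exponent."""
    sig = pow(digest(subject, pubkey, ca["n"]), ca["d"], ca["n"])
    return {"subject": subject, "pubkey": pubkey, "issuer": issuer, "sig": sig}

def verify(cert, trust_store):
    """Accept only if a root in the trust store signed exactly this binding."""
    n = trust_store.get(cert["issuer"])
    return n is not None and pow(cert["sig"], E, n) == digest(cert["subject"], cert["pubkey"], n)

def unexpected_roots(trust_store, baseline):
    """Defender's audit: roots on the machine that the vendor baseline does not list."""
    return sorted(set(trust_store) - set(baseline))

def demo():
    public_ca = toy_ca(2**61 - 1, 2**89 - 1)    # stands in for a real certificate authority
    local_ca = toy_ca(2**107 - 1, 2**127 - 1)   # stands in for a pre-installed interceptor root
    baseline = {"Public CA": public_ca["n"]}    # what the browser or OS vendor shipped
    genuine = issue("Public CA", public_ca, "mail.example.test", "SERVER-KEY")
    swapped = dict(genuine, pubkey="ATTACKER-KEY")  # key replaced in transit, old signature kept
    resigned = issue("Local CA", local_ca, "mail.example.test", "ATTACKER-KEY")
    tampered_store = {**baseline, "Local CA": local_ca["n"]}  # one extra trusted entry
    return {
        "genuine": verify(genuine, baseline),
        "swapped_key": verify(swapped, baseline),
        "resigned_clean_store": verify(resigned, baseline),
        "resigned_extra_root": verify(resigned, tampered_store),
        "audit": unexpected_roots(tampered_store, baseline),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audit function is the defensive takeaway: comparing the installed root list against a known-good baseline is what surfaces an added authority, since certificate validation itself reports nothing wrong once the extra root is trusted.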
