Lenovo, Google websites hijacked by DNS attacks
On Wednesday, visitors to lenovo.com were greeted with what appeared to be webcam images of a bored young man sitting in a bedroom, and the song “Breaking Free” from an old Disney movie. On Monday, Google’s site for Vietnam also briefly redirected people to another website.
Both Google and Lenovo were victims of “domain hijacking,” a type of attack against the Domain Name System (DNS), which translates domain names into IP addresses that can be called into a browser.
The domain name records for both companies were modified to redirect to different websites when people entered “lenovo.com” and “google.com.vn.”
The changes were apparently made through Web Commerce Communications, known as Webnic.cc, a Malaysian company that registers domains names.
The hacker group Lizard Squad has claimed credit for the defacements. Lenovo appeared to restore service at one point on Wednesday afternoon, but later was unavailable due to system maintenance, a notice said. Webnic.cc could not be immediately reached for comment.
In Lenovo’s case, the hackers changed Lenovo’s domain name registration details to redirect to nameservers at CloudFlare, a San Francisco-based company that specializes in bettering the performance of websites through extensive caching. Nameservers tell a computer which IP address to look up to view a website.
CloudFlare’s servers then redirected people trying to go to lenovo.com to two IP addresses hosted in the Netherlands by the company Digital Ocean, said Andrew Hay, senior security research lead for OpenDNS, a company that specializes in DNS-related security.
Those redirected to the other sites saw the webcam images of the bored young man. The source code for the Web page included the line: “The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey,” referring to persons who have reportedly been connected to the hacker group Lizard Squad.
The Lizard Squad’s access to Lenovo’s registrant account also allowed it to capture some of Lenovo’s email, which the group posted excerpts of on Twitter.
Lenovo has already been under pressure in the last week for pre-installing a secretive application called Superfish on its laptops, which substitutes some ads on encrypted websites but also created a major security vulnerability.
CloudFlare offers free services that are sometimes abused by miscreants, but the company said it moved fast to help fix Lenovo’s problem.
“As soon as we saw the unauthorized transfer, we took control of the account, notified Lenovo and worked with them to restore service while they worked on getting their domain back,” said Marc Rogers, principal security researcher at CloudFlare.
On Monday, Google’s site for Vietnam briefly redirected people to another website. Like Lenovo, Google also had its google.com.vn domain name registered with Webnic.
It is possible that Webnic.cc has a vulnerability in its network that was discovered by the Lizard Squad and allowed changes to be made to domain name registrations. Another possibility is that the Lizard Squad obtained the authentication credentials used by those companies to modify domain name records.
It’s considered a low-brow style of attack, but changes to domain name records can be dangerous for Web users since there’s little they can do to protect themselves.
Such attacks—especially against websites that receive a lot of traffic—are powerful because attackers could redirect them to websites that try to automatically install malicious software. But that doesn’t appear to be the case with either the Lenovo or Google redirects.
Domain name registrars have been slowly implementing a security technology called DNS Security Extensions (DNSSEC) to better protect domain name records. DNSSEC uses public key cryptography to digitally “sign” domain names and corresponding IP addresses.
The technology is complicated to set up, however, and it has been a years-long effort to see it supported by registrars and hosting providers.
DNSSEC could have prevented the attack against Lenovo or “at the very least it would have made it much more complicated and slow to do with many more steps for the bad guys before they succeeded,” Rogers said.
Worse than Superfish? Comodo-affiliated PrivDog compromises web security too
Over the weekend, a user reported on Hacker News that his system failed an online test designed to detect a man-in-the-middle vulnerability introduced by Superfish, a program preloaded on some Lenovo consumer laptops.
However, his system did not have Superfish installed. Instead, the problem was tracked down to another advertising-related application called PrivDog, which was built with the involvement of Comodo’s CEO, Melih Abdulhayoglu. New PrivDog releases are announced on the Comodo community forum by people tagged as Comodo staff.
PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia. As Abdulhayoglu puts it in a January 2014 post on his personal blog in which he describes the technology: “Consumers win, Publishers win, Advertisers win.”
However, according to people who recently looked at PrivDog’s HTTPS interception functionality, consumers might actually lose when it comes to their system’s security if they use the product.
In order to replace ads on websites protected with HTTPS (HTTP with SSL/TLS encryption), PrivDog installs its own self-generated root certificate on the system and then runs as a man-in-the-middle proxy. When users access secure HTTPS sites, PrivDog hijacks their connections and replaces the legitimate certificates of those sites with new ones signed with the locally installed root certificate.
Since the root certificate installed by PrivDog on computers is trusted by browsers, all certificates that chain back to it will also be trusted. This means that users will think that they’re securely speaking to the websites they accessed, while in the background, PrivDog will decrypt and manipulate their traffic.
That in itself is not a bad implementation. There are legitimate reasons for scanning HTTPS traffic and many security products use similar techniques to analyze encrypted traffic for potential threats.
Unlike Superfish, PrivDog installs a different root certificate on every system, so there’s no shared private key that would allow attackers to generate rogue certificates. However, it turns out they don’t even need a shared key
The error in PrivDog’s implementation is simpler than that: The program doesn’t properly validate the original certificates it receives from websites. It will therefore accept rogue certificates that would normally trigger errors inside browsers and will replace them with certificates that those browsers will trust.
For example, an attacker on a public wireless network or with control over a compromised router could intercept a user’s connection to bankofamerica.com and present a self-signed certificate that would allow him to decrypt traffic. The user’s browser would normally reject such a certificate.
However, if PrivDog is installed, the program will take the attacker’s self-signed certificate and will create a copy signed with its own trusted root certificate, forcing the browser to accept it. In essence, the user’s traffic would be intercepted and decrypted by the local PrivDog proxy, but PrivDog’s connection to the real site would also be intercepted and decrypted by a hacker.
PrivDog is bundled with some products from Comodo, like Comodo Internet Security as well as its Chromodo, Dragon and IceDragon browsers. However, it seems that these products include PrivDog version 2, which lacks the HTTPS proxy functionality, and thus does not expose users to man-in-the-middle attacks.
The PrivDog version that exposes users to man-in-the-middle attacks is version 3, which is available to download as a stand-alone application and which supports a large number of browsers including Google Chrome, Mozilla Firefox and Internet Explorer, according to security researcher Filippo Valsorda, who’s online HTTPS test was updated to account for it.
This “potential issue” only exists in PrivDog versions 18.104.22.168 and 22.214.171.124 that have never been distributed by Comodo and are not present in the company’s browsers, a Comodo representative said Monday via email.
The PrivDog team at Adtrustmedia has published a security advisory that assigns a low threat level to the vulnerability. A maximum of 6,294 users in the USA and 57,568 users globally are potentially affected by the issue and they will be updated automatically to a patched version, the team said. The new version—126.96.36.199—is also available for download from the company’s site.
“As long as people use this practice of ‘breaking the chain of trust’ there are bound to be some who implement it utterly wrong,” said Amichai Shulman, CTO of security firm Imperva, via email. “Superfish’s mistake was using the same root certificate across all deployments. PrivDog’s mistake is not validating certificates at all.”
Some people believe that the PrivDog vulnerability is even worse than the one introduced by Superfish.
“By comparison, the Superfish ‘man-in-the-middle’ process at least requires the name of the targeted website to be inserted into the certificates alternate name field,” said Mark James, a security specialist at antivirus firm ESET. “Although Superfish allows the possibility of massive exploitation with this flaw it is still marginally better than what PrivDog is doing.”
However, it’s not just Superfish or PrivDog that open such security holes on computers. Researchers determined that the Superfish vulnerability was actually in a third-party software development kit from a company called Komodia. The same SDK is used in other products as well, including parental control applications, VPN clients andsoftware from a security vendor called Lavasoft.