Anger, outrage and dark humor were on display on Sunday as the world waited for European leaders to figure out a solution to the most recent installment of the Greek debt crisis.
The anger and outrage coalesced around the hashtag #ThisIsACoup, in which people expressed their displeasure with Germany, which has pushed for even harsher terms on Greece even as the country already struggles with cash shortages and banks on the brink of failure. Germany has pushed hard for Greece to accept stringent cuts to pensions and tax hikes.
#ThisIsACoup centered around the perception that Germany was negotiating with the goal of forcing Greece’s current leadership to step down. Greek Prime Minister Alexis Tsipras and his Syriza party were elected on a platform of fighting more cuts in return for another bailout.
Researchers have found at least a dozen other products — including another tool that inserts ads into Web pages and parental control software — that subvert the HTTPS security protocol.
To function, these products make the computer trust security certificates that were not issued by a legitimate certificate authority. This could let attackers execute man-in-the-middle attacks on affected devices (such as the Lenovo devices with Superfish pre-loaded) with relative ease.
Facebook’s Matt Richard, CloudFlare’s Filippo Valsorda, and Marc Rogers all claim these products use Komodia software to function. Komodia’s website is currently down, perhaps as the result of a distributed denial of service (DDoS) attack inspired by “recent media attention.”
Komodia’s software will reportedly cause Web browsers to accept any security certificate with the correct name inserted into the appropriate field, thus “lower[ing] the bar for successful exploitation of the serious vulnerability,” as Ars Technica put it in a recent report on the issue.
“What all of these applications have in common,” Facebook’s Richard said, “is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove.”
And the problems can persist even after the offending software has been removed. Lenovo devices from which Superfish has been uninstalled, for example, are still vulnerable to attack. The same could be true of the other products that undermine consumer security for profit.
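The two points above, that an injected root CA makes forged certificates validate and that the exposure outlives the program that installed it, can be reproduced locally. The script below is an added example, not code from the article or from any vendor named in it: it creates a throw-away interception root and an honest root, signs a leaf for a hostname nobody here owns, checks which trust bundle accepts the leaf, and counts self-signed roots as a simple audit. Every certificate name and file is constructed for the demo; it needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's code). Builds a throw-away
# "interception" root CA like the one Komodia-based products install, signs a
# leaf for a hostname the operator does not own, and shows the leaf validates
# only while that root sits in the trust store. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Interception root (self-signed) and an honest root standing in for the real CAs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/rogue.key" \
  -out "$WORK/rogue.pem" -subj "/CN=Constructed Interception CA" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/honest.key" \
  -out "$WORK/honest.pem" -subj "/CN=Constructed Honest Root CA" 2>/dev/null

# Leaf for bank.example, signed by the interception root, not by the honest one.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=bank.example" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/rogue.pem" \
  -CAkey "$WORK/rogue.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# Clean trust store vs. the same store after the adware appended its root; the
# extra root stays behind when the program that added it is uninstalled.
cp "$WORK/honest.pem" "$WORK/clean.pem"
cat "$WORK/honest.pem" "$WORK/rogue.pem" > "$WORK/tainted.pem"

# verify_leaf BUNDLE -> "ok" if leaf.pem chains to a root in BUNDLE, else "fail".
verify_leaf() {
  openssl verify -no-CApath -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# count_self_signed BUNDLE -> number of self-signed (root) certs in the bundle.
# Audit step: every self-signed cert you did not install yourself needs a look.
count_self_signed() {
  n=0
  awk -v d="$WORK" '/BEGIN CERT/{f=d"/part-"++i".pem"} f{print > f} /END CERT/{close(f); f=""}' "$1"
  for c in "$WORK"/part-*.pem; do
    s=$(openssl x509 -noout -subject -in "$c" | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer -in "$c" | sed 's/^issuer=//')
    [ "$s" = "$i" ] && n=$((n + 1))
    rm -f "$c"
  done
  echo "$n"
}

verify_leaf "$WORK/clean.pem"          # fail
verify_leaf "$WORK/tainted.pem"        # ok
count_self_signed "$WORK/tainted.pem"  # 2
```

On a real machine the audit would run over the operating system's or browser's root store rather than the constructed bundle, and any self-signed entry that is not a known public CA is the thing to investigate.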
Superfish was bad enough when it was thought to be swimming alone. Now we know there’s a whole school of software that introduces the same vulnerabilities to other consumers, and many of them probably don’t even know that attackers could steal information from them.
Put another way: There are a bunch of fish in the sea just looking for blood, and most people aren’t even aware that they’re swimming in dangerous waters. Superfish was just the start.