Tag Archives: Cyber Risk Assessment

A Different Perspective On Lenovo – It Is A Supply Chain Problem

While everyone is off beating up Lenovo and Lenovo, in turn, is beating up Komodia, I suggest everyone is missing the real problem.

First of all, to make sure that no one is confused, this problem is not limited to Lenovo consumer laptops.  Komodia has over a hundred customers developing software, all of which put your network at the exact same risk.  Lenovo just happened to get caught.

It is also not limited to Komodio.  Privdog, made by AdTrustMedia and sold by Comodo (no relation to Komodia), behaves in a very similar way.  And there are probably many more.

The problem is a supply chain problem.  Lenovo did not check out Superfish’s software very well and Superfish did not check out the library that they licensed from Komodio very well.

I assert that there are millions of developers who use software libraries that have no clue regarding the security practices of the libraries that they use.  Most of the time, the developers check to see that the libraries do what they want them to do – and that is all they check for.

It is a very unusual developer who will do a full scale cyber risk assessment on each and every third party software component that they license.

The result is Lenovo.  We happen to actually be very lucky that we caught this one after only a couple of months.  While we have seen some indications that this might have been exploited, there is only smoke and no fire.

What about the hundreds of thousands or millions of software libraries that other developers, big and small, incorporate into their software – blindly assuming that there are no security holes?

Even good developers typically only audit THEIR code and not the libraries they license.  In part, this is because they usually don’t get the source code to these libraries which makes auditing them very difficult.

As part of a cyber risk assessment, these potential vulnerabilities will be identified so that the organization can make a decision regarding how to mitigate these risks – and there is more than one way.

The alternative is like driving a car with a blindfold on – a scary thought.

And, it is important to understand that while the Lenovo’s of the world are being sued, they can only hope to collect something from Komodio.  Komodio is not even a U.S. company, so if Lenovo wants to go after them, they may have to do it in Israeli courts according to their laws.  And, I have no clue how big they are.  It could be that Komodio is two guys in a garage – I have no idea.

The reputation that gets clobbered is yours, so you need to protect it.  It is very difficult to repair after the fact.

The supply chain problem is not limited to tech or to software.  For example, the U.S. Department Of Defense has discovered many counterfeit parts for weapons and vehicles that were not made to spec and so may put soldiers at risk.  This is a huge problem that will not be easy to solve.