Tag Archives: Lenovo

Lenovo Settles With FTC Over Superfish

Some of you will remember back in mid 2014 that Lenovo added some software called Visual Discovery by Superfish to hundreds of thousands of computers.  The purpose of Visual Discovery is to “help” you by intercepting your browser communications and either inserting ads into your web traffic or even redirecting you to web sites that Superfish thinks you need to visit.

If the traffic to the original web site is encrypted, then Superfish decrypts that traffic without telling you so that it can “help” you and then re-encrypts it, often in a way that is not as secure due to flaws in the Visual Discovery software.

In early 2015, the cat was let out of the bag by researchers and the media started reporting about what Lenovo was doing.  Lenovo tried, unsuccessfully, to do damage control and eventually released a utility that allowed people to uninstall the Superfish software.  Without this utility, there was, literally, no way to uninstall the Superfish software.

Since they were intercepting users’ encrypted traffic, they likely had access to medical, financial and other sensitive information.  All without obvious notice to the consumer.

It is likely that Lenovo didn’t think too much about what their partner, Superfish, was doing, didn’t think much about the security implications, apparently did not look at the coding techniques that Superfish had used and was likely only interested in the size of the commission checks they were cashing.  This is all speculation on my part, but I doubt that Lenovo gave Superfish access to hundreds of thousands of their customers for free.

Well the fallout has finally happened.  It took over two years, but Lenovo and the Federal Trade Commission have come to an agreement in the form of a consent decree.  A few of the highlights of the agreement:

  • Lenovo does not have to admit any guilt.  This is pretty typical.
  • Lenovo agrees that if they ever do anything that even remotely looks like this again, which I doubt, but you never know, they will create a clear and conspicuous disclosure and require the consumer to OPT-IN not opt-out.
  • Again, if they do this again, they will give the consumer the ability to opt-out at any point in time and also give the consumer the ability to uninstall the software.  None of these were done with Superfish, although there was a brief blurb when they first fired up the browser.
  • Lenovo is prohibited from making misleading representations regarding promotions like this.
  • Lenovo will implement and maintain a software security program designed to address software security risks and protect customers’ information.
  • They will identify a point person – the proverbial one throat to choke (or jail) to manage the program.
  • They will hire an outside expert to conduct software security audits every two years for the next twenty years.  That is a long time to have the FTC breathing down your neck.

Suffice it to say, this is a large pile of turds; Lenovo will spend millions of dollars and the FTC will be watching closely.  FOR THE NEXT TWENTY YEARS.

All this trouble to make a few bucks from ads to their customers.

The moral of this story is to think through the security implications of programs that hijack users’ traffic and have significant privacy implications.

More than likely, any company that was considering doing something similar to what Lenovo was doing is reconsidering that plan.  It is just not worth the risk.

Information for this post came from the FTC web site.


Dell, Lenovo, AOL and Shodan Make Life Easy For Hackers and Foreign Intelligence Services

Here is an interesting group of vulnerabilities that make life easy for hackers and the Chinese (or Russians, or Ukrainians or pick your country).

  1. Dell has a couple of features in Dell Foundation Services.  One allows an unauthenticated user to get the Service Tag (Dell’s version of a serial number) over the net.  With that, you can go to Dell’s web site and get the complete hardware and software configuration of the computer – useful to hackers, intelligence agencies and scammers.  Another bug allows an attacker to remotely execute Windows WMI commands, which allow access to the system configuration, including running processes and the file system, and to remotely run programs.  Dell’s service runs on port 7779 and provides a SOAP interface – for ease of exploit.  Err, ease of use.
  2. Lenovo has a bug in Lenovo Solution Center.  It listens on port 55555 and allows an attacker to remotely execute any program – with SYSTEM privileges based on a whole series of flaws described in the article below.  This could also allow a local attacker to execute programs with more privileges than the user has.

Both of these, most likely, are done to make support easier for either the vendor or enterprise users – without regard to the security consequences.

In theory these ports should be closed from the Internet – but not always – read below.  Still, if an attacker gets onto your local network some other way, this is an easy way to increase the attacker’s footprint in your network.

3. AOL Desktop, an absolutely antique piece of software from the early 1990s, is still being run by some users.  It was an early attempt to access the web in a graphical fashion when the only connectivity users had was slow dialup.  It uses a proprietary language called DFO which allows AOL’s servers to execute functions remotely on a user’s desktop.  Given this was written more than two decades ago, no one thought about requiring authentication and it did not use SSL to protect the data stream.  This means that all an attacker needs to do is find a system that is still running this antique and they can own it in a heartbeat.

Potentially, attacks from the outside should be mitigated by the user’s firewall, but apparently not always.
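The practical defender’s question behind the three items above and the firewall caveat is simple: which of our hosts actually have these support services listening, and on which interface?  The script below is an added example, not code from the original post or from Dell, Lenovo or AOL.  It parses `netstat -an` output from a Windows host (the sample here is constructed), looks for the two ports the post names (7779 for Dell Foundation Services, 55555 for Lenovo Solution Center; the AOL item names no port, so it is not included) and reports whether each is bound to loopback only or to every interface, which is what decides whether a host firewall rule or uninstall is needed.

```python
"""Added example (not from the original post or any vendor): flag hosts
whose vendor support services listen on the ports named in the post and are
bound to every interface rather than loopback.  Input is the text of
`netstat -an` captured on a Windows host; the sample is constructed."""

import re

# Ports named in the post; the labels are the post's attributions.
WATCHED_PORTS = {
    7779: "Dell Foundation Services (SOAP)",
    55555: "Lenovo Solution Center",
}

# Constructed sample of `netstat -an` output from one Windows host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7779           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:55555        0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49700     203.0.113.5:443        ESTABLISHED
  TCP    [::]:7779              [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

# Only TCP sockets in LISTENING state matter here; the IPv6 form "[::]:7779"
# is handled because \S+ backtracks to the last colon before the port.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$"
)

LOOPBACK = {"127.0.0.1", "[::1]"}
WILDCARD = {"0.0.0.0", "[::]"}


def parse_listeners(netstat_text):
    """Return (bind_address, port) for every listening TCP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port"))))
    return listeners


def audit_listeners(netstat_text):
    """Findings for watched ports: port, service label, bind address and an
    exposure verdict.  'all-interfaces' means reachable from the LAN (and
    from the Internet if the firewall lets it through); 'loopback-only'
    means only local processes can reach it."""
    findings = []
    for addr, port in parse_listeners(netstat_text):
        if port not in WATCHED_PORTS:
            continue
        if addr in LOOPBACK:
            exposure = "loopback-only"
        elif addr in WILDCARD:
            exposure = "all-interfaces"
        else:
            exposure = "specific-interface"
        findings.append({"port": port, "service": WATCHED_PORTS[port],
                         "bind": addr, "exposure": exposure})
    return findings


def exposed_ports(netstat_text):
    """Watched ports reachable beyond loopback: the ones to block at the host
    firewall, or to remove by uninstalling the service if it is not needed."""
    return sorted({f["port"] for f in audit_listeners(netstat_text)
                   if f["exposure"] != "loopback-only"})


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT):
        print(f"port {f['port']:5d}  {f['service']:<32} bound to "
              f"{f['bind']:<10} -> {f['exposure']}")
    print("needs firewall rule or uninstall:", exposed_ports(SAMPLE_NETSTAT))
```

Run it against real `netstat -an` captures collected by your endpoint management tool; a host that shows `all-interfaces` for either port is exactly the case the post describes, reachable by anyone who lands on the same network segment.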

John Matherly of Shodan, the search engine for Internet of Things devices, did a quick search to see if he could find systems that responded.  For the Dell feature, he found around 12,800 web servers that responded on that port.  Of those, about 2,300 are running software that looks like it is from Dell.  He ran a quick script and was able to collect about 1,000 Dell service tags.  He didn’t try this for the other exploits – that I know about.

Quickly.

Obviously, we did not know, until now, about these wonderful Dell, Lenovo and AOL features.  That doesn’t mean that hackers and foreign (or domestic) intelligence agencies didn’t know about them.

Why bother with really obscure and hard attacks to get into the computers you want when you can just, basically, walk in the front door?

The big question is how many more of these features exist that we have not found.

And since manufacturers have no liability as a result (other than getting a little bad press that blows over quickly), they have no incentive to do things securely.  And also, since they don’t even tell you that they are doing it, you as a user cannot make an educated decision as to whether you want the manufacturer’s “help” in this manner.

Soooooo, HOW MANY MORE FEATURES ARE THERE?  Features that are here today or will be here tomorrow, as vendors try to help users without considering the security implications.  This is just from a quick round up of the news that I happened to hear about today.


Information on the Shodan search can be found here.

For information on the Dell feature, go to LizardHQ.

For information on the Lenovo feature, go to PC World.


A Different Perspective On Lenovo – It Is A Supply Chain Problem

While everyone is off beating up Lenovo and Lenovo, in turn, is beating up Komodia, I suggest everyone is missing the real problem.

First of all, to make sure that no one is confused, this problem is not limited to Lenovo consumer laptops.  Komodia has over a hundred customers developing software, all of which put your network at the exact same risk.  Lenovo just happened to get caught.

It is also not limited to Komodia.  Privdog, made by AdTrustMedia and sold by Comodo (no relation to Komodia), behaves in a very similar way.  And there are probably many more.

The problem is a supply chain problem.  Lenovo did not check out Superfish’s software very well and Superfish did not check out the library that they licensed from Komodia very well.

I assert that there are millions of developers who use software libraries and have no clue regarding the security practices of the libraries that they use.  Most of the time, the developers check to see that the libraries do what they want them to do – and that is all they check for.

It is a very unusual developer who will do a full scale cyber risk assessment on each and every third party software component that they license.

The result is Lenovo.  We happen to actually be very lucky that we caught this one after only a couple of months.  While we have seen some indications that this might have been exploited, there is only smoke and no fire.

What about the hundreds of thousands or millions of software libraries that other developers, big and small, incorporate into their software – blindly assuming that there are no security holes?

Even good developers typically only audit THEIR code and not the libraries they license.  In part, this is because they usually don’t get the source code to these libraries which makes auditing them very difficult.

As part of a cyber risk assessment, these potential vulnerabilities will be identified so that the organization can make a decision regarding how to mitigate these risks – and there is more than one way.

The alternative is like driving a car with a blindfold on – a scary thought.

And, it is important to understand that while the Lenovos of the world are being sued, they can only hope to collect something from Komodia.  Komodia is not even a U.S. company, so if Lenovo wants to go after them, they may have to do it in Israeli courts according to their laws.  And, I have no clue how big they are.  It could be that Komodia is two guys in a garage – I have no idea.

The reputation that gets clobbered is yours, so you need to protect it.  It is very difficult to repair after the fact.

The supply chain problem is not limited to tech or to software.  For example, the U.S. Department Of Defense has discovered many counterfeit parts for weapons and vehicles that were not made to spec and so may put soldiers at risk.  This is a huge problem that will not be easy to solve.

Mitch


Maybe it is time to thank Lenovo?

I just wouldn’t buy their computers.

I wrote the other day about the problem Lenovo is having.  They contracted with a company called Superfish and installed some crapware on your computer (if you bought a Lenovo consumer grade computer) that shoved ads at you.

That wouldn’t be that much of a problem – everyone from Facebook to GMail does it – until it was discovered that Superfish used a library from Komodia that hacks into your SSL encrypted traffic to look at your banking traffic, along with everything else, to figure out what ads to show you.

That would have been bad enough if the way they hacked into your SSL (https) encrypted traffic didn’t completely compromise the security of your computer.

Here is the part where we need to thank Lenovo.  They shined a bright light on some digital cockroaches and there is a lot of scurrying.

Microsoft and other vendors have now, correctly, classified the Komodia software as spyware and flag, quarantine and/or delete it, depending on your system’s configuration.  What was discovered was that Komodia sold their software to lots of firms – not just Superfish – so that crap is all around you.  They said on their web site that they had over 100 development firms using their software.  They very blatantly said that hacking your client’s SSL traffic is hard to do, so let us do it.

Now, Ars Technica, a well respected geek site, is reporting that researchers have found evidence of Komodia based attacks against users of GMail, Amazon, eBay and Twitter, among many other sites.

The details are very geeky, so I am not going to bore most people – click on the link above to read the Ars Technica article if you are interested.

Suffice it to say, Komodia is in a world of hurt, business wise.  Their site was down for a while and no one in the tech world will touch them with a 10 foot pole for fear, rightfully, of guilt by association.

Sadly, what they were trying to do is probably not much worse than what a lot of advertising brokers do – it is just that they took a few “shortcuts” that have come back to bite them in the rear.

The moral of the story is that security MUST be a key component of the development process and an outside advisor (advertisement: like me!) is probably requisite.  Otherwise, the fox (the developers) will be guarding the henhouse (the architecture and design) and that sometimes does not turn out well.

One last thought that requires that you put on your tin foil hat.  What if an unnamed three letter agency was interested in targeting your web traffic?  Getting you to install some Komodia based software under some guise would allow them to totally own your computer.  Note that I am not saying that Komodia is an NSA plot, but if they were smart, they would do something like this – and probably already have.

That means that you should not count on using SSL (Https) encryption for anything that you really want to be secure.  You need to use a completely different technique.  

p.s.  Now that people are looking, they have found another product – Privdog, from the SSL certificate company Comodo that has a similar problem.  That means that Comodo should be on your S**t list too.

Mitch


Microsoft 1, Lenovo 0 (or minus 1?)

Lenovo is getting more than its share of attention these days.

Microsoft has released an update to its free Windows Defender anti-malware software that classifies Lenovo’s Superfish as the malicious software that it is, removes the certificate from the Windows certificate store (which is the hard part, so yeah, Microsoft – and I don’t say that very often) and gives you instructions for removing the Superfish software.

Lenovo is now in hyper damage control mode and likely will be for a while.

There are plenty of other brands out there – perhaps choosing a brand that is not controlled by the Chinese government/military might be a wise move anyway.  I know that Lenovo claims that they are not controlled by the government, but what would you expect them to say?

Mitch


The Lenovo Problem is NOT just Lenovo

I wrote the other day (see post) about malware (called Superfish) that Lenovo intentionally installed on their computers in the name of improving your customer experience.  Well, they admit that it was poorly thought out, but only for one of the two reasons I am concerned about.

They admit that snooping on your private conversations to present you with ads is probably not a good plan.  The bigger problem is that the Komodia software is a security train wreck.

Marc Rogers, the guy who tipped us to the problem, has done more research on Komodia and the problem is much bigger.  Komodia makes a bunch of products that eavesdrop on your traffic for a bunch of different reasons and they all have the same issue.  Some of the products that use this same toolkit include:

  • Komodia’s “Keep My Family Secure” parental control software.
  • Qustodio’s parental control software
  • Kurupira Webfilter
  • Staffcop (version 5.6 and 5.8)
  • Easy hide IP Classic
  • Lavasoft Ad-aware Web Companion
  • Hide-my-ip (note: this package does not appear to utilize the SSL MITM, and the certificate is slightly different from the one found in other packages; however, it still utilizes an unrestricted root certificate with a simple plaintext password).

All of these products suffer from some common illnesses which include:

  • They intercept your private communications
  • The secret key for the software is embedded in the software and it is the same for every one of the installations around the world (no hacker would ever take advantage of that)
  • The password for the secret key, which is also embedded in the software, is also the same for everyone and it is a stupid password – “Komodia”.  I guess that is better than using 123456, but not much better.
  • The Komodia software which negotiates a connection with, say, your bank on your behalf, allows a whole bunch of old, weak cryptographic methods that modern browsers eliminated years ago.  That means that on top of everything else, your traffic is susceptible to hacking.
  • The Komodia software does not check (not correctly, anyway) whether the certificate of the web site you are going to is valid.  This means that, on top of everything else, you might be sent to a bogus web site and not even know it.
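The last three bullets, and the description of Superfish’s decrypt-and-re-encrypt behaviour in the first post on this page, come down to a TLS client that skips the checks a client must do.  The example below is added here and is not Komodia’s, Superfish’s or Lenovo’s code; it uses only Python’s standard `ssl` module and opens no network connections.  `weak_client_context` reproduces the two configuration mistakes the post describes (no certificate chain verification, no hostname check), `hardened_client_context` is what a defender expects from anything that terminates TLS on a user’s behalf, and `audit_client_context` is the review check that tells them apart, including a scan of the enabled cipher suites for the legacy algorithms the post says browsers dropped years ago.

```python
"""Added example (not Komodia's, Superfish's or Lenovo's code): the checks a
TLS client must make, and an audit that reports when they are missing.
Standard library only; no sockets are opened."""

import ssl

# Name fragments of cipher suites modern browsers removed long ago.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def weak_client_context():
    """Mirrors the failure modes in the post: any certificate, from anyone,
    for any hostname, is accepted.  Exists only to be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # a bogus site for your bank passes
    ctx.verify_mode = ssl.CERT_NONE  # the chain is never validated
    return ctx


def hardened_client_context():
    """What a client that talks to your bank on your behalf should look like:
    system trust store, chain and hostname verified, TLS 1.2 or newer, and
    only AEAD suites with forward secrecy."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + system roots
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def weak_ciphers(ctx):
    """Names of enabled cipher suites that match a legacy marker."""
    return sorted(
        c["name"] for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)
    )


def audit_client_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions are allowed")
    bad = weak_ciphers(ctx)
    if bad:
        findings.append("weak cipher suites enabled: " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(f"{label}: {audit_client_context(ctx) or ['ok']}")
```

The two findings the weak context always produces are the ones the post attributes to Komodia: with `CERT_NONE` the library accepts whatever certificate the far end sends, and with `check_hostname` off it never notices the certificate is for a different site.  Note that nothing here can fix the other bullet, a single private key and password shared by every installation; the only remedy for that is the one the post gives, removing the software and its root certificate.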

The web site that I reported last week (link above) has a test to see if the Superfish software is installed on your computer.  The site has been updated to reflect this news and the address is:

https://filippo.io/Badfish/ 

If you do have this software on your computer, not only do you need to remove the software, but you also need to remove their certificate (basically, a skeleton key into your computer) as well.  Marc has instructions for doing that on his web site.

All I can say is ARGH!!!!!

As I have said before, the internet merchants want to fool you into believing that SSL is secure.  It is less insecure when you implement it correctly, but is totally insecure when you implement it the way Komodia implemented it.  Worse than being insecure, Komodia puts your computer at risk because of their actions.

The U.S. Computer Emergency Readiness Team (part of DHS, but run by intelligent people at Carnegie Mellon University) is now involved as well, so we may yet see more news about this.

If you are using any of these products, I would definitely uninstall them and remove the root certificate as well.

SOOORRY!

Mitch
