Tag Archives: Lenovo

Security News for the Week Ending August 30, 2019

Lenovo “Crapware” Allows Attacker to Compromise Any PC in 600 Seconds

I am not going to get on my soapbox about why you should not buy a PC built by the Chinese government because I know people love their old IBM Thinkpads, but handle this issue no matter what.

Apparently the Lenovo “Solutions” Center has a bug that allows any user (meaning a hacker who has installed any malware on your computer – so your computer already has to be compromised at some small level for this to work) to become an admin within 10 minutes, the interval at which Solutions Center runs.  You can read the details in the link, but the simple fix is to delete the app completely.  If you actually use the Solutions Center functionality, Lenovo has a new app that does not have this vulnerability.  Source: The Register.


Should You Block Newly Registered Domains?

Researchers say that OVER 70% of newly registered domains are malicious or otherwise potentially harmful to organizations.  “Newly registered” here means registered within the last 32 days.  Some organizations are already blocking these domains, or alternatively giving users a warning if they go there.

Two thoughts on this.  First, if YOU plan on launching a new domain, you should plan in advance and buy the domain early; many hackers do not have the patience to do this (and in fact their domains are only live for a few hours).  Second, you should consider implementing a block or warning on newly registered domains to protect your users.  Source: Help Net Security.
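The block-or-warn policy described above, as an added example that is not part of the original post. It applies the 32-day threshold the article quotes to constructed proxy log lines; the registration dates are constructed stand-ins for what a WHOIS/RDAP lookup or threat-intel feed would return, and the two-label domain reduction is a deliberate simplification.

```python
"""Newly-registered-domain policy over constructed proxy log lines (added example)."""
from datetime import date
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

NEW_DOMAIN_DAYS = 32                # threshold quoted in the article
TODAY = date(2019, 8, 30)           # evaluation date for the constructed data

# Constructed registration dates keyed by registrable domain (stand-in for WHOIS/RDAP).
REGISTRATION_DATES: Dict[str, date] = {
    "example.com": date(1995, 8, 14),
    "fresh-invoice-portal.com": date(2019, 8, 20),
    "launch-next-quarter.com": date(2019, 6, 1),
}

# Constructed proxy log lines: timestamp, client IP, requested URL.
PROXY_LOG = """\
2019-08-30T09:12:01Z 10.0.0.15 https://www.example.com/index.html
2019-08-30T09:12:44Z 10.0.0.15 http://fresh-invoice-portal.com/login
2019-08-30T09:13:10Z 10.0.0.22 https://launch-next-quarter.com/
2019-08-30T09:14:02Z 10.0.0.22 https://unknown-host.net/
"""

def registrable_domain(url: str) -> str:
    """Reduce a URL to its registrable domain.

    Simplification: keeps the last two host labels. A production version
    would consult the Public Suffix List so that e.g. co.uk is handled.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify(domain: str, today: date) -> str:
    """Return 'block', 'warn' or 'allow' for one domain."""
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        return "warn"                # no registration data: warn, do not block outright
    age_days = (today - registered).days
    return "block" if age_days < NEW_DOMAIN_DAYS else "allow"

def apply_policy(log_text: str, today: date) -> List[Tuple[str, str, str]]:
    """Evaluate every log line; returns (client, domain, action) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, url = line.split(maxsplit=2)
        domain = registrable_domain(url)
        results.append((client, domain, classify(domain, today)))
    return results

if __name__ == "__main__":
    for client, domain, action in apply_policy(PROXY_LOG, TODAY):
        print(f"{action:5} {client:10} {domain}")
```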


House Dems Ask FSOC to Regulate AWS, Azure and Google Cloud

Two House Democrats have asked the Financial Stability Oversight Council (FSOC), which is comprised of Federal bank regulators, to consider making the big 3 cloud providers “systemically important” to the banking industry and as a result directly regulate them.

This was directly in response to the Capital One breach, even though that breach was the fault of Capital One’s bad security practices and not a security failure at Amazon.

It is probably obvious but I will point out that given the current political climate, it is unlikely that the administration will do anything that Democratic Party lawmakers suggest.  Still it does point to the possibility that Congress will try to legislate that if the administration doesn’t do anything about cloud security.  Source: Rep. Velazquez.


Cloud Archive for Dentists Hit By Ransomware Attack

DDSSafe, a cloud archive solution for dentists, was hit by a ransomware attack that encrypted the data of hundreds of practices.  This follows the FBI/DHS alert that hackers were going after cloud service providers because one attack can generate a massive payday.  In this case it is believed the hackers were asking $5,000 per practice and if 500 practices were affected, that would represent a $2 Mil+ payday.  Tax free.  Source: Krebs on Security.


Google Reveals Websites That Hack iPhones With No Interaction

Google’s Project Zero identifies bugs in a variety of software from every vendor.  This week they announced 14 flaws which, when chained together in different ways, created 5 different ways an iPhone user can be totally compromised just by visiting a malicious web site, without clicking on anything.  The flaws were shared with Apple in February and Apple fixed them in version 12.1.4 of iOS.  Successful attacks allow a bad guy to steal your photos, contacts, location and passwords.  The bugs go back to iOS 10 and the web sites have been serving up malware for two years.  The nature of the attack was such that rebooting the phone (and not visiting those sites again) would get rid of the malware.  Source: Computing.

Lenovo Settles With FTC Over Superfish

Some of you will remember back in mid-2014 that Lenovo added some software called Visual Discovery by Superfish to hundreds of thousands of computers.  The purpose of Visual Discovery is to “help” you by intercepting your browser communications and either inserting ads into your web traffic or even redirecting you to web sites that Superfish thinks you need to visit.

If the traffic to the original web site is encrypted, then Superfish decrypts that traffic without telling you so that it can “help” you and then re-encrypts it, often in a way that is not as secure due to flaws in the Visual Discovery software.

In early 2015, the cat was let out of the bag by researchers and the media started reporting on what Lenovo was doing. Lenovo tried, unsuccessfully, to do damage control and eventually released a utility that allowed people to uninstall the Superfish software.  Without this utility, there was, literally, no way to uninstall the Superfish software.

Since they were intercepting users’ encrypted traffic, they likely had access to medical, financial and other sensitive information.  All without obvious notice to the consumer.

It is likely that Lenovo didn’t think too much about what their partner, Superfish, was doing, didn’t think much about the security implications, apparently did not look at the coding techniques that Superfish had used and was likely only interested in the size of the commission checks they were cashing.  This is all speculation on my part, but I doubt that Lenovo gave Superfish access to hundreds of thousands of their customers for free.

Well the fallout has finally happened.  It took over two years, but Lenovo and the Federal Trade Commission have come to an agreement in the form of a consent decree.  A few of the highlights of the agreement:

  • Lenovo does not have to admit any guilt.  This is pretty typical.
  • Lenovo agrees that if they ever do anything that even remotely looks like this again, which I doubt, but you never know, they will create a clear and conspicuous disclosure and require the consumer to OPT-IN not opt-out.
  • Again, if they do this again, they will give the consumer the ability to opt-out at any point in time and also give the consumer the ability to uninstall the software.  None of these were done with Superfish, although there was a brief blurb when they first fired up the browser.
  • Lenovo is prohibited from making misleading representations regarding promotions like this.
  • Lenovo will implement and maintain a software security program designed to address software security risks and protect customers’ information.
  • They will identify a point person – the proverbial one throat to choke (or jail) to manage the program.
  • They will hire an outside expert to conduct software security audits every two years for the next twenty years.  That is a long time to have the FTC breathing down your neck.

Suffice it to say, this is a large pile of turds; Lenovo will spend millions of dollars and the FTC will be watching closely.  FOR THE NEXT TWENTY YEARS.

All this trouble to make a few bucks from ads to their customers.

The moral of this story is to think through the security implications of programs that hijack users’ traffic and have significant privacy implications.

More than likely, any company that was considering doing something similar to what Lenovo was doing is reconsidering that plan.  It is just not worth the risk.

Information for this post came from the FTC web site.

Dell, Lenovo, AOL and Shodan Make Life Easy For Hackers and Foreign Intelligence Services

Here is an interesting group of vulnerabilities that make life easy for hackers and the Chinese (or Russians, or Ukrainians or pick your country).

  1. Dell has a couple of features in Dell Foundation Services.  One allows an unauthenticated user to get the Service Tag (Dell’s version of a serial number) over the net.  With that, you can go to Dell’s web site and get the complete hardware and software configuration of the computer – useful to hackers, intelligence agencies and scammers.  Another bug allows an attacker to remotely execute Windows WMI commands, which allow you to access the system configuration including running processes and the file system and to remotely run programs.  Dell’s service runs on port 7779 and provides a SOAP interface – for ease of exploit.  Err, ease of use.
  2. Lenovo has a bug in Lenovo Solution Center.  It listens on port 55555 and allows an attacker to remotely execute any program with SYSTEM privileges, based on a whole series of flaws described in the article linked below.  This could also allow a local attacker to execute programs with more privileges than the user has.

Both of these, most likely, are done to make support easier for either the vendor or enterprise users – without regard to the security consequences.

In theory these ports should be closed from the Internet – but not always – read below.  Still, if an attacker gets onto your local network some other way, this is an easy way to increase the attacker’s footprint in your network.
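One way to check for the two listeners named above and whether they are reachable from the network rather than only from the local machine, as an added example that is not from the original post or from the vendors. The listener table is constructed in the column layout of `ss -ltn` (an assumption; adapt the parser to whatever your inventory tool emits).

```python
"""Flag the vendor support listeners the article names, from netstat-style output (added example)."""
from typing import Dict, List, Tuple

# Ports named in the article: Dell Foundation Services and Lenovo Solution Center.
RISKY_PORTS: Dict[int, str] = {
    7779: "Dell Foundation Services (SOAP)",
    55555: "Lenovo Solution Center",
}

# Constructed listener table in `ss -ltn` column order:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:7779         0.0.0.0:*
LISTEN  0       128     127.0.0.1:55555      0.0.0.0:*
LISTEN  0       128     0.0.0.0:445          0.0.0.0:*
LISTEN  0       128     [::]:55555           [::]:*
"""

def parse_local_endpoint(field: str) -> Tuple[str, int]:
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port)."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)

def is_wildcard(addr: str) -> bool:
    """True when the socket accepts connections from any interface."""
    return addr in ("0.0.0.0", "::", "*")

def find_risky_listeners(table: str) -> List[Tuple[int, str, str]]:
    """Return (port, service, exposure) for every listener on RISKY_PORTS.

    exposure is 'network' for a wildcard bind (reachable from the LAN, and
    from the Internet if the firewall lets it through) or 'local' for a
    loopback-only bind (only reachable by code already on the machine).
    """
    findings = []
    for line in table.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parse_local_endpoint(parts[3])
        if port not in RISKY_PORTS:
            continue
        exposure = "network" if is_wildcard(addr) else "local"
        findings.append((port, RISKY_PORTS[port], exposure))
    return findings

if __name__ == "__main__":
    for port, service, exposure in find_risky_listeners(LISTENERS):
        print(f"port {port:5} {service:32} exposure={exposure}")
```

Note that the IPv6 wildcard bind on 55555 is reported as network-exposed even though the IPv4 socket is loopback-only; both bindings have to be checked.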

3. AOL Desktop, an absolutely antique piece of software from the early 1990s, is still being run by some users.  It was an early attempt to access the web in a graphical fashion when the only connectivity users had was slow dialup.  It uses a proprietary language called DFO which allows AOL’s servers to execute functions remotely on a user’s desktop.  Given this was written more than two decades ago, no one thought about requiring authentication and it did not use SSL to protect the data stream.  This means that all an attacker needs to do is find a system that is still running this antique and they can own it in a heartbeat.

Potentially, attacks from the outside should be mitigated by the user’s firewall, but apparently not always.

John Matherly of Shodan, the search engine for Internet of Things devices, did a quick search to see if he could find systems that responded.  For the Dell feature, he found around 12,800 webservers that responded on that port.  Of those, about 2,300 are running software that looks like it is from Dell.  He ran a quick script and was able to collect about 1,000 Dell service tags.  He didn’t try this for the other exploits – that I know about.


Obviously, we did not know, until now, about these wonderful Dell, Lenovo and AOL features.  That doesn’t mean that hackers and foreign (or domestic) intelligence agencies didn’t know about them.

Why bother with really obscure and hard attacks to get into the computers you want when you can just, basically, walk in the front door?

The big question is how many more of these features exist that we have not found.

And since manufacturers have no liability as a result (other than getting a little bad press that blows over quickly), they have no incentive to do things securely.  And also, since they don’t even tell you that they are doing it, you as a user cannot make an educated decision as to whether you want the manufacturer’s “help” in this manner.

Soooooo, HOW MANY MORE FEATURES ARE THERE?  Features that are here today or will be here tomorrow, as vendors try to help users without considering the security implications.  This is just from a quick round-up of the news that I happened to hear about today.


Information on the Shodan search can be found here.

For information on the Dell feature, go to LizardHQ.

For information on the Lenovo feature, go to PC World.

A Different Perspective On Lenovo – It Is A Supply Chain Problem

While everyone is off beating up Lenovo and Lenovo, in turn, is beating up Komodia, I suggest everyone is missing the real problem.

First of all, to make sure that no one is confused, this problem is not limited to Lenovo consumer laptops.  Komodia has over a hundred customers developing software, all of which put your network at the exact same risk.  Lenovo just happened to get caught.

It is also not limited to Komodia.  Privdog, made by AdTrustMedia and sold by Comodo (no relation to Komodia), behaves in a very similar way.  And there are probably many more.

The problem is a supply chain problem.  Lenovo did not check out Superfish’s software very well and Superfish did not check out the library that they licensed from Komodia very well.

I assert that there are millions of developers using software libraries who have no clue regarding the security practices behind those libraries.  Most of the time, the developers check to see that the libraries do what they want them to do – and that is all they check for.

It is a very unusual developer who will do a full scale cyber risk assessment on each and every third party software component that they license.

The result is Lenovo.  We happen to actually be very lucky that we caught this one after only a couple of months.  While we have seen some indications that this might have been exploited, there is only smoke and no fire.

What about the hundreds of thousands or millions of software libraries that other developers, big and small, incorporate into their software – blindly assuming that there are no security holes?

Even good developers typically only audit THEIR code and not the libraries they license.  In part, this is because they usually don’t get the source code to these libraries which makes auditing them very difficult.

A cyber risk assessment identifies these potential vulnerabilities so that the organization can make a decision regarding how to mitigate the risks – and there is more than one way to do that.

The alternative is like driving a car with a blindfold on – a scary thought.

And, it is important to understand that while the Lenovos of the world are being sued, they can only hope to collect something from Komodia.  Komodia is not even a U.S. company, so if Lenovo wants to go after them, they may have to do it in Israeli courts according to their laws.  And, I have no clue how big they are.  It could be that Komodia is two guys in a garage – I have no idea.

The reputation that gets clobbered is yours, so you need to protect it.  It is very difficult to repair after the fact.

The supply chain problem is not limited to tech or to software.  For example, the U.S. Department Of Defense has discovered many counterfeit parts for weapons and vehicles that were not made to spec and so may put soldiers at risk.  This is a huge problem that will not be easy to solve.


Maybe it is time to thank Lenovo?

I just wouldn’t buy their computers.

I wrote the other day about the problem Lenovo is having.  They contracted with a company called Superfish and installed some crapware on your computer (if you bought a Lenovo consumer-grade computer) that shoved ads at you.

That wouldn’t be that much of a problem – everyone from Facebook to GMail does it – until it was discovered that Superfish used a library from Komodia that hacks into your SSL-encrypted traffic to look at your banking traffic, along with everything else, to figure out what ads to show you.

That would have been bad enough on its own, but the way they hacked into your SSL (https) encrypted traffic also completely compromised the security of your computer.

Here is the part where we need to thank Lenovo.  They shined a bright light on some digital cockroaches and there is a lot of scurrying.

Microsoft and other vendors have now, correctly, classified the Komodia software as spyware and flag, quarantine and/or delete it, depending on your system’s configuration.  What was discovered was that Komodia sold their software to lots of firms – not just Superfish – so that crap is all around you.  They said on their web site that they had over 100 development firms using their software.  They very blatantly said that hacking your clients’ SSL traffic is hard to do, so let us do it.

Now, Ars Technica, a well respected geek site, is reporting that researchers have found evidence of Komodia-based attacks against users of GMail, Amazon, eBay and Twitter, among many other sites.

The details are very geeky, so I am not going to bore most people – click on the link above to read the Ars Technica article if you are interested.

Suffice it to say, Komodia is in a world of hurt, business-wise.  Their site was down for a while and no one in the tech world will touch them with a 10-foot pole for fear, rightfully, of guilt by association.

Sadly, what they were trying to do is probably not much worse than what a lot of advertising brokers do – it is just that they took a few “shortcuts” that have come back to bite them in the rear.

The moral of the story is that security MUST be a key component of the development process and an outside advisor (advertisement: like me!) is probably requisite.  Otherwise, the fox (the developers) will be guarding the henhouse (the architecture and design) and that sometimes does not turn out well.

One last thought that requires that you put on your tin foil hat.  What if an unnamed three letter agency was interested in targeting your web traffic?  Getting you to install some Komodia based software under some guise would allow them to totally own your computer.  Note that I am not saying that Komodia is an NSA plot, but if they were smart, they would do something like this – and probably already have.

That means that you should not count on using SSL (https) encryption for anything that you really want to be secure.  You need to use a completely different technique.

p.s.  Now that people are looking, they have found another product – Privdog, from the SSL certificate company Comodo that has a similar problem.  That means that Comodo should be on your S**t list too.


Microsoft 1, Lenovo 0 (or minus 1?)

Lenovo is getting more than its share of attention these days.

Microsoft has released an update to its free Windows Defender anti-malware software that classifies Lenovo’s Superfish as the malicious software that it is, removes the certificate from the Windows certificate store (which is the hard part, so yeah, Microsoft – and I don’t say that very often) and gives you instructions for removing the Superfish software.

Lenovo is now in hyper damage control mode and likely will be for a while.

There are plenty of other brands out there – perhaps choosing a brand that is not controlled by the Chinese government/military might be a wise move anyway.  I know that Lenovo claims that they are not controlled by the government, but what would you expect them to say?