Tag Archives: Superfish

Lenovo Settles With FTC Over Superfish

Some of you will remember that back in mid-2014 Lenovo added software called Visual Discovery by Superfish to hundreds of thousands of computers. The purpose of Visual Discovery is to “help” you by intercepting your browser communications and either inserting ads into your web traffic or even redirecting you to web sites that Superfish thinks you need to visit.

If the traffic to the original web site is encrypted, then Superfish decrypts that traffic without telling you so that it can “help” you and then re-encrypts it, often in a way that is not as secure due to flaws in the Visual Discovery software.

In early 2015, the cat was let out of the bag by researchers and the media started reporting on what Lenovo was doing. Lenovo tried, unsuccessfully, to do damage control and eventually released a utility that allowed people to uninstall the Superfish software. Without that utility, there was, literally, no way to uninstall the Superfish software.

Since they were intercepting users’ encrypted traffic, they likely had access to medical, financial and other sensitive information, all without obvious notice to the consumer.

It is likely that Lenovo didn’t think too much about what their partner, Superfish, was doing, didn’t think much about the security implications, apparently did not review the coding techniques that Superfish had used, and was interested only in the size of the commission checks it was cashing. This is all speculation on my part, but I doubt that Lenovo gave Superfish access to hundreds of thousands of its customers for free.

Well, the fallout has finally happened. It took over two years, but Lenovo and the Federal Trade Commission have come to an agreement in the form of a consent decree. A few of the highlights of the agreement:

  • Lenovo does not have to admit any guilt.  This is pretty typical.
  • Lenovo agrees that if they ever do anything that even remotely looks like this again (which I doubt, but you never know), they will provide a clear and conspicuous disclosure and require the consumer to OPT IN, not opt out.
  • Again, if they do this again, they will give the consumer the ability to opt out at any point in time and also give the consumer the ability to uninstall the software. None of this was done with Superfish, although there was a brief blurb the first time the browser was fired up.
  • Lenovo is prohibited from making misleading representations regarding promotions like this.
  • Lenovo will implement and maintain a software security program designed to address software security risks and protect customers’ information.
  • They will identify a point person – the proverbial one throat to choke (or jail) to manage the program.
  • They will hire an outside expert to conduct software security audits every two years for the next twenty years.  That is a long time to have the FTC breathing down your neck.

Suffice it to say, this is a large pile of turds; Lenovo will spend millions of dollars and the FTC will be watching closely.  FOR THE NEXT TWENTY YEARS.

All this trouble to make a few bucks from ads to their customers.

The moral of this story is to think through the security implications of programs that hijack users’ traffic and have significant privacy implications.

More than likely, any company that was considering doing something similar to what Lenovo was doing is reconsidering that plan.  It is just not worth the risk.

Information for this post came from the FTC web site.


Maybe it is time to thank Lenovo?

I just wouldn’t buy their computers.

I wrote the other day about the problem Lenovo is having. They contracted with a company called Superfish and installed some crapware on your computer (if you bought a Lenovo consumer-grade computer) that shoved ads at you.

That wouldn’t be that much of a problem – everyone from Facebook to Gmail does it – until it was discovered that Superfish used a library from Komodia that hacks into your SSL-encrypted traffic to look at your banking traffic, along with everything else, to figure out what ads to show you.

That would have been bad enough if the way they hacked into your SSL (https) encrypted traffic didn’t completely compromise the security of your computer.

Here is the part where we need to thank Lenovo.  They shined a bright light on some digital cockroaches and there is a lot of scurrying.

Microsoft and other vendors have now, correctly, classified the Komodia software as spyware and flag, quarantine and/or delete it, depending on your system’s configuration. What was discovered was that Komodia sold their software to lots of firms – not just Superfish – so that crap is all around you. They said on their web site that they had over 100 development firms using their software. They quite blatantly said that hacking your clients’ SSL traffic is hard to do, so let them do it for you.

Now, Ars Technica, a well respected geek site, is reporting that researchers have found evidence of Komodia-based attacks against users of Gmail, Amazon, eBay and Twitter, among many other sites.

The details are very geeky, so I am not going to bore most people – click on the link above to read the Ars Technica article if you are interested.

Suffice it to say, Komodia is in a world of hurt, business wise.  Their site was down for a while and no one in the tech world will touch them with a 10 foot pole for fear, rightfully, of guilt by association.

Sadly, what they were trying to do is probably not much worse than what a lot of advertising brokers do – it is just that they took a few “shortcuts” that have come back to bite them in the rear.

The moral of the story is that security MUST be a key component of the development process and an outside advisor (advertisement: like me!) is probably requisite.  Otherwise, the fox (the developers) will be guarding the henhouse (the architecture and design) and that sometimes does not turn out well.

One last thought that requires that you put on your tin foil hat.  What if an unnamed three letter agency was interested in targeting your web traffic?  Getting you to install some Komodia based software under some guise would allow them to totally own your computer.  Note that I am not saying that Komodia is an NSA plot, but if they were smart, they would do something like this – and probably already have.

That means that you should not count on SSL (HTTPS) encryption alone for anything that you really want to be secure. You need to use a completely different technique.

P.S. Now that people are looking, they have found another product – PrivDog, from the SSL certificate company Comodo – that has a similar problem. That means that Comodo should be on your S**t list too.


Microsoft 1, Lenovo 0 (or minus 1?)

Lenovo is getting more than its share of attention these days.

Microsoft has released an update to its free Windows Defender anti-malware software that classifies Lenovo’s Superfish as the malicious software that it is, removes the certificate from the Windows certificate store (which is the hard part, so yeah, Microsoft – and I don’t say that very often) and gives you instructions for removing the Superfish software.

Lenovo is now in hyper damage control mode and likely will be for a while.

There are plenty of other brands out there – perhaps choosing a brand that is not controlled by the Chinese government/military might be a wise move anyway. I know that Lenovo claims that they are not controlled by the government, but what would you expect them to say?


Beware Lenovo Users

Marc Rogers (white hat hacker and principal security researcher for Cloudflare) wrote about an interesting problem Lenovo users have.  (see article)

What is not clear is how long Lenovo has been doing this.  The good news is that a friend of Marc’s has created a test to see if your Lenovo laptop is infected.

The short version is this. Lenovo has partnered with a company named Superfish to serve up ads to and steal data from your laptop. They do this by creating a man-in-the-middle attack inside your laptop – presenting fake SSL certificates for your bank (or any other site) and reflecting the data back to you. If you look at the SSL certificate, which no one does, it is signed by Superfish, not your bank’s certificate authority.

They did this by installing an SSL signing certificate in the certificate store that has God-like power and using it to generate certificates on the fly for any web site that you visit. That requires that the password for this certificate be hard-coded into the software on your laptop, and that password is Komodia – for every laptop they sell. Komodia is the name of a company that makes SSL software. Not so secure.
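As an added illustration of the check Marc describes (look at who actually signed the certificate your browser received), here is Python that is not from Marc’s post, Lenovo or Superfish: it inspects a site’s leaf certificate in the dict shape that Python’s ssl.getpeercert() returns and flags a leaf issued by an unexpected CA such as Superfish, optionally also against a pinned leaf fingerprint. The certificate dicts, CA names and hostnames are constructed for the example, and check_live_host is a hypothetical helper that needs network access.

```python
import hashlib
import socket
import ssl

# Constructed sample leaf certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns: names are tuples of RDNs, each RDN a
# tuple of (attribute, value) pairs. Neither is a real certificate.
BANK_CERT_GENUINE = {
    "subject": ((("commonName", "www.examplebank.test"),),),
    "issuer": ((("organizationName", "Example CA Inc"),),
               (("commonName", "Example Trusted Public CA"),)),
}
BANK_CERT_INTERCEPTED = {   # what the browser sees behind the local proxy
    "subject": ((("commonName", "www.examplebank.test"),),),
    "issuer": ((("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}

def rdn_value(name, attribute):
    """Return one attribute (e.g. commonName) from a getpeercert()-style name."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None

def classify_cert(cert, expected_issuers, pinned_sha256=None, der=None):
    """Return 'ok', or a reason why this leaf looks like local interception.
    Chain validation alone cannot catch this: the Superfish root sits in the OS
    trust store, so the forged leaf validates. The issuer name (and a pinned
    leaf fingerprint, where available) is what reveals the substitution."""
    issuer_cn = rdn_value(cert["issuer"], "commonName")
    if issuer_cn not in expected_issuers:
        return f"issuer {issuer_cn!r} is not a CA this site is expected to use"
    if pinned_sha256 is not None:
        if der is None:
            return "pin configured but no DER certificate supplied"
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint != pinned_sha256:
            return f"leaf fingerprint {fingerprint[:16]}... does not match pin"
    return "ok"

def check_live_host(host, expected_issuers, port=443):
    """Hypothetical helper: fetch a live leaf certificate and classify it."""
    ctx = ssl.create_default_context()   # on Windows this loads the OS store
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_cert(tls.getpeercert(), expected_issuers,
                                 der=tls.getpeercert(binary_form=True))
```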

The site that Marc’s friend created to test for the Superfish malware is:


If you are infected, Lenovo has created instructions for removing the Superfish software, the link for which is in Marc’s blog post above. However, that removal does not remove the God-like certificate from the computer, and Marc has additional instructions to do that.

A smarter move, given we have no idea what other ‘bugs’ are hidden in the software, would be to wipe the disk and reinstall the software from a known good version of Windows (NOT the one that came with the laptop) and then reinstall all the applications and finally restore your data.

China has been getting rid of Cisco network gear because they say that they can’t trust it.

It is time for the U.S. to get rid of Lenovo computers for the same reason.  If you want to understand how really dangerous what Lenovo did is, you will need to read Marc’s blog, but for those of you who are not techies, trust me (and Marc) – it is pretty serious.

But here is the real question – they got caught doing this.  What else are the Chinese doing?  I took Lenovo off my buy list as soon as IBM sold it to the Chinese.  I get to be vindicated now – we have real evidence.

If you need help, feel free to contact me.
