
Superfish


Lenovo's security breakdown shows the danger of invisible systems. Lenovo is having a very bad day. Last night, the company was called out for implanting adware that cut through user security. This morning, researchers uncovered a crucial password in the system, exposing Lenovo users to all manner of malicious attack. It's a major, embarrassing security failure — but unlike breaches like Heartbleed or Shellshock, Superfish isn't a flaw in a protocol or a programming mistake.

It's a deliberate program, deliberately installed on Lenovo computers with corporate permission but without user consent. At its heart, Superfish is just an unusually mean piece of crapware, the kind of program that has been cluttering up cheap PCs for decades now. The problem isn't just that users don't choose to install the software (although that's a problem too). Invisibility leads to some strange incentives. SSL is invisible too.

The Lenovo “Superfish” controversy – what you need to know. Looking for advice on how to remove Superfish? See our instructions here: How to get rid of the Lenovo “Superfish” adware. The controversy of the week is Superfish, which is the name of a marketing company that, amongst other things, produces software called Visual Discovery. As far as we can tell, Superfish’s claim to fame is “visual search.” That seems to involve analysing images that come your way, matching them against a giant database of images in the cloud, and putting in front of you a bunch of similar images. For example, if you’re looking at an ad for a chest of drawers, Superfish, going by the example on its own website, can help you find a matching sideboard (credenza). You may be able to guess where this is going. If you install the Superfish software to monitor which websites you visit, and what’s in them, it can keep its eye out for related sites, all based on images instead of relying on old-fashioned keywords.

Man-in-the-Middle Attacks on Lenovo Computers. It's not just national intelligence agencies that break your https security through man-in-the-middle attacks. Corporations do it, too. For the past few months, Lenovo PCs have shipped with an adware app called Superfish that man-in-the-middles TLS connections.

Here's how it works, and here's how to get rid of it. And you should get rid of it, not merely because it's nasty adware. It's a security risk. Someone with the password -- here it is, cracked -- can perform a man-in-the-middle attack on your security as well. Since the story broke, Lenovo completely misunderstood the problem, turned off the app, and is now removing it from its computers. Superfish, as well, exhibited extreme cluelessness by claiming its software poses no security risk. EDITED TO ADD (2/20): US CERT has issued two security advisories. EDITED TO ADD (2/23): Another good article. EDITED TO ADD (2/24): More commentary.

How to find out if your Lenovo is infected with the Superfish adware and remove it. Users on Lenovo's forums have discovered that the Chinese company has been preloading some consumer PC models with a software called Superfish Visual Discovery.

In short, the software tracks your searches and browsing habits (even on secure sites) and uses this information to place additional advertisements on the sites you visit. It's unclear what models have come preloaded with the software, although users have reported finding it on Lenovo Y50, Z40, Z50, G50 and Yoga 2 Pro models.

LastPass has created a Web tool that makes it easy to check to see if your computer is infected. You can check by simply clicking on this link. To manually check for the Superfish adware and uninstall it, head to the Windows Control Panel, select Programs and click Uninstall a Program. Search the list for VisualDiscovery. You're not finished yet, though; there is one more step. To make sure you have fully removed the program, restart your browser and revisit the LastPass web tool.

Security Bug in Dell PCs Shipped Since 8/15. All new Dell laptops and desktops shipped since August 2015 contain a serious security vulnerability that exposes users to online eavesdropping and malware attacks.

Dell says it is prepping a fix for the issue, but experts say the threat may ultimately need to be stomped out by the major Web browser makers. At issue is a root certificate installed on newer Dell computers that also includes the private cryptographic key for that certificate. Clever attackers can use this key from Dell to sign phony browser security certificates for any HTTPS-protected site. Translation: A malicious hacker could exploit this flaw on open, public networks (think WiFi hotspots, coffee shops, airports) to impersonate any Web site to a Dell user, and to quietly intercept, read and modify all of a vulnerable Dell system’s Web traffic. According to Joe Nord, the computer security researcher credited with discovering the problem, the trouble stems from a certificate Dell installed named “eDellRoot.”

Dell does a Superfish, ships PCs with easily cloneable root certificates. In a move eerily similar to the Superfish debacle that visited Lenovo in February, Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website. The self-signed transport layer security credential, which was issued by an entity calling itself eDellRoot, was preinstalled as a root certificate on at least two Dell laptops, one an Inspiron 5000 series notebook and the other an XPS 15 model. Both are signed with the same private cryptographic key. That means anyone with moderate technical skills can extract the key and use it to sign fraudulent TLS certificates for any HTTPS-protected website on the Internet. Depending on the browser used, any Dell computer that ships with the root certificate described above will then accept the encrypted Web sessions with no warnings whatsoever.

Dell Danger! “Superfish 2.0” blunder: It gets worse. Every single Dell desktop and laptop shipped since August contains three bogus root certificates, including eDellRoot. Not only that, but two certs include their own private keys! It’s like Superfish all over again... That means more than ten million computers were infected at source, allowing attackers to spoof secure websites. And they could install infected Windows updates, because the certificate is also able to sign code. Oh, and if you try to remove eDellRoot, Dell’s bloatware reinstalls it. What a freakin’ mess. In IT Blogwatch, bloggers never tire of Slacker-Steve macros. Your humble blogwatcher curated these bloggy bits for your entertainment. It's a “troubling” “blunder” by Dell. Yikes, that sounds bad. Time to roll out the PR fluffery? Ahem: “properly” removed? The rogue root certificate...will magically reinstall itself even when deleted. … Run...

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated] Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said. The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits.

When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate. Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. It's not known exactly which Lenovo computers come with Superfish pre-installed.
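Both stories above come down to the same defect: a trust anchor (Superfish's self-signed root, Dell's eDellRoot) sitting in the Windows root store, in Dell's case with its private key on the machine. The following is an added example, not code from any of the quoted articles or vendors, that audits the root stores for those certificates and for any root certificate whose private key is present, and checks whether the VisualDiscovery uninstall entry from the removal steps is still there. The subject patterns and registry paths are assumptions based on the names quoted above; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit Windows trusted-root stores for the Superfish and
# eDellRoot certificates, and for any root certificate that carries a private
# key (the eDellRoot problem in miniature: whoever holds the key can sign
# certificates this machine will trust). Subject patterns are assumptions.
$SuspectSubjects = 'Superfish', 'eDellRoot', 'VisualDiscovery'

function Get-SuspectRootCert {
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            $nameHit = $SuspectSubjects | Where-Object { $cert.Subject -match $_ }
            if (-not $nameHit -and -not $cert.HasPrivateKey) { continue }
            if ($nameHit) { $reason = "subject matches '$($nameHit -join ',')'" }
            else          { $reason = 'private key present on this machine' }
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                Reason        = $reason
            }
        }
    }
}

# The Control Panel "Uninstall a Program" list is backed by these keys; an
# entry still present here means the adware itself has not been removed.
function Get-SuperfishUninstallEntry {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'VisualDiscovery|Superfish' } |
        Select-Object DisplayName, UninstallString
}

Write-Host '== Suspect or key-bearing root certificates =='
Get-SuspectRootCert | Format-Table -AutoSize
Write-Host '== Superfish uninstall entries =='
Get-SuperfishUninstallEntry | Format-Table -AutoSize
```

An empty result from both functions after uninstalling is the local counterpart of revisiting the browser-based check described above; because the articles report eDellRoot being reinstalled after deletion, the audit is worth repeating after a reboot.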