Lenovo Superfish scandal: Why it’s one of the worst consumer computing screw-ups ever.

http://www.slate.com/articles/technology/bitwise/2015/02/lenovo_superfish_scandal_why_it_s_one_of_the_worst_consumer_computing_screw.html#comments


18 Comments

  1. Tomi Engdahl says:

    Lenovo has just released an automatic Superfish removal tool
    The company updated its statement on the bug today
    http://www.theverge.com/2015/2/20/8079933/lenovo-superfish-removal-tool-uninstall

    Lenovo has released a tool to help users remove Superfish, according to a statement released today by the company.

    Superfish is an adware program that was pre-installed on Lenovo’s consumer PCs and made users vulnerable to attack. The Superfish bug quickly went from bad to worse yesterday when researchers found and published a password that would allow anyone to unlock the certificate authority and bypass the computer’s web encryption. With the password and the right software, a person on the same Wi-Fi network as a bugged Lenovo user could potentially spy on that user, or insert malware into the data stream.

    The tool allows users to automatically uninstall the Superfish application and remove the certificate from web browsers, which previously could only be done manually. In the statement, Lenovo said, “We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies. This action has already started and will automatically fix the vulnerability even for users who are not currently aware of the problem.”

  2. Tomi Engdahl says:

    Ina Fried / Re/code:
    Lenovo CTO admits company “flat-out missed” major security flaws resulting from Superfish

    Lenovo CTO Admits It ‘Messed Up’ Allowing Major Security Hole Onto PCs
    http://recode.net/2015/02/20/lenovo-cto-admits-it-messed-up-allowing-major-security-hole-onto-pcs/

    Lenovo’s chief technology officer said Friday that the computer maker erred significantly by preinstalling onto consumer PCs a piece of software that made the machines vulnerable to attack.

    The tool, a shopping aid called Superfish, was installed on some Lenovo consumer laptops sold between September and January. Lenovo said earlier this week that it had stopped installing the controversial software because of bad customer reviews, but initially downplayed the security concerns.

    “We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one. The problem stems from the fact that Superfish intercepts Web traffic, including secure traffic, using a self-signed security certificate that could be spoofed by attackers.

    Lenovo, like most PC makers, makes some of its money by preinstalling certain software.

    Dan Goodin / Ars Technica:
    Superfish doubles down, says HTTPS-busting adware poses no security risk
    http://arstechnica.com/security/2015/02/superfish-doubles-down-says-https-busting-adware-poses-no-security-risk/

  3. Tomi Engdahl says:

    Mozilla mulls Superfish torpedo
    Green-lighted blacklist of compromised certs could be ready in a day
    http://www.theregister.co.uk/2015/02/23/mozilla_mulls_super_phish_torpedo/

    Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops.

    The move will be another blow against Superfish, which is under a sustained barrage of criticism for its use of a root certificate to launch man-in-the-middle attacks against innocent users in order to inject advertising into web searches.

    That crude tactic meant Lenovo machines running the program could be trivially attacked by hackers who set up fake banking websites using the certificate to shore up legitimacy.

    Mozilla has not yet pulled the blacklist trigger but is mulling options, cryptographic engineering manager Richard Barnes told El Reg.

    “It is one of our core principles that individuals’ security and privacy on the internet are fundamental and must not be treated as optional,” Barnes says.

  4. Tomi Engdahl says:

    Superfish, Komodia, PrivDog vulnerability test
    https://filippo.io/Badfish/

  5. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    SSL-busting code that threatened Lenovo users found in a dozen more apps
    “What all these applications have in common is that they make people less secure.”
    http://arstechnica.com/security/2015/02/ssl-busting-code-that-threatened-lenovo-users-found-in-a-dozen-more-apps/

    The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that’s categorized as a malicious trojan by a major antivirus provider.

    Trojan.Nurjax, a malicious program Symantec discovered in December, hijacks the Web browsers of compromised computers and may download additional threats.

    Nurjax is one such example of newly found software that incorporates HTTPS-defeating code from an Israeli company called Komodia. Combined with the Superfish ad-injecting software preinstalled on some Lenovo computers and three additional applications that came to light shortly after that revelation, there are now 14 known apps that use Komodia technology.

    “What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove,” Matt Richard, a threats researcher on the Facebook security team, wrote in Friday’s post. “Furthermore, it is likely that these intercepting SSL proxies won’t keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic.”

    Komodia, a company that brazenly calls one of its software development kits an “SSL hijacker,” is able to bypass secure sockets layer protections by modifying the network stack of computers that run its underlying code. Specifically, Komodia installs a self-signed root CA certificate that allows the library to intercept encrypted connections from any HTTPS-protected website on the Internet. This behavior is by no means unique to Komodia, Superfish, or the other programs that use the SSL-breaking certificates. Antivirus apps and other security-related wares often install similar root certificates. What sets Komodia apart from so many others is its reuse of the same digital certificate across many different computers.

    “We’re publishing this analysis to raise awareness about the scope of local SSL MITM software so that the community can also help protect people and their computers,”

  6. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Lenovo CTO Peter Hortensius apologizes for Superfish vulnerability, promises new security policy going forward — Still smarting from HTTPS-busting Superfish debacle, Lenovo says sorry — CTO pledges new policy to prevent similar mishaps in the future. — Lenovo’s top technical executive …

    Still smarting from HTTPS-busting Superfish debacle, Lenovo says sorry
    CTO pledges new policy to prevent similar mishaps in the future.
    http://arstechnica.com/security/2015/02/still-smarting-from-https-busting-superfish-debacle-lenovo-says-sorry/

    Lenovo’s top technical executive apologized once again for preinstalling laptops with software that intercepted customers’ encrypted Web traffic, and the company has gone on to outline plans to ensure that similar mistakes don’t happen again.

    “This software frustrated some users without adding value to the experience so we were in the process of removing it from our preloads,” Lenovo CTO Peter Hortensius wrote in an open letter published Monday afternoon. “Then, we saw published reports about a security vulnerability created by this software and have taken immediate action to remove it. Clearly this issue has caused concern among our customers, partners, and those who care about Lenovo, our industry and technology in general. For this, I would like to again apologize.”

    Hortensius went on to enumerate the ways affected customers can remove Superfish software, which installs a dangerous Secure Sockets Layer credential in the root certificate authority folder of affected PCs. In addition to an automated removal tool created and distributed by Lenovo, antivirus software from Microsoft, McAfee, and Symantec will also detect and remove the threat. Hortensius said that Lenovo plans to release an updated system for addressing software vulnerabilities and security threats. Options include creating a “cleaner PC image,” working with customers and security professionals to create a better policy for preinstalled software, and “soliciting and assessing the opinions of even our harshest critics” as they relate to product security.

    Monday’s open letter is the latest indication that Lenovo’s regret is genuine.

  7. Tomi Engdahl says:

    Lenovo users lawyer up over hole-filled, HTTPS-breaking Superfish adware
    At least one lawsuit has been filed and one investigation has begun.
    http://arstechnica.com/tech-policy/2015/02/lenovo-users-lawyer-up-over-hole-filled-https-breaking-superfish-adware/

    In the wake of last week’s Lenovo Superfish debacle, at least one person has filed a lawsuit against the computer manufacturer and its notorious software partner, and one class-action investigation has begun.

    San Diego blogger Jessica Bennett filed a lawsuit in federal court last week, charging Lenovo and Superfish with violating state and federal wiretap laws, trespassing on personal property, and violating California’s unfair competition law. In addition to this, a Pennsylvania law firm put out a press release on Friday that asked Lenovo customers to participate in a class action lawsuit investigation regarding the presence of Superfish on their computers.

    That Lenovo would have lawyers clamoring to sue it is certainly no surprise given the gravity of the Superfish fallout, but it’s unclear how successful these legal overtures will be. Class-action lawsuits, as always, require a judge’s approval to go forward.

  8. Tomi Engdahl says:

    Lenovo CTO: Hey, look around – we’re not the only ones with a crapware infection
    Friday is D-Day for PC lobber to regain trust
    http://www.theregister.co.uk/2015/02/25/lenovo_cto_were_not_the_only_ones_with_a_crapware_problem/

    On Friday Lenovo is going to tell the world about how it plans to regain the trust of its users in the wake of the Superfish clusterfuck – and may even launch an independent security audit of its products.

    “Our goal, in the end, is to make this right,” Lenovo’s CTO Peter Hortensius told The Register on Tuesday. “It’s going to take a long road to earn trust back.”

    Lenovo was caught bundling adware Superfish with its cheapo laptops to make a fast buck by injecting adverts into websites, a move that left users vulnerable to online password theft.

    Hortensius claims this is an industry-wide problem, and analysts have found other companies slipping software similar to Superfish into people’s PCs.

    “Everyone is one step away from disaster and we’re going to make sure that when we’re done we’re several steps away.”

    Hortensius said that last Thursday morning was the first he knew of a problem with Lenovo laptops and Superfish, and he initially assumed it was just an adware issue. Within a few hours he realized the problem was more serious, he says, and Lenovo went into crisis management mode.

    Lenovo, with the help of Microsoft and antivirus makers, worked to rid its laptops of Superfish, its ad-injection code and its rogue root CA certificate that compromised HTTPS connections, even releasing an open-source uninstall tool.

    That was the first step, Hortensius said, but his company recognizes that it’s got a much bigger hill to climb to get trust back from buyers. The firm hadn’t realized that so many of its PCs were used in businesses, he said, and it was clear that it is going to be difficult to reestablish trust.

  9. Tomi Engdahl says:

    Superfish: Lenovo ditches adware, but that doesn’t fix SSL megavuln – researcher
    Here’s how to zap the ad-injecting crapware
    http://www.theregister.co.uk/2015/02/19/superfish_lenovo_analysis/

    But the problem only hit the mainstream after security researcher Marc Rogers wrote about it on Wednesday (here), provoking the angriest reaction against a tech firm since the Sony BMG rootkit affair back in 2005.

    Lenovo was deliberately breaking secure connections, making it easier in the process for any attackers to spoof any HTTPS website, say researchers. Obtaining a private key from one Lenovo laptop would allow the technically knowledgeable to snoop on the web traffic of any other Lenovo users on the same network.

  10. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Lenovo.com has been hacked, possibly by Lizard Squad
    http://www.theverge.com/2015/2/25/8110201/lenovo-com-has-been-hacked-apparently-by-lizard-squad

    Lenovo.com has been hacked. Starting at 4PM ET, users visiting the site saw a slideshow of disaffected youths, set to the song “Breaking Free” from High School Musical.

    The hack comes on the heels of a wave of public criticism of Lenovo, after the company bundled computers with an encryption-breaking adware program known as Superfish. Lenovo eventually released a program to remove the software and restore affected users, but the debacle left many users unhappy with the company. That lingering mistrust may have contributed to the attack.

    The attackers seem to have hijacked Lenovo’s domain record, an attack that would have given them the power to redirect the lenovo.com url to a new server under their control.

  11. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    EFF unearths evidence of possible Superfish-style attacks in the wild
    Crypto-busting apps may have been exploited against visitors of Google and dozens more.
    http://arstechnica.com/security/2015/02/researchers-unearth-evidence-of-superfish-style-attacks-in-the-wild/

    It’s starting to look like Superfish and other software containing the same HTTPS-breaking code library may have posed more than a merely theoretical danger to Internet users. For the first time, researchers have uncovered evidence suggesting the critical weakness may have been exploited against real people visiting real sites, including Gmail, Amazon, eBay, Twitter, and Gpg4Win.org, to name just a few.

    As Ars reported one week ago, ad-injecting software pre-installed on some Lenovo laptops caused most browsers to trust fraudulent secure sockets layer certificates. The software was called Superfish. In the coming days, security researchers unearthed more than a dozen other apps that posed the same threat. The common thread among all the titles was a code library provided by an Israel-based company called Komodia.

    The Komodia library modified a PC’s network stack by adding a new root Certificate Authority certificate. Poor choices in both the way the certificate and underlying code were designed caused most browsers to trust fraudulent certificates that otherwise would have generated warnings.

    Until now, that danger was nothing more than a troubling hypothetical, but no more. On Wednesday, researchers presented evidence attackers have exploited the weaknesses in Superfish and the other programs to launch real man-in-the-middle attacks on end users as they visited some of the most sensitive HTTPS-protected websites on the Internet.

    Dear Software Vendors: Please Stop Trying to Intercept Your Customers’ Encrypted Traffic
    https://www.eff.org/deeplinks/2015/02/dear-software-vendors-please-stop-trying-intercept-your-customers-encrypted

    Over the past week many more details have emerged about the HTTPS-breaking Superfish software that Lenovo pre-installed on its laptops for several months.

    Unfortunately, the security implications have gone from bad to worse the more we’ve learned.

    What’s worse is that these attacks are even easier than researchers originally thought, because of the way Komodia’s software handles invalid certificates

    an attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)

    To make matters worse, Komodia isn’t the only software vendor that’s been tripped up by this sort of problem.

    So what can we learn from this Lenovo/Superfish/Komodia/PrivDog debacle? For users, we’ve learned that you can’t trust the software that comes preinstalled on your computers—which means reinstalling a fresh OS will now have to be standard operating procedure whenever someone buys a new computer.

    But the most important lesson is for software vendors, who should learn that attempting to intercept their customers’ encrypted HTTPS traffic will only put their customers’ security at risk. Certificate validation is a very complicated and tricky process which has taken decades of careful engineering work by browser developers. Taking certificate validation outside of the browser and attempting to design any piece of cryptographic software from scratch without painstaking security audits is a recipe for disaster.

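
The interception mechanism described in comments 5 and 11 (a self-signed root CA planted in the machine's trust store, with the same key reused across installs) and the certificate blacklisting Mozilla weighed in comments 3 and 16 can be shown from the defender's side in Go. This is an added example, not code from the original post or from Lenovo, Komodia or Mozilla: the root and leaf certificates, the hostname bank.example and the function names are constructed for the example, and the distrust list is keyed on the SHA-256 of the public key so that it goes beyond one certificate and catches the same key no matter which product or certificate wraps it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// SPKIHash returns the hex SHA-256 of a certificate's SubjectPublicKeyInfo.
// Distrusting the key, not one serial number, covers every certificate that
// carries the same reused interception key.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyWithDistrust runs ordinary chain validation for host against roots and
// then rejects any chain that passes through a distrusted key, which is the
// extra check a browser-side blocklist of interception roots adds.
func VerifyWithDistrust(leaf *x509.Certificate, roots *x509.CertPool, host string, distrusted map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[SPKIHash(c)] {
				return errors.New("chain contains distrusted key: " + c.Subject.CommonName)
			}
		}
	}
	return nil
}

// makeCert generates a fresh P-256 key and has parentKey sign tmpl; when
// parentKey is nil the new key signs itself, producing a self-signed root.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario constructs, in memory only, a self-signed root of the kind a
// local SSL proxy installs, plus a leaf it issued for a host it does not own.
func BuildScenario() (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Interception Root"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, rootKey, err := makeCert(rootTmpl, rootTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "bank.example"}, // constructed hostname
		DNSNames:     []string{"bank.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = makeCert(leafTmpl, root, rootKey)
	return root, leaf, err
}
```

With the constructed root added to the pool, VerifyWithDistrust accepts the bogus bank.example leaf until the root's SPKI hash is placed on the distrust list, at which point the same chain is rejected.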
  12. Tomi Engdahl says:

    Lizard Squad Claims Attack On Lenovo Days After Superfish
    http://it.slashdot.org/story/15/02/26/1515218/lizard-squad-claims-attack-on-lenovo-days-after-superfish

    Lizard Squad has claimed responsibility for a defacement of Lenovo’s website. This follows last week’s revelations that Lenovo installed Superfish adware on consumer laptops, which included a self-signed certificate authority that could have allowed man-in-the-middle attacks.

    Lenovo website hacked and defaced by Lizard Squad in Superfish protest
    http://www.theguardian.com/technology/2015/feb/26/lenovo-website-hacked-and-defaced-by-lizard-squad-in-superfish-protest

    The hacking collective took over the Lenovo site for several hours on Wednesday, redirecting users to a slideshow of bored teenagers

    Lenovo, the PC maker at the centre of the Superfish controversy, suffered its own security breach on Wednesday when its main website was defaced, redirecting users to a slideshow of pictures of bored-looking teens (apparently the hackers themselves) set to the song Breaking Free from High School Musical.

    The hack was apparently carried out through a “DNS hijack”, an increasingly common method whereby a domain name system server, which translates a human-readable web address such as google.com into a machine-readable IP address such as “8.8.8.8”, redirects visitors to another website – in this case, one controlled by Lizard Squad.

    “Two defacements in a single week is normally nothing, but two extremely high-profile defacements from the same registrar in the same week is a definite trend,”

    Following the hack, Lizard Squad has been posting screenshots of emails allegedly sent to Lenovo.com addresses, including one discussing Superfish. A DNS hijack can potentially gain access to emails sent during the period the site is taken over, by redirecting the email in the same way as the website. But this would not grant access to the full database of emails.

    In a statement, Lenovo said: “Unfortunately, Lenovo has been the victim of a cyber attack.”

  13. Tomi Engdahl says:

    How Superfish’s Security-Compromising Adware Came to Inhabit Lenovo’s PCs
    http://www.nytimes.com/2015/03/02/technology/how-superfishs-security-compromising-adware-came-to-inhabit-lenovos-pcs.html

    Until its advertising software was discovered deep inside Lenovo personal computers two weeks ago, a little company called Superfish had maintained a surprisingly low profile for an outfit once named America’s fastest-growing software start-up.

    In 2013, Superfish revenues had increased more than 26,000 percent over the previous three years to $35.3 million. It had advertising deals with some of the biggest names in e-commerce — Amazon, eBay and Alibaba among them.

    But as the start-up, based in Palo Alto, Calif., searched for new income sources last year, it landed a deal with Lenovo, the world’s largest PC maker, to put its software — often called adware — on several Lenovo consumer PCs.

    That deal has proved disastrous. Not only has it called into question the business practices of both Lenovo and Superfish, it has shined an unflattering light on makers of this sort of advertising technology.

    Superfish’s software, a security researcher revealed, was logging every online movement of the people using those Lenovo machines and hijacking the security system that is supposed to protect online communications and commerce. The Department of Homeland Security even warned Lenovo PC users to remove the software because of the risk it presented.

    Superfish’s technology, security experts now say, is a particularly aggressive example of the targeted advertising technology that tracks consumers’ online movements without their knowledge.

    What made its adware particularly bad, experts say, is that it fooled Lenovo customers into thinking that private sessions with their email service, or bank — secured with encryption that is often represented by the tiny padlock that appears in their web browser — were private, when Superfish, and potentially hackers, could see everything.

    “The padlock is a means of telling you that who you are talking to is who you think you are talking to. Superfish made that mechanism ineffective,”

  14. Tomi Engdahl says:

    Lenovo: We SWEAR we’re done with bloatware, adware and scumware
    By Windows 10 launch our systems will be PURE, honest
    http://www.theregister.co.uk/2015/02/27/lenovo_makes_bold_play_for_the_clean_pc_market_after_superfish_snaufu/

    Barely a week after the breaking of the Superfish scandal, Lenovo has done a complete reverse ferret on bloatware – promising that by the time Windows 10 comes out its systems will be as pure as they can be.

    “The events of last week reinforce the principle that customer experience, security and privacy must be our top priorities,” the firm said in a statement supplied to the Register today. “With this in mind, we will significantly reduce preloaded applications. Our goal is clear: To become the leader in providing cleaner, safer PCs.”

    The company has been in frantic firefighting mode since the discovery of the SSL-busting Superfish code in a wide range of its consumer PCs caused an uproar. It has since issued automated tools to get rid of Superfish and has worked with antivirus vendors to get the Komodia library and certificate in the adware removed.

  15. Tomi Engdahl says:

    Webnic Registrar Blamed for Hijack of Lenovo, Google Domains
    http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/

    Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.

    On Feb. 23, google.com.vn briefly redirected visitors to a page that read, “Hacked by Lizard Squad, greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP & Rory Andrew Godfrey (holding it down in Texas).” The message also included a link to the group’s Twitter page and its Lizard Stresser online attacks-for-hire service.

  16. Tomi Engdahl says:

    $250K: That’s what Lenovo earned to RAT YOU OUT with Superfish
    Report suggests Lenovo can be bought for peanuts as Mozilla kills dirty cert
    http://www.theregister.co.uk/2015/03/03/lenovo_bagged_250k_from_superfish_deal_report/

    Lenovo bagged a paltry US$250,000 from the deal that saw it install the Superfish certificate slurper onto PCs, according to reports.

    The PC maker was last month caught installing the ad/bloat/malware into its consumer PCs, sparking a very considerable backlash once the software’s ability to intercept encrypted website communications was revealed.

    Forbes sources now say Lenovo made between US$200,000 and US$250,000 from the deal to pre-install Superfish, a paltry amount given its net profit was US$253 million in the three months to December.

    At $250,000 the return on investment for Superfish is abominable: Lenovo initially defended the installation as a helpful tool for online shoppers, but quickly back-pedalled and started wheeling out senior execs at all hours of day and night to make apologetic utterances.

    Mozilla, meanwhile, has decided to blast Superfish with its hot lizard breath. The outfit will eradicate self-signed Superfish certificates from the latest version of its Firefox web browser

    The Superfish PR disaster has also snowballed into a lawsuit

  17. Tomi Engdahl says:

    Oh No, Lenovo! Lizard Squad on the attack, flashes swiped emails
    Emo-takeover better not be a viral marketing stunt to win our hearts
    http://www.theregister.co.uk/2015/02/25/lenovo_hacked_lizard_squad/

    Lenovo’s domain name lenovo.com appears to have fallen victim to cyber-mischief-makers Lizard Squad.

    The domain’s nameserver settings were suspiciously updated today to point at DNS servers belonging to web hosting biz CloudFlare.

    It appears Lenovo has managed to claw back control of its domain, and is now pointing it at a legit server behind the IP address 64.26.251.145. CloudFlare security researcher Marc Rogers just tweeted

    Finally, it’s feared Lenovo’s domain registrar, Webnic.cc, was compromised by attackers to accomplish today’s DNS hijacking. Webnic.cc is down at time of writing.

  18. Tomi Engdahl says:

    Conn. AG launches Lenovo-Superfish ‘crapware’ probe
    http://www.computerworld.com/article/2889928/conn-ag-launches-lenovo-superfish-crapware-probe.html

    Asks companies to provide information in 20 days about contracts, ‘financial arrangements,’ testing, much more

    Three days after Chinese computer maker Lenovo promised to flush “crapware” from its consumer PCs, Connecticut’s state attorney general announced a probe into the company’s practice of bundling adware.

    “It’s extremely concerning that, based on published reports, Lenovo installed this software — which appears to have no meaningful benefit to the consumer — on devices without the purchaser’s knowledge,”

