Lenovo apologizes for pre-installed malware "Superfish"

www.bloomberg.com...

Lenovo Group Ltd. apologized to customers as it works with users to enable laptop computer owners to remove pre-installed software that potentially exposed them to hacking attacks and unauthorized activity monitoring.

Tsk tsk tsk! The name of the program is "Superfish" and no one took a second glance at it...? Its only purpose, from what I gleaned, was to serve targeted advertising.

The technology used by Superfish essentially breaks the encryption between Web browsers and banking, e-commerce and other sites that handle sensitive information, potentially exposing machines to hacking.

Lenovo says that they "messed up badly" and Superfish stated instead that they were "completely transparent in what our software does and at no time were consumers vulnerable.". Hm. I'm thinking that if Lenovo is admitting fault to this extent, there's no way everything was fine and dandy as Superfish claimed.

The use of Superfish software only impacted consumer laptops and didn’t violate any parts of Lenovo’s agreements with the U.S. government and the Committee on Foreign Investment in the United States, which lay out rules for ways the manufacturer’s products will be designed in order for the company to sell products to the U.S. government and businesses

Yet we, as vulnerable consumers, were exposed to potential risk because bloatware is a rampant issue. Where are the sets of rules governing the manufacture of OUR laptops? Perhaps ATS should submit suggested guidelines?

For all we know the program was just another NSA monitoring scheme that managed to be exposed.

Superfish essentially tricks Web browsers into believing that it’s the bank or search engine or e-commerce site that users are trying to reach, which allows the software to intercept communications and monitor behavior. 

Sounds "fishy". (Sorry, I had to.)

a reply to: FireflyStars

Superfishy indeed.

Hmmm, I wonder if that apology would still come if people hadn't noticed... How many other backdoors are installed? No wonder I prefer to build my own systems and what I install on them.

So many pc companies pulling these dodgy practices lately, do they seriously hope they don't get caught?
First there were those Samsung SSD's that tested great at first, but once the market got into them Samsung cheapened the components and they were drastically slower. Terrible business practice... tsk tsk

Onto that list, NVidia with those latest 4GB video cards that are actually only good for 3.5 of those GB's - that extra 0.5 GB is sluggish and technically faulty, but still functional memory so long as you don't mind your fps crashing from 90fps to about 10fps...

Flipping accountants and managers. Just desperate to eek out the very last cent from us, for god sake treat us with respect! This lenovo crap will hurt their name and for what? Some data to sell about what we're up to... Scum.

a reply to: FireflyStars

The list will be very small indeed of technology that I will still purchase as more information shkes out concerning this type of affair. Lenovo already fell on my DO NOT purchase ever again list because of their incredibly cheap laptop cases used plastic threading for the case screws, thus making the machine a candidate for Duct Tape a year after purchase...this is a cincher.

Heres another thing I feel is counter intuitive about these advertisers, especially obtrusive pop ups and auto play videos...let me just say now: I will never entertain a single product for purchase that uses underhanded or exploitative measures for advertising...So all those advertisers on every website are throwing their money away in regards me.

a reply to: Qumulys

Same I build all the desktop in my house. I find I get more bang for the buck in the long run if I do. But the whole spyware thing is an added plus now.

I do wish it was easy to DIY a laptop or tablet PC. I know it can be done but it's still hard to do, at least on a budget. 3D printer hardware and laser cut case still cost a pretty penny.

www.forbes.com...

A guy in this article recommends wiping any new computer and installing a 'clean' version of the OS you want. Personally I'm thinking if you can't trust the company you bought the computer from you should have bought it from someone else.

originally posted by: FireflyStars
...For all we know the program was just another NSA monitoring scheme that managed to be exposed...

Maybe, but Lenovo is owned by the Chinese, so that would be quite the partnership (The Chinese and the NSA).

I still don't know how corporations can get away with this in the U.S.. Our privacy rights are guaranteed by the 4th amendment of the U.S. constitution. I would think these corporations would be heavily fined, and our government held accountable if they forced these corporations to embed a chip that can track us online. This goes against everything our founding fathers expected our constitution to prevent. To prevent our government from encroaching on a citizen's right to privacy. Our government should be enforcing and defending these rights when it comes to corporations who think they can use technology to secretly track consumers.

a reply to: WeRpeons

Amen
I think its because the same corporations own our Government.

a reply to: WeRpeons

Lenovo is a Chinese-owned corporation, so I'm not sure what penalties the U.S. government can levy against them. They can, however, impose some sort of trade restrictions involving the sale of Lenovo products in the U.S.

Even though it's a spin-off from IBM, Lenova is a Red Chinese owned company.

I recently did a network server upgrade with a client who was quoted a good price on the hardware using Lenova servers. When I found out that they were going with that bid, I hit the ceiling. Ultimately the client went with an Intel built system at a significantly higher cost.

I just sent the client an e-mail with a link to an article about this man-in-the-middle attack that Lenova built into their machines. He is now quite satisfied that he spent the extra money and went with a USA built machine.

This man-in-the-middle attack is potentially much more dangerous than injecting some advertisements into supposedly secure traffic. Virtually any traffic that traversed that application could have been compromised. This is quite serious!

In addition to inserting itself into the communications channel, SuperFish compromised the Windows certificate store so that it could accomplish this interception.

I would like to see this application dis-assembled to make sure that adware was its only purpose!


dex

a reply to: FireflyStars

OP here. They've released a wiping tool to get rid of it.

www.tomsguide.com...


This was interesting as well.

Early today (Feb. 21), Robert Graham, CEO of Atlanta-based Errata Security, posted detailed instructions on his blog on how to create a malicious Wi-Fi hotspot to exploit the security vulnerability that the Superfish adware creates on Lenovo laptops.

"This example proves that this exploit is practical, not merely theoretical, as claimed by the Lenovo CTO," Graham wrote.

For about $50, a malicious hacker could build a similar hotspot, name it "Starbucks HotSpot" and bring it into your local coffee shop. Any user of an affected Lenovo laptop who connected to the Internet using that hotspot could have all her or his banking, social-media and shopping sessions intercepted and decrypted, and the associated accounts broken into and taken over.

a reply to: FireflyStars


This really pisses me off,

I bought a dell desktop that came loaded with a ton of software, I deleted what I could but ultimately it got hacked and is totaly unusable.

I will do my research before buying any electronics.

I say lets talk with our dollars and drive these c suckers out of business.

The gov will do Nothing to protect us, we can only protect eachother by spreading the word, that goes for best buy, walmart, retail associates, let them know not to sell this crap til inevitably the big box stores pull the plug on them.

We gotta make it so the only ones who buy chinese crap are the chinese.

Man, I brought you all some bad news again. Not a lot of time to dissect this long article, but I'll try my best.
On a side note, they're already being sued so get ready for a class-action.

www.slate.com...

This is basically a postmortem.

Here's the gist of the situation for the non tech savvy:

There are three major players in the debacle: Lenovo, the “visual search” startup Superfish, and software “solution provider” Komodia. Lenovo included Superfish’s adware on its laptops. In order to inject its own recommendations into users’ search results, Superfish used Komodia’s technology in its adware. Lenovo has distanced itself from Superfish; Superfish has pointed the finger at Komodia.

The bad:
Lenovo asked Superfish to modify their program to get rid of potential security breach issues. Superfish said they did, but they didn't, and Lenovo never CHECKED.

The ugly:
Superfish is built on something called an SSL hijacker. They bought the code and wrote it into their program. Digest that for a moment.


The UGLIEST OF ALL:
Komodia... who wrote the SSL highjacker.

Barak Weichselbaum, who marketed an “SSL Digestor”/”SSL Hijacker” that not only defeated SSL security connections but contained the security hole that compromised all certificates on a machine—a true worst-case scenario. Weichselbaum was smart enough to figure out how to defeat SSL certificate authentication, but not smart enough to realize he was defeating user security itself in the process.

Weichselbaum has helpfully documented the history of his security-buster on his Komodia blog. He details his adventures with Windows’ network-intercepting “Layered Service Providers” (LSP).

The mind-bending ridiculous truth:

Komodia’s little skeleton key has made it into a lot of other software, including parental control software and anti-adware software.
....
Antivirus company Lavasoft rather ironically bundled Komodia into its Ad-Aware Web Companion. (To its credit, Lavasoft came clean immediately.)

What are these "tech" companies doing? Sounds like someone is j#cking off in the break room instead of checking out security.