Solve : Lenovo’s Response to Adware Clueless?

This is based on the following:

Lenovo’s Response to Its Dangerous Adware Is Astonishingly Clueless


It was reported widely that a program being shipped on a number of computers was really a form of malware. This kind of thing is called 'Man in the Middle', or MTM. It breaks a connection between a user and a server and puts in stuff that is fake.

The story above suggests that the head of Lenovo ** did not have a clue about what percolated earlier this year.

**The official site is www.lenovo.com and appears to almost ignore the story. But if you search, you can find this:
https://support.lenovo.com/us/en/product_security/superfish

What do you think?
I wouldn't say Lenovo did this intentionally to be malicious. Instead they were asked by Superfish to install the software on their machines, much like every consumer manufacturer does now, but Lenovo failed to perform a proper security audit on the software to see exactly what it was doing.

camerongray, Exactly!
Every major PC maker should check out the software before shipping. And Lenovo says they released it on a few machines as a test. Still, would have helped if they had given the users some warning.

Other reports also say that mere removal of the ad-ware does not fix the problem. That particular ad-ware leaves the PC vulnerable after removal.
Windows Shopper toolbar/extension
After removal of Superfish, you will need to see if other programs were infected.

The issue with Superfish had nothing to do with it being adware, considering that is unfortunately a given with pretty much any consumer-oriented laptop or even prefab desktop. The real issue was that it was vulnerable.

This was because Superfish inserted itself as a root certificate authority and effectively made itself a "man in the middle" between servers and the browser. (This isn't exactly something you WANT either, but, again, this is adware, and nobody would want that anyway.) The issue was that cracking Superfish was relatively easy, and that could be used for malicious purposes by creating a malicious hotspot that serves SSL websites signed with the Superfish key, which affected Lenovo systems would show as being a secure connection. This is better demonstrated here.
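
An added example, not part of the original posts and not Lenovo's own tooling: a PowerShell check a defender could run on an affected machine to see whether a root certificate naming Superfish is still trusted after the program has been uninstalled. The function name and the assumption that the certificate's subject or issuer contains the string "Superfish" belong to this example, not to the thread.

```powershell
# Added example: audit the Windows trusted-root stores for a leftover root CA.
# Assumption: the certificate's Subject or Issuer contains "Superfish".
# Find-TrustedRootByName is a name chosen for this example.
function Find-TrustedRootByName {
    [CmdletBinding()]
    param(
        # Treated as a regular expression by -match.
        [string]$Pattern = 'Superfish',
        # Machine-wide and per-user trusted root stores.
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-TrustedRootByName)
if ($hits.Count -eq 0) {
    Write-Output 'No trusted root matching "Superfish" in the Windows stores checked.'
} else {
    # Any hit means sites signed with that key still show as secure on this machine.
    $hits | Format-List
    Write-Warning 'A matching root is still trusted; uninstalling the program did not remove it.'
}
```

This covers only the Windows certificate stores; Firefox keeps its own store and has to be checked separately.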

Well done BC...as usual you provide the clarity that comes with details. Great find, BC.
As you said, the adware is not the issue. The thing makes a hole in the system security. The author says he got common tools and hardware and spent several hours to create a bogus 'hotspot' to intercept a real bank transaction.
Quote

Conclusion
Thus, this example proves that this exploit is practical, not merely theoretical as claimed by the Lenovo CTO. Exploiting this was a straightforward application of commonly available tools. The only thing out of the ordinary was sslsplit, but that's a tool commonly used by corporations for security purposes, and not some special "hacking" purpose.

A search finds:
Quote
SSLsplit – Transparent and scalable SSL/TLS interception
So anybody can use it. No license needed.
Which means the threat is very real.

