Here is an update for this specific issue. There are other instances of this same SSL-busting code that have been recently discovered in a dozen more applications. See this article at Ars Technica: http://feeds.arstechnica.com/~r/arstechnica/index/~3/4y8_mNq8xdM/  Also of note is that Lenovo published an apology, sent out a software update that removes Superfish adware, published instructions for how to remove it, and is giving a free six-month subscription to McAfee LiveSafe to all affected users. Today they announced that they are going to significantly reduce the amount of software that comes preinstalled on their laptops, and they are also going to list all preinstalled software and what it's for on their website.

Jerel, WT6G

Sent from my iPhone

On Feb 27, 2015, at 8:07 AM, William Talanian <w1uuq@cox.net> wrote:



FYI
 
From: Patricia Seybold Group [mailto:research=customers.com@cmail1.com] On Behalf Of Patricia Seybold Group
Sent: Friday, February 27, 2015 7:22 AM

Subject: Strategic Research: Patty’s Pioneer, Peter Horne, Exposes Lenovo Security Risk
 
Customers.com

February 27, 2015
 

Patty’s Pioneer, Peter Horne, Exposes Lenovo Security Risk

By Patty Seybold
Things have been buzzing on our private email listserv over the past two months. Peter Horne, one of the most active members of Patty’s Pioneers, began discussing a troubling problem he had found on a Lenovo computer he purchased in Sydney, Australia in early January, 2015. Pete quickly discovered malware on his new computer. He realized that this malware, Superfish Adware, had been pre-installed at the Lenovo factory as part of the Lenovo additions to the pre-installed version of the Windows operating system. He found that the Superfish Adware had compromised the Windows network software at a very low level, allowing it to insert its own script into every single page viewed by a browser. It was at such a low level that it did not matter which browser was used (Explorer, Chrome, or Firefox); it was the operating system that was compromised. Furthermore, it was so deep in the operating system that neither McAfee, Trend Micro, nor the Microsoft malware removal tool found the Superfish software.

Customer Tried to Alert the Company; But Was Ignored

Peter reported the infected computer to the store, and they contacted their Lenovo sales rep. However, Lenovo had a policy of not talking directly to customers about store enquiries, and he waited. Nothing happened, and so he logged his own call with the Lenovo Help desk.
But, this was all to no avail. Repeatedly, company spokespeople told this savvy customer, who was only trying to help, that he was mistaken. Nothing like this could possibly be happening. “Lenovo doesn’t distribute Malware.” Pete offered to walk the Lenovo product manager through the process to demonstrate the existence of the Malware, but nobody ever got back to him. In the end, the store manager refunded Pete the money because he was convinced of the issue himself, and he wanted to keep a valuable customer who had purchased many items at the store in the past with no problems.
While he was getting the run around from Lenovo, Pete also did a fair amount of time-consuming due diligence. He checked computers at Lenovo stores in four cities around the world. He asked other Pioneers to check their own machines and at local stores.
If Lenovo’s management had paid attention to the customer feedback from Pete and other customers, their security team might have discovered the issue, quietly dealt with it, and avoided the ensuing uproar.

Customer Alerts the Press

Pete was troubled. He’s also a busy guy. He was tempted to move on, but was troubled by the fact that less tech-savvy consumers would be buying a spyware-infected computer. He reached out to the other members of the Pioneers’ forum, including my brothers, Jonathan and Andy Seybold, who encouraged him to get the word out, and they helped by contacting reporters they knew at the New York Times.
Luckily, a tech-savvy reporter, Nicole Perlroth, paid attention, interviewed Pete, and began doing her own investigation.
Other reporters also got wind of the story. The first article that appeared was written by Timothy Seppala for Engadget.com. “New Lenovo PCs shipped with Factory-Installed Adware” appeared at 1:25 am on February 19th. Timothy based his story on the user discussions about this adware he found on the Lenovo Forums. It was also discovered that Superfish used a product from Komodia that corrupted the machine’s trust store (the store of certificates that vendors include to certify that SSL connections can be trusted). The Komodia certificate opened all infected computers to “man-in-the-middle” attacks, an attack that allows bad guys to impersonate the sites you trust and capture your traffic.
Nicole Perlroth’s first New York Times article, “Researcher Discovers Superfish Spyware Installed on Lenovo PCs,” appeared online at 7:44 pm on February 19, 2015, and in the print edition the next day. Essentially the same story was published as “Spyware Is Found Installed on PCs Made by Lenovo,” as well as in newspapers around the world, since it was submitted to, and distributed by, the Associated Press. It was Peter Horne who revealed to Nicole the darker truth: it wasn’t just that adware was being pre-installed inside the machine’s operating system; it was tracking every single page and image a user was looking at, and sending all the metadata to the Superfish servers! And it could not be turned off.
Once the story was out, a feeding frenzy quickly spawned lots of follow-on articles.

The Damage Continues

Lenovo’s stock price has been hit. The company is now facing lawsuits. The Lenovo websites are under siege. Many customers have decided they won’t ever trust the brand again, for either consumer or business computers.
And there’s more troubling information about to come to light (stay tuned).
Peter Horne is raising some additional questions:
  • What’s happening to the massive amounts of personal data that has already been siphoned off by these services for anyone who is using one of the affected models of a recently purchased Lenovo consumer PC?
  • Why is it so easy to spoof the supposedly secure Certificate Authority on which our global e-commerce infrastructure is built? Look at how corrupted the Certificate Authority process is. This incident highlights its incredible flimsiness and vulnerability.
  • What is visual search, where did it come from, and how is it being used? If Superfish is collecting the photo DNA of all the photos your mouse touches, combining that information with your internet session data, and mining that data, this is a huge invasion of privacy.
  • Who are these companies, Superfish and Komodia, and who are the people behind them? Executives at both companies are open about their backgrounds in intelligence work in Israel, their work for intelligence specialist companies, their work on intelligence contracts, and the decision to move their operations to the U.S. Why haven't they said anything about their products and services?

The Moral of the Story: Listen to What Your Customers Are Trying to Tell You!

Don’t ignore your customers’ attempts to warn you about a product or a process flaw that will damage your reputation! To their credit, Lenovo executives have finally reached out to Peter Horne (and probably other smart customers) and asked for their help in keeping similar problems from happening in the future. After all, if you have smart customers, why not harness their intelligence to keep you out of trouble?
 
 
Customers.com

© 2015 The Patricia Seybold Group
387 Central Avenue
Needham, MA 02494 USA

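The trust-store corruption the newsletter describes (a Komodia-issued root certificate that lets the adware impersonate any HTTPS site) can be checked for on a Windows machine. This is an added example, not code from the email, from Lenovo or from the Seybold Group; it assumes only that the Superfish root certificate carries "Superfish" in its subject or issuer, which is a name match rather than a known thumbprint.

```powershell
# Added example: look through the Windows root certificate stores for a
# trusted root naming Superfish. A root like this in the trust store means
# anyone holding its private key can sign certificates this machine accepts,
# which is the man-in-the-middle exposure discussed in the newsletter.
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'
)
# Assumption: we match on the vendor name, not on a published thumbprint.
$pattern = 'Superfish'

$findings = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -match $pattern -or $_.Issuer -match $pattern
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            # A root that signed itself and is not from the OS vendor's
            # trusted-root program is the shape of the Superfish install.
            SelfSigned = ($_.Subject -eq $_.Issuer)
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
        }
    }
}

if ($findings) {
    Write-Warning "Found $(@($findings).Count) certificate(s) matching '$pattern':"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No certificate matching '$pattern' in the checked root stores."
}
```

The script only reports; removing the certificate alone does not uninstall the adware that installed it, so a hit should be followed by the vendor's removal steps mentioned at the top of the thread.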
_______________________________________________
SBARC-list mailing list
SBARC-list@lists.netlojix.com
http://lists.netlojix.com/mailman/listinfo/sbarc-list