Lenovo Superfish: Not The First Time Vendors Have Preinstalled Malware

Aside

The recent fiasco involving Lenovo concerns what has come to be known as Superfish, which amongst other things performs a MiTM attack on TLS-encrypted HTTP traffic so that it can still insert advertisements into encrypted pages.

The story broke on Feb 18 when major tech sites and even mainstream media began speaking of a security issue affecting recent laptops from Chinese vendor Lenovo. Given the large amount of negative publicity the company has reacted quite swiftly and has even provided a list of affected laptops and portables along with an easy-to-use Superfish removal tool. LastPass has a third-party tool which will quickly identify the presence of Superfish on your machine. Given that it does not actively hide its presence, there are likely far more straightforward ways to identify the presence of the malware.

Of course this isn’t the first time OEMs have saddled their customers with preinstalled junk that is either annoying or, worse, compromises the confidentiality of any data on that machine. An excellent example would be the multiple vendors who include a variety of PopCap games bundled with the perennially problematic OpenCandy advertising engine, along with trial copies of software that you have no realistic chance of ever requiring, let alone purchasing on a whim.

I have a big problem with Microsoft Windows, particularly 8.x, so any time I purchase a new machine I typically do the following:

  • Boot the machine, skipping the sysprep/OOBE screens so that I may enter Device Manager and note down the hardware within the machine (generally done only if the unit’s manual does not list full specifications and there is no reliable information online).
  • Reboot whilst pressing the boot selection hotkey so that I can boot the Clonezilla DVD, which is relatively lightweight and includes the tools we need. Obviously you could substitute any similarly equipped Linux, *BSD or Solaris live CD/DVD.
  • Using hdparm(8) a master password is set on the HDD and, if the disk appears frozen, the power connector is temporarily disconnected. An ATA SECURE ERASE (enhanced) is then executed. This ensures that there is no chance of any data remanence (particularly important if your new PC is ex-display and a myriad of people have been playing with it in the store).
  • Following the conclusion of the ATA SECURE ERASE command, smartctl(8) is used to run a long self-test and the outcome of this is noted.
  • I go ahead with the installation of FreeBSD or Debian Linux.
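The erase and self-test steps above can be scripted from the live environment. The following is an added example, not the author's own script: it reads the Security section of `hdparm -I`, refuses to proceed if the drive is frozen or does not support enhanced erase, and otherwise emits (or, with `--confirm`, runs) the hdparm and smartctl sequence. Device names such as `/dev/sdX` are placeholders, the sample `hdparm -I` text is constructed rather than captured from a real drive, and the script follows hdparm's documented sequence of setting a *user* password (`--user-master u`), because SECURITY ERASE UNIT requires the security feature to be enabled and setting only the master password does not enable it.

```shell
#!/bin/sh
# Added example (not the blog author's script). Assumes a GNU/Linux live
# environment with hdparm and smartmontools installed. Without --confirm it
# only prints the commands it would run.

# Constructed sample of the Security section of `hdparm -I` for a drive that
# is not frozen and supports enhanced erase (not captured from a real drive).
SAMPLE_READY='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Same drive after the firmware issued SECURITY FREEZE LOCK at boot.
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_READY" | sed 's/not frozen/    frozen/')

# Read `hdparm -I` output on stdin; print frozen, locked, ready or unsupported.
security_state() {
    out="$(cat)"
    printf '%s\n' "$out" | grep -q 'Security:' || { echo unsupported; return 0; }
    # hdparm prints "not frozen" when usable and an indented "frozen" otherwise.
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*frozen'; then echo frozen; return 0; fi
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*locked'; then echo locked; return 0; fi
    echo ready
}

# Extract the drive's own estimate (minutes) for the enhanced erase.
enhanced_erase_minutes() {
    sed -nE 's/.*[^0-9]([0-9]+)min for ENHANCED SECURITY ERASE UNIT.*/\1/p'
}

# Command sequence for device $1 with temporary password $2: enable security
# with a user password, run the enhanced erase (which also clears the
# password), then start the SMART long self-test.
erase_plan() {
    dev="$1"; pass="$2"
    printf '%s\n' \
        "hdparm --user-master u --security-set-pass $pass $dev" \
        "hdparm --user-master u --security-erase-enhanced $pass $dev" \
        "smartctl -t long $dev"
}

main() {
    dev="${1:?usage: $0 /dev/sdX [--confirm]}"
    confirm="${2:-}"
    pass="tmp-erase-pw"   # discarded by the erase itself; any value will do
    ident="$(hdparm -I "$dev")" || exit 1
    case "$(printf '%s\n' "$ident" | security_state)" in
        frozen)      echo "$dev is frozen: power-cycle the drive (hot unplug/replug) and retry" >&2; exit 2 ;;
        locked)      echo "$dev is locked: unlock it with the existing password first" >&2; exit 3 ;;
        unsupported) echo "$dev has no ATA security feature set; fall back to a full overwrite" >&2; exit 4 ;;
    esac
    printf '%s\n' "$ident" | grep -q 'supported: enhanced erase' \
        || { echo "$dev lacks enhanced erase; use --security-erase instead" >&2; exit 5; }
    echo "drive estimates $(printf '%s\n' "$ident" | enhanced_erase_minutes) min for the enhanced erase"
    if [ "$confirm" != "--confirm" ]; then
        echo "dry run; re-run with --confirm to execute:"; erase_plan "$dev" "$pass"; exit 0
    fi
    erase_plan "$dev" "$pass" | while read -r cmd; do echo "+ $cmd"; $cmd || exit 1; done
    echo "check the self-test result later with: smartctl -l selftest $dev"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh erase.sh /dev/sdX` first to see the plan, then with `--confirm`. A frozen drive is the usual stumbling block: the script only reports it, since the fix (briefly pulling the drive's power connector, as in the steps above) has to happen outside the script.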

My Apologies For The Brief Hiatus

Aside

I have been away from this blog and most of my other responsibilities for a little over a week as a result of tending to some family issues and preparing ourselves for a move across town.

Fortunately I will be back on track in the next few days and will update this blog again very shortly.

GCHQ Catalog Leaked

Aside

Several months ago Greenwald et al. reported on the NSA’s TAO division and provided a somewhat redacted copy of what amounts to their “spy catalog”. Yesterday the GCHQ’s catalog was leaked, and there indeed appear to be many similarities in capability to their American allies.

Another IoT Device Broken

Aside

Security firm Context recently reported on a vulnerability they discovered in a LIFX smart globe that resulted in credential disclosure and ultimately the ability to remotely alter the lamp’s state – that is to say, they were able to turn lamps on or off. Their report is an interesting read.

Banner Art – I’m Working On It!

Aside

Okay, so quite a few people have been amused at the fact that I haven’t changed away from the stock banner photos. I have actually sent some ideas to an artist to see what can be done, one of my favorites being a goat raising the flag at Iwo Jima, with the “hill” comprised of broken PCs labeled with privacy invading concepts such as ‘key escrow’, etc. Kind of like the NetBSD attempt, but more political. Don’t quote me but I believe that NetBSD changed their logo to be a little less “in your face” as a consequence of a number of developers of Japanese heritage taking offense at the logo. In any case, I digress – I am aware of the issue – and unless you are willing to volunteer your services as an artist to remedy the situation – please sit tight and I will get some art organized as soon as I can.

My Thoughts On Reset The Net

Aside

The Reset The Net initiative plans to run splash screens on major sites on June 5 encouraging users to protect themselves from mass surveillance. I have been asked what I think of the project and my answer is simple – any initiative that results in more people using encryption is a good thing. I am uncertain as to how effective this will be at bringing about the legislative change we need to address the root cause of the problem, but I remain hopeful that such a targeted response may indeed get some people talking.