Lenovo shipping new computers with Adware called Superfish

Discussion in 'The Howard Stern Show' started by dawg, Feb 19, 2015.

  1. dawg

    dawg In The Dog House Staff Member

    Reputations:
    541,159
    Joined:
    Aug 19, 2010
    Messages:
    119,559
    Likes Received:
    90,940
    superfish-certificate-fd.jpg
    No one likes crapware--the adware and trial software that PC and smartphone vendors put on their devices. Until recently, though we rarely got actual malware installed on new computers. Now, thanks to Lenovo and Superfish Visual Discovery adware, we didn't merely get injected ads in our search engine results, we also had our computer doors opened to man-in-the-middle Secure-Socket Layer/Transport Layer Security (SSL/TLS) attacks.

    Users always disliked Superfish. As early as September 2014, Lenovo buyers were complaining about Superfish's fishy search results. Lenovo, however, didn't admit to installing Superfish, and its problems, until January 2015. Then, Mark Hopkins, a Lenovo social media program manager, admitted that Superfish had "some issues (browser pop up behavior for example)," so Lenovo temporarily removed Superfish from their systems.

    What Lenovo didn't say was that Superfish was installing its own self-signed root certificate authority (CA), This enabled the Superfish software to void SSL/TLS connections and gave hackers a hole to be used in man-in-the-middle (MITM) attack and view the contents of any "encrypted" connections.

    This hole was discovered on January 21 by a Lenovo user. Lenovo, however, while no longer installing it on new systems, didn't alert users of the potential danger. This hole can be used against you no matter which Web browser you're using.

    Then, the problem with Lenovo consumer laptops running Windows 8.1 sold between September 2014 and January 2015, was shown to be even worse than expected. Google security engineer, Chris Palmer, showed on Twitter that Superfish was intercepting SSL/TLS connections and injecting its own self-signed certificates for all sites on his Yoga 2 laptop. This included such sites as the one for Bank of America.
    Read this

    Until Superfish fix, Lenovo devices can't be trusted for secure work

    Enterprise customers are not said to be affected, but millions of consumers and bring-your-own-device users are likely using compromised machines.



    On February 19th, the problem went from merely terrible security practice and a potential problem to being a real security hole. Robert Graham, a security hacker, extracted the password that Superfish uses for its CA and published it. This means that, as Graham put it, "I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a café wifi hotspot."

    So, since if you're in a coffee shop right now using your new Lenovo to look at a secured Web site open in another tab, you could be having your password stolen at this moment, here's how to zap Superfish.

    First, you need to get rid of the program. To do that, first take the following steps:

    Go to Control Panel > Uninstall a Program
    Select Visual Discovery > Uninstall

    According to Lenovo, that's all you need do and besides"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns." In part, Lenovo states this because "Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market."

    I don't buy it. If that's the case then Palmer never should have been misdirected while browsing with his Lenovo laptop on February 18th.

    This issue aside, the bad certificate will still be on your Windows system. To get rid of it, run the Microsoft Management Console, Mmc.exe (you need an administrator's credentials to do this), and do the following:

    Go to File -> Add/Remove Snap-in
    Pick Certificates, click Add
    Pick Computer Account, click Next
    Pick Local Computer, click Finish
    Click OK
    Look under Trusted Root Certification Authorities -> Certificates
    Find the one issued to Superfish and delete it.
     
    Beth Onostrosky likes this.
  2. Schmoopy

    Schmoopy Shit Mult Hunter

    Reputations:
    216,454
    Joined:
    Aug 25, 2010
    Messages:
    211,015
    Likes Received:
    33,726
    PITY FUCKING POST!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!:lol::jj::funny::bounce:
     
  3. ScottBaiosPenis

    ScottBaiosPenis Well-Known Member

    Reputations:
    77,389
    Joined:
    May 26, 2013
    Messages:
    8,971
    Likes Received:
    15,454
    linux,yes
     
    Quedee likes this.
  4. Peau de Soie

    Peau de Soie Edit Button? Thanks LaserTilt!

    Reputations:
    11,162
    Joined:
    Jan 16, 2012
    Messages:
    9,617
    Likes Received:
    2,078
    This is important, and thanks for publishing it. From what I can gather, the only really bad thing going on is the untrustworthy CA being installed, and the resulting ability to sign phony certs for a MITM attack. It's NOT the case that they could invalidate certs from other CAs, is it?
     
  5. Droog

    Droog Well-Known Member VIP

    Reputations:
    134,995
    Joined:
    Jan 15, 2012
    Messages:
    15,130
    Likes Received:
    19,251
    I wish IBM had never sold their laptop business to Lenovo.
     
    EndOfLine likes this.
  6. AGT Blows

    AGT Blows Well-Known Member

    Reputations:
    79,083
    Joined:
    Dec 30, 2011
    Messages:
    10,616
    Likes Received:
    6,070
    Do people outside of the corporate world buy Lenovo? They are hugely overpriced.
    I've worked at a couple of large companies that use exclusively Lenovo computers, and they are wiped clean and have the company's image installed before they ever touch the network
     
  7. dawg

    dawg In The Dog House Staff Member

    Reputations:
    541,159
    Joined:
    Aug 19, 2010
    Messages:
    119,559
    Likes Received:
    90,940
    That's not the point bro, they got caught with their hand in the cookie jar. The point is they all do it.

    Dell, HP on and on
     
    Peau de Soie likes this.
  8. AGT Blows

    AGT Blows Well-Known Member

    Reputations:
    79,083
    Joined:
    Dec 30, 2011
    Messages:
    10,616
    Likes Received:
    6,070
    IBM invented the pencil eraser mouse pointer (I've heard it called the clit, haha) in the middle of the keyboard. It's so much better that a touchpad, especially on the more recent Lenovo models.
    I don't know why other companies don't add it to their designs.
     
    Droog likes this.
  9. Peau de Soie

    Peau de Soie Edit Button? Thanks LaserTilt!

    Reputations:
    11,162
    Joined:
    Jan 16, 2012
    Messages:
    9,617
    Likes Received:
    2,078
    They did. Often there are both touchpad and clit on the same machine. I much prefer a touchpad, even over a mouse.
     
  10. AGT Blows

    AGT Blows Well-Known Member

    Reputations:
    79,083
    Joined:
    Dec 30, 2011
    Messages:
    10,616
    Likes Received:
    6,070
    If Dell and HP are up to this level of shady behavior, I would be surprise. Lenovo is owned by the Chinese. China is not known for excellent business practices.
     
  11. dawg

    dawg In The Dog House Staff Member

    Reputations:
    541,159
    Joined:
    Aug 19, 2010
    Messages:
    119,559
    Likes Received:
    90,940
    They are up to the level of this shadiness and more.
     
  12. Peau de Soie

    Peau de Soie Edit Button? Thanks LaserTilt!

    Reputations:
    11,162
    Joined:
    Jan 16, 2012
    Messages:
    9,617
    Likes Received:
    2,078
    Nah, we've been through this many times before, with adware companies slipping full bore to the dark side, sometimes slowly and sometimes from the get-go but under the radar. Every bit of bundled crapware should be viewed with suspicion, from every brand. Besides, every last one is made in China anyway.
     
  13. dawg

    dawg In The Dog House Staff Member

    Reputations:
    541,159
    Joined:
    Aug 19, 2010
    Messages:
    119,559
    Likes Received:
    90,940
    Crapware is the most shameful practice of them all
     
    Droog likes this.
  14. AGT Blows

    AGT Blows Well-Known Member

    Reputations:
    79,083
    Joined:
    Dec 30, 2011
    Messages:
    10,616
    Likes Received:
    6,070
    I've seen the clit on some HP laptops in the past, but not any others. I have a Lenovo laptop at work, and I use the clit all day long. People are always asking why my laptop has a Pooh Bear sticker on it.
     
  15. Droog

    Droog Well-Known Member VIP

    Reputations:
    134,995
    Joined:
    Jan 15, 2012
    Messages:
    15,130
    Likes Received:
    19,251
    I agree. I hate the touchpad. Makes typing on a laptop a pain in the ass. The IBM Thinkpads had wonderful keyboards, nice screens, and good performance. They were expensive but they were really nice computers.