http://marcrogers.org/2015/02/19/lenovo-installs-adware-on-customer-laptops-and-compromises-all-ssl/
By Marc Rogers
FEBRUARY 19, 2015
A pretty shocking thing came to light this evening – Lenovo is installing
adware that uses a “man-in-the-middle” attack to break secure connections
on affected laptops in order to access sensitive data and inject
advertising. As if that wasn’t bad enough they installed a weak
certificate into the system in a way that means affected users cannot
trust any secure connections they make – TO ANY SITE.
We trust our hardware manufacturers to build products that are secure. In
this current climate of rising cybercrime, if you cant trust your hardware
manufacturer you are in a very difficult position. That manufacturer has a
huge role to play in keeping you safe – from releasing patches to update
software when vulnerabilities are found to behaving in a responsible manor
with the data the collect and the privileged access they have to your
hardware.
When bad guys are able to get into the supply chain and install malware it
is devastating. Often users find themselves with equipment that is
compromised and are unable to do anything about it. When malware is
installed with the access a manufacturer has it buries itself deep inside
the system often with a level of access that often takes it beyond the
reach of antivirus or other countermeasures. This is why it is all the
more disappointing – and shocking – to find a manufacturer doing this to
its customers voluntarily.
Lenovo has partnered with a company called Superfish to install
advertising software on it’s customer’s laptops. Under normal
circumstances this would not be cause for concern. However Superfish’s
software has quite a reputation. It is a notorious piece of “adware”,
malicious advertising software. A quick search on Google reveals numerous
links for pages containing everything from software to remove Superfish to
consumers complaining about the presence of this malicious advertising
tool.
[...]
--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/
