[Micronet] Superfish Malware on Lenovo Laptops

John McChesney-Young
When I looked at my Twitter timeline this morning I saw scores of
tweets about the discovery that Lenovo laptops come with a significant
vulnerability that breaks SSL. See (e.g.):

http://marcrogers.org/2015/02/19/lenovo-installs-adware-on-customer-laptops-and-compromises-all-ssl/

"A pretty shocking thing came to light this evening – Lenovo is
installing adware that uses a “man-in-the-middle” attack to break
secure connections on affected laptops in order to access sensitive
data and inject advertising. As if that wasn’t bad enough they
installed a weak certificate into the system in a way that means
affected users cannot trust any secure connections they make – TO ANY
SITE."

According to this article at Forbes, the problem dates back two years:

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/

although I saw a tweet from someone who said their mid-year 2013
Lenovo was unaffected.

See also:

http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
http://arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/
(and yes, it's as funny/infuriating as the URL suggests)

I know the University's agreement with Dell means that's the
predominant Windows hardware brand on campus but any of you who have a
Lenovo machine or who support people who do should be aware of this.

John

--
John McChesney-Young, Administrative Assistant
History of Art Department, 416 Doe MC6020
U. C. Berkeley, Berkeley CA 94720-6020
[hidden email] // voice 1-510-642-5511 // fax 1-510-643-2185

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Superfish Malware on Lenovo Laptops

secabeen
As I understand it, this is only on consumer-grade laptops from Lenovo.
The Think* line is run by a different group, and does not engage in this
sort of chicanery.

--Ted

On 2/19/2015 8:59 AM, John McChesney-Young wrote:

> When I looked at my Twitter timeline this morning I saw scores of
> tweets about the discovery that Lenovo laptops come with a significant
> vulnerability that breaks SSL. See (e.g.):
>
> http://marcrogers.org/2015/02/19/lenovo-installs-adware-on-customer-laptops-and-compromises-all-ssl/
>
> "A pretty shocking thing came to light this evening – Lenovo is
> installing adware that uses a “man-in-the-middle” attack to break
> secure connections on affected laptops in order to access sensitive
> data and inject advertising. As if that wasn’t bad enough they
> installed a weak certificate into the system in a way that means
> affected users cannot trust any secure connections they make – TO ANY
> SITE."
>
> According to this article at Forbes, the problem dates back two years:
>
> http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/
>
> although I saw a tweet from someone who said their mid-year 2013
> Lenovo was unaffected.
>
> See also:
>
> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
> http://arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/
> (and yes, it's as funny/infuriating as the URL suggests)
>
> I know the University's agreement with Dell means that's the
> predominant Windows hardware brand on campus but any of you who have a
> Lenovo machine or who support people who do should be aware of this.
>
> John
>

 

Re: [Micronet] Superfish Malware on Lenovo Laptops

John McChesney-Young
On Thu, Feb 19, 2015 at 9:49 AM, Ted Cabeen <[hidden email]> wrote:
> As I understand it, this is only on consumer-grade laptops from Lenovo.
> The Think* line is run by a different group, and does not engage in this
> sort of chicanery.

Thank you, I hadn't seen that ThinkPads were exempt. The Verge
confirms that's Lenovo's claim:

http://www.theverge.com/2015/2/19/8069127/superfish-password-certificate-cracked-lenovo

John, with a T43 at home running Utopic Unicorn


--
John McChesney-Young, Administrative Assistant
History of Art Department, 416 Doe MC6020
U. C. Berkeley, Berkeley CA 94720-6020
[hidden email] // voice 1-510-642-5511 // fax 1-510-643-2185

 

Re: [Micronet] Superfish Malware on Lenovo Laptops

Robert Hiramoto
From the Ars Technica article, there is this link, where one can test for this vulnerability:
People who are concerned their PC may contain this critical vulnerability can check at https://filippo.io/Badfish/.


And Slashdot's comments:

http://yro.slashdot.org/story/15/02/19/1348207/lenovo-allegedly-installing-superfish-proxy-adware-on-new-computers

And a Paul Thurrott article on how a consumer can install Windows 8.1 in a clean manner, which may be of help to Yoga owners:

~Robert

**************************************
Robert Hiramoto
IT Manager
Institute for Research on Labor and Employment (IRLE)
University of California, Berkeley
2521 Channing Way #5555
Berkeley, CA 94720-5555

 
Phone:  (510) 643-3903
Fax:  (510) 642-6432

IRLE IT Help Line - (510) 642-0077

IRLE IT Help Email address:

On Thu, Feb 19, 2015 at 9:49 AM, Ted Cabeen <[hidden email]> wrote:
> As I understand it, this is only on consumer-grade laptops from Lenovo.
> The Think* line is run by a different group, and does not engage in this
> sort of chicanery.
>
> --Ted
>
> On 2/19/2015 8:59 AM, John McChesney-Young wrote:
>> When I looked at my Twitter timeline this morning I saw scores of
>> tweets about the discovery that Lenovo laptops come with a significant
>> vulnerability that breaks SSL. See (e.g.):
>>
>> http://marcrogers.org/2015/02/19/lenovo-installs-adware-on-customer-laptops-and-compromises-all-ssl/
>>
>> "A pretty shocking thing came to light this evening – Lenovo is
>> installing adware that uses a “man-in-the-middle” attack to break
>> secure connections on affected laptops in order to access sensitive
>> data and inject advertising. As if that wasn’t bad enough they
>> installed a weak certificate into the system in a way that means
>> affected users cannot trust any secure connections they make – TO ANY
>> SITE."
>>
>> According to this article at Forbes, the problem dates back two years:
>>
>> http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/
>>
>> although I saw a tweet from someone who said their mid-year 2013
>> Lenovo was unaffected.
>>
>> See also:
>>
>> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
>> http://arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/
>> (and yes, it's as funny/infuriating as the URL suggests)
>>
>> I know the University's agreement with Dell means that's the
>> predominant Windows hardware brand on campus but any of you who have a
>> Lenovo machine or who support people who do should be aware of this.
>>
>> John
>>



Re: [Micronet] Superfish Malware on Lenovo Laptops

John McChesney-Young
On Thu, Feb 19, 2015 at 10:21 AM, Robert HIRAMOTO
<[hidden email]> wrote in part:
...
> Ars Technica's article, with a little more info:
>
> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

That article has been updated with a list of affected models.

> From the Ars Technica article, there is this link, where one can test for
> this vulnerability:
> People who are concerned their PC may contain this critical vulnerability
> can check at https://filippo.io/Badfish/....

According to @SwiftOnSecurity - who I think is actually a security
researcher with Microsoft - the testing sites don't work with Firefox,
so use Chrome or IE.

https://twitter.com/SwiftOnSecurity/status/568474897770377216

BTW, if you like to read about infosec, see:

https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

John


--
John McChesney-Young, Administrative Assistant
History of Art Department, 416 Doe MC6020
U. C. Berkeley, Berkeley CA 94720-6020
[hidden email] // voice 1-510-642-5511 // fax 1-510-643-2185

 