02-19-2015, 09:15 AM
|
#1
|
First Line Centre
Join Date: Oct 2001
Location: Here
|
Lenovo shipping PCs with man-in-the-middle adware which compromises HTTPS
If you bought a Lenovo PC in the last little while, you might want to check if you're affected.
Quote:
Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.
The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.
|
Quote:
The adware and its effect on Web encryption has been discussed since at least September in Lenovo customer forum threads such as those here and here. In the latter post, dated January 21, a user showed a root certificate titled Superfish was installed...
He then went on to show how the certificate tampered with the HTTPS connection to a banking website, behavior that allowed Superfish to collect all data unencrypted.
|
http://arstechnica.com/security/2015...s-connections/
|
|
|
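The article quoted in the first post says every HTTPS site's certificate ends up signed by the Superfish root. The following is an added example, not part of any post in this thread, showing one way to spot that pattern: compare the certificate issuer a machine sees for several sites against issuers recorded from a known-clean machine. All host names, issuer names and the `find_interception` helper are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: issuer names recorded from a known-clean vantage
# point, then three sets of observations from machines under test.
REFERENCE = {
    "bank.example": "Example Public CA G2",
    "mail.example": "Other Public CA R3",
    "shop.example": "Example Public CA G2",
}
# Every site re-signed by one local root ("Superfish" is used as the label
# only because the thread describes a root certificate with that title).
OBSERVED_TAMPERED = {host: "Superfish" for host in REFERENCE}
# One site legitimately moved to a different public CA.
OBSERVED_ROTATED = dict(REFERENCE, **{"mail.example": "Example Public CA G2"})
OBSERVED_CLEAN = dict(REFERENCE)


def find_interception(observed, reference, min_hosts=2):
    """Return {issuer: [hosts]} for issuers that replaced the expected issuer
    on at least `min_hosts` sites.

    A single mismatch can be an ordinary CA change by the site operator;
    the same unexpected issuer on several unrelated sites is the signature
    of a locally trusted root re-signing traffic.
    """
    replaced = defaultdict(list)
    for host, issuer in observed.items():
        expected = reference.get(host)
        if expected is None:
            continue  # no baseline for this host, nothing to compare
        if issuer != expected:
            replaced[issuer].append(host)
    return {
        issuer: sorted(hosts)
        for issuer, hosts in replaced.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for name, obs in [("tampered", OBSERVED_TAMPERED),
                      ("rotated", OBSERVED_ROTATED),
                      ("clean", OBSERVED_CLEAN)]:
        print(name, find_interception(obs, REFERENCE))
```
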
02-19-2015, 09:30 AM
|
#2
|
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
|
I was just about to post that.
Seems like Lenovo's version of the Sony rootkit debacle.
__________________
"The problem with any ideology is that it gives the answer before you look at the evidence."
—Bill Clinton
"The greatest obstacle to discovery is not ignorance--it is the illusion of knowledge."
—Daniel J. Boorstin, historian, former Librarian of Congress
"But the Senator, while insisting he was not intoxicated, could not explain his nudity"
—WKRP in Cincinnati
|
|
|
02-19-2015, 02:13 PM
|
#3
|
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
|
Quote:
Originally Posted by Bobblehead
I was just about to post that.
Seems like Lenovo's version of the Sony rootkit debacle.
|
Not sure which is worse. Sony's interfered with the PC to prevent CD copying by creating rootkit level DRM without the user's consent.
Lenovo is simply throwing its customers under the bus to make a few cents on razor thin consumer PC sales. Even they admitted that they financially get very little but even a few cents count on every machine. It cares more about that than its customers. Lenovo basically sold the rights to a company to install adware on an operating system level that's so badly designed that it intercepts and replaces all secure https certificates wtf.
|
|
|
02-19-2015, 06:33 PM
|
#4
|
Franchise Player
Join Date: Dec 2003
Location: Sunshine Coast
|
Samsung smart TVs join the invasive party.
Quote:
The report was prompted by a Reddit post that featured Samsung’s SmartTV policy, which states that the SmartTV captures “voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features.” This simply means that spoken commands are being analyzed so the TV can learn your language so it can function much better. The problem is that it’s always listening, even if you are not interacting with the TV.
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”
|
http://siliconangle.com/blog/2015/02...p-big-brother/
Quote:
Samsung's Smart TV may be a little too smart for its own good.
Tucked into the privacy policy of the South Korean electronics behemoth's Smart TV are a few paragraphs that may send chills down the spine of some consumers. According to the document, the unit's voice recognition protocols can "capture voice commands and associated texts so that [Samsung] can provide you with Voice Recognition features and evaluate and improve the features."
The boilerplate language—which granted few people read in its entirety—sounds fairly anodyne. That is, until the company adds this warning: "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."
The TV's voice features can be disabled. However, the company adds another caveat: "While Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it."
In other words, owners of the Samsung Smart TVs may need to watch what they say in their own homes, and especially where they say it.
|
Of course,
Quote:
A spokesperson for the company told CNBC that Samsung "takes consumer privacy very seriously,"
|
http://www.cnbc.com/id/102407345#.
|
|
|
02-20-2015, 06:20 AM
|
#5
|
Scoring Winger
Join Date: May 2008
Location: Syracuse, NY
|
Get a new machine, wipe it and do a vanilla OS install. Your machine will thank you.
__________________
...Rob
The American Dream isn't an SUV and a house in the suburbs;
it's Don't Tread On Me.
|
|
|
|
|
02-20-2015, 07:42 AM
|
#6
|
In the Sin Bin
|
Quote:
Originally Posted by Hack&Lube
Not sure which is worse. Sony's interfered with the PC to prevent CD copying by creating rootkit level DRM without the user's consent.
Lenovo is simply throwing its customers under the bus to make a few cents on razor thin consumer PC sales. Even they admitted that they financially get very little but even a few cents count on every machine. It cares more about that than its customers. Lenovo basically sold the rights to a company to install adware on an operating system level that's so badly designed that it intercepts and replaces all secure https certificates wtf.
|
I'm betting Lenovo actually gets more than they are admitting, but were trying to claim they only got a little money out of the deal in a brain-dead effort to make this all seem a little less bad. Their entire response was basically "this isn't a big deal for us, so it shouldn't be a big deal for you".
For anyone with an affected Lenovo laptop, the steps to remove this crap: https://www.eff.org/deeplinks/2015/0...enovo-computer
|
|
|
02-20-2015, 11:50 AM
|
#7
|
Franchise Player
Join Date: Jul 2005
Location: in your blind spot.
|
|
|
|
02-20-2015, 02:06 PM
|
#8
|
Lifetime Suspension
|
Wow, and I have a Lenovo laptop sitting at UPS today I am picking up after work. Is there a point where they stopped installing it? Or will mine be affected? It was built last week.
|
|
|
02-20-2015, 02:23 PM
|
#9
|
First Line Centre
Join Date: Oct 2001
Location: Here
|
Quote:
Originally Posted by pylon
Wow, and I have a Lenovo laptop sitting at UPS today I am picking up after work. Is there a point where they stopped installing it? Or will mine be affected? It was built last week.
|
Lenovo said that they stopped installing in January. Personally, I wouldn't trust anything they have said, since they have flip-flopped so much over the last few days.
You can easily re-install Windows 8.1 if you have the time (link with instructions), which will also get rid of all the bloatware.
EDIT: Both Ars Technica and Lenovo have instructions on just removing the malware: link
|
|
|
|
|
02-20-2015, 07:48 PM
|
#10
|
Lifetime Suspension
|
Lenovo sucks. My laptop that was built last week, according to the website, had the full suite of spyware in it. Plus I got the god damn fr/en keyboard with the small shift keys. French people f'n suck for ruining keyboards in Canada. Seriously, make it a special order item if you are the a-hole that needs one. Not the default for every Canadian order.
Last edited by pylon; 02-20-2015 at 08:27 PM.
|
|
|
|
|
02-20-2015, 08:38 PM
|
#11
|
Franchise Player
Join Date: Jul 2010
Location: Calgary - Centre West
|
An update for Windows Defender has been pushed out that will remove the Superfish certificate as well as the application that leverages it.
__________________
-James
GO FLAMES GO.
Quote:
Originally Posted by Azure
Typical dumb take.
|
|
|
|
02-22-2015, 12:08 PM
|
#12
|
In the Sin Bin
|
Yeah, I was expecting that cert would get revoked in a hurry.
|
|
|
02-22-2015, 02:15 PM
|
#13
|
Basement Chicken Choker
Join Date: Jan 2007
Location: In a land without pants, or war, or want. But mostly we care about the pants.
|
Quote:
Originally Posted by pylon
French people f'n suck for ruining keyboards in Canada.
|
Yes, the dastardly French and Big Keyboard are in cahoots. If only there was some way - maybe some kind of interconnected network hosting billions of data pages, searchable via free and easily grasped tools - to discover just exactly what kind of keyboard configuration a particular model of laptop uses. Or maybe even if the manufacturer linked that information in some kind of configuration sheet you could view.
Oh, to live in such a world! What a happy, happy place that would be!
__________________
Better educated sadness than oblivious joy.
|
|
|
02-23-2015, 10:10 AM
|
#14
|
Lifetime Suspension
|
Quote:
Originally Posted by jammies
Yes, the dastardly French and Big Keyboard are in cahoots. If only there was some way - maybe some kind of interconnected network hosting billions of data pages, searchable via free and easily grasped tools - to discover just exactly what kind of keyboard configuration a particular model of laptop uses. Or maybe even if the manufacturer linked that information in some kind of configuration sheet you could view.
Oh, to live in such a world! What a happy, happy place that would be!
|
Actually, every indication was it would not come with the gibbled keyboard. The images on the website showed the standard keyboard. I looked at the exact model at Staples and it had the standard English keyboard. I also specified in the order notes 'Do not ship with en/fr keyboard, if this is not possible, please cancel the order'.
But thanks for the input.
|
|
|
02-23-2015, 10:57 AM
|
#15
|
Franchise Player
Join Date: Aug 2005
Location: Violating Copyrights
|
Quote:
Originally Posted by pylon
Actually, every indication was it would not come with the gibbled keyboard. The images on the website showed the standard keyboard. I looked at the exact model at Staples and it had the standard English keyboard. I also specified in the order notes 'Do not ship with en/fr keyboard, if this is not possible, please cancel the order'.
|
So you're saying you could have done more...
|
|
|
02-23-2015, 03:03 PM
|
#16
|
Basement Chicken Choker
Join Date: Jan 2007
Location: In a land without pants, or war, or want. But mostly we care about the pants.
|
Quote:
Originally Posted by pylon
Actually, every indication was it would not come with the gibbled keyboard. The images on the website showed the standard keyboard. I looked at the exact model at Staples and it had the standard English keyboard. I also specified in the order notes 'Do not ship with en/fr keyboard, if this is not possible, please cancel the order'.
But thanks for the input.
|
Well y'know, before I wrote that, I actually went and checked their site, and on a page like this: http://shop.lenovo.com/ca/en/laptops.../z-series/z40/ it pretty clearly says at the bottom of the model specs KEYBOARD FRENCH-ENGLISH. Now, I don't know what model you bought, but generally a specific model number has a specific style of keyboard, so if the model number you bought had the wrong keyboard, c'est la vie.
Anyway, the point is that blaming the French for a mistake either you or the manufacturer made (as it's possible they sent you the wrong model, I suppose), is really annoyingly redneck. You sound like my dear departed grampa moaning about the metric system and that communist Trudeau.
|
|
|
02-24-2015, 01:29 AM
|
#17
|
Franchise Player
|
I actually didn't take his blaming the French seriously and I also think the discussion about it is pretty funny.
|
|
|
02-24-2015, 02:13 AM
|
#18
|
Franchise Player
Join Date: Dec 2003
Location: Sunshine Coast
|
Quote:
After investigating the Lenovo incident we found out that many other softwares - like some Parental Controls or security packages - do things even worse for your security. This test attempts to detect them all.
|
https://filippo.io/Badfish/
|
|
|
02-24-2015, 07:38 AM
|
#19
|
In the Sin Bin
|
Quote:
Originally Posted by Vulcan
|
Which is one of the reasons why I always wipe and re-install a clean version of Windows if I buy a prebuilt computer on behalf of anyone. Sucks for the people who don't know any better or otherwise can't do so.
Also, who didn't see this coming? Lenovo and Superfish hit with a class-action lawsuit: http://www.pcworld.com/article/28873...ish-snafu.html
The part of the complaint talking about "making money by studying her browsing habits" is amusing though. I sincerely hope she doesn't use any social media site or any internet search engine....
|
|
|
All times are GMT -6.
|
|