Lenovo in hot water over Superfish adware, but dismisses security worries (updated)

Reports from security consultants, media, and Lenovo users indicate that there’s bloatware pre-installed on recent Lenovo Windows PCs that’s a bit more sinister than a set of superfluous ThinkPad tools. It appears that adware called Superfish had been running on consumer laptops sold by Lenovo between September 2014 and this past January, raising significant security concerns.

In a statement issued on Thursday, Lenovo said although it had disabled Superfish “server side interactions” since January, it could “not find any evidence to substantiate security concerns.” It also promised not to pre-load Superfish in the future, while clarifying that Superfish requires users to approve its terms of use, and that it hasn’t been installed on devices since “December.”

Update: Sometime today, Lenovo changed its statement and quietly removed the line “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” The statement was most likely tweaked because there is actually a lot of evidence to back up that Superfish is a security problem. Lenovo also posted a PDF with instructions on how to remove Superfish.

The Electronic Frontier Foundation called Superfish “horrifically dangerous” and a “security catastrophe.”

The worst part is, Superfish isn’t even tangentially useful to the consumer. It’s ad-placing software — so far, what it appears to do is place its own ads against Google search results, which presumably generates income for both Lenovo and Superfish, a privately-held Palo Alto-based company. Lenovo’s statement said that Superfish was included “to help customers potentially discover interesting products while shopping.”

While ads might be annoying, the real problem with Superfish is the liberties it takes with users’ machines to serve those ads, which resemble a “man-in-the-middle” attack. The adware makes itself an unrestricted root certificate authority in Windows, so it is able to spoof SSL certificates. If you connect to a secure website, such as your bank, from Internet Explorer or Google Chrome on an affected Lenovo laptop, the security certificate will have been signed by Superfish, as opposed to a trusted SSL certificate services provider like VeriSign.

Essentially, this discovery means that HTTPS browsing on an affected Lenovo laptop is insecure. In fact, researchers have already cracked Superfish’s private key — which was the same on all affected laptops — meaning hackers could snoop on encrypted traffic while on the same network, or even install malware under the guise of a trusted program. Simply uninstalling the program doesn’t remove the unrestricted root certificate.
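Because uninstalling the adware leaves the root certificate behind, a defender wants to inspect the Windows trust stores directly. The script below is an added example, not from the article or from Lenovo’s removal PDF; it assumes the certificate can be recognised by the string “Superfish” in its subject or issuer (the page gives no thumbprint, so none is hard-coded), and it only removes matches when run with `-Remove` from an elevated PowerShell session.

```powershell
# Added example: report (and optionally remove) a Superfish root certificate
# from the Windows certificate stores. Assumption: the cert is identifiable by
# "Superfish" in its Subject or Issuer, as the article describes.
param(
    [switch]$Remove   # default is report-only; pass -Remove to delete matches
)

# Both machine-wide and per-user trust roots are checked, since a leftover
# certificate in either store is enough to make spoofed HTTPS look valid.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the checked stores.'
    return
}

# Show what was found before touching anything.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # The Cert: provider addresses a certificate by <store>\<thumbprint>;
        # deleting from LocalMachine requires an elevated session.
        $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
        Remove-Item -Path $path -Confirm:$false
        Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
}
```

Run it once without `-Remove` to see what is present; browsers that keep their own trust store (for example Firefox) are not covered by this check.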

Lenovo is the top PC vendor in the world, according to IDC, and shipped over 16 million PCs in the fourth quarter of last year, part of the time period when Superfish was preinstalled on some devices. Here’s an online test to check whether your device is affected.

OpenDNS and Google team to speed up the web

A few million Americans may find their YouTube requests get delivered faster on Tuesday as Google, OpenDNS, VeriSign and several content delivery networks announce the Global Internet Speed Up effort. It’s another way to make content routing at the edge of the network smarter.

iPhone Security Key: VeriSign Identity Protection App Released

If you’ve ever suffered from fraud on the Internet, you’ll know how important it is to use decent passwords, keep them safe, and watch out for phishing activities. Unfortunately, a simple password isn’t always the best way to protect yourself online. Many banks are now starting to use two-factor authentication, a system requiring a dongle that generates a coded number before you’re able to access accounts online.

This concept has today been extended to mobile devices by VeriSign, with the launch of VeriSign Identity Protection (VIP) for the iPhone. This free application will act as a security dongle, generating a coded number that can be entered for additional security on various web sites.

This “two-factor authentication” process is a first for a device such as the iPhone. The first factor is something you know — a username and password. The second factor is something you have, namely the code provided via your iPhone. It greatly enhances security and means that, for a thief, simply knowing your password is not enough.