Superfish and Lenovo: One Big Fish Fry

“Superfish” by @EddieTheYeti

There’s a nasty little game afoot where new laptops come with undesirable extras. I’m talking about “crapware”: all those annoying little programs and invitations to sign up and buy that fill your screen moments after you first boot up. That’s not the way anyone deserves to experience those heady first moments with a major new purchase. And yet, it’s exactly what happens with nearly all new laptops and PCs.

If you ask, you’re told that it’s been in practice by big companies for a while; that it’s the way business is done; that it’s nothing to worry about.  That doesn’t make it right.  And as of today, that doesn’t make it safe.

It has been discovered that the plethora of advertising extras pre-installed on Lenovo laptops contains a hidden danger. A piece of adware, known as “Superfish Visual Discovery”, conducts a type of attack known as “MITM”, or man-in-the-middle: it installs its own root certificate into the laptop’s trust store and intercepts the encrypted connections that depend on that trust, compromising a key security component of that lovely new laptop. And no, that is not supposed to happen. Which is why I think it’s time to speak up and speak out about this practice.

Plenty of top-drawer security and tech experts are currently dissecting and revealing the ugly truth about “Superfish”. Simply put by Marc Rogers on Marc’s Security Ramblings:

Lenovo is installing adware that uses a “man-in-the-middle” attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE.

Rik Ferguson offers this explanation on CounterMeasures:

 Superfish also installs its own self-signed Root Certificate Authority… Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security

Rob Graham on Errata Security described how he was able to “intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops)”. On Twitter, he challenged the supposition by Peter Hortensius, CTO of Lenovo, that the problem was “theoretical” by showing that he had tested it and proved otherwise. And Steve Ragan on Salted Hash Security News hits the nail on the head when he states:

Even if the user removes the Superfish software, the certificate remains trusted and installed on the system. As for the opt-in requirement, most users agree to everything when configuring a new system, assuming they even notice the Superfish TOS to begin with.

What really bothers me is that most users don’t have the technical skillsets to understand what is actually happening, let alone to diagnose and disinfect. From my years of experience working with end users, cleaning up this kind of mess definitely falls outside reasonable expectations of what we should ask most people to do. Helping folks overcome their fear of technology is always challenging. Most people would just like the problem to go away. Or for someone else to fix it. There is a point to which you can lead users, but then they balk.

My team and I are all about simplifying technology for users. And honestly, if you can teach someone the easy ways to do things right, like security, then it’s like teaching that proverbial man to fish: they’ll be fine for the rest of their lives. But there is nothing simple about cleaning up malware, spyware, adware and the technical mess they inflict on devices.  Nobody who really cares about their customers should be asking them to start prodding around in program or registry files even if the customer is technically qualified.  Because confusion happens and mistakes can be made.

It’s really great to hear the outcry against what’s been going on, and to put the issue squarely in front of major manufacturers. Time for certain parties to take a good look in the mirror: How can you proclaim your commitment to improving security when you’re actually contributing to a key source of problems? I love this statement by Marc Rogers on Marc’s Security Ramblings:

We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer you are in a very difficult position

That said, what can you do about it? First and foremost, you need to get that junk off your device. I’m happy to report that some terrific folks have been addressing that and there are some good suggestions on how to detect and remove it. For those inclined to take the task on, read the steps through carefully a couple of times to make sure they’re clear before you undertake anything. Keep in mind that uninstalling the Superfish program is not the whole job: as Steve Ragan notes above, the root certificate stays behind and stays trusted, so you have to confirm it is gone from the Windows certificate store, and from any application that keeps its own store, such as Firefox. I can recommend this piece by PC World. As well, I found this piece by ZDNet a little more detailed and perhaps easier to follow.
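For readers comfortable at a command prompt, here is one way to check whether the leftover root certificate is still trusted on a Windows machine. This is an added example written for this post, not code from the original article, from Lenovo, or from the PC World or ZDNet pieces. It assumes the certificate identifies itself with “Superfish” in its Subject field (a substring match), and it assumes the Superfish service is named VisualDiscovery; both are assumptions, not something this post verifies. Run it from an elevated PowerShell prompt.

```powershell
# Added example: look for the Superfish root certificate in the Windows trust
# stores and show how to remove it. Assumes the Subject contains "Superfish".

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

# Assumption: the interception service was registered as "VisualDiscovery".
# Uninstalling the program should remove it; if it is still here, the adware
# is still able to proxy your connections.
$service = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
if ($service) {
    Write-Warning "Superfish service still present: $($service.Name) ($($service.Status))"
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the Windows trust stores.'
    return
}

Write-Warning 'Superfish root certificate(s) still trusted:'
$found | Format-Table -AutoSize

# -WhatIf only reports what would be deleted. Re-run without it to remove.
foreach ($cert in $found) {
    Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -WhatIf
}
```

After removing the certificate, re-run the script to confirm nothing matches, and check Firefox separately (its certificate manager under Options, Advanced, Certificates) because Firefox does not use the Windows store. The -WhatIf switch is there so you can see what the script intends to delete before it deletes anything; read the output, then run it again without -WhatIf.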

Crapware serves no purpose other than garnering profit.  Lenovo has a PR nightmare ahead, and they have a lot to answer for. While they claim to have halted shipping it back in January, that does nothing about what’s already out there.  Hopefully this serves notice to other distributors about cleaning up their acts so they don’t get caught up in the same net with “Superfish”.   Because the only real victims in this fish fry are the end-users.

NOTE: The awesome pic up at the top is by talented InfoSec member and artist @EddieTheYeti

IOS8 – What You Should Know Before You Update


You’re excited. It’s finally here. And like opening a shiny new present you can’t wait to install it. STOP! This is fortress security, where we don’t rush headlong into disaster, and you don’t either.

First – back up your device. Never make any changes to your tech without having a recent backup first. Because stuff happens, and it always happens when you didn’t take a backup. Consider it your insurance policy. If you haven’t done one yet, there’s no time like the present. Given how many people say their lives are in their phones, that’s reason enough. Don’t rely on the cloud alone; make a tangible, retrievable backup to a computer and save it in iTunes. Move off some photos, videos, anything to ensure you have 1.4 GB of empty storage space. The upgrade isn’t for everyone. The iPhone 4 and original iPad are too old. Still eligible are the 4S, 5, 5C, 5S, iPad 2, 3, 4, Air and Mini. Allow between 30 minutes and an hour for the upgrade to complete and don’t expect to use your phone during that time. And then, the fun begins.

Expect to find lots of little changes to the old familiar: App Store, iTunes Store, multi-tasking and Spotlight. New are privacy controls and iCloud Keychain, a security feature for passwords and the like. The new Apple Pay feature won’t be offered until October, and only for the iPhone 6 and 6 Plus.

The iOS 8 Keyboard:  it’s predictive, which takes some getting used to but is helpful. And a whole new host of Emoji. Plus it supports third-party keyboards that allow for swipe-typing. Crazy as it looks, it works! I know, I use it.

Safari has a credit card reading feature in iOS 8 so that you can scan your cards with the camera and have the information put directly onto the website page. I’m not ready to recommend that yet, given the recent surge of security and data breaches, and knowing Apple products have fallen victim to targeted malware attacks and email schemes to lure users.

I do like, however, that a new feature lets you track apps that are battery hogs.  Just follow these steps:

  1. Open Settings
  2. Navigate to General | Usage | Battery Usage

After a few moments, the Battery Usage section will appear, and display those apps using the most power.


You may like that in the Photos App, you can view only those videos you shot, which are stored in their own album. Want some of those photos to briefly disappear? You can now tap and hold until a menu appears, then select Hide.

Find My iPhone: Send Last Location before the battery dies. Find My iPhone/iPad/iPod Touch can now send the last known location from your device to iCloud before the battery dies. We know what that’s like. Here’s how to set things up:

  1. Open Settings
  2. Tap iCloud | Find my [device type]
  3. Turn on the option for Send Last Location

Note that a Wi-Fi-only device that isn’t near a known access point has no way to send its location, so this feature may not work in that situation.

And finally, font size. When iOS 7 came out, it came with the option to change font size throughout the system.  But it was hard to find. Here is how to find the setting in iOS 8:


Hopefully this gets you up and running, so you can start enjoying all the new features. Because technology should be fun and friendly. Just like me!


Passwords: The Keys to Your Digital Kingdom


Fortress Security is all about keeping you and your data safe. When your home is your castle, you don’t let the drawbridge down for just anyone, but it’s amazing how cavalier we are about securing our digital fortress. Passwords are what keep the barbarians from storming the gates – literally and figuratively. Your online security begins – and ends – with what you choose.

They are your first defense and they can be one of your best defenses when used properly. How so? Typically, the most that we are asked for is something at least 6 characters long, sometimes with a number. If that’s easy for us to come up with, think of how easy it is for a hacker to break. At the guess rates these estimates assume, it takes only 10 minutes to crack a typical 6-character lowercase password, but if we extend that password by 3 characters, to 9 characters in total, and make it a mix of numbers and letters, alternating the cases of the letters, the estimate jumps to 44,530 years. Every extra character multiplies the search space again, which is why length matters most. So, the lesson here is: longer is better, numbers and mixed case are stronger. Easy.

Easy, except that the truth is most of us make passwords we can remember. After all, what good is it if we have to write them down someplace or keep forgetting them? So, we fall into the trap of using names we know, dates, addresses, favourite foods or places or even celebs. These are things our friends and families already know about us. Guess what? We’ve put all this same personally identifiable information up on the social media sites we frequent, as we chat about our lives, our jobs, our interests. Hackers know to go straight to these sites first and find their keys into our digital kingdoms. But now you know, too. Yahoo put together a list of passwords, 500 of them actually, that we shouldn’t be using. Yes, password is one, and butterfly is another. Along with every common name I’ve ever heard. Any password on a list like that is tried in the first few thousand guesses, no matter how long it is. Lesson learned: no pain, no gain. Making it inconvenient for ourselves makes it hard for hackers. That 9-character nonsense password will be deterrent enough.
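To make the arithmetic behind those estimates concrete, here is a small calculator that scores a candidate password the way the two paragraphs above describe: reject anything on a common-password list outright, otherwise work out how many guesses a brute-force attack needs and how long that takes at an assumed guess rate. This is an added example written for this post, not code from the original article. The guess rate is an assumption calibrated so that a 6-character lowercase password takes the post’s “10 minutes”; the six-entry blocklist is a constructed stand-in for the 500-entry Yahoo list; and the 40-bit “ok” threshold is an illustrative choice, not a standard.

```python
"""Password keyspace and guess-time estimate (added example, not from the post)."""
import math
import string

# Constructed excerpt standing in for the 500-entry "do not use" list the post
# mentions; a real check would load the full list.
COMMON_PASSWORDS = {"password", "butterfly", "123456", "qwerty", "letmein", "michael"}

# Character classes and the size each adds to the search space once used.
CHARSETS = (
    ("lowercase", frozenset(string.ascii_lowercase)),
    ("uppercase", frozenset(string.ascii_uppercase)),
    ("digits", frozenset(string.digits)),
    ("symbols", frozenset(string.punctuation)),
)

# Assumed guess rate, calibrated so that an all-lowercase 6-character password
# (26**6 candidates) is exhausted in the post's "10 minutes". Real rates range
# from a few guesses per second against a throttled login form to billions per
# second against a leaked hash; this is a modelling assumption, not a measurement.
GUESSES_PER_SECOND = 26 ** 6 / 600

# Illustrative threshold for calling a password "ok"; an assumption, not a standard.
OK_BITS = 40


def charset_size(pw):
    """Sum the sizes of every character class that appears in pw."""
    return sum(len(chars) for _, chars in CHARSETS if any(c in chars for c in pw))


def keyspace(pw):
    """Number of candidates a brute-force attack must try in the worst case."""
    return charset_size(pw) ** len(pw)


def entropy_bits(pw):
    """log2 of the keyspace: each extra character adds log2(charset) bits."""
    return math.log2(keyspace(pw))


def human_duration(seconds):
    """Render seconds in the largest sensible unit (year = 365.25 days)."""
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def assess(pw, guesses_per_second=GUESSES_PER_SECOND, blocklist=COMMON_PASSWORDS):
    """Reject list entries outright; otherwise report the brute-force estimate.

    A password on a common list falls in the first few thousand guesses
    regardless of its length, so its keyspace figure is meaningless.
    """
    if pw.lower() in blocklist:
        return {"password": pw, "verdict": "reject", "reason": "on common-password list"}
    bits = entropy_bits(pw)
    return {
        "password": pw,
        "verdict": "ok" if bits >= OK_BITS else "weak",
        "charset": charset_size(pw),
        "bits": round(bits, 1),
        "exhaust_time": human_duration(keyspace(pw) / guesses_per_second),
    }


if __name__ == "__main__":
    for candidate in ("abcdef", "Butterfly", "aB3dE5fG7"):
        print(assess(candidate))
```

Under this fixed-rate model the 9-character mixed-case example comes out at roughly 800 years rather than the post’s 44,530; the exact number depends entirely on the guess rate you assume, which the post does not state, but the shape of the result is the same under any rate: the search space grows by a factor of the charset size for every character added, so length is the lever that matters. The blocklist check comes first for a reason: a long password that is on the list is still cracked almost instantly.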

So once we’ve gone to the trouble of making that impenetrable password, it should be good enough to use on everything, right? Wrong. So very, very wrong. And yet, that is a mistake most of us make. And almost as bad is when we alternate or recycle passwords. Oh, the inconvenience. Yes, it is a royal pain to manage a dozen or more different passwords, never mind that we can’t remember them now. But that pales in comparison to cancelling all your credit cards, then carefully reviewing your bank and card statements from now on. There are ways to manage your passwords, including third-party password manager software. While I can’t say what works best, what I can say is this: if you haven’t already been hacked, you are about to be. This is how you won’t become another data breach statistic on the nightly news.

Welcome to Fortress Security

Your home is your castle. It’s filled with pictures and memories, set up just the way you like, worth more than just the money you paid for it. You buy insurance to cover the cost of replacing it lest anything should ever happen to it, but the truth is, it’s irreplaceable. Nobody wants to go through the heartache or headache of massive loss or damage. But that’s exactly what happens when our computers crash or phones go missing. We put the equivalent of our entire lives on tech devices. We have become a mobile society.

Most people know about anti-virus software and backups. A percentage use these to safeguard their tech and their data. But the reality is that most people have no idea just how vulnerable they are and what their actual exposure to damage and loss is.  Today, the real risk isn’t dropping a phone into a puddle or circuits frying. It’s something lurking in the shadows, waiting for you to swipe your credit card, visit a website, or open an email attachment. Cybercrime has become a significant player in the new global economy, and it’s here to stay.

If only hackers were those sharply savvy caricatures dressed in black we enjoy in movies. But there is nothing charming or funny about gangs of thugs whose sole motivation is to get rich by ruining the lives of others. And that is the true essence of cybercrime. Our personally identifiable information, or PII, is the new currency of the black market. Usernames, passwords, driver’s licence numbers, home addresses: we are broken down to bits and pieces, sold to the highest bidder, who will then recreate a whole new identity at our cost.

As it stands, the black hats are keeping more than one step ahead. For those of us in information security, or InfoSec, it’s a frustrating game of catch-up. Which means damage control more than damage prevention. The stakes are high, the payoffs are huge, and the playing field is global. But knowledge is power in this fight. As malware evolves and data breaches make the nightly news, for the average user that really will mean an ounce of prevention is worth a pound of cure.