Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Government Security

Homeland Security Urges Lenovo Customers To Remove Superfish 134

HughPickens.com (3830033) writes "Reuters reports that the US Department of Homeland Security has advised Lenovo customers to remove "Superfish" software from their computers. According to an alert released through its National Cyber Awareness System the software makes users vulnerable to SSL spoofing and could allow a remote attacker to read encrypted web browser traffic, spoof websites and perform other attacks on Lenovo PCs with the software installed. Lenovo inititally said it stopped shipping the software because of complaints about features, not a security vulnerability. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday. On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software and providing instructions for uninstalling "Superfish". "We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on.""
This discussion has been archived. No new comments can be posted.

Homeland Security Urges Lenovo Customers To Remove Superfish

Comments Filter:
  • by hcs_$reboot ( 1536101 ) on Saturday February 21, 2015 @08:37AM (#49100043)
    "Lenovo began installing Superfish VisualDiscovery software on some of its computers as early as 2010 [wikipedia.org]". And Homeland Security, with all their skillful teams, their heavy means, could not figure out that dirty adware before 2015?
    • by Anonymous Coward on Saturday February 21, 2015 @08:42AM (#49100057)
      it isn't enough to bitch about Lenovo. You also have to take to task the investors who have been keeping Superfish the California startup afloat since 2007. [qntra.net]
      • The last time I checked Superfish was installed in the Flash Video Downloader available from the official Mozilla Addons download website.

        In the FVD source I have locally, the files of interest are superfish_titles.txt and superfish.js which are both in the modules/ directory.

    • "Lenovo began installing Superfish VisualDiscovery software on some of its computers as early as 2010 [wikipedia.org]". And Homeland Security, with all their skillful teams, their heavy means, could not figure out that dirty adware before 2015?

      You assume that homeland security do something useful. The reality is they sit around and wait for some major crisis in the mainstream media. Then they jump up and issue statements, press-releases, and suggestions in a futile attempt to appear relevant and useful.

      • by dbIII ( 701233 )

        You assume that homeland security do something useful

        They run FEMA - heck of a job!
        They also send people around to toy shops to check for copyright violations on Rubik's cubes.
        They also ... I've got nothing.

    • by dbIII ( 701233 )
      The NSA has probably been using it as a backdoor. Oh wait, they are the guys with the Star Trek set designer building their operations room? Maybe not then, maybe just focusing on rewarding ex-employees with very lucrative outsourcing gigs.
  • Hey! We found a chance to get positive PR! Such a rare occurence...contact the spin department!

    • Re: (Score:2, Offtopic)

      by MrL0G1C ( 867445 )

      Exactly, I'm not sure why this story is gracing the front page, I think the Initial story and Lenovo removing it story cover it. Also an MS update removes it anyway.

    • This needs to be modded up to fucking hilarious!!!!
  • as most viruses and trojans today are written for windows.

    • by hcs_$reboot ( 1536101 ) on Saturday February 21, 2015 @08:45AM (#49100067)
      To be fair, 90% OSes in the world are Windows. What do you think would happen if 90% OSes were Linux (besides my complete satisfaction)?
      • Linux would certainly rise the entry level for malware writers, which would make malware writing a less promising market.

        • +1I, that's what I thought.
        • by Kjella ( 173770 ) on Saturday February 21, 2015 @09:33AM (#49100225) Homepage

          Linux would certainly rise the entry level for malware writers, which would make malware writing a less promising market.

          Today's Linux, maybe. The Linux that's been rewritten so 90%+ of the population will use it... doubtful. You'd probably have to make sudo escalation as easy as UAC escalation and once you run as administrator/root it's pretty much game over no matter what system you're on.

          • Number one reason not to use Ubuntu and anything that uses SUDO in a way that it uses the same password as your username password, it's fucking stupid, kill sudo and use SU with a proper root password that's different to your user password. Ubuntu should be shamed for using sudo in such a stupid fashion.
            • by chihowa ( 366380 )

              For the typical Windows/Mac/Ubuntu user who would install malware, the only time they ever type an OS-related password on their system is to perform superuser tasks. Most people don't use passwords on their personal computers and have automatic login set up. The fact that the sudo password is the same as their account password is irrelevant because they only ever use it to perform superuser tasks anyway.

            • Yeah right,
              I remind you of the rant Linus Torvalds had with SUSE where his daughter needed to know the root password to install printers.

              I think a not so super level is required for limited system change rights.
          • by rdnetto ( 955205 )

            Not even today's Linux. How many distros actually have AppArmor/SELinux enabled?

        • by blueg3 ( 192743 ) on Saturday February 21, 2015 @02:37PM (#49101665)

          That may be true.

          It's not applicable in this case, because this is OEM-installed adware. Everything it does can be implemented just fine on a Linux system. The solution is really the same for this sort of thing regardless of whether you're talking Windows or Linux -- don't use the OEM-provided pile of crapware that comes with the machine; install a brand-new copy of just the OS.

      • To be fair, 90% OSes in the world are Windows. What do you think would happen if 90% OSes were Linux (besides my complete satisfaction)?

        I can't say for sure - but I doubt people would be touting the security of Windows.

      • Easy. Shit ware, Trojaned app stores, and fake certicates would come pre-installed on them with Linux too.

        Folks put your linux advocacy aside as linux has Trojans too. They simply aren't targeted as linux users are smarter and can delete them. Not because modern windows is somehow less secure.

        Hasn't been true since XP SP 1 died. Windows today is as secure if not more than linux design wise. It has ACL lists, low rights sandboxing options and so on.

      • by rtb61 ( 674572 )

        That 90% OS's is of course, one great big fat lie. Let's try and count mobile devices in that and as they greatly outnumber desktops and that doesn't include servers either. So yeah, windows, they are well below 50% and falling fast with regard to OS installations. When it comes to Lenovo and superfish and their intent was to 'supplement the shopping experience', seriously piss of you public relations shit heads, that makes them a dead product manufacturer for at least a decade, simply not to be trusted, r

      • To be fair, 90% OSes in the world are Windows. What do you think would happen if 90% OSes were Linux (besides my complete satisfaction)?

        Then the year of the Linux desktop would be 3 years away instead of 5 years away.

    • as most viruses and trojans today are written for windows.

      Are you suggesting that Lenovo couldn't have done this if Linux was preinstalled?

      • Are you suggesting that Lenovo couldn't have done this if Linux was preinstalled?

        Lenovo wouldn't have dared doing it.

        • Wut? I know Linus is a bit of a hard case, but I kinda doubt that Lenovo shivers in their corporate boots every time they here his name mentioned.

    • What about all those nefarious apps in the Android app store? Do you recommend not using Android either?

  • Head on? (Score:5, Informative)

    by Anonymous Coward on Saturday February 21, 2015 @08:44AM (#49100065)

    They've been doing nothing but putting spin on this since it blew up in their face. Claiming they installed it to enhance the user's experience instead of because they were paid to. Claiming there's no security risk. Claiming they stopped it because of complaints of the "features", rather than because their customers believed it to be intrusive and dangerous. Claiming it can be simply and completely removed with a standard uninstall, which does not remove the custom certificate and vulnerability. Retracting statements and making apologies while dodging the actual issue.
    I don't expect many will accept this as a suitable definition of "head on".

    • Re:Head on? (Score:4, Insightful)

      by Mr D from 63 ( 3395377 ) on Saturday February 21, 2015 @09:22AM (#49100183)
      The best PR move Lenovo could make right now would be to file a lawsuit against Superfish for damages caused.
      • Someone needs to sue these dicks- if I had to repair my computer for national security reasons because of someone's incompetent malfeasance, I would want to get paid for the time wasted. If you're a lawyer specializing in class action suits, this warning from the DHS is like a Superfish on a platter!
    • They've been doing nothing but putting spin on this since it blew up in their face.

      Spin. Present day corporatese for lies and deception.

      My, how those ugly accusations have been made to sound pretty.

    • by Anonymous Coward

      Yes, they were disingenuous about the intent. The claim that there was no security risk was due to incompetence rather than trying to lie, and to be fair, no one had highlighted the TLS proxy facet until recently and that statement came a significant time ago. I think this is more incompetent bungling more than willful maliciousness. For the past that's of no significant comfort, but it does suggest they could learn from their mistakes.

      Besides, Lenovo isn't the only delivery vector here. There's a crap

    • I don't expect many will accept this as a suitable definition of "head on".

      In less than a day it has gone from scandal to basically resolved. Let me reword that sentence for emphasis: The company has responded to the issue within a day of complaints. Honestly how many companies have done this? How long was the Sony rootkit an issue before they released an uninstall? 2 years! How long do we wait for major security vulnerabilities to be resolved from the worlds largest software vendors? Often months, sometimes that long even after public disclosure.

      PR drones are idiots, if they were

      • by Khyber ( 864651 )

        "In less than a day it has gone from scandal to basically resolved."

        What? Not even close! What about the damage this shit does to OTHER PROGRAMS I INSTALL that Lenovo has no business touching? Their fix DOESN'T FIX THAT.

        And you call the issue resolved? How easy to appease are you?

        • Care to cite examples of ongoing sustained damage that isn't resolved by removing the offending program and the associated SSL certificate?

          • by Khyber ( 864651 )

            Uh, yea. Trust of ANY program on your computer. Damage is done and continuing to be dealt.

      • In less than a day it has gone from scandal to basically resolved

        LMFAO!!! Not even close. Its only been less than a day SINCE YOU HEARD ABOUT IT. They've been in the media for installing Superfish for the last 5 years. It just finally hit mainstream media, and they resolved it in less than a day since it blew up in their faces.

      • by DingerX ( 847589 )
        And only a month after the first public posting of the vulnerability, in their own forums.

        Some guy accurately describes the vulnerability, complete with screenshots showing a Superfish-signed online banking page, and posts it to the public Lenovo Security-Malware support forum, and they take no public action for 29 days; yet around the same time, they stopped installing the software on new machines. Only when it's a scandal do they first make statements that are designed "to defuse the situation", which, i
  • by ClaraBow ( 212734 ) on Saturday February 21, 2015 @09:03AM (#49100125)
    Does anyone know if other computer manufactures have used Superfish software? Software installers? Just curious if other manufactures also bought the sales pitch from the Superfish sales team.
    • According to the wiki [wikipedia.org] only "some" Lenovo are affected. But according to the same page, that fat fish has ~100m users monthly. So it is likely other products are affected...
      • by FlynnMP3 ( 33498 )

        At least that wikipage has decent references on it. Some portions of wikipedia are no better than getting dating advise from bathroom stall scribblings.

        • At least that wikipage has decent references on it. Some portions of wikipedia are no better than getting dating advise from bathroom stall scribblings.

          [ citation needed ]

    • by nyet ( 19118 )

      Superfish is just the tip of the iceberg.

      Corrupting a Windows machine's CA store is very common in "enterprise" environments where your employer wishes to proxy all outgoing SSL/TLS connections.

      The fact that most people are completely unaware of this is disturbing, but unsurprising.

      • My employer is allowed to monitor all I do on their hardware. It is their hardware on their network in the time they pay me for.

  • by BlueTrin ( 683373 ) on Saturday February 21, 2015 @09:04AM (#49100131) Homepage Journal
    The agency could educate more the population. As it stands, this advice is superfishal.
  • This is a consumer protection function. For goodness sake. Give it to the commerce dept.
  • by Anonymous Coward

    Its a G series consumer model.
    It doesn't have "Superfish", never has had. I followed the manual removal procedure and didn't find any references to it.

    Of course, this is probably only a feature of US Lenovo laptops, Lenovo Europe has probably got an equivalent fishing/manipulation system called someting else and are keeping quiet about it. "We don't install Superfish! OhhhNooooooo!!!!!".

  • by Anonymous Coward

    Petah Tiqva, Israel.

  • by Shoten ( 260439 )

    I think it's interesting that Lenovo posts not just the "Automatic Removal Tool," but also the source code to the tool. What I want to know is this: has anyone compiled it, and managed to get their compile options/environment such that they came up with a binary that matches the downloadable tool?

    • On Windows using MSFT's compilers you'll never get the same binary twice. There's timestamps and GUIDs (the latter for uniquely associating a pdb with an executable file). Different file paths to the source tree can also cause differences. Sometimes it's straightforward to pick out & ignore the GUID, timestamp, and checksum bytes that changed, but often not.

  • or Run away from companies that literally attempt to cause consumers security problems and consumers should never come back. That's the only way companies are going to learn to be buyer/customer oriented.

  • Homeland Security wants you to remove this from your system because something in it is messing with the NSA's ability to easily peer into said system? Just a thought.
    • by Lehk228 ( 705449 )
      no they want you to run the update^H^H^H^H^H^Hremoval tool so you can be updated to superfish 2015 which is PRISM-compliant.
  • Why, thank you! I had no idea you cared!

    Homeland security is now an expert on computer security? Will they do as wonderful a job here as they've done at airports? Will Americans soon have to flash their national IDs at the computers before being allowed on the Internet?

    What the devil is Homeland Security doing issuing such a statement? Mission creep to the nth degree...

  • by CanEHdian ( 1098955 ) on Saturday February 21, 2015 @09:51AM (#49100327)

    Hello!

    We, your neighbourly friends over at DHS got your back and we've provided a convient uninstaller for that nasty pieve of Chinese spyware a/k/a Superfish. Please indicate if you are a US Citizen/Resident* then click download, run and just click Yes to run as an Administrator. Kthxbye!

    * US Citizens/Residents will be provided by a similar download from our technology partners at gchq-dl.gov.uk.

  • by Walter White ( 1573805 ) on Saturday February 21, 2015 @10:03AM (#49100375)

    http://windows.microsoft.com/e... [microsoft.com]

    And get rid of all of the other crapware that Lenovo put on your PC in one fell swoop. No doubt it will take more effort to do it this way but it will also be more complete. (I have no idea if this works outside the US.)

    For further information I wold check the ideapad section at notebookreview.com where you can find reinstallation help (including the thread I just started.)

    • This page [fsf.org] seems to work fine for most users.
    • Lenovo has an "advisory" here [lenovo.com].

      Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively

      What nerve!

      • I met a spammer once when I was out of work and thought I'd take anything. He had a similar attitude to the above quote and said he was just informing people of the options available for porn and penis enlargement. Turns out I wasn't quite ready to take anything, but maybe mostly because it didn't look like I could trust him to pay me either.
  • by jones_supa ( 887896 ) on Saturday February 21, 2015 @10:29AM (#49100475)
    Superfish has been added to malware database of Windows Defender (the integrated virus protection of Windows). A lot of Windows machines are already ringing alarm bells.
  • Because, just like with robbery, the government hates competition.

  • DHS wants a few thousand Lenovo PC owners to do this while their cronies are hacking and spying on everybody worldwide whether they own a PC, smartphone or not. Look over there! A Chinaman named Lenovo and you should be very afraid! Sick. Of. It.
  • Too late.

    If it's already been exploited to install other malware, removing the loader for that malware isn't going to get rid of the malware that came in while the door was being held open by Superfish.

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...