Monday, March 2, 2015

Lenovo, Cyberattacks and the Global Economy

The recent news about Lenovo Computer adding "Superfish" software (aka Adware) to its computers last fall (2014) inspired me to think about our global economy and computer infrastructure. How threatened is our way of life by these events and the increasing complexity of our world?

Lenovo installed Superfish, which caused specific ads to be displayed on the affected computer based on the user's web browsing choices. Programs like Superfish are called "adware", short for advertising software, more affectionately termed "bloatware" or "crapware."

Advertising software, or advertising supported software, is defined, by Wikipedia, as "any software package which automatically renders advertisements in order to generate revenue for its author." Newer adware is designed to analyze which internet sites the user visits and presents advertising "pertinent to the types of goods or services featured there", according to Wikipedia.

Below is a non-exhaustive list of applications that bundle toolbars or unwanted add-ons with their installer (source: Wikipedia).
  • Absolute Uninstaller - Ask toolbar
  • Ad-Aware - Google Chrome
  • Adobe Flash Player - Google toolbar
  • AnVir Task Manager Free - Dealio toolbar
  • Any Video Converter - Google Chrome
  • AOL Instant Messenger - AOL toolbar
  • avast! Free Antivirus - OpenCandy
  • AVG Free - Yahoo toolbar
  • AVG LinkScanner - Yahoo toolbar
  • BitComet - Google toolbar
  • BitTorrent - Ask toolbar
  • BS.Player - BS.ControlBar
  • Burn4free - 1Click DVD Copy Pro
  • BurnAware Free - ASK toolbar
  • CCleaner - Yahoo toolbar
  • CDBurnerXP - OpenCandy
  • ClamWin - Ask toolbar
  • COMODO Internet Security - ASK toolbar
  • Core Temp - Search Enhancement
  • CPU-Z - ASK toolbar
  • CrystalDiskInfo - OpenCandy
  • CrystalDiskMark - OpenCandy
  • CSmenu - Ask toolbar
  • CutePDF Writer - ASK toolbar
  • DarkWave Studio - OpenCandy
  • Defraggler - Google toolbar
  • Devpad - Babylon toolbar
  • Dexpot - OpenCandy
  • Driver Sweeper - Open Candy
  • ExtractNow - Registry Reviver
  • FlashGet - Google toolbar
  • FLVPlayer4Free - Video Download toolbar
  • Fotosizer - Dealio toolbar
  • Foxit Reader - Ask toolbar
  • Free Process Freezer - FLV Direct Player
  • FreeCommander - eBay shortcuts
  • Freemake Audio Converter, Video Converter, Video Downloader - Facemoods toolbar
  • Glary Utilities - Ask toolbar
  • Gom Player - ASK toolbar
  • HWMonitor - ASK toolbar
  • ICQ - ICQ toolbar
  • IE7Pro - Grab Pro toolbar
  • Image Tuner - ASK toolbar
  • ImgBurn - ASK toolbar
  • Immunet - Ask toolbar
  • IObit SmartDefrag - IObit toolbar
  • IObit Advanced SystemCare - Yahoo toolbar
  • IrfanView - Google toolbar
  • ISO Workshop - ASK toolbar
  • IZArc - Registry Booster
  • MediaCoder - Nitro PDF Reader
  • MediaInfo - OpenCandy
  • Miro - Ask toolbar
  • Moo0 Software - Autocomplete Pro
  • µTorrent - µTorrent toolbar
  • Nero Free - ASK toolbar
  • Orbit Downloader - Grab Pro
  • PC Tools Spyware Doctor - Google Toolbar
  • PC Tools Firewall Plus - Google Toolbar and Threatfire
  • PC Tools ThreatFire - Google Toolbar
  • PC Wizard - ASK toolbar
  • PDFCreator - Yahoo toolbar
  • PDF-XChange Viewer - ASK toolbar
  • Photobie - OpenCandy
  • PhotoFiltre - ASK toolbar
  • PicPick - Bing toolbar
  • Quick StartUp - ASK toolbar
  • Quicksys RegDefrag - ASK toolbar
  • RapidTyping - Bing toolbar
  • RarZilla Free Unrar - ASK toolbar
  • Recuva - Yahoo toolbar
  • Registry Repair - ASK toolbar
  • Satellite Antenna Alignment - Relevant Knowledge
  • SIW - Crawler toolbar
  • Skype - Google toolbar
  • Spider Player - Bing toolbar
  • Spyware Terminator - Web Security Guard
  • SUMo - Facemoods, Autocomplete Pro
  • SUPER - OpenCandy
  • Sweet Home 3D - Open Candy
  • Trillian - Ask toolbar
  • Tweak Me! - Nitro PDF Reader
  • Unlocker - Bing toolbar
  • USB Guardian - BestSecurityTips toolbar
  • µTorrent - Bing toolbar
  • Vista Codec Package - Bing toolbar
  • WebShot - OpenCandy
  • Win7codecs - Bing toolbar
  • Winamp - Winamp toolbar
  • Windows 7 Codec Pack - Dealio toolbar
  • Windows Essentials Codec Pack - Babylon toolbar
  • WinSCP - OpenCandy
  • XP Smoker - Bing toolbar

So what is the problem with this and why did Lenovo allow this to happen? After all, it potentially violates the "Defense in Depth" strategy for protecting computer systems (shown in the above diagram – courtesy of Microsoft).

The problem with it is twofold. To examine the first problem we need to look at the five stages of a cyberattack. According to an article entitled "Understanding What Happens in A Cyberattack," Processor magazine, February 6, 2015:
"Although no attacker sits down and thinks 'now I'm in phase one,' says Daniel Kennedy, research director at 451 Research, there are general phases or steps of attack that explain how a cybercriminal penetrates a system. The first step includes 'reconnaissance, learning about the target system, [and identifying] potential targets for social engineering.' In step two, attackers scan, determine, or probe the system for vulnerabilities. Step three involves gaining access via one or more of those vulnerabilities. Step four is about maintaining access, which can involve 'closing the initial vulnerability used and installing a backdoor, or pivoting off of an initially gained access to further gain access to more sensitive downstream systems.' Step five focuses on destroying evidence of the intrusion and covering tracks."
Mr. Kennedy notes that "some common methods of attack include exploiting weakness via web applications, administrative systems, brute forcing credentials, phishing for access credentials, malware, RAM scrapers, key loggers and root kits." Threats may be internally or externally instigated. While internal threats are typically the most effective and the most difficult to detect, external threats are becoming increasingly sophisticated.

According to James Bickley, director of disputes and investigations, Navigant Consulting (Processor magazine, February 6, 2015), a cybercriminal "might leave multiple pieces of malware in an enterprise once access is obtained and have some of it remain dormant to fool the enterprise into believing the network is secure."
"Attackers may also leave behind a 'toolkit,' Bickley says, 'to actually write malware inside the enterprise.' This is particularly difficult to locate, he adds, because it didn't exist to be detected prior to breaching the system."
So what does this have to do with the recent Lenovo Superfish incident? There are two problems with this incident.

The first problem is that Superfish creates a "potential security hole." The program reaches out from the network, sending information about the user's browsing to the web. While this might or might not be directly exploitable by a cybercriminal, the hole is still there.

The second problem is more insidious. It turns out that the root certificate used by the Superfish program was produced by a firm named Komodia.
"Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF's Intelligence Corps. A custom solution provider to customers worldwide, Komodia first released its open source TCP/IP library in 2001. Through numerous projects in the past ten years, the company has found a niche in multiple areas of programming with one common theme: scarce documentation and a lack of experts. Today the company is focused on marketing its flagship product:"
Some interesting facts about Komodia include:
"Komodia's Redirector allows you to change TCP/IP network sessions with a few simple clicks. The platform intercepts traffic on the local machine based on rules that you define, and it includes many built-in functions that you can use without writing a single line of code (if you need a solution that only sniffs the network traffic without modifying it, visit Komodia's Interceptor web page)."
These root certificates are defined as:
"In cryptography and computer security, a root certificate is an unsigned public key certificate, or a self-signed certificate, and is part of a public key infrastructure scheme. The most common commercial variety is based on the ISO X.509 standard. Normally an X.509 certificate includes a digital signature from a certificate authority (CA) which vouches for correctness of the data contained in a certificate."
"Root certificates are implicitly trusted. They are included with many software applications. The best known is Web browsers; they are used for SSL / TLS secure connections. However this implies that you trust your browser's publisher to include correct root certificates, and in turn the certificate authorities it trusts, and anyone to whom the CA may have issued a certificate-issuing-certificate, to faithfully authenticate the users of all their certificates. This (transitive) trust in a root certificate is merely assumed in the usual case, there being no way in practice to better ground it, but is integral to the X.509 certificate chain model." – [source: http://en.wikipedia.org/wiki/Certificate_authority]
The following excerpt from the Ars Technica website gives a good idea of the depth of the problem (from: http://arstechnica.com/security/2015/02/ssl-busting-code-that-threatened-lenovo-users-found-in-a-dozen-more-apps/).

SSL-busting code that threatened Lenovo users found in a dozen more apps
"What all these applications have in common is that they make people less secure."
A browser's root certificate helps encode communications back and forth with a secure web site, such as a bank or email service, so that messages can't be read by anyone else. The problem was that the replacement certificate from Superfish could be easily cracked by hackers, who could then pose as the secure web site and steal a user's passwords or other sensitive data.
A security researcher who goes by the Twitter handle @TheWack0lian said an additional piece of software known as SecureTeen also installed Komodia-enabled certificates. Over the weekend, the researcher also published findings documenting rootkit technology in Komodia code that allows it to remain hidden from key operating system functions.
Web searches for many of these titles uncover forum posts in which computer users complain that some of these applications are hard to remove once they're installed. Richard noted that he was unable to find documentation from any of the publishers explaining what effect Komodia software had on end-user PCs such as its ability to sniff passwords and other sensitive data from encrypted Web sessions.
The vulnerability was considered so serious that the Homeland Security Department's Computer Emergency Readiness Team issued an alert, as well, with additional advice for detecting and removing Superfish. Microsoft (MSFT) also got into the act and added Superfish removal to its Windows Defender antivirus app.
Over the weekend, researchers at Facebook (FB) reviewed data from the millions of browsers that contact the company's web site and found similarly weakened root certificates installed by other apps, not just Superfish. The culprits were a mixed bag of games, adware and other apps of unknown purpose. Eventually, antivirus programs should be updated to eliminate these weakened root certificates and restore browsers' proper certificates.
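The transitive trust the Wikipedia passage describes, and the kind of issuer check behind the Facebook finding above, can be shown in a few lines of standard-library Go. This is an added example, not code from this post, from Lenovo, Superfish, Komodia or Facebook; every name in it ("Injected Root", "bank.example", "Trusted Public CA") is constructed. A self-signed root vouches for a certificate naming bank.example, and the browser-side verdict turns out to depend only on whether that root sits in the trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a self-signed root CA when parent is nil (the kind an installer can drop
// into the trust store), otherwise a server certificate for cn signed by parent's key.
func makeCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		DNSNames:              []string{cn},
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// IssuerMismatch is the check behind the Facebook finding quoted above: a site's
// chain should end at its known public CA, not at a root injected into the local store.
func IssuerMismatch(leaf *x509.Certificate, expectedIssuerCN string) bool {
	return leaf.Issuer.CommonName != expectedIssuerCN
}

// Scenario: a constructed "Injected Root" vouches for a cert naming bank.example.
func Scenario() (trustedWithRoot, trustedWithoutRoot, issuerFlagged bool) {
	root, rootKey := makeCert("Injected Root (constructed)", nil, nil)
	leaf, _ := makeCert("bank.example", root, rootKey)
	store := x509.NewCertPool()
	store.AddCert(root)
	_, errWith := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: "bank.example"})
	_, errWithout := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "bank.example"})
	return errWith == nil, errWithout == nil, IssuerMismatch(leaf, "Trusted Public CA (constructed)")
}
```

Scenario returns true, false, true: the same certificate is accepted for bank.example only while the injected root is in the store, and a client comparing the observed issuer against the expected public CA would flag it.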
When the world's number one computer manufacturer and distributor sells computers with built-in security holes, this potentially bypasses step one, and potentially step two, of the cyberattack process. Cybercriminals can immediately work on gaining access via the already identified vulnerabilities.

Of the 315 million computers sold worldwide in 2014 (source: Wikipedia), Lenovo sold about 18%. This would amount to about 50 million for the year and an estimated 10 million during this period (Q4). While not all of the Lenovo line of computers included this potentially harmful software, enough did to create a stir among the security and computer blogs that I follow.
"Consolidated sales for Lenovo's laptop PC business worldwide in the fourth fiscal quarter increased 16 percent year-over-year to US$4.8 billion, accounting for 51 percent of the Company's overall sales. During the same period, Lenovo's worldwide laptop PC shipments increased 12.9 percent, against the backdrop of an overall industry decrease of 5.8 percent." Source: http://news.lenovo.com/article_display.cfm?article_id=1795
I have three Lenovo laptop computers, all of which are used in our network. They work very well and none of them have presented any problem. I must say that I am dismayed at this action by a company that makes such a fine product.

Now that you understand some of the problems with "adware" and the number of computers impacted, and have an idea of the methodology of cyberattacks, we can explore the implications for our global society. As noted before, one of the basic principles of computer and network security is defense-in-depth. One of the immediate global implications is that the potential security hole threatens not just the computer with the adware, but possibly any computer connected to it.

There is clearly a fight for global growth and increasing sales revenue in an exceedingly competitive technology market. All of the major computer manufacturers, such as Dell, Apple and Lenovo, are locked into a struggle to increase market share. Profits per computer sold are falling significantly due to extreme competition between chip and other component manufacturers.

It is for that reason that companies like Lenovo might consider, and Lenovo apparently did consider, installing such software. They reportedly increased their revenue by a few dollars per machine, paid by the software developer, for the installation. Needless to say, the software developer was able to get its software in front of a large number of computer users (even if it was undetectable), for which advertisers probably paid large fees. While, as noted earlier, this "adware" or "bloatware" is common in the industry, users don't particularly like it. It tends to slow computers down and is commonly accepted as the price to pay for "inexpensive computers."

This case, however, pointed out the extreme vulnerability of this model. If it had only been the adware, Lenovo might have had a few disgruntled customers. However, because of Komodia's involvement, the problem became far more sinister. As noted earlier, Komodia's use of easily cracked passwords for its Superfish certificates opened up a large security hole in the system. It also demonstrated the vulnerability of using external code, over which you may have no control, or even knowledge of the depth of the potential problem. What Lenovo thought would be an innocuous piece of software, with which it could increase its bottom line, clearly backfired.

It seems that the needs of the top executives, board of directors and shareholders trumped the needs of the customers. This seems to be occurring more and more in a world dominated by "mega" corporations such as Lenovo, Verizon, ATT and Apple. It seems that there has been a change in the way business is conducted. Business ethics have been corrupted by corporate and political greed on a massive scale.

My EPub "World Collapse or New Eden" presents a look at some of the changes in business ethics from 2008 to today. There was a time when the majority of businesses could balance these aspects of commerce in a reasonable manner. Certainly, some large corporations are better than others on the scale of ethics. However, in my opinion, the majority of them are in lock step with our political system and are sliding seriously toward the negative end of the spectrum. This does not bode well for the global economy.

Technology presents great hope for a bright future. New advances in technology will advance medicine, communications, resource development, food production and the exploration of space, to name a few. My EPub "EROS, Journey to an Asteroid" shows the promise of technology and what can be accomplished with it.

However, these advances in technology have to be coupled with wisdom, vision and ethics [i.e. morality]. I remember the small town shopkeepers of my Dad's and granddad's generations. While they wanted to make a "profit" and a "good living", they were also part of a community. These "mom and pop" stores valued the "sale", but they valued their customers and the relationship they had with them even more. Their business was less of a revenue generation model and more of a service model. Unless we get back to the service approach to business and business ethics, the promise of technology will be available and affordable only to those who have the resources [i.e. the "top 1%"].

Sincerely,

H. Court Young
Author, publisher, speaker and geologist
Promoting awareness through the written word
Research, freelance writing & self-publishing services
Facebook: HCourtYoung
Phone: 303-726-8320

Email: tmcco@msn.com

Twitter: http://twitter.com/hcourtyoung