Lenovo Group Ltd. apologized to customers as it works with users to enable laptop computer owners to remove pre-installed software that potentially exposed them to hacking attacks and unauthorized activity monitoring.
The technology used by Superfish essentially breaks the encryption between Web browsers and banking, e-commerce and other sites that handle sensitive information, potentially exposing machines to hacking.
The use of Superfish software only impacted consumer laptops and didn’t violate any parts of Lenovo’s agreements with the U.S. government and the Committee on Foreign Investment in the United States, which lay out rules for ways the manufacturer’s products will be designed in order for the company to sell products to the U.S. government and businesses.
Superfish essentially tricks Web browsers into believing that it’s the bank or search engine or e-commerce site that users are trying to reach, which allows the software to intercept communications and monitor behavior.
Early today (Feb. 21), Robert Graham, CEO of Atlanta-based Errata Security, posted detailed instructions on his blog on how to create a malicious Wi-Fi hotspot to exploit the security vulnerability that the Superfish adware creates on Lenovo laptops.
"This example proves that this exploit is practical, not merely theoretical, as claimed by the Lenovo CTO," Graham wrote.
For about $50, a malicious hacker could build a similar hotspot, name it "Starbucks HotSpot" and bring it into your local coffee shop. Any user of an affected Lenovo laptop who connected to the Internet using that hotspot could have all her or his banking, social-media and shopping sessions intercepted and decrypted, and the associated accounts broken into and taken over.
There are three major players in the debacle: Lenovo, the “visual search” startup Superfish, and software “solution provider” Komodia. Lenovo included Superfish’s adware on its laptops. In order to inject its own recommendations into users’ search results, Superfish used Komodia’s technology in its adware. Lenovo has distanced itself from Superfish; Superfish has pointed the finger at Komodia.
Barak Weichselbaum, who marketed an “SSL Digestor”/“SSL Hijacker” that not only defeated SSL security connections but contained the security hole that compromised all certificates on a machine—a true worst-case scenario. Weichselbaum was smart enough to figure out how to defeat SSL certificate authentication, but not smart enough to realize he was defeating user security itself in the process.
Weichselbaum has helpfully documented the history of his security-buster on his Komodia blog. He details his adventures with Windows’ network-intercepting “Layered Service Providers” (LSP).
Komodia’s little skeleton key has made it into a lot of other software, including parental control software and anti-adware software.
Antivirus company Lavasoft rather ironically bundled Komodia into its Ad-Aware Web Companion. (To its credit, Lavasoft came clean immediately.)