Podcast #466 - ECS Z270, Clutch Chairz, AMD market share, Lenovo Yoga, and more!

Subject: General Tech | September 7, 2017 - 09:46 AM |
Tagged: z270, Yoga 920, Yoga 720, video, Threadripper 1900x, superfish, skylake-x, podcast, Lenovo, IFA 2017, HP S700 Pro, GTX 1080, gigabyte, ECS, Die shot, Core i7-6700K, Core i5-6600k, Clutch Chairz, Aorus X5, amd

PC Perspective Podcast #466 - 09/07/17

Join us for discussion on ECS Z270 motherboards, Clutch Chairz, AMD market share, Lenovo Yoga, and more!

You can subscribe to us through iTunes and you can still access it directly through the RSS page HERE.

The URL for the podcast is: http://pcper.com/podcast - Share with your friends!

Hosts: Ryan Shrout, Josh Walrath, Allyn Malventano

Peanut Gallery: Ken Addison, Alex Lustenberg

Program length: 1:15:50

Podcast topics of discussion:
  1. Week in Review:
  2. News items of interest:
    1. 0:25:05 Casper
  3. Hardware/Software Picks of the Week
    1. 1:09:10 Allyn: FolderTimeUpdate
  4. Closing/outro


A Superfishy legal judgement

Subject: General Tech | September 5, 2017 - 02:47 PM |
Tagged: superfish, Lenovo

Lenovo's executives just breathed a sigh of relief as the final judgment in the case against them for the Superfish fiasco was released. The court decided that, as this was Lenovo's first offense, they would not be fined; instead they have only been asked to follow procedures that most would assume they already had to. Superfish was a generic root certificate that was pre-installed on many Lenovo machines and allowed the injection of ads into even HTTPS websites, which also meant it could be used to infect your machine via malware-laden ads taking advantage of the easily replicated root certificate.

According to Slashdot, all Lenovo has been ordered to do is conduct security audits for the next two decades, notify users of the existence of pre-installed software that collects data or serves ads, and let users choose not to install those programs.

"Instead, the settlement requires Lenovo to give clear notice to customers of any data collection or ad-serving programs bundled on their laptops, and get affirmative consent before the software is installed. Lenovo also agreed to conduct an ongoing security review of its bundled software, running regular third-party audits for the next 20 years."


Source: Slashdot

Just say no to Accelerator support applications; yet another Lenovo vulnerability

Subject: General Tech | June 3, 2016 - 04:10 PM |
Tagged: Lenovo, security, idiots, superfish

At some point they may learn, but obviously not yet, as Lenovo's Accelerator support application opens two vulnerabilities on systems with the application installed. As it uses unencrypted transmissions during the update process and does not verify the application you receive, you are vulnerable to man-in-the-middle attacks. There are 6 notebook and 25 desktop lines with this issue, although ThinkPads and ThinkStations are not on the list. If you have the software you should remove it immediately. More over at The Register.

"Duo Security researcher Mikhail Davidov reported the holes that would allow eavesdropping attackers to tap into Accelerator's unencrypted update channels to compromise users."

Source: The Register

Microsoft to Reclassify Certain Ad-Injectors as Malware

Subject: General Tech | December 24, 2015 - 05:52 PM |
Tagged: microsoft, windows defender, adware, Malware, superfish

The Microsoft Malware Protection Center has announced that, on March 31st, 2016, certain types of advertisement-injection will be reclassified as malware. This does not include all forms of ad-injection, just ones which use confusing, difficult to remove, or insecure methods of displaying them. Specifically, adware must use the browser's default extension model, including their disable and remove functions. Recent adware has been known to modify DNS and proxy settings to force web traffic through a third party that injects ads, including secure websites using root certificates.

In other words, Superfish.

An interesting side-story is that, while Microsoft requires that adware uses default browser extensions, Microsoft Edge does not yet have any. Enforcement doesn't start until March 31st, but we don't have a date for when extensions arrive in Microsoft. I seriously doubt that the company intends to give Edge a lead-time, but that might end up happening by chance. The lead time is probably to give OEMs and adware vendors a chance to update their software before it is targeted.

The post doesn't explicitly state the penalties for shipping adware that violates these criteria, but the criteria are used for antimalware tools. As such, violators will probably be removed by Windows Defender, but that might not be the only consequence.

Source: Microsoft

What the hell Dell?

Subject: General Tech | November 24, 2015 - 12:42 PM |
Tagged: dell, superfish, security, edellroot

As Scott mentioned yesterday, Dell refused to learn from Lenovo's lesson and repeated the exact same mistake with eDellRoot, a self-signed root CA cert with an unknown purpose. Unlike SuperFish, which was there to allow targeted ads to be displayed, eDellRoot serves an unclear purpose apart from a mention of Microsoft-like "easier customer support", but it exposes you to the exact same security risks as SuperFish does. You could remove the cert manually; however, as it resides in Dell.Foundation.Agent.Plugins.eDell.dll it will return on next boot and can return on fresh Windows installs via Dell driver updates, something which will be of great concern to their business customers.

Dell has finally responded to the issue, "The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability." and provided a process to remove the certificate from the machine permanently in this Word Document.  You can check for the presence of the cert on your machine in those two links. 

However, the best was yet to come, as researchers have found a second cert, as well as an expired Atheros Authenticode cert for Bluetooth and its private key, on a limited number of new Dell computers. As Dell made no mention of these additional certificates in their statement to the press, it is hard to give them the benefit of the doubt. The Bluetooth cert will not make you vulnerable to a man-in-the-middle attack; however, the second cert is as dangerous as eDellRoot and can be used to snoop on encrypted communications. The second cert was found on a SCADA machine which is, as they say, a bad thing.

We await Dell's response to the second discovery as well as further research to determine how widespread the new certs actually are.  So far Dell XPS 15 laptops, M4800 workstations, and Inspiron desktops and laptops have been found to contain these security issues.  The chances of you falling victim to a man in the middle attack thanks to these security vulnerabilities are slim but not zero so be aware of them and keep your eyes out for them on your systems.  With Lenovo and Dell both being caught, it will be interesting to see if HP and other large vendors will learn this lesson or if it will take a third company being caught exposing their customers to unnecessary risks.

"A second root certificate and private key, similar to eDellRoot along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert."

Source: Slashdot

Security Professionals Find eDellRoot Superfishy

Subject: Systems | November 23, 2015 - 09:25 PM |
Tagged: dell, superfish, edellroot

The pun was too tempting, but don't take it too seriously even though it's relatively similar. In short, Dell installs a long-lived, root certificate on their machines with a private key that is now compromised (because they didn't exactly protect it too well). This certificate, and the compromised private key, can be used to sign secure connections without needing to be verified by a Certificate Authority. In other words, it adds a huge level of unwarranted trust to phishing and man-in-the-middle attacks.

Dell has not really made any public comment on this issue yet. I don't really count the tweet from Dell Cares, because customer support is a terrible source for basically any breaking news. It's best to wait until Dell brings out an official statement through typical PR channels before assuming what their position is. Regardless of what they say, of course, your security will be heavily reduced until the certificate and eDell plug-in are removed from your device.

I'm really just wondering if Dell will somehow apologize, or stick to their guns.

Source: Duo Security
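
As an added example (not from the original posts or from Dell's removal instructions), the PowerShell below audits the Windows trusted-root stores for the condition both Dell posts above describe: a root CA matching the certificate names mentioned on this page, or any trusted root whose private key is present on the machine. Matching on the substrings `eDellRoot` and `Superfish` is an assumption; the second Dell certificate is not named on the page, so it can only be caught here by the private-key check.

```powershell
# Added example: audit trusted-root stores for vendor-installed root CAs.
# Run in PowerShell on Windows; read-only, it removes nothing.

# Subject fragments taken from the certificate names mentioned in the posts.
# Substring matching is an assumption; inspect any hit before acting on it.
$SuspectNames = @('eDellRoot', 'Superfish')

function Test-RootCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$Names = $SuspectNames
    )
    $reasons = @()
    foreach ($n in $Names) {
        if ($Cert.Subject -like "*$n*") { $reasons += "subject matches '$n'" }
    }
    # A trusted root whose private key sits on the endpoint can be used to
    # sign certificates that this machine (and its siblings) will accept.
    if ($Cert.HasPrivateKey) { $reasons += 'private key present on this machine' }
    return $reasons
}

function Get-SuspectRootCertificate {
    # CurrentUser\Root is a merged view, so a machine-wide root may be listed twice.
    param([string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))
    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $reasons = @(Test-RootCertificate -Cert $cert)
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = $reasons -join '; '
                }
            }
        }
    }
}

$findings = @(Get-SuspectRootCertificate)
if ($findings.Count -eq 0) {
    'No matching root certificates found.'
} else {
    $findings | Format-List
}
```

Because the post above notes that the certificate returns on the next boot while the Dell plug-in is installed, re-run the check after a reboot to confirm a removal actually held.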

So Long Adware, and Thanks for All the Fish!

Subject: Graphics Cards | March 1, 2015 - 07:30 AM |
Tagged: superfish, Lenovo, bloatware, adware

Obviously, this does not forget the controversy that Lenovo got themselves into, but it is certainly the correct response (if they act how they imply). Adware and bloatware is common to find on consumer PCs, which makes the slowest of devices even more sluggish as demos and sometimes straight-up advertisements claim their share of your resources. This does not even begin to discuss the security issues that some of these hitchhikers drag in. Again, I refer you to the aforementioned controversy.

In response, albeit a delayed one, Lenovo has announced that, by the launch of Windows 10, they will only pre-install the OS and “related software”. Lenovo classifies this related software as drivers, security software, Lenovo applications, and applications for “unique hardware” (ex: software for an embedded 3D camera).

It looks to be a great step, but I need to call out “security software”. Windows 10 should ship with Microsoft's security applications in many regions, which really questions why a laptop provider would include an alternative. If the problem is that people expect McAfee or Symantec, then advertise pre-loaded Microsoft anti-malware and keep it clean. Otherwise, it feels like keeping a single finger in the adware take-a-penny dish.

At least it is not as bad as trying to install McAfee every time you update Flash Player. I consider Adobe's tactic the greater of two evils on that one. I mean, unless Adobe just thinks that Flash Player is so insecure that you would be crazy to install it without a metaphorical guard watching over your shoulder.

And then of course we reach the divide between “saying” and “doing”. We will need to see Lenovo's actual Windows 10 devices to find out if they kept their word, and followed its implications to a tee.

Source: Lenovo

Just wait, blacklisting dangerous root certificates will lead to a legal battle

Subject: General Tech | February 23, 2015 - 01:35 PM |
Tagged: superfish, mozilla, komodia, security

Firefox can remove any threat that Superfish presents with a simple step and 24 hours; indeed they could prevent any similar issue using a questionable or downright poisonous SSL certificate simply by blacklisting it. In this Register article they specifically cite the ability of OneCRL to block even obfuscated certs before the Network Security Services level, provided the certs are properly recorded on the blacklist. This would lead to a much more secure web, requiring attackers to invest significantly more effort when attempting to create fake or dangerous SSL certs. There is a flip side to this, for there are those who may attempt to have valid certs added to the blacklist, so there must be a way of policing the list and a way to remove certs which should not be on it, whether they were placed there in error or because of a change in the software associated with that certificate. It is also likely that there will be court cases attempting to have the blacklist removed if it does come into being, as Superfish is not the only business out there whose business model requires phishing, or at least a way around proper SSL certification and best practices, and that model will no longer be viable if we are allowed to block their mutant SSL certs.

"Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops."

Source: The Register

Lenovo for those who don't care about security

Subject: General Tech | February 19, 2015 - 12:57 PM |
Tagged: superfish, Malware, Lenovo

Since 2014 Lenovo has been selling consumer laptops installed with an innocuously named program, Superfish. For those not in the habit of wiping their laptop and installing the OS fresh to avoid the bloatware generally present on consumer products, you have been sharing the exact same SSL certificate as every other Lenovo owner, and the icing on the cake is that it is self-signed by Superfish, not a certificate authority. This means any and all transmissions done on a browser (apparently other than Firefox) could have easily been decrypted by anyone who captured your wireless transmissions, since the SSL key you were using is well known, seeing as it is present on every recent Lenovo machine.

Lenovo is downplaying the security issue and emphasizing that Superfish was just intended to inject ads into your browser based on history and that it could be disabled manually or by not agreeing to the terms and conditions when you turn on your laptop for the first time. As the commenters on Slashdot rightly point out, that argument is disingenuous, and exposing your customers to a man-in-the-middle attack just so you can serve them up some targeted advertising is a gross oversight. Samsung has not seen much success with the argument that their monitoring software could be manually disabled either. The program is no longer bundled on Lenovo laptops, as of this year.

"... doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick."

Source: Slashdot