“If you uninstall the software, it doesn’t remove the certificate created by it,” Venafi’s Bocek said. Superfish can be removed from a computer through Windows uninstall, but that won’t plug all security holes created by the program, Lenovo explained in one of its forums. “It can install a backdoor to your computer.”

SSL Stymies Adware

“It allows anything to be injected into the data stream from your computer,” he told TechNewsWorld. Superfish circumvents that process by substituting its own certificates for the legitimate ones.

Communication isn’t the only thing compromised by Superfish, noted Pavel Krcma, CTO of Sticky Password. When SSL is used to encrypt a data stream from a device, a digital certificate is used to do it. “It uses the exact same technique that cybercriminals use for bank account takeovers,” he told TechNewsWorld. “Superfish allows every bit of communication with your bank, your email provider, or your healthcare provider to be inspected,” said Kevin Bocek, vice president for security strategy and threat intelligence at Venafi. SSL is used to encrypt communication between computers and websites.

Preloading software that has more to do with marketing than utility is a common practice in the PC world, but what makes Superfish so disturbing to many in the security community is the program’s disregard for SSL security. “We recognize that the software did not meet that goal and have acted quickly and decisively.”

Copycatting Bank Robbers

Users are given a choice whether or not to use the product,” Lenovo added.

Further, “the relationship with Superfish is not financially significant; our goal was to enhance the experience for users,” the company said. It does not profile nor monitor user behavior,” the company maintained. “To be clear,” it said in its statement, “Superfish technology is purely based on contextual/image and not behavioral.
“We will not preload this software in the future,” the company said.

Although it has been reported that Superfish monitors user behavior, Lenovo refuted that claim. Superfish was installed on some consumer notebooks from September to December of last year to help customers potentially discover interesting products while shopping, Lenovo explained.

After receiving negative customer feedback, the company in January disabled the software on all Lenovo machines and stopped preloading it on new laptops. “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” the company said in a statement provided to TechNewsWorld by spokesperson Brion Tingler. However, security concerns raised by malware fighters are misplaced, Lenovo insisted. “Users are inherently at risk of being directed to malicious sites that appear valid,” he told TechNewsWorld, “making it much easier for attackers to steal information and further infect computers with malware.”

“Superfish is purposely designed to bypass the security of HTTPS websites in a manner that would allow malware and attackers to also bypass the security provided by HTTPS,” said Adam Ely, cofounder of Bluebox. The software, Superfish, uses the same techniques cybercriminals often employ to crack encrypted traffic from computers to the Internet. Lenovo on Thursday came under fire for preinstalling spyware on some of its laptops.