Swiftmail
Buy and sell Bitcoin instantly at www.Fxprobitcoin.com List your own coin on the Fxprobitcoin exchange. Cash out of bitcoin at www.SwiftCoin.club

The $3.5 Million Check Comes Due for Lenovo And Its Security-Compromising Superfish Adware


You might recall that back in 2015, Lenovo was busted for installing a nasty bit of snoopware made by a company named Superfish on select models of the company's Thinkpad laptops. Superfish's VisualDiscovery wasn't just annoying adware however; it was so poorly designed that it effectively made all of Lenovo's customers vulnerable to HTTPS man-in-the-middle attacks that were relatively trivial for an attacker to carry out. More specifically, it installed a self-signed root HTTPS certificate that could intercept encrypted traffic for every website a user visits -- one that falsely represented itself as the official website certificate.

That's hugely problematic for what should be obvious reasons, but Lenovo doubled down on dumb by issuing a statement initially claiming it didn't see what all the fuss was about and that it was just trying to "improve the shopping experience":

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

Security researchers didn't agree. Neither, apparently, did the FTC, which this week gave Lenovo what amounts to a stern talking to after the company settled allegations it had turned a blind eye to customer security concerns:

"Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen K. Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

The full FTC complaint (pdf) against Lenovo makes it clear the Superfish adware used the same bunk security certificate for every user of the stealthware -- every time it covertly interupted secure traffic. And, of course, the complaint notes that Lenovo really couldn't be bothered to explain how any of this was happening to the company's customers:

"Respondent did not make any disclosures about VisualDiscovery to consumers prior to purchase. It did not disclose the name of the program; the fact that the program would act as a man-in-the-middle between consumers and all websites with which they communicated, including sensitive communications with encrypted https:// websites; or the fact that the program would collect and transmit consumer Internet browsing data to Superfish."

Yeah, whoops. One complaint exhibit highlights that while users had the option of opting out of this security-compromising, behavioral advertising effort, Superfish and Lenovo made doing so notably hard to spot:

But again, nowhere was the encryption-compromising aspect of this software disclosed to the end user, even in the finest of fine print in the company's privacy policy. And opting out only prevented users seeing ads dictated by their previous browsing habits; doing so didn't stop the software from faking security certificates and compromising the end user's security.

Lenovo won't be required to pay a dime to impacted users; FTC boss Ohlhausen (who downplayed the severity of the deception in her own statement (pdf)), claims the agency lacks the legal authority to obtain civil penalties for first-time violators under the FTC Act. As part of the settlement Lenovo is prohibited from misrepresenting "features of software preloaded on laptops that will inject advertising into consumers' Internet browsing sessions or transmit sensitive consumer information to third parties." Lenovo must also get explicit consumer opt-in consent before installing similar software in the future, and must implement -- for the next 20 years -- a software security program to more dutifully analyze the security impact of such programs.

A day after Lenovo's settlement with the FTC, the company also struck a $3.5 million settlement (pdf) with a coalition of 32 states for violating user privacy and failing utterly to disclose the dangerous nature of the company's laptop bloatware. In a statement Lenovo proclaimed it had seen the error of its ways, and that "security, privacy and quality are top priorities at Lenovo." Of course this is the same company that shortly after the Superfish fiasco was caught stealthily installing bloatware via laptop BIOS, so hopefully Lenovo won't mind if people wait a little while before declaring the company truly reformed.


Disclaimer: The information contained in this web site is for entertainment purposes only. John McAfee, John McAfee Swiftmail and Swiftcoin are not affiliated with McAfee Antivirus. This web site does not offer investment advice. Check with your attorney, financial advisor and local statutes before using this web site, McAfee Swiftmail or Swiftcoin. John McAfee makes no warranty or guarantee, expressed or implied, as to the confidentiality, performance or suitability of Swiftmail and Swiftcoin for any purpose. Use these products at your sole risk.