Lenovo - if it's on your network, you ARE breached.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
I would support the title of this post being
Some Lenovo consumer models/computers are susceptible to really shady things because manufacturers want to make money, but the title as is, in my opinion, does not accurately represent the situation.
Except it was commercial models, as is well known, that were affected. This "we rebranded things that were breached as consumer after the fact" BS is seriously bad and itself is a security concern. No IT person should ever repeat this. It's completely false and totally misleading and is a result of Lenovo socially engineering their customers. As we say in IT, the biggest risk is people not technology, and that you are repeating this incorrect information tells us that you have been compromised by Lenovo. You actually just proved our point: Lenovo has manipulated you into repeating a security falsehood to promote their attacks. This shows the extent of their devious nature.
Travis even mentioned this in the OP. There is zero question here, commercial models are where this was discovered. It's actually all commercial, NOT consumer, that we are aware of as issues.
It was actually because they were commercial units that finding Superfish was so easy: it was equipment specifically for IT pros with Windows 10 Pro on it, which made Superfish easy to spot because SF breaks sites like MangoLassi and also breaks Active Directory. Both of those things were reported on ML while troubleshooting the first Superfish discovery and led to figuring out that the network was being shimmed.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
NOT intending to excuse Lenovo, but I work in the business, and ALL major companies (HP, Microsoft, Apple, Google, AT&T, Verizon, Comcast, etc...) Hate Us, and would happily sell razor blades to babies if they could figure out how to weather the lawsuits & still turn a profit...
But that is what you are doing. Not a one of those examples is even remotely like Lenovo. Not a one has come close as to how bad it was, not one has come close to doing it repeatedly. That you'd mention any of those as some sort of comparison means either that you are trying to make Lenovo sound better than it is or you don't understand what Lenovo has done that we are discussing. There are no known issues in IT history that are comparable to Lenovo. Not a one. And Lenovo has done it more than once.
If you want to have an honest discussion about Lenovo, you can't mention stuff like this nor repeat Lenovo's own false social engineering security attacks to make them sound reasonable or plausible. If for no other reason, someone reading this thread might actually think that what Lenovo has done might not be absolutely true (it is, it's all over the news, it's beyond reasonable question, it's happened to people you know, it was discovered on a machine you've seen first hand by people you know personally, it actively disabled the very site we are writing on to discuss it) or that the degree to which this was unthinkably bad isn't what it is.
-
The Pentagon seems to agree that Lenovo is a specific threat that other vendors are not. They don't see other vendors in the same light:
https://mangolassi.it/topic/11320/pentagon-warns-against-using-lenovo-equipment
-
Don't forget this one reported by Webroot...
https://mangolassi.it/topic/7748/lenovo-screws-the-pooch-yet-again-on-the-security-front
-
And the big one, other than Superfish, Lenovo adding rootkits to the hardware in order to deploy malware onto their boxes against the wishes or knowledge of users:
-
All of those original threads have links to original sources, ML is not the source of anything originally except, of course, for Superfish which was discovered here first.
-
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Dell has (had) Superfish as well, links in my original post, yet that is ok to you because they are not Lenovo.
HP has the same SMM BIOS remote execution code that is being discussed as Lenovo owning your network. Yet, this thread says HP is safe. Again, the only argument is that it is not Lenovo.
-
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
And the big one, other than Superfish, Lenovo adding rootkits to the hardware in order to deploy malware onto their boxes against the wishes or knowledge of users:
I'm pretty sure this particular one is an overstatement by Scott. As far as I know no malware was discovered in this (I'll agree with this term) hardware rootkit. Could it be used this way, absolutely, but I'm currently unaware or not remembering actual malware deployed through this.
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Dell has (had) Superfish as well, links in my original post, yet that is ok to you because they are not Lenovo
Your article doesn't really have enough information. It doesn't say if it was ever discovered why these certs were included. In the case of Lenovo, we know that Lenovo included 3rd party software that included SuperFish - which is bad enough, but even worse, Lenovo keyed their hardware preventing the use of non SuperFish infected Network Drivers. The Dell article indicates that Dell simply included a cert - but again not why. The why is very important.
Furthermore Lenovo released press releases that said that there was nothing wrong with their laptops and that they didn't include such malware, which is clearly false. This was then finally later followed up by new drivers devoid of the SF malware.
HP has the same SMM BIOS remote execution code that is being discussed as Lenovo owning your network. Yet, this thread says HP is safe. Again, the only argument is that it is not Lenovo.
The SMM BIOS issue is less an issue for me personally. From my view, the vendors are using these features to assist users getting their systems back to a stable condition. I already responded above saying that Scott is making an overstatement about the use of SMM BIOS codes.
of course, this said - manufacturers SHOULD provide a way to disable this in the BIOS/UEFI.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Lenovo forcing the use of their own SuperFish'ed driver via hardware locks is what makes Lenovo so untrustable. This is unforgivable to me. They were very well aware that they were installing a network shim on these computers. If you agree they were unaware of the harm available via this shim, then you must also agree that they are incapable of making good (secure) hardware because they lack fundamental understandings of that hardware platform and should be out of business. If they did understand the harm available due to this shim, then they are complicit in the act, and should also be out of business.
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Your article doesn't really have enough information. It doesn't say if it was ever discovered why these certs were included
I was trying to avoid manufacturer links; however, here is Dell's statement
Doesn't excuse the blatant security risk they created by doing it
-
Ok fine, I would excuse that they made a mistake including the private key, but mistakes happen, we are human after all, even Scott has made one or two in his life.
And that release is basically Dell taking the hit, though admittedly they didn't call themselves out in that post.
I think most of us can allow mistakes, but Lenovo didn't make a mistake. It wasn't an accident that the hardware was key locked to a code from Lenovo for drivers, it wasn't a mistake that the drivers had SF embedded in the drivers. It wasn't a mistake that they denied these things when they first came to light.
Lenovo was clearly gambling that we would never find out. This Dell thing was an accident/mistake.
The SMM thing is actually part of the system being used as designed. Computrace has been using it for over a decade to reinstall tracking software on stolen devices. The main reason someone brought it up now was twofold: first because Lenovo was in the news for being shady recently, and also because it was doing something that wasn't purchased specifically by the user, unlike Computrace.
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Ok fine, I would excuse that they made a mistake including the private key, but mistakes happen, we are human after all, even Scott has made one or two in his life.
And that release is basically Dell taking the hit, though admittedly they didn't call themselves out in that post.
I think most of us can allow mistakes, but Lenovo didn't make a mistake. It wasn't an accident that the hardware was key locked to a code from Lenovo for drivers, it wasn't a mistake that the drivers had SF embedded in the drivers. It wasn't a mistake that they denied these things when they first came to light.
Lenovo was clearly gambling that we would never find out. This Dell thing was an accident/mistake.
The SMM thing is actually part of the system being used as designed. Computrace has been using it for over a decade to reinstall tracking software on stolen devices. The main reason someone brought it up now was twofold: first because Lenovo was in the news for being shady recently, and also because it was doing something that wasn't purchased specifically by the user, unlike Computrace.
This is key. Lenovo had three "non-accidents" of unprecedented proportions. Did they also have "mistakes" above and beyond those like everyone else? Sure, but we aren't talking about those. We are talking about malicious, unforgivable attacks on their end users. We are talking about a company that hoped they wouldn't get caught, got caught, and kept right on doing it because they don't care.
And bottom line, people using Lenovo at this point don't care (how could you) and are in a position of being implicated in security concerns. Lenovo has lost the security conscious market. That's gone. They've reduced their customer base only to those that value price over security of their organizations at a pretty extreme level. So while smaller, Lenovo now has shown that with the right marketing they can push their current users to any level that they want.
They have an army of people on places like SW who will attack anyone that points out the security or ethics problems, who will cover up issues or try to belittle them. Lenovo has shown that in many cases, marketing is more powerful than security, even to the IT world.
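The two preload problems argued over above, a vendor root certificate that shims TLS (the Superfish case) and a root whose private key ships on the box (the Dell case), both leave evidence in the Windows certificate stores. The script below is an added example written for this page, not code from the thread or from any vendor. It audits the trusted-root stores for roots that have a private key on the machine, carry a known interception-CA name, or use a weak key, and then opens a TLS session to a site to report who actually issued the certificate this machine is shown. Assumptions: Windows PowerShell 5.1 or PowerShell 7, run elevated so the LocalMachine stores and HasPrivateKey are readable; the name pattern is the editor's starting list (Superfish from the thread, Komodia as the SDK behind it, eDellRoot as the Dell certificate's name), not an authoritative list; the site probe needs network access and deliberately skips chain validation because the goal is to observe the chain, not trust it.

```powershell
# Added example: audit Windows trusted-root stores for a TLS-interception CA.
# Editor's code, not from the thread. See lead-in for assumptions.

$SuspectNamePattern = 'Superfish|Komodia|eDellRoot'   # editor's list, not authoritative

# Stores whose members are trusted to issue certificates for any site.
$RootStores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\Root'
)

function Find-SuspectRootCA {
    [CmdletBinding()]
    param([string[]]$Stores = $RootStores)

    foreach ($Store in $Stores) {
        if (-not (Test-Path -Path $Store)) { continue }
        foreach ($Cert in Get-ChildItem -Path $Store) {
            $Reasons = @()

            # A root whose private key lives on the endpoint lets any local code
            # mint certificates every browser on the box will trust (the Dell case).
            if ($Cert.HasPrivateKey) { $Reasons += 'private key present on this machine' }

            # Known interception CA names (the Superfish case).
            if ($Cert.Subject -match $SuspectNamePattern) { $Reasons += 'suspect subject name' }

            # A weak RSA key is a tell for a throw-in CA rather than a public root.
            $Rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
            if ($Rsa -and $Rsa.KeySize -lt 2048) { $Reasons += "RSA key only $($Rsa.KeySize) bits" }

            if ($Reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $Store
                    Subject    = $Cert.Subject
                    Thumbprint = $Cert.Thumbprint
                    NotBefore  = $Cert.NotBefore
                    Reasons    = ($Reasons -join '; ')
                }
            }
        }
    }
}

function Get-PresentedIssuer {
    # Reports the issuer of the certificate this host is actually shown for a
    # site. Behind a local shim the leaf is issued directly by the shim's root
    # instead of by a public CA's intermediate. Needs network access.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $Client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any chain: we want to see it, not validate it.
        $AcceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $Ssl = [System.Net.Security.SslStream]::new($Client.GetStream(), $false, $AcceptAll)
        $Ssl.AuthenticateAsClient($HostName)
        $Leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Ssl.RemoteCertificate)

        # Heuristic: a leaf issued straight from a cert in a local Root store is
        # what a shim produces; public CAs issue leaves from intermediates.
        $LocalRootIssuer = $RootStores |
            Where-Object { Test-Path $_ } |
            ForEach-Object { Get-ChildItem $_ } |
            Where-Object { $_.Subject -eq $Leaf.Issuer } |
            Select-Object -First 1

        [pscustomobject]@{
            Host                 = $HostName
            Subject              = $Leaf.Subject
            Issuer               = $Leaf.Issuer
            Thumbprint           = $Leaf.Thumbprint
            IssuedByLocalRoot    = [bool]$LocalRootIssuer
            IssuerHasPrivateKey  = [bool]($LocalRootIssuer -and $LocalRootIssuer.HasPrivateKey)
        }
    }
    finally { $Client.Close() }
}

Find-SuspectRootCA | Format-Table -AutoSize
Get-PresentedIssuer -HostName 'mangolassi.it' | Format-List
```

On a clean machine the first call returns nothing and the probe reports a public CA as issuer with IssuedByLocalRoot false. A shim of the kind described in the thread shows up as a Root-store entry with a suspect name or private key, and the probe's Issuer matches that entry's Subject.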
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Dell has (had) Superfish as well, links in my original post, yet that is ok to you because they are not Lenovo
Your article doesn't really have enough information. It doesn't say if it was ever discovered why these certs were included. In the case of Lenovo, we know that Lenovo included 3rd party software that included SuperFish - which is bad enough, but even worse, Lenovo keyed their hardware preventing the use of non SuperFish infected Network Drivers. The Dell article indicates that Dell simply included a cert - but again not why. The why is very important.
Furthermore Lenovo released press releases that said that there was nothing wrong with their laptops and that they didn't include such malware, which is clearly false. This was then finally later followed up by new drivers devoid of the SF malware.
HP has the same SMM BIOS remote execution code that is being discussed as Lenovo owning your network. Yet, this thread says HP is safe. Again, the only argument is that it is not Lenovo.
The SMM BIOS issue is less an issue for me personally. From my view, the vendors are using these features to assist users getting their systems back to a stable condition. I already responded above saying that Scott is making an overstatement about the use of SMM BIOS codes.
of course, this said - manufacturers SHOULD provide a way to disable this in the BIOS/UEFI.
Any software that isn't supposed to be there pushed in this way IS malware, period. There is no grey area. If a hostile entity puts things I'm trying to block onto my network, that's malware. That the malware didn't have a chance to do something really malicious and was still in a deployment testing mode makes no difference.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
And do you have links to back up these claims? Quite a few Google searches later and at the BIOS level I have not found a vulnerability that was also not found in other manufacturers' BIOS as well by other IBVs. This suggests that the issue may be further up the chain. Nasty Lenovo UEFI exploit also affects products from other vendors
No, this is an ADDITIONAL security problem that no one is talking about with Lenovo. That's how bad Lenovo is, their later actual mistakes are bad enough that they have been used to cover up their earlier, far worse non-mistake security issues. What you are listing here is not at all the type of or level of issue that Travis meant by this thread or what any of us mean when talking about the evils of Lenovo. This is just general incompetence or errors that all vendors make.
For all we know, Lenovo did this on purpose knowing that media attention about something that they could mitigate would go a long way to erasing the social memory of the things that they had done before. IT has been shown to have a very, very short memory and whether Lenovo managed to plan a social engineering of it or it was just a happy accident - they actually managed to get positive marketing covering up their unforgivable acts by having a security exploit discovered.
Think about how bad that actually makes it....
- Do unthinkably bad attack on customers.
- Get caught.
- Show no remorse.
- Casually include major security mistake a year later.
- Act quick to make sure it is discovered on your systems first.
- Quickly show that you are not alone and it is a broad industry mistake.
- Use new security hole as a tool to hack the wetware of IT departments and make them feel that all the former Lenovo-specific issues were derived from this "mistake" two years later.
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.
That's malware. Plain and simple. When deployed via a rootkit. And more importantly, there was a rootkit!!
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe.
No, this is missing the point. The point is that no one but Lenovo has ever done stuff like this. No one. If you think that there is any other company that you can use as a "see they did this too" then you've missed what has happened. We aren't talking about safe, we are talking about malicious. HPE and Dell are not your enemies, nor are they completely safe. But Lenovo is the actual enemy.
I'm extremely aware of the overall point here and am trying to show why you are missing how this all comes together. Travis wasn't pointing out that Lenovo made mistakes like all companies do, that's something you brought to the discussion. He (and we) are talking about the things that only Lenovo has done that are unlike anything seen in the industry before.
Lenovo is completely unique here. Any attempt to compare to another company, unless you have security examples none of us have ever heard of, means you are missing the discussion and are talking about something different.
-
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
They've reduced their customer base only to those that value price over security of their organizations at a pretty extreme level
This is what's bizarre to me. Even if you price Lenovo side-by-side and spec-for-spec, they are rarely cheaper than their competition. Sometimes they are, but mostly they are within a few hundred dollars.
-
@Dashrender said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
And the big one, other than Superfish, Lenovo adding rootkits to the hardware in order to deploy malware onto their boxes against the wishes or knowledge of users:
I'm pretty sure this particular one is an over statement by Scott. As far as I know no malware was discovered in this (I'll agree with this term) hardware rootkit. Could it be used this way, absolutely, but I'm currently unaware or not remembering actual malware deployed through this.
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.
Anything delivered by this method would be malware. It's a hijack of your system. Unwanted software deployed to your system like this is malware, period.
I think if you are getting quotes and in different markets they are sometimes super cheap.
-
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.
That's malware. Plain and simple. When deployed via a rootkit. And more importantly, there was a rootkit!!
Is it a windows rootkit? Or is it using built in tech by MS and BIOS/UEFI makers as a deployment method?
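The question above, whether the firmware drop is a Windows rootkit or a Microsoft-provided deployment mechanism, can be answered on a given machine. The mechanism the thread does not name is the ACPI WPBT (Windows Platform Binary Table): firmware exposes a table pointing at a PE image, and Windows copies it to %SystemRoot%\System32\wpbbin.exe and runs it before logon. The script below is an added example written for this page, not code from the thread or from any vendor. It lists the ACPI tables the firmware exposes, parses the WPBT header if one is present, and checks the files such a mechanism leaves on disk. Assumptions: Windows PowerShell 5.1 or 7 on the machine under test; the field offsets follow the published WPBT layout (36-byte ACPI header, then image size, image physical address, layout, content type, argument length, arguments); the dropped-file list is the editor's (wpbbin.exe is the WPBT drop, rpcnetp.exe and rpcnet.exe are Computrace agent names), so extend it for other vendors' agents.

```powershell
# Added example: does this firmware hand Windows a binary to run at boot?
# Editor's code, not from the thread. See lead-in for assumptions.

Add-Type -Namespace Fw -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

$AcpiProvider = 0x41435049   # 'ACPI' provider signature as the API documents it

function Get-AcpiTableNames {
    # First call with a null buffer returns the size needed.
    $Size = [Fw.Native]::EnumSystemFirmwareTables($AcpiProvider, $null, 0)
    if ($Size -eq 0) { return @() }
    $Buf = New-Object byte[] $Size
    [void][Fw.Native]::EnumSystemFirmwareTables($AcpiProvider, $Buf, $Size)
    # Each entry is a 4-byte table signature in memory order.
    for ($i = 0; $i -lt $Size; $i += 4) {
        [System.Text.Encoding]::ASCII.GetString($Buf, $i, 4)
    }
}

function Get-AcpiTable([string]$Signature) {
    # The table ID is the signature's bytes read as a little-endian DWORD.
    $Id = [BitConverter]::ToUInt32([System.Text.Encoding]::ASCII.GetBytes($Signature), 0)
    $Size = [Fw.Native]::GetSystemFirmwareTable($AcpiProvider, $Id, $null, 0)
    if ($Size -eq 0) { return $null }
    $Buf = New-Object byte[] $Size
    [void][Fw.Native]::GetSystemFirmwareTable($AcpiProvider, $Id, $Buf, $Size)
    $Buf
}

function Get-WpbtInfo {
    $T = Get-AcpiTable 'WPBT'
    if (-not $T) { return $null }
    $Ascii   = [System.Text.Encoding]::ASCII
    $ArgsLen = [BitConverter]::ToUInt16($T, 50)
    [pscustomobject]@{
        OemId         = $Ascii.GetString($T, 10, 6).Trim()
        OemTableId    = $Ascii.GetString($T, 16, 8).Trim()
        ImageSize     = [BitConverter]::ToUInt32($T, 36)
        ImagePhysAddr = ('0x{0:X}' -f [BitConverter]::ToUInt64($T, 40))
        ContentType   = $T[49]          # 1 = native user-mode PE image
        Arguments     = $(if ($ArgsLen -gt 0) { [System.Text.Encoding]::Unicode.GetString($T, 52, $ArgsLen) } else { '' })
    }
}

function Get-FirmwareDroppedFiles {
    $Names = 'wpbbin.exe', 'rpcnetp.exe', 'rpcnet.exe'   # editor's list, see lead-in
    foreach ($Name in $Names) {
        $Path = Join-Path $env:SystemRoot "System32\$Name"
        if (Test-Path -Path $Path) {
            $Sig = Get-AuthenticodeSignature -FilePath $Path
            [pscustomobject]@{
                Path      = $Path
                Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
                Signer    = $Sig.SignerCertificate.Subject
                SigStatus = $Sig.Status
            }
        }
    }
}

"ACPI tables exposed by firmware: $((Get-AcpiTableNames) -join ', ')"
$Wpbt = Get-WpbtInfo
if ($Wpbt) { 'WPBT present:'; $Wpbt | Format-List }
else       { 'No WPBT table: firmware is not handing Windows a binary to run.' }
Get-FirmwareDroppedFiles | Format-List
```

A WPBT entry with the OEM ID of your vendor and a signed wpbbin.exe in System32 is exactly the "built-in tech by MS and BIOS/UEFI makers" deployment path: not a kernel rootkit, but a firmware-resident binary that Windows itself runs every boot and that a clean OS install does not remove. Whether the dropped program is wanted is the policy question the thread argues over; the check only tells you it is there and who signed it.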