Basically, Lenovo computers are shipping insecure, and this can allow anyone to intercept and decrypt secure HTTPS traffic.
Luckily I don’t have this problem because the power supply in mine died. Now THAT is security.
That last link showing how he cracked the password just goes to show how easy it really is for someone to crack any sort of account. When I was first getting my server set up, I had port forwarded the IP so that I could work on it from my office. I had left it open one night and got my security log email the following morning showing over 500 attempts to crack my server. I promptly closed that port and set up a proper SSH tunnel to it so that I can access it safely in the future.
BTW my server is a Lenovo, but it didn’t come with any OS. Does it matter in this case?
If you have a Lenovo computer, just do yourself a favor and burn it with fire.
In all seriousness, this is the reason why you should always re-format and install a virgin OS on any new computer.
If you can view this website WITHOUT an SSL error, your computer is affected, and the site will include fix instructions.
A strong password can keep out most instances. If you remove social engineering from the equation, a good 15-20 character random a-zA-Z0-9$%@ style password that is not reused on other sites should be ultra secure. Securing backup “security questions” with the same random-style password answers is the next thing to do. A random password 100 characters long will be nothing if your high school mascot also lets you in.
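Since the post above describes the kind of password to generate (15-20 random characters from a-zA-Z0-9$%@, never reused), here is an added PowerShell example of generating one that way. It is not from anyone in this thread; the function name and the rejection-sampling approach are my own choices. The point it shows that the post does not is that picking characters with a plain modulo of a random byte biases the result toward the start of the alphabet, so the draw is repeated whenever the byte falls outside the largest multiple of the alphabet size.

```powershell
# Added example, not from the thread: build a random password from a fixed
# alphabet using the OS cryptographic RNG, with rejection sampling so every
# character of the alphabet is equally likely.
function New-RandomPassword {
    param(
        [int]$Length = 20,
        [string]$Alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$%@'
    )
    if ($Alphabet.Length -lt 2 -or $Alphabet.Length -gt 256) {
        throw 'Alphabet must contain between 2 and 256 characters.'
    }
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object char[] $Length
    # Largest multiple of the alphabet size that fits in one byte. Bytes at or
    # above this value are thrown away and redrawn; using them with a modulo
    # would make the first (256 % size) characters of the alphabet more likely.
    $limit = 256 - (256 % $Alphabet.Length)
    for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $chars[$i] = $Alphabet[$buf[0] % $Alphabet.Length]
    }
    $rng.Dispose()
    # Entropy estimate in bits: log2(alphabet size) per character.
    $bits = [math]::Round([math]::Log($Alphabet.Length, 2) * $Length, 1)
    Write-Host ("Generated {0} characters from a {1}-character alphabet (~{2} bits)" -f $Length, $Alphabet.Length, $bits)
    -join $chars
}

# Usage: a 20-character password from the post's alphabet (65 characters, ~120 bits).
New-RandomPassword -Length 20
```

The alphabet above is exactly the a-zA-Z0-9$%@ set from the post (65 characters); a 20-character password from it is roughly 120 bits, which is well past anything an online or offline guessing attack can cover. Paste the result straight into a password manager rather than typing it anywhere it could be reused.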
The caveat to this is that if someone is able to get Administrator privileges on a Windows machine, you can recover even the most complex password in plaintext out of memory on the system.
For example, if you had a super strong password and your machine got popped via some web exploit or malicious Adobe PDF, the person attacking could get the plaintext password out of memory.
I do this all the time on client engagements, and it's pretty hilarious when people have passwords like “i h0pE the bills win the Superbowl!” with spaces/numbers/special characters.
Yeah, but you are still much less likely to be compromised via that method compared to having your password be ‘123456’ on all of your sites. I just finished a large project of updating every password I have (and have had) over the years. It was quite the job, but I can sleep a little better at night now.
I guess if it makes you feel better…
Realistically most people are losing credentials when the sites themselves get popped and passwords are stored incorrectly.
It’s the same thing with people losing healthcare data: while you can use the strongest password possible for your health insurance site, I will put money on a percentage of employees using Spring2015 or Winter2014 for their Windows Active Directory password.
Right, but you would agree that having unique passwords for every site mitigates some of that problem, correct? One of the most common methods hackers use is gathering passwords from weakly protected sites, and then using them on more important sites, such as Google, Turbo Tax, etc… Combine two-step with unique passwords for every site on top of that and you’re doing pretty well. People are much like nature, and like to follow the path of least resistance.
With that said, I am not ignorant, and I know on a larger scale, every company will be hacked, not may be hacked. I suppose that’s another reason to be careful with what you put online to begin with.
I would advocate using a strong unique password for every site and hopefully with two factor authentication.
I’m just saying in the big picture your shit will probably get stolen some other way.
Out of date acrobat/flash/java is pretty much the number one way to get hacked right now (well, outside of this Lenovo shit). All sorts of exploit kits are available to pop many of the vulns in those packages. Like LZ said, then it’s just a single tool/command to grab your creds. And the exploit kits are being deployed in shitty ad networks on all of your favorite websites. So you’re not really ever safe unless you burn your computer.
Agreed that unique passwords on every site is pretty good protection. If NYSpeed gets hacked and that password is the same for your bank account, then I feel bad for you (actually I don’t because that would be a stupid thing to do).
Sounds sophisticated.
@LZ1 Our campus is 1200+ strong with Lenovo, no issues here.
Every PC is imaged on a DMZ/Staging vlan right out of the box. All supporting features are then applied… Symantec (Unfortunately), BitLocker, etc…
Although I won't mention names, I know of certain IT solution groups that see no issue with using OEM-loaded operating systems.
The following information was provided to us.
- “Think” Products are not affected. ThinkPad, ThinkCentre, ThinkStation, etc. have never shipped a unit with Superfish included in the preload.
- Superfish shipped for a very limited time. Consumer preloads built ONLY between Oct – Dec 2014 included it.
- Lenovo listened to customers and took quick action. Customers’ feedback was not positive in forums, and drove the rapid removal of Superfish from preloads plus the disabling of Superfish in market.
So it’s highly doubtful that any corporate/campus machines are running around with this. Unless you’re a small business and buy your computers at Best Buy. But again, that would be stupid.
So the Lenovo fix was updating the software, NOT removing the SSL certificate.
I don’t think they even updated the software. I think they forced Superfish to disable the remote proxy service. At least, initially.
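Two posts above tie together here: the one linking the test site (if the site loads without an SSL error, the Superfish root is trusted on your machine) and the one pointing out that disabling the proxy service is not the same as removing the certificate. Here is an added PowerShell example, written for this thread rather than taken from Lenovo or from any poster, that does the same check locally by looking for a root certificate with “Superfish” in its subject or issuer in the Windows machine and user Root stores. It assumes the certificate is identifiable by that name (it is the only identifier the thread gives; matching on a published thumbprint would be stricter) and that you run it from an elevated prompt so the LocalMachine store is readable and writable.

```powershell
# Added example, not from the thread or from Lenovo: report (and optionally
# remove) any root CA certificate named Superfish in the Windows Root stores.
# Assumes the Superfish root is recognisable by "Superfish" in Subject/Issuer.
function Find-SuperfishRootCert {
    param([switch]$Remove)   # -Remove deletes the matches instead of only listing them

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $hits = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }

    if (-not $hits) {
        Write-Host 'No Superfish root certificate found in the machine or user Root stores.'
        return
    }

    $hits | Format-Table -AutoSize

    if ($Remove) {
        foreach ($h in $hits) {
            # Deleting the trusted root is what actually closes the interception
            # hole; uninstalling or disabling the proxy software leaves it in place.
            $path = Join-Path $h.Store $h.Thumbprint
            Remove-Item -Path $path
            Write-Host "Removed $($h.Thumbprint) from $($h.Store)"
        }
    }
    return $hits
}

# Usage: list first, then remove once you have confirmed the matches.
Find-SuperfishRootCert
# Find-SuperfishRootCert -Remove
```

One caveat: this only covers the Windows certificate stores. Firefox keeps its own trust store, so a browser that does not use the OS store has to be checked separately, and the test site from the earlier post is still the quickest end-to-end confirmation after cleanup.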
We’re an HP shop and I don’t think we have any HP software on there at image time. Images were created with a bare metal VL install, office added and windows updates applied. Only the Intel network driver was added.
As far as passwords, right now I use LastPass with two factor authentication. I try to generate as long and as complex a password as possible using a random string for each site. For a few sites I even have random ASCII characters that aren’t natively on the keyboard.
Google, FB, Twitter, Dropbox, etc. are all using two factor authentication.
I just bought two Lenovo Z40 laptops for my mom and sister, so basically there is adware installed on them that I need to remove?