Monday, March 2, 2015

Guest Post from Patty’s Pioneers - Peter Horne Exposes Lenovo Security Risk

Patty’s Pioneer, Peter Horne, Exposes Lenovo Security Risk

Originally posted on Friday, February 27, 2015 by Patricia Seybold

Things have been buzzing on our private email listserv over the past two months. Peter Horne, one of the most active members of Patty’s Pioneers*, began discussing a troubling problem he had found on a Lenovo computer he purchased in Sydney, Australia in early January, 2015.

Pete quickly discovered malware on his new computer. He realized that this malware, the Superfish adware, had been pre-installed at the Lenovo factory as part of Lenovo's additions to the pre-installed Windows operating system. He found that Superfish hooked the Windows networking stack at a very low level, allowing it to insert its own script into every page viewed in a browser. Because it sat below the browser, it did not matter whether Internet Explorer, Chrome, or Firefox was used: it was the operating system that was compromised. Furthermore, it was so deep in the operating system that neither McAfee, Trend Micro, nor the Microsoft malware removal tool found the Superfish software.

Customer Tried to Alert the Company; But Was Ignored
Peter reported the infected computer to the store, and they contacted their Lenovo sales rep. However, Lenovo had a policy of not talking directly to customers about store enquiries, and he waited. Nothing happened, and so he logged his own call with the Lenovo Help desk.

But this was all to no avail. Repeatedly, company spokespeople told this savvy customer, who was only trying to help, that he was mistaken. Nothing like this could possibly be happening. "Lenovo doesn't distribute Malware." Pete offered to walk the Lenovo product manager through the process to demonstrate the existence of the malware, but nobody ever got back to him. In the end, the store manager refunded Pete's money because he was convinced of the issue himself, and he wanted to keep a valuable customer who had purchased many items at the store in the past with no problems.

While he was getting the run around from Lenovo, Pete also did a fair amount of time-consuming due diligence. He checked computers at Lenovo stores in four cities around the world. He asked other Pioneers to check their own machines and at local stores.

If Lenovo’s management had paid attention to the customer feedback from Pete and other customers, their security team might have discovered the issue, quietly dealt with it, and avoided the ensuing uproar.

Customer Alerts the Press
Pete was troubled. He’s also a busy guy. He was tempted to move on, but was troubled by the fact that less tech-savvy consumers would be buying a spyware-infected computer. He reached out to the other members of the Pioneers’ forum, including my brothers, Jonathan and Andy Seybold, who encouraged him to get the word out, and they helped by contacting reporters they knew at The New York Times.

Luckily, a tech-savvy reporter, Nicole Perlroth, paid attention, interviewed Pete, and began doing her own investigation.

Other reporters also got wind of the story. The first article to appear, Timothy Seppala's New Lenovo PCs Shipped with Factory-Installed Adware, went online at 1:25 am on February 19th. Timothy based his story on the user discussions about this adware that he found on the Lenovo forums. It was also discovered that Superfish used a component from Komodia that corrupted the machine's trust store, the list of certificate authorities the operating system accepts as vouching for SSL connections. Superfish added its own root certificate to that store, and because the matching private key shipped inside the software on every affected machine, it opened all infected computers to "man-in-the-middle" attacks: anyone who recovered that key could impersonate the sites you trust and capture your traffic.
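The trust-store check a practitioner would want here is to look for the Superfish root itself. The following is an added example, not code from the post, from Lenovo, or from Superfish: a small DER walker that pulls every text value out of a certificate and flags the subject names the Superfish/Komodia roots carry. On Windows it reads the machine root store through Python's `ssl.enum_certificates("ROOT")`; elsewhere it runs over DER blobs you supply. The two sample names at the bottom are constructed for the demonstration and are not real certificates.

```python
"""Scan DER certificate blobs for the Superfish / Komodia root (added example)."""
import ssl
from typing import Iterator, List, Tuple

# Substrings of the subject names that the Superfish root and the Komodia
# interception components it was built on carry (case-insensitive match).
SUSPECT_NAMES = ("superfish", "komodia")

# ASN.1 universal string tags whose contents we inspect.
STRING_TAGS = {0x0C: "utf8", 0x13: "printable", 0x16: "ia5", 0x14: "t61", 0x1E: "bmp"}


def der_elements(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each top-level DER element in `data`.

    Handles short-form and long-form lengths (DER never uses indefinite length).
    """
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def walk_strings(data: bytes) -> Iterator[str]:
    """Recursively yield every string value found in a DER structure."""
    for tag, value in der_elements(data):
        if tag & 0x20:  # constructed element (SEQUENCE, SET, [n] EXPLICIT): recurse
            yield from walk_strings(value)
        elif tag in STRING_TAGS:
            enc = "utf-16-be" if STRING_TAGS[tag] == "bmp" else "utf-8"
            yield value.decode(enc, errors="replace")


def find_suspect_roots(der_certs: List[bytes]) -> List[str]:
    """Return each text value in the given certificates that matches a suspect name."""
    hits = []
    for cert in der_certs:
        for text in walk_strings(cert):
            if any(name in text.lower() for name in SUSPECT_NAMES):
                hits.append(text)
    return hits


def windows_root_store() -> List[bytes]:
    """DER blobs from the machine ROOT store on Windows; an empty list elsewhere."""
    if not hasattr(ssl, "enum_certificates"):  # only present on Windows builds
        return []
    return [der for der, enc, _trust in ssl.enum_certificates("ROOT") if enc == "x509_asn"]


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (short and long form lengths) used to build the samples."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:
    """Encode an X.501 Name holding one commonName attribute (OID 2.5.4.3)."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, attr))


# Constructed samples (not real certificates): a benign name and the Superfish subject.
SAMPLE_CLEAN = _name("Example Trust Root CA")
SAMPLE_SUPERFISH = _name("Superfish, Inc.")

if __name__ == "__main__":
    store = windows_root_store() or [SAMPLE_CLEAN, SAMPLE_SUPERFISH]
    for hit in find_suspect_roots(store):
        print("suspect root found:", hit)
```

Matching on the subject name rather than on a hard-coded fingerprint means the same scan catches the other Komodia-based roots that later turned up in unrelated products; a hit should be followed by removing both the root certificate and the software that installed it, since the adware re-adds the certificate.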

Nicole Perlroth’s first New York Times article appeared online at 7:44 pm on February 19, 2015, Researcher Discovers Superfish Spyware Installed on Lenovo PCs, and in the print edition the next day. Essentially the same story was published as “Spyware Is Found Installed on PCs Made by Lenovo,” as well as in newspapers around the world, since it was submitted to, and distributed by, the Associated Press. It was Peter Horne who revealed to Nicole the darker truth—it wasn’t just that adware was being pre-installed inside the machine's operating system—it was tracking every single page and image a user was looking at, and sending all the metadata to the Superfish servers! And it could not be turned off.

Once the story was out, a feeding frenzy quickly spawned lots of follow-on articles, among them:

  • Ars Technica: Lenovo PCs Ship with Man-in-the-Middle Adware that Breaks HTTPS Connections, Feb. 19th and then updated
  • C/Net: Lenovo's Superfish Security Snafu Blows Up in Its Face, Feb. 20th
  • Superfish-Lenovo Adware FAQ, Feb. 19th and then updated
  • Lenovo's Response to Its Dangerous Adware Is Astonishingly Clueless, Feb. 19th
  • NBC News: Lenovo Made Laptops Vulnerable to Hacking, Feb. 19th
  • NBC News: Government Urges Lenovo Computer Owners to Remove Superfish Software, Feb. 20th
  • Department of Homeland Security Urges Lenovo Users to Remove Superfish
  • How Could Lenovo Miss Its Superfish Security Hole?, February 20, 2015
And many more….
As part of her due diligence, Nicole Perlroth of The New York Times interviewed Lenovo CTO Peter Hortensius and asked him why the company had ignored the issue when it was reported by an obviously concerned and knowledgeable customer. Read her full article for the Q&A.

The Moral of the Story: Listen to What Your Customers Are Trying to Tell You!
Don’t ignore your customers’ attempts to warn you about a product or a process flaw that will damage your reputation! To their credit, Lenovo executives have finally reached out to Peter Horne (and probably other smart customers) and asked for their help in keeping similar problems from happening in the future. After all, if you have smart customers, why not harness their intelligence to keep you out of trouble?

*Patty’s Pioneers is a group of our customers—tech-savvy IT architects—who have been hanging out electronically and meeting twice a year for over two decades. I learn incredible amounts from participating in these wonderful, rich, conversations whose topics range broadly from organizational issues, to tech industry personalities, to trends in IT architecture, implementation, and adoption, to financial markets and philosophy.

Friday, February 27, 2015

Security, Cloud and Networking Weekly News Roundup: February 23 - 27

This week's news in cloud, networking, and security - the week of February 23rd: 

Cyberattackers have free rein in a victim's systems for a median of 205 days before detection, and some breaches "can go undetected for years," says a new report from FireEye. Also, 69% of organizations breached in 2014 learned of the attack from a third party. Fewer Enterprises Able To Detect Hacks on Their Own

Worldwide enterprise software spending is on track to hit $335 billion in 2015, a 5.5% increase from 2014. Spending on data center systems worldwide is also projected to pass $143 billion in 2015. IT spending on pace to grow 2.4 per cent in 2015

What's wrong with my private cloud ... from Simon Wardley

IBM hopes to capture $40 billion in annual revenue from cloud, big data, and security growth areas by 2018. At the company's annual investor meeting in New York on Thursday, CEO Virginia Rometty said she was happy to jettison revenue from business units selling low-end servers, semiconductors and cash registers. IBM Pumps $4 Billion Into Cloud and Mobile Initiatives via the Wall Street Journal

HP is in talks to buy Aruba Networks, a move that would shore up its networking division in the U.S. Aruba's annual sales are projected to grow to more than $1 billion by 2017, from $729 million in the year through July. HP in Talks to Buy Aruba Networks for Wi-Fi Infrastructure via Bloomberg

Upcoming events Cohesive is hosting and attending:
  • 2 Mar - CloudCamp Chicago - Cloud Security
  • 11 - 12 March - exhibiting and speaking at CloudExpo in London
    • Wed at 1pm Chris Swan is on the panel "Panel: Is the future containers, virtualization, or both?" in the Service Provider & Cloud Ecosystem Theatre – Technology
    • Thurs at 1.15pm Chris Swan is presenting "The Application Security Controller" in Software Defined Data Centre and Networks Theatre
  • 20 - 24 April - attending RSA Conference in San Francisco
  • 30 April - Cohesive Sponsoring & hosting the Secret Service Chicago Electronic Crimes Task Force April meeting

Tuesday, February 24, 2015

Guard Against Cyberattacks - Application Segmentation and Security

Originally published on the Illinois Technology Association blog on 2/9/2015

2014 saw more than 697 separate data breaches in the U.S., according to an October report from the Identity Theft Resource Center (ITRC). The organization estimates the 2014 attacks exposed over 81,443,910 personal records of customers, patients, partners and employees. Organizations are now facing potential exploitation by hackers, criminal gangs, foreign governments, and even disgruntled employees.

Just last week, a large health insurance company was attacked, exposing over 80 million patient and employee records.

How can companies in all industries best prevent attacks?

Perimeter-focused security is broken

Most enterprises focus on perimeter defenses and overlook internal network security. Yet the Target and Sony attackers exploited weak internal network security to reach the critical applications sitting on the same wire inside the network.

Today's complex, distributed networks make the data center perimeter more porous. Once hackers (or a disgruntled employee) breach the perimeter, they can easily find and exploit weaknesses inside the network, as happened in the recent Sony attack. Nearly 85 percent of insider or "privilege misuse" attacks used the target enterprise's corporate local area network (LAN), according to a 2014 Verizon security report.

Hackers are now using corporations’ networks against them.

Changes are coming - from regulation and the board room

2014 also saw some hope for enterprises looking for cures for the common data breach: more government agencies and compliance groups are updating security standards to match modern cybercrime.

Upcoming security compliance requirements - from NIST, PCI, and the EU banking standards - are beginning to focus on security at every layer, not just the edge. Wrapping each application in its own secure network is a new and potentially game-changing way to thwart east/west attacks.

Defense in depth with application security controllers

To guard and quarantine an application, enterprises can force all of its data and network traffic through secure, encrypted switches at every layer within the data center network. Controlled access and encryption can all but eliminate malicious east/west movement.

In order to gain control over all incoming and outgoing traffic for each application, enterprises can use “micro-perimeters” to break the secure network into smaller, tightly controlled overlay networks. Just like the physical segmentation at the core hardware layer and logical segmentation at the virtualization layer, a micro-perimeter can provide “application segmentation.”

With application segmentation, enterprises dictate what traffic reaches each application server through the application security controller. Because all data must pass through an encrypted switch, enterprises can enforce security and segmentation at that point. User traffic is isolated to flow only through the application's secure edge. Even with only basic interior firewall rules, an enterprise can then protect itself from an east/west exploit.
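To make the east/west argument concrete, here is an added example (not VNS3 or any other Cohesive Networks code) that models the two designs side by side: a flat application VLAN, where anything that gets inside can reach anything, and per-application micro-perimeters that admit only the flows each application declares and drop everything else. The application names, subnets and flows are constructed for illustration, and the iptables rendering at the end shows what the same default-deny policy looks like on an ordinary Linux firewall.

```python
"""Flat VLAN versus per-application micro-perimeters (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str   # source IP address
    dst: str   # destination IP address
    port: int  # destination TCP port


@dataclass
class MicroPerimeter:
    """One application's segment: its address range and the flows it admits."""
    name: str
    subnet: IPv4Network
    # (allowed source network, destination port) pairs; anything else is dropped
    allow: Set[Tuple[IPv4Network, int]] = field(default_factory=set)

    def contains(self, ip: IPv4Address) -> bool:
        return ip in self.subnet

    def admits(self, flow: Flow) -> bool:
        src = ip_address(flow.src)
        return any(src in net and flow.port == port for net, port in self.allow)


class FlatVlan:
    """The 'one big firewall at the edge' model: everything inside is trusted."""

    def __init__(self, internal: IPv4Network):
        self.internal = internal

    def permits(self, flow: Flow) -> bool:
        return ip_address(flow.src) in self.internal and ip_address(flow.dst) in self.internal


class SegmentedNetwork:
    """Every application sits behind its own micro-perimeter; default deny."""

    def __init__(self, perimeters: List[MicroPerimeter]):
        self.perimeters = perimeters

    def perimeter_for(self, ip: IPv4Address) -> Optional[MicroPerimeter]:
        return next((p for p in self.perimeters if p.contains(ip)), None)

    def permits(self, flow: Flow) -> bool:
        target = self.perimeter_for(ip_address(flow.dst))
        # A destination outside every declared perimeter is not reachable at all.
        return target is not None and target.admits(flow)

    def iptables_rules(self, perimeter: MicroPerimeter) -> List[str]:
        """Render one perimeter's allow-list as FORWARD-chain iptables commands."""
        rules = [f"iptables -A FORWARD -d {perimeter.subnet} "
                 f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for net, port in sorted(perimeter.allow, key=lambda a: (str(a[0]), a[1])):
            rules.append(f"iptables -A FORWARD -s {net} -d {perimeter.subnet} -p tcp "
                         f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT")
        rules.append(f"iptables -A FORWARD -d {perimeter.subnet} -j DROP")  # default deny
        return rules


# Constructed topology: web tier, app tier and a payroll database inside one corporate range.
CORP = ip_network("10.0.0.0/16")
WEB, APP, PAYROLL = ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24"), ip_network("10.0.3.0/24")


def build_segmented() -> SegmentedNetwork:
    return SegmentedNetwork([
        MicroPerimeter("web", WEB, {(ip_network("0.0.0.0/0"), 443)}),  # users reach web only
        MicroPerimeter("app", APP, {(WEB, 8443)}),                     # web tier reaches app
        MicroPerimeter("payroll", PAYROLL, {(APP, 5432)}),             # only app reaches the DB
    ])


# A compromised web server trying to move east/west straight to the payroll database,
# and the legitimate app-tier query it is imitating.
LATERAL = Flow("10.0.1.10", "10.0.3.5", 5432)
LEGIT = Flow("10.0.2.20", "10.0.3.5", 5432)


def compare(flow: Flow) -> Dict[str, bool]:
    """Whether each design lets the flow through."""
    return {"flat_vlan": FlatVlan(CORP).permits(flow),
            "segmented": build_segmented().permits(flow)}


if __name__ == "__main__":
    for label, f in (("lateral move web->payroll", LATERAL), ("legit app->payroll", LEGIT)):
        print(label, compare(f))
    net = build_segmented()
    print("\n".join(net.iptables_rules(net.perimeters[2])))
```

The interesting line is the lateral-move flow: the flat VLAN passes it because source and destination are both "inside", while the payroll perimeter drops it because the web tier was never declared as an allowed source, even though the port is the one the database genuinely serves. That is the whole east/west argument in one policy lookup.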

VNS3:turret - Application segmentation creates secure micro-perimeters 

VNS3:turret is an application security controller from Cohesive Networks. Enterprises can deploy multiple VNS3:turrets as encrypted, clustered virtual appliances, creating a micro-perimeter around mission critical applications. The micro-perimeter works as a secure, redundant network combined with dataflow and compliance tools. VNS3:turret’s “application segmentation” provides the most comprehensive application security model available today.

Application security controllers can add security within the network layers to strengthen existing core networking hardware and virtualization layer security. Installing full function network security appliances for each application can improve network security without changing existing network or security infrastructure.

VNS3:turret is deployed as clustered software-only virtual appliances that create a micro-perimeter to secure your mission critical business systems in any network. The application segmentation allows each application’s developer team to take a proactive role in cybersecurity in any public, private, hybrid or virtualized environment.

Get in touch with the Cohesive Networks team to find out how VNS3:turret can secure your critical applications.

Read the full post on the ITA blog

Friday, February 20, 2015

Security, Cloud and Networking Weekly News Roundup: February 16 - 20

This week's news in cloud, networking, and security - the week of February 16th: 

Lenovo laptops shipped with a dangerous piece of adware called Superfish, which installs its own root certificate into Windows' trust store, breaking HTTPS and enabling man-in-the-middle attacks. Superfish uses that position to inject advertising into secure HTTPS pages. Robert Graham has extracted the root's private key and posted it on his blog. Check whether your laptop is vulnerable by visiting this website via FiloSottile (Filippo Valsorda). Lenovo Is Breaking HTTPS Security on its Recent Laptops via the EFF
"Lenovo: For Those Who Do Have Adware Installed by the Manufacturer," quips one parody of Lenovo's tagline.

Microsoft says Azure now complies with ISO/IEC 27018, the International Organization for Standardization's privacy standard for handling personal data in public clouds. Compliance could be a major selling point for privacy-conscious customers comparing public clouds such as Google's and Amazon's. Microsoft claims compliance with ISO data privacy standard via Gigaom

Hackers used malware to impersonate bank officers and transfer millions from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts. Kaspersky Lab, which discovered the Carbanak campaign, estimates losses of over $1bn (£648m) over 24 months. Bank Hackers Steal Millions via Malware from the New York Times

HP will begin selling commodity open source switches built by Accton with Cumulus Linux OS. In 2014 HP's networking unit posted about $2.6 billion in revenue, up from $2.5 billion in 2013. HP Boosts Networking Line in Deals With Cumulus and Accton via Re/Code

Japan's National Institute of Information and Communications Technology (NICT) logged more than 25 billion attack attempts against Japanese systems in 2014, with about 40% traced to China. Japan sees 25 billion online attacks in 2014 via ZDnet

Upcoming events Cohesive is hosting and attending:
  • 2 Mar - CloudCamp Chicago - Cloud Security
  • 11 - 12 March - exhibiting and speaking at CloudExpo in London
    • Wed at 1pm Chris Swan is on the panel "Panel: Is the future containers, virtualization, or both?" in the Service Provider & Cloud Ecosystem Theatre – Technology
    • Thurs at 1.15pm Chris Swan is presenting "The Application Security Controller" in Software Defined Data Centre and Networks Theatre
  • 20 - 24 April - attending RSA Conference in San Francisco

Tuesday, February 17, 2015

A message from your friends in a foreign government

photo credit: the Atlantic


It's your friends in foreign government here.

Look, we don't normally do this, but because we’re really really nice people we thought it might be nice to give you some advice on security. Now listen carefully….

Application security is a myth. You don't need it!  It’s been made up by a bunch of startups trying to get attention for being “disruptive.” Don’t worry about them. We have your best interests at heart.

That thing that happened at Sony was not their fault.  It was probably one person (in North Korea?) who attacked them because their PS4 stopped working.

Take it from us: one nice big firewall is all you need.  The bigger the better! Make sure to get one that draws lots of power, too. The bigger the firewall is the more people it will stop from trying to break in and steal stuff. The more power it uses, the harder it works at protecting your edge. Don't worry about all that “save the planet” green stuff, that’s just more nonsense.

Of course everybody knows that one big firewall is enough.  Our research and defense departments tell us there is no chance a hacker can get in and move “east and west” across your applications compromising one system after another.

It is totally fine to have your payroll system, payment gateway, client databases, and billing solution in your application VLAN. If you’re one of those “paranoid types” then stick a firewall between your application VLAN and your edge... but you don't really need it. You're good with that big firewall at the edge!

No need to secure each application individually. If you think the cost of one of those big firewalls is just way too much, just imagine trying to configure each one yourself! Nightmare!!

No, take it from us, one massive (heavy in weight) firewall is all you need.

Now, we noticed something concerning in your email inbox... erm, in the news. That announcement from Cohesive Networks about application security... that's not true, no sir! It can't be. Just treat it like virtualization - it's 'just a fad'. Steer clear of this and buy a big firewall instead!

By Sam Mitchell, Senior Solutions Architect at Cohesive Networks
