Superfish doubles down, says HTTPS-busting adware poses no security risk

Following security professionals' near-unanimous condemnation of adware that hijacked encrypted Web connections on Lenovo computers, the CEO of the company that developed the finished product is doubling down on his insistence that it poses no threat to end users.

The statement, e-mailed to Ars by a Superfish spokeswoman and attributed to company CEO Adi Pinhas, is notable for making no reference to secure sockets layer, transport layer security, HTTPS, or any other form of encryption. Those technologies are at the core of security researchers' criticisms. They say the self-signed certificates, registered to Superfish and installed as a trusted root certificate in every affected PC's SSL/TLS store, make it easy for malicious hackers and even script kiddies to build websites that trick affected browsers into behaving as if they're connected to servers for Bank of America, Google, or any other HTTPS-protected website on the Internet. In fact, there's near-universal agreement about this. Earlier today, US-CERT joined the growing chorus of critics with an advisory headlined "Lenovo Computers Vulnerable to HTTPS Spoofing."

Despite all of this, Pinhas's statement doesn't address the criticism. Instead, it attacks an argument that no one has made—that Superfish somehow shares personal information without users' permission. Here is the statement in full:

Accused British hacker, wanted for crimes in US, won’t give up crypto keys

An alleged British hacker who has criminal charges pending in three American federal districts is preparing to petition a Suffolk County, United Kingdom court to compel the National Crime Agency (NCA) to return his encrypted seized computers and storage devices.

The BBC reported Friday that Lauri Love “will petition Bury St Edmunds magistrates for the return of his property,” on March 12, adding that “the BBC understands that the NCA has been unable to decrypt some of the files and does not want to return the computers and media devices until Mr Love helps them to decrypt them.”

Love, who was arrested in the UK in October 2013 and was released on bail in July 2014, did not immediately respond to Ars’ request for comment. The NCA is the rough British equivalent to the FBI.

“SSL hijacker” behind Superfish debacle imperils large number of users

Thursday's revelations that Lenovo PCs ship with adware that intercepts sensitive HTTPS-protected traffic have focused intense scrutiny on Superfish, the company that markets the intrusive software. But lost in the furor is the central role a company called Komodia plays in needlessly exposing the passwords and other sensitive data of not just Lenovo customers, but also a much larger base of PC users.

As this post was being prepared, Komodia's website was only sporadically available, with its homepage saying it was under distributed denial of service attacks. There's never a legitimate reason for people to carry out DDoS attacks, but the underlying anger directed at Komodia is understandable. The company proudly markets HTTPS-decrypting and interception software that's used by more than 100 clients, including Fortune 500 companies. "With a simple-to-control interface, you can intercept website traffic and network applications from any program language," a promotional video boasts. The company's website brazenly refers to one of its software development kits as an "SSL hijacker."

The fake secure sockets layer certificate found on Lenovo machines preinstalled with Superfish came from none other than Komodia. It was bundled with a password-protected private encryption key, presumably to prevent it from being used by malicious hackers to create websites that spied on users as they visited HTTPS-protected pages. But as Ars reported Thursday, the measure was laughably easy to bypass, since it took Errata Security CEO Rob Graham just three hours to discover that the password was, you guessed it, "komodia."

Windows Defender now removes Superfish malware… if you’re lucky

First the good news. Microsoft today released a signature update for Windows Defender, the anti-malware software that's built into Windows, to enable it to both detect and remove the Superfish malware that Lenovo installed on some systems.

Defender's removal process seems to be quite robust, both uninstalling the software and removing the dangerous certificate that Superfish installs. However, it doesn't appear to clean any contaminated installs of Firefox or Thunderbird; for that, you'll want to check out our manual removal instructions.
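For administrators who want to confirm whether the trusted root certificate described in these reports is still present, the following PowerShell check is an added example and is not code from Ars, Microsoft, or Lenovo. It assumes the certificate's Subject contains the vendor name "Superfish"; it inspects only the Windows certificate stores, so the separate Firefox and Thunderbird certificate databases mentioned above still need the manual steps.

```powershell
# Added example: report trusted root certificates whose Subject mentions Superfish.
# The 'Superfish' match string is an assumption based on the vendor name in the
# article; adjust it if your inventory tooling records the certificate differently.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotAfter
}

if ($suspects) {
    Write-Output 'Superfish root certificate(s) still trusted by Windows:'
    $suspects | Format-Table -AutoSize
    # Report only. Removal is a deliberate, separate step, for example:
    #   Get-ChildItem Cert:\LocalMachine\Root |
    #       Where-Object { $_.Subject -match 'Superfish' } | Remove-Item
} else {
    Write-Output 'No Superfish root certificate found in the Windows root stores.'
}
```

Run it from an elevated prompt so the LocalMachine store is readable. A clean result here does not cover Mozilla products, which keep their own NSS trust database and are exactly the installs the Defender signature update leaves untouched.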

Now the bad news. While Windows Defender is supplied as part of Windows and works well enough, Microsoft gave it some rather strange behavior as a concession to third-party anti-malware vendors. If a third-party anti-malware product is installed, Windows Defender will automatically disable itself. Many Lenovo systems include trial versions of anti-malware software; for the duration of these trials, Windows Defender will be inactive.