Kaspars Zibarts sat on the train from work. Every workday commute his over two hours each way between Scania’s IT department in Södertälje and home in Karlstad. With him on the train, he had his new Lenovo computer, which he bought Elgiganten.
– I noticed I got the wrong certificate on Google sites, and because I work with security so I thought it did not feel fair. So I started checking, and it showed that Superfish issued the certificate for Google. What the hell, I thought, and was a little nervous, says Kaspars Zibarts to IDG.se.
Read more: Lenovo accused of installing spyware on new computers – can read your bank traffic
More and more surprised he tried Nordea’s side. And yes, although there appeared Superfish up as a Certificate Authority.
– So I turned me to Nordea, the Data Inspectorate and the police and said that this is against the basic laws, that no one should be able to decrypt your secret links on the internet. Police received my notification, the other in February.
Excerpts from the letter as Kaspars Zibarts sent to the police.
Super Fish is a software who inject advertising when the user is surfing the web and comes preinstalled on a variety of consumer PCs from Lenovo sold between September and December last year. But as much knew Kaspars Zibarts not in January.
read more Lenovo promises put a lid on sneaky programs that Superfish
In addition to the bank and authorities he emailed Lenovo – but got no response anywhere. So he wrote a post in the Lenovo forums about what he discovered. Only then did it – to say the least – screw.
Kaspars Zibarts posts Lenovo forum that started it all.
On a screenshot with Nordea exemplary Kaspars Zibarts to Superfish installed an en-signed root certificate for encrypted traffic on your computer. It opens to a so-called man-in-middle attack where traffic against an encrypted web page, such as a bank, could be intercepted and read unencrypted by Superfish even though the browser shows that the traffic is safe.
read more Here Lenovo PCs that may have spyware Superfish – and so remove it
“This software söndertrasar a decade of browsersäkerhets- and integrity development, and the last five years SSL ciphers work,” wrote Cloudflares security expert Marc Rogers.
“I did not expect that it would become this big”
In short, was the discovery of Lenovo dangerous software world news. The company had to apologize, US Homeland Security sent out a warning to American citizens, Microsoft sent out an update that would clear out Superfish problem.
– I expected me not that it would be this big. Only when Cnet wrote about it, I said wow, that’s a pretty big site. But that CNN and BBC have picked it up. Ouch! I shook inside, says Kaspars Zibarts.
Around the world was astonished people that Lenovo could drop off computers with something that Superfish on. The international media has been called both outrage and betrayal.
– We know clear that we have made a significant mistake here, or we missed something. We see clearly that we did us away, said Peter Hortensius, chief technology officer at Lenovo, PC World.
International media mince not words.
But what happened with the warnings Kaspars Zibarts sent to the major Swedish bank Nordea? Data Inspection Board whose mission is to protect citizens’ privacy? Or to the police? He had even attached the images that showed how the computers went through Superfish when they joined the bank and police their own sites.
One of the pictures that was included in the letter to the police – was taken at Elgiganten.
– The of course difficult to understand if you do not work with IT security in everyday life, but in the bank, they should of course have specialists. I figured that if one turns to right bank so it would arouse interest, they’d sent out a professional warning, but no. Nada, he said.
For even in day, long after Superfish became a global scandal, has Kaspars Zibarts not received a response from either the bank or authority – but from the police, it has come.
– Funnily enough, they returned a few days before everything was great and said they did not think anything was wrong. I gave the police very simple things. I went back to Elgiganten and took pictures of laptops in the store that showed that the computers went through Superfish when they joined the police site. You’d think it would give attention, but police found this was quite ok, he says.
IDG.se has been in contact with Nordea , the bank that did not seem to take the warnings seriously.
– We can confirm that we have received the email, but what security we have and the steps we take is nothing we comment. As the Nordic region’s largest bank, of course extensive safety to protect us against various kinds of fraud, intrusion attempts, etc., writes press secretary PetterLarsson in an email request for an interview.
After all the attention , the problem is somewhat corrected, but the damage is not repaired. A number of US class action legal case being prepared against Lenovo. But Kaspars Zibarts are equally disappointed with the Swedish authorities and companies that do not heed his warnings.
– Betrayed is probably word. I’m not entirely influenced, because I can fix this yourself. But everyone else, as my wife or cousin who has no track of this stuff. What should they do?
No comments:
Post a Comment