Chinese computer manufacturer Lenovo (IBM’s former hardware division) is making headlines this month, but not the kind that most companies covet. Until as recently as January 2015, Lenovo had shipped a large number of computers with pre-installed software from adware company Superfish. In and of itself, this isn’t an uncommon practice – hardware manufacturers commonly reduce manufacturing costs for their consumer products by striking deals with various companies who pay to have their software installed on brand-new computers. As initially reported by security researcher Marc Rogers, the Superfish partnership was a bad one for Lenovo, not only because the software itself was already notorious for being adware, but also because it undermines the SSL security your computer relies on for encrypted web browsing in order to do its dirty work. Lenovo initially tried to downplay the problem, but pressure from the security community and the resulting media attention has since caused Lenovo to reverse its position 180 degrees. The CTO apologized in an open letter, and the company has issued a fix that completely removes the vulnerable software.
What this means for you:
Unless you are really into the technical details, the “what” and “how” of the Superfish vulnerability are much less important than the “why” and the “who”. In this case, we know why Lenovo installed Superfish – presumably they benefitted financially in some fashion. The real problem behind this fiasco is that Lenovo (a “trusted” brand – I use a Yoga 3 while I’m out seeing clients) missed the security flaws in this arguably useless piece of software and endangered thousands of its customers for no other reason than to make a buck. Can any hardware manufacturer be trusted to have our security in mind when making and selling their products? If the most recent NSA hard drive firmware scandal is to be believed, I’d say the answer is a resounding “no”. As we’ve seen with numerous other industries, when a company is held more accountable to shareholder profit (or “patriotic” duty?) than to consumer wellbeing, the only person we can trust is ourselves.
Unfortunately, manufacturers like Lenovo, Dell and HP have made a bed that is now very uncomfortable to lie in. Their practice of installing “bloatware” on their equipment has driven prices down to a level that may be very difficult to maintain if they can’t lean on the dollars gained from these pre-installed software deals. At minimum, they’ll have to be much more discerning about what they pre-install, which, in turn, will drive up costs and narrow their margins even further.
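The practical lesson of the Superfish episode is that a pre-installed program can quietly add a new certificate to the list of authorities your computer trusts. The script below is an added example, not code from the original post or from Lenovo, showing how a Windows user or administrator can take a baseline of the trusted root certificates on a freshly set-up machine and later list any root that has appeared since. The baseline file path is an assumption chosen for the example.

```powershell
# Added example (not from the original post): record the trusted-root
# certificate stores on first run, then report any root that was not in
# the baseline. The baseline location is an assumption for this example.
$BaselinePath = "$env:USERPROFILE\root-baseline.txt"

# Every root CA currently trusted machine-wide and by the current user.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey

if (-not (Test-Path $BaselinePath)) {
    # First run: save the thumbprints of everything trusted right now.
    $roots.Thumbprint | Set-Content -Path $BaselinePath
    Write-Host "Baseline written with $($roots.Count) root certificates."
    return
}

# Compare the current stores against the saved baseline.
$known = Get-Content -Path $BaselinePath
$new   = $roots | Where-Object { $known -notcontains $_.Thumbprint }

if ($new.Count -eq 0) {
    Write-Host "No new root certificates since the baseline was taken."
}

foreach ($cert in $new) {
    # A root whose private key also lives on this machine can be used
    # locally to sign certificates for any site, so call those out first.
    $flag = if ($cert.HasPrivateKey) { "NEW ROOT WITH PRIVATE KEY" } else { "new root" }
    Write-Output ("{0}: {1} (expires {2}) [{3}]" -f $flag, $cert.Subject, $cert.NotAfter, $cert.Thumbprint)
}
```

Run it once right after setting up (or re-imaging) a machine to create the baseline, then again whenever new software has been installed; any root listed that you did not knowingly add deserves a closer look, and removing it restores the browser’s ability to warn about impersonated sites.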
A client recently asked me, “What’s the difference between ‘malware’ and a ‘virus’? Is ‘spyware’ still a thing? Are these pop-ups a virus, or something else? Was I hacked?!?” As a computer user who could easily remember the earliest days of computer viruses, his confusion was understandable, especially when the media and sometimes even industry pros have a tendency to use those terms interchangeably when they really aren’t. Today’s malware landscape is complex enough to fill multiple textbooks, but I’ll try to boil it down to the things most professionals should know.
The term “hacking” is probably the most misappropriated term in use today. Originally, the true purpose of hacking something was to make alterations to how a device (or system) operated in order to achieve results different from the originally intended purpose of the hacked object. This could take just about any form: the brilliant, life-saving hacks used to return the Apollo 13 crew safely to earth in 1961, all the way to subverting computer security systems to paralyze a giant corporation in 2014. The important qualifier in determining whether something was “hacked” is identifying actual, human-driven intent. In most cases, malware-compromised systems are the result of an “infection” rather than purposeful hacking.
The term “malware” is a portmanteau of the two words “malicious software” which, as you might imagine, is used to describe any sort of non-native programming or code loaded into a device that subverts the device’s original purpose, with the result that its activities cause some form of harm (hence the “mal” part). Malware covers a broad range of code, from the annoying pop-ups and browser redirects that take control of your internet searches to show you advertising (aka “adware”), to the incredibly disruptive (and effective) malware that encrypts your data and holds it for ransom (aka “ransomware”). “Spyware” still exists – though it has taken a dark turn from its original advertising roots of harvesting your demographics to now harvesting your sensitive personal information for the purposes of identity theft.
Though a computer “virus” is still considered malware, most malware found today is not considered an actual virus. In keeping with the spirit of its biological predecessor, a true computer virus distinguishes itself by insinuating itself into or altering the host’s code with the express purpose of multiplying and spreading, something that is relatively rare in today’s malware, even the kinds that spread via email. Though they exhibit virus-like infection patterns, their methods of spreading are more akin to poisoning or parasitic infection.
How it all comes together
It’s important to note that malware is often a primary tool in any computer hacking effort. It can be used to weaken or subvert security systems, usually by installing other programs that facilitate activities ranging from gathering passwords and data and opening security backdoors to erasing hard drives and crippling critical network infrastructure. Though they find little comfort in it, I tell my clients that most malware infections are akin to getting the flu: it’s highly unlikely someone set out to get you sick. Typically you got it from someone who didn’t even know they were contagious.
However, similar to their biological counterparts, other digital pathogens may take advantage of your computer’s compromised immune system to cause further damage. At best, these malware infections take the form of a symbiotic parasite that may surface relatively innocuous symptoms (pop-ups, Google doesn’t work, etc.), but those redirects can lead you to further infection by more harmful malware. At the extreme, they can lead to the digital equivalent of metastatic cancer, usually with fatal results. Suffice it to say, any form of malware infection should not be tolerated, regardless of the host machine’s primary purpose, and should be taken care of immediately.