Showing results for tags 'lenovo'.
Found 8 results
What phones do you own?
sibipx posted a topic in Mobile security

Custom ROM or stock? Changed firmware? Overclock? What launchers/gadgets do you use? A screenshot of your screen? Or give other details yourselves in a reply. I'll start. HTC ONE M8, custom ROM from xda, no OC, no launcher from the Play Store (Love HTC UI), no gadgets, a screenshot is pointless because I have nothing special set up on the screen, and that's about it.
Lenovo wireless problems
bulbuc96 posted a topic in Sisteme de operare si discutii hardware

Hi. I have a Lenovo All-in-One C460 and the wireless driver doesn't work, neither the original one nor others. Please give me some advice on how I could solve the problem. Thank you!!!
Lenovo has security problems.
JrNasti.PPOW posted a topic in Stiri securitate

Hello, I'm back with an interesting piece of news, namely that Lenovo's security is creaking. A new security problem was discovered in the past few days; better now than never.

Lenovo has been accused of having major security problems because of vulnerabilities in its online update service. This comes after the Superfish scandal at the beginning of the year.

It appears that, because of the current vulnerabilities, hackers can download dangerous programs onto users' systems through a MITM (man-in-the-middle) attack.

Between September 2014 and January 2015, Lenovo preinstalled on a number of computers an adware application that exposed users to major security risks. Superfish was also able to replace the system's SSL certificates, reducing to zero the security offered by HTTPS connections.

The problems were brought to light by the security firm IOActive, a few weeks after it emerged that Lenovo was distributing computers with Superfish preinstalled. The researchers discovered the vulnerabilities in February but gave Lenovo the opportunity to fix them before making them public, SC Magazine notes.

One of the vulnerabilities, CVE-2015-2233, allows hackers to bypass signature validity checks and replace Lenovo applications with malicious software. CVE-2015-2219, another bug, allows access to and the running of malicious programs and commands. Another weakness, CVE-2015-2234, allows the execution of commands that normally only the system administrator can issue.

Sofiane Talmat, a security consultant at IOActive, confirmed to SCMagazine that Lenovo has fixed the problems, but that users must download the latest version of Lenovo System Update to be safe.

Update: This article has been supplemented with Lenovo's official statement:

“Lenovo's development and security teams worked directly with IOActive regarding the System Update application vulnerabilities found by the latter, and we appreciate their expertise in identifying and responsibly reporting them. On 1 April Lenovo released an updated version of the System Update application that resolves these vulnerabilities. We subsequently published, in collaboration with IOActive, a security advisory, available here. If the System Update application is already installed, the user is asked to install the updated version as soon as the application runs. As an alternative, users can update System Update manually by following the steps described in the security advisory. Lenovo recommends that all users update the System Update application to eliminate the vulnerabilities reported by IOActive. In general, Lenovo recommends that its users allow automatic updating of their systems, so that they always have access to the latest software available.”

Thank you for your time!
HARDWARE FIRM Lenovo has been accused of offering its customers another free bonus security threat just weeks after the Superfish scandal.

The firm has already fixed the problem, but the news, and its description as another "massive security risk", isn't good.

Superfish was a scandal for the firm and affected a lot of its hardware. Lenovo disabled the software and took any associated financial losses on the chin. Ultimately, the firm said that it had failed its customers.

"We recognise that the software did not meet that goal and have acted quickly and decisively. We are providing support on our forums for any user with concerns," Lenovo said at the time.

"Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback and taken decisive actions to ensure that we address these concerns."

Today we asked the firm to comment on the findings of IOActive Lab researchers who accused it of major vulnerabilities and a system that enables the creation and exploitation of fake credentials and the handing over of system control.

IOActive Lab said in a security report (PDF) that the problem has been fixed, but that it had granted attackers the same kind of access as a system update, and allowed for the execution of code.

Attackers could exploit a flaw in Lenovo's certificate authority methods, and use it to sign off their own executables which could have a range of capabilities.

"Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications," said the advisory.

"These applications will then be run as a privileged user. The System Update downloads executables from the internet and runs them.

"Remote attackers who can perform a man-in-the-middle attack can exploit this to swap Lenovo's executables with a malicious executable.

"The System Update uses TLS/SSL to secure its communications with the update server, which should protect against [such] attacks."

In a statement Lenovo told the INQUIRER that it worked with the security firm after it was notified and patched the problem in April. It added that it appreciates the assistance, explaining that its update fixed all issues.

"Lenovo's development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them," it said.

"Lenovo released an updated version of System Update which resolves these vulnerabilities and subsequently published a security advisory in coordination with IOActive. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive."

Source
How to paint yourself into a corner (Lenovo edition)
mundy. posted a topic in Stiri securitate

The information security news today is all about Lenovo’s default installation of a piece of adware called “Superfish” on a number of laptops shipped before February 2015. The Superfish system is essentially a tiny TLS/SSL “man in the middle” proxy that attacks secure connections by making them insecure — so that the proxy can insert ads in order to, oh, I don’t know, let’s just let Lenovo tell it:

“To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually,” the representative continued. “The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”

Whatever.

The problem here is not just that this is a lousy idea. It’s that Lenovo used the same certificate on every single Laptop it shipped with Superfish. And since the proxy software also requires the corresponding private key to decrypt and modify your web sessions, that private key was also shipped on every laptop. It took all of a day for a number of researchers to find that key and turn themselves into Lenovo-eating interception proxies.

This sucks for Lenovo users. If you’re a Lenovo owner in the affected time period, go to this site to find out if you’re vulnerable and (hopefully) what to do about it.

But this isn't what I want to talk about in this post. Instead, what I’d like to discuss is some of the options for large-scale automated fixes to this kind of vulnerability. It’s quite possible that Lenovo will do this by themselves — pushing an automated patch to all of their customers to remove the product — but I'm not holding my breath.

If Lenovo does not do this, there are roughly three options:

1. Lenovo users live with this and/or manually patch. If the patch requires manual effort, I’d estimate it’ll be applied to about 30% of Lenovo laptops. Beware: the current uninstall package does not remove the certificate from the root store!
2. Microsoft drops the bomb. Microsoft has a nuclear option themselves in terms of cleaning up nasty software — they can use the Windows Update mechanism or (less universally) the Windows Defender tool to remove spyware/adware. Unfortunately not everyone uses Defender, and Microsoft is probably loath to push out updates like this without massive testing and a lot of advice from the lawyers.
3. Google and Mozilla fix internally. This seems like a more promising option. Google Chrome in particular is well known for quickly pushing out security updates that revoke keys, add public key pins, and generally make your browsing experience more secure.

It seems unlikely that #1 and #2 will happen anytime soon, so the final option looks initially like the most promising. Unfortunately it's not that easy. To understand why, I'm going to sum up some reasoning given to me (on Twitter) by a couple of members of the Chrome security team.

The obvious solution to fixing things at the Browser level is to have Chrome and/or Mozilla push out an update to their browsers that simply revokes the Superfish certificate. There's plenty of precedent for that, and since the private key is now out in the world, anyone can use it to build their own interception proxy. Sadly, this won't work! If Google does this, they'll instantly break every Lenovo laptop with Superfish still installed and running. That's not nice, or smart business for Google.

A more promising option is to have Chrome at least throw up a warning whenever a vulnerable Lenovo user visits a page that's obviously been compromised by a Superfish certificate. This would include most (secure) sites any Superfish-enabled Lenovo user visits -- which would be annoying -- and just a few pages for those users who have uninstalled Superfish but still have the certificate in their list of trusted roots.

This seems much nicer, but runs into two problems. First, someone has to write this code -- and in a hurry, because attacks may begin happening immediately. Second, what action item are these warnings going to give people? Manually uninstalling certificates is hard, and until a very nice tool becomes available a warning will just be an irritation for most users.

One option for Google is to find a way to deal with these issues systemically -- that is, provide an option for their browser to tunnel traffic through some alternative (secure) protocol to a proxy, where it can then go securely to its location without being molested by Superfish attackers of any flavor. This would obviously require consent by the user -- nobody wants their traffic being routed through Google otherwise. But it's at least technically feasible.

Google even has an extension for Android/iOS that works something like this: it's a compressing proxy extension that you can install in Chrome. It will shrink your traffic down and send it to a proxy (presumably at Google). Unfortunately this proxy won't work even if it was available for Windows machines -- because Superfish will likely just intercept its connections too.

So that's out too, and with it the last obvious idea I have for dealing with this in a clean, automated way. Hopefully the Google team will keep going until they find a better solution.

The moral of this story, if you choose to take one, is that you should never compromise security for the sake of a few bucks -- because security is so terribly, awfully difficult to get back.

Source: A Few Thoughts on Cryptographic Engineering: How to paint yourself into a corner (Lenovo edition)
Hackers have targeted Lenovo with a website defacement attack believed to be intended to 'punish' the firm for its use of the Superfish adware.

The attack occurred on Wednesday and forced Lenovo.com to display a slideshow of images while playing Breaking Free from High School Musical.

A Lenovo spokesperson told V3 that the firm is taking action to improve the site's security and "investigating other aspects of the attack".

"Unfortunately, Lenovo has been the victim of a cyber attack. One effect of this was to redirect traffic from the Lenovo website. We are also actively investigating other aspects," said the spokesperson.

"We are responding and have already restored certain functionality to our public-facing website.

"We are actively reviewing our network security and will take appropriate steps to bolster our site and protect the integrity of our users' information and experience.

"We are also working with third parties to address this attack and will provide additional information as it becomes available."

The attack follows Lenovo's use of the Superfish adware on a selected number of laptops. The problem erupted on the Lenovo forum earlier in February when several customers reported finding Superfish installed on their machines.

Superfish is adware that collects data such as web traffic information using fake, self-signed root certificates and then uses it to push adverts to the user.

The Lizard Squad hacking group is believed to have mounted the attack on Lenovo, although this is yet to be confirmed.

Andrew Hay, director of security research at OpenDNS, said that forensic evidence indicates that the attack did stem from Lizard Squad, highlighting similarities with a previous raid on Google.com.vn.

Hay explained that Lenovo.com and Google.com.vn use the same registrar, Webnic.cc, and both are hosted in Digital Ocean's Netherlands data centre.

He also noted that both raids "used Cloudflare to obfuscate the IP address of the destination server and to balance the traffic load to the website".

Ken Westin, senior security analyst at Tripwire, pointed out that the attack would be in line with Lizard Squad's past behaviour in attacking companies that it believes have acted wrongly.

"As a result of getting its hands caught in the privacy invading cookie jar with the deployment of the Superfish adware which compromised customers' privacy and security, it has made itself an open target for a number of hacking groups which have essentially declared it open season against Lenovo for its questionable practices," he said.

Source
Lenovo has teamed up with Microsoft and McAfee to remove the Superfish adware from its machines, following concerns about security.

Lenovo announced the partnerships in a public statement, promising that the tools will let users automatically block and remove the insecure, self-signing certificates used by Superfish.

"We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," the firm said.

"These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem."

The Microsoft removal tool will be integrated into Windows Defender version 1.193.444.0.

The tools are the latest step in Lenovo's bid to allay customer concerns that the firm put personal data at risk.

The problem erupted on the Lenovo forum earlier in February when several customers reported finding Superfish installed on their machines.

Superfish is adware that collects data such as web traffic information using fake, self-signed root certificates and then uses it to push advertisements to the user.

Lenovo claims that the adware is installed on only a limited number of machines and does not affect its business-focused Thinkpad line.

"We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience," read the statement.

"While this issue in no way impacts our ThinkPads, any tablets, desktops or smartphones, or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed."

Lenovo apologised for causing concern, but argued that the company never knowingly compromised its customers' privacy.

"We apologise for causing these concerns among our users. We are learning from this experience and will use it to improve what we do and how we do it in the future," read the statement.

"Superfish technology is purely based on contextual/image and not behavioural. It does not profile or monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted."

Lenovo is one of many firms dealing with privacy and security concerns. Researchers at FireEye reported on 20 February that Apple had ignored a dangerous flaw in the iOS operating system, codenamed Masque Attack II.

Source
Lenovo taken to task over 'malicious' adware
Aerosol posted a topic in Stiri securitate

Computer maker Lenovo has been forced to remove hidden adware that it was shipping on its laptops and PCs after users expressed anger.

The adware - dubbed Superfish - was potentially compromising their security, said experts.

The hidden software was also injecting adverts on to browsers using techniques more akin to malware, they added.

Lenovo faces questions about why and for how long it was pre-installed on machines - and what data was collected.

The company told the BBC in a statement: "Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in the market from activating Superfish.

Complaining

"Superfish was preloaded on to a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish."

Users began complaining about Superfish in Lenovo's forums in the autumn, and the firm told the BBC that it was shipped "in a short window from October to December to help customers potentially discover interesting products while shopping".

User feedback, it acknowledged, "was not positive".

Last month, forum administrator Mark Hopkins told users that "due to some issues (browser pop up behaviour, for example)", the company had "temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues".

He added it had requested that Superfish issue an auto-update for "units already in market".

Superfish was designed to help users find products by visually analysing images on the web to find the cheapest ones.

Such adware is widely regarded in the industry as a form of malware because of the way it interacts with a person's laptop or PC.

Security expert from Surrey University Prof Alan Woodward said: "It is annoying. It is not acceptable. It pops up adverts that you never asked for. It is like Google on steroids.

"This bit of software is particularly naughty. People have shown that it can basically intercept everything and it could be really misused."

According to security experts, it appears that Lenovo had given Superfish permission to issue its own certificates, allowing it to collect data over secure web connections, known in malware parlance as a man-in-the-middle attack.

"If someone went to, say, the Bank of America then Superfish would issue its own certificate pretending to be the Bank of America and intercept whatever you are sending back and forth," said Prof Woodward.

Ken Westin, senior analyst at security company Tripwire, agreed: "If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers' trust, but also put them at increased risk."

Clean install

Although Lenovo has said that it has removed Superfish from new machines and disabled it from others, it was unclear what the situation would be for machines where it had already been activated.

Prof Woodward said: "Lenovo is being very coy about this but it needs to explain how long it has been doing this, what the scale is and where all the data it has collected is being stored.

"There will be remnants of it left on machines and Lenovo does not ship the disks that allow people to do a clean install."

It raises wider questions about the deals that computer manufacturers do with third parties and the amount of software that comes pre-installed on machines.

Mr Westin said: "With increasingly security and privacy-conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetisation strategies."

Users were particularly angry that they had not been told about the adware.

One Lenovo forum user said: "It's not like they stuck it on the flier saying... we install adware on our computers so we can profit from our customers by using hidden software.

"However, I now know this. I now will not buy any Lenovo laptop again."

The problem also caused a storm on Twitter, where both Lenovo and Superfish were among the most popular discussion topics.

Source