Archive for the ‘3rd Party Vendors’ Category

News from Superfish (aka Lenovogate)

Tuesday, February 24th, 2015

Hi Folks,

Last week we posted two articles about the Superfish adware that came pre-installed on some Lenovo consumer devices produced in the last quarter of 2014. Superfish raises serious security concerns because of the SSL interception technology it uses, which comes from another company called Komodia.

It seems that this will now turn into one or, more likely, several (I already know of two) class action lawsuits in the US against Lenovo; see also the article at PCWorld. I hope this will be a warning to other hardware vendors that pre-install software without any sense or effective use for the user and without any real security verification.

Lenovo has already published an uninstall tool (read also here); some anti-virus tools like Avast or Windows Defender will also remove it (or at least try to). In any case you should verify the local computer certificate store to be sure… Lenovo has also released an open letter here.

There is also other software that uses the Komodia SSL interception technology, including a trojan. There is a really good article about this by Matt Richard (Facebook Security Team) here, and I recommend reading it if you work in or are interested in IT security.

If you want to check that you don’t have any SSL interception software installed, try this site: Badfish check

Using Firefox as well as Chrome/Internet Explorer? Then don’t forget to open the website above in Firefox and also in Chrome/Internet Explorer: Firefox keeps its own certificate store, so a clean result in one browser says nothing about the other.

Cheers

Michael

Security: cloud-client.info domain blacklist

Monday, February 23rd, 2015

Hello Folks,

As already mentioned in our blog registration form, we will publish domains that are used by spam bots, malware and virus senders and/or domains from which users perform suspicious actions against our websites.

So here is our first list, called “domains_we_dont_like”, containing 643 domains (collected by our websites over the last 12 months). You can use this list as a blacklist for mail servers or to protect other web hostings/services; we also allow its use for other security-related purposes and to prevent these actions in the future. Please note: a couple of popular email providers like GMX, Yahoo or Hotmail are also in the list; as long as these providers can’t prevent the massive misuse of their services we have no reason to remove them. All listed domains were used several times for different suspicious activities. If you are responsible for one of these domains and want it removed, get in contact with us to discuss how you can be removed from the list.

The list will be updated from time to time.
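As an added example (not part of this post and not the list itself), here is how such a plain-text domain list can be applied to envelope senders in a mail filter. The sample list inside the code is constructed and is not the real “domains_we_dont_like”; what the example shows is parent-domain matching (a listed domain also covers its subdomains) and an optional exception set for sites that cannot afford to bounce all GMX, Yahoo or Hotmail mail wholesale:

```python
"""Apply a plain-text domain blacklist such as "domains_we_dont_like" to
envelope sender addresses.  Added example, not part of the original post;
SAMPLE_LIST is a constructed stand-in for the real list (one domain per
line, '#' starts a comment) and the address handling is a simplification."""

SAMPLE_LIST = """\
# constructed sample, same layout as the published list
spam-example.test
bot-sender.example   # trailing comments are allowed
GMX.example
"""


def load_blacklist(text):
    """Parse the list into a set of lower-case domains without trailing dots."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            domains.add(entry)
    return domains


def sender_domain(address):
    """Domain part of an e-mail address, normalised like the list entries."""
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain or None


def is_listed(domain, domains):
    """True if domain or any parent domain is in the set, so a listed
    spam-example.test also covers mail.spam-example.test."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def check_sender(address, blacklist, exceptions=frozenset()):
    """Verdict for one envelope sender: 'REJECT', 'OK' or 'INVALID'.

    exceptions lets a site keep mail from big providers (the post notes that
    GMX, Yahoo and Hotmail are on the list) if it cannot afford to bounce them."""
    domain = sender_domain(address)
    if domain is None:
        return "INVALID"
    if is_listed(domain, exceptions):
        return "OK"
    return "REJECT" if is_listed(domain, blacklist) else "OK"


if __name__ == "__main__":
    blacklist = load_blacklist(SAMPLE_LIST)
    for sender in ("user@mail.spam-example.test", "someone@example.org", "broken"):
        print(f"{sender:32} -> {check_sender(sender, blacklist)}")
```

For Postfix the same effect is obtained without code: write the list as “domain REJECT” lines, run postmap on it and reference the map with check_sender_access in smtpd_sender_restrictions; Postfix access maps also match parent domains of the sender domain by default.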

Cheers

Michael


Lenovo released a Superfish uninstall tool

Saturday, February 21st, 2015

Hi Folks,

After the big public concern about the Superfish tool pre-installed on some Lenovo end-consumer products, Lenovo has now released a tool to fully remove the Superfish adware.

You can download the software from the Lenovo support site here.

I strongly recommend performing the uninstall as soon as possible: the root certificate is already compromised (the password protecting its CA private key was “komodia”), which means it is now quite simple to mount, or become the victim of, a man-in-the-middle attack using this certificate. After running the tool, verify the certificate stores yourself (the Windows store and, separately, Firefox, which keeps its own).

Cheers

Michael

Warning: BYOS - Bring your own Sh**! …and why Lenovo has become an adware distributor. (Updated)

Thursday, February 19th, 2015

Hi Folks,

Can your users work with their own devices (laptop/PC/tablet) in your company environment or access your company environment from home?

Then you should look out for new Lenovo end-consumer devices! Why?

Lenovo seems to have had some fun adding a software called “Superfish” to its hard disk images. So why is this a security concern?

First of all, Superfish is adware: it adds a component to web browsers like Firefox, Internet Explorer and Google Chrome. That alone is a pain in the a*s, but to make it even worse, Superfish also adds its own trusted root CA certificate to the certificate store. With that root trusted, a man-in-the-middle attack is possible on any certificate-based SSL communication, and the browser will not show a single warning: Facebook, online banking, Remote Desktop Gateway access or your company’s NetScaler including the related ICA traffic. This affects Google Chrome and Internet Explorer through the Windows certificate store; Firefox comes with its own certificate store and doesn’t use the Windows one, so it has to be checked (and cleaned) separately. There is also a nice article describing how Superfish deals with certificates here (expand the pictures in the top post).

So I strongly recommend: if a user shows up with a “new” Lenovo device, force him to allow a device review. Uninstall Superfish (some virus scanners like Avira, or malware tools, can do the job including the certificate; just use Google) and remove all trusted CA certificates belonging to Superfish Inc., or even better: read out the Windows activation key including Office and wipe the damn system (my preferred way… 🙂 ). Removing CA certificates can be tricky (read also here), but this is the most important part.
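The two checks recommended here and in the post from February 24th above (look at the certificate a public site presents to you, as the Badfish check does, and look for the Superfish root in the local certificate store) can also be scripted. The following is an added example, not code from Lenovo, Superfish or the Badfish site; it assumes the interception CA can be recognised by the strings “Superfish” or “Komodia” in its certificate (the Superfish root is issued to “Superfish, Inc.”) and uses Python’s standard ssl module, whose Windows-only enum_certificates() reads the system root store:

```python
"""Two quick checks for SSL interception software such as Superfish/Komodia.

Added example for this post; it is not code from Lenovo, Superfish or the
Badfish site.  Assumption: the interception CA can be recognised by the
strings "Superfish" or "Komodia" in its certificate (the Superfish root is
issued to "Superfish, Inc."); extend the marker lists for other products."""
import socket
import ssl

SUSPECT_MARKERS = ("superfish", "komodia")


def issuer_fields(peercert):
    """Flatten the 'issuer' entry of SSLSocket.getpeercert() into a dict.

    getpeercert() returns the issuer as a tuple of RDNs, each a tuple of
    (attribute, value) pairs, e.g. ((('organizationName', 'X'),), ...)."""
    fields = {}
    for rdn in peercert.get("issuer", ()):
        for attribute, value in rdn:
            fields[attribute] = value
    return fields


def is_suspect_issuer(peercert, markers=SUSPECT_MARKERS):
    """True if the leaf certificate this client received was signed by an
    interception CA.  With the rogue root trusted the handshake succeeds and
    only the issuer name gives the proxy away; this is what a Badfish-style
    web check looks at."""
    issuer_text = " ".join(issuer_fields(peercert).values()).lower()
    return any(marker in issuer_text for marker in markers)


def fetch_peercert(host, port=443, timeout=5.0):
    """Connect with the OS trust store (like Chrome/IE on Windows) and return
    the parsed leaf certificate, or None if the chain was rejected."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLError:
        # A rejected chain after the root was removed while the proxy is
        # still running looks exactly like this; treat it as a finding too.
        return None


def find_suspect_der_certs(der_certs, markers=(b"Superfish", b"Komodia")):
    """Return (index, marker) for each DER certificate containing a marker.

    Names inside an X.509 certificate are stored as PrintableString/UTF8String
    bytes, so a case-insensitive byte search is a sufficient first triage of
    a root store; confirm hits with certmgr.msc or a real X.509 parser."""
    hits = []
    for index, der in enumerate(der_certs):
        lowered = der.lower()
        for marker in markers:
            if marker.lower() in lowered:
                hits.append((index, marker.decode()))
                break
    return hits


def windows_root_store():
    """DER certificates of the Windows 'ROOT' (trusted root CA) system store.
    ssl.enum_certificates() only exists on Windows builds of Python."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates() is only available on Windows")
    return [der for der, encoding, _trust in ssl.enum_certificates("ROOT")
            if encoding == "x509_asn"]


if __name__ == "__main__":
    # Check 1: does the certificate we receive for a public site carry a
    # rogue issuer?  (Firefox has its own store: repeat the check there.)
    cert = fetch_peercert("www.example.com")
    if cert is None:
        print("TLS handshake failed: chain not trusted, possible interception")
    elif is_suspect_issuer(cert):
        print("INTERCEPTED: issuer", issuer_fields(cert))
    else:
        print("issuer looks normal:", issuer_fields(cert).get("organizationName"))
    # Check 2: is a Superfish/Komodia root in the local trusted root store?
    try:
        for index, marker in find_suspect_der_certs(windows_root_store()):
            print(f"rogue root #{index} in the Windows ROOT store ({marker})")
    except RuntimeError as err:
        print(err)
```

The script sees what Chrome and Internet Explorer see, because Python’s default context trusts the Windows store; a trusted rogue root therefore produces a clean handshake, and only the issuer name reveals the proxy. Firefox keeps its own store, so its certificate manager has to be checked separately.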

Lenovo stopped deploying Superfish somewhere in January, but from what I have read so far it is only on hold and not finally stopped, so this sh**ty software could be delivered again. Customers should now “force” Lenovo to stop this for good; don’t forget that other vendors are available. Also be aware: Lenovo stopped this in January, but affected devices can still be sold in retail stores.

There is already a statement available from Lenovo (source (partly in German)):

“Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in market from activating Superfish. Superfish was preloaded onto a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish.”

Background information on Superfish

Superfish was preloaded onto select models of Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.

The Superfish Visual Discovery engine analyzes an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.

Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of Use and Privacy Policy, and has the option not to accept these terms, i.e., Superfish is then disabled.

The statement is one of the funniest I have ever read… Superfish is miracle software: it can help a user find and discover products without monitoring the user = pure magic? ..or who is supposed to believe this? What do you call real-time image recognition combined with software that intercepts and sneaks into certificate trust? A glorious present for all hackers and intelligence agencies! Did anyone at Lenovo read the Superfish “Privacy Policy”?

Superfish will collect and store certain information that is automatically collected by WindowShopper or provided by its users, such as download date, status changes, usage logs, email address. Such information will be kept private by Superfish and is not for public distribution.
Superfish will also store bugs hunting information provided regarding the service. This information is for Superfish’s internal use only and will not be distributed under any circumstances.

OK… so what do you call “It does not profile nor monitor user behavior”?

Lenovo is now a strong candidate for our “That sucks!” award. Bloatware or other useless pre-installed crap, as a lot of vendors provide, is one thing, but pre-installed adware with serious security issues is a new dimension in how hardware vendors treat customers. Today, in mixed environments, it also doesn’t matter whether the device is sold as an “end consumer” or “enterprise” device.

Update: I just got a new statement provided through the Lenovo website here. The most important part: “We will not preload this software in the future.” Lesson learned… But please remember: there could still be affected devices available in stores, and the period during which Lenovo “provided” Superfish is estimated at ~3 months.

Cheers

Michael

Video (Updated): Open the Archos Cesium 80 Tablet

Friday, January 16th, 2015

Hello Folks,

Here is a new video showing how to open the Archos Cesium 80 Windows 8.1 with Bing tablet, which is based on the Intel Atom Z3735G processor.

I needed to open the tablet to fix an issue with audio playback through the speakers (noise during playback but no sound with the Realtek I2S/Intel SST audio device; the headset always worked). After trying several drivers (really a lot… 🙁 ), the only thing that helped was to disconnect the battery from the mainboard. Of course it could also be a driver issue, but as written, other driver versions (older and newer) and the default drivers from the pre-installed Windows never fixed it for me. Some forum articles recommend changing BIOS settings to fix the issue, but the Archos Cesium 80 BIOS is very limited and doesn’t offer any relevant configuration.

Maybe the same procedure will also fix this “playback via speaker” issue on other tablets using the Intel/Realtek combo. A lot of user reports mention similar issues with other tablets and vendors, but I can’t guarantee that this solution will work for those as well.

To watch the video click here.

It’s also sad that a bunch of tablet vendors, including the chipset producers Intel and Realtek, don’t offer driver downloads, including recovery images (tablet vendors only), for these products. A Windows x86 or 64-bit tablet is not an Android tablet where the user cannot “wipe” a driver; how long will it take until a few vendors notice this? Take a look at Acer or Asus: these vendors offer recovery ISOs for their products by default (recovering a UEFI-based tablet may not be easy for the typical user, but at least a recovery solution is available).

Update: I just want to add that the power supply that comes with the device is crap at the moment; for example, you will get issues with the touch input if you use the tablet while the battery is charging. So I strongly recommend using any other power supply or a regular PC to charge the battery.

Cheers

Michael

P.S.: Of course this video comes without any warranty!

Tip: How to open the Emdoor EM-18270-D Windows 8.1 7″ Tablet

Tuesday, December 30th, 2014

Hi Folks,

Here is a short video on how to open the Emdoor EM-18270-D Windows 8.1 7″ tablet. The quality could be better, but I made the video in a single take during the lunch break with my mobile. You don’t need any tools for the task… 🙂

How to open the EM-18270-D Tablet Video

Cheers

Michael

Tip (Updated): Getting Drivers for the Emdoor 7″ EM-18270 Windows 8.1 Tablet

Monday, December 29th, 2014

Hi Folks,

Maybe you noticed that 7″ Windows 8.1 (with Bing) tablets are now available very cheaply… The cheapest one is the Emdoor EM-18270 tablet, but in this case cheap doesn’t mean poor.

I got one of these tablets and I am very happy with it. It’s an Emdoor EM-18270 tablet, available for less than 100€, and it comes with Windows 8.1 with Bing, a one-year Office 365 subscription, Micro HDMI, USB and SD card connectors, two 2 MP cameras and Bluetooth 4.0, based on an Intel Atom Z3735G (Bay Trail) platform.

The tablet is available in different revisions (EM-18270, seen in the UK as the Linx 7″ tablet, or EM-18270-D, seen in Switzerland as the Surf 7 Tab). There are only two differences I noticed: the UK version is partly available with a 32GB internal eMMC, while the Swiss version generally comes with a 16GB internal eMMC; also the UK version comes with a plastic case instead of the metal case of the Swiss version.

Update: In the US/UK a similar device can be seen as the Cube iWork7 (U67GT); it seems to be the same device based on the EM-18270, but I only got this as a report and was not able to verify it myself.

For my Swiss version I tried to optimize the eMMC/SSD usage: 16GB is not very much, and in the default installation only ~1GB of disk space is available, enough for surfing but too little for working. 🙂

So I wiped the eMMC and re-installed a regular Windows 8.1 x86 including Office (you should activate Office 365 through the device before wiping the eMMC 😉 ), compressed the Windows winsxs folder (script can be provided on demand, at your own risk) and the C:\Program Files folder, and installed/moved Office 365 to a fast SD card in the slot using symbolic links (Microsoft is still not able to provide a simple target selection during the Office 365 installation). Now I have ~5GB of free space on the eMMC and one big issue: where do I get the damn drivers for the hardware? Emdoor does not provide any recovery media or driver packages on its website. Very weak by Emdoor, but after a lot of research I found an article here: Article. The drivers for the Linx 7″, including the Kionix G-Sensor, work like a charm (don’t forget to import the registry file for the Kionix G-Sensor with administrator permissions).

So I would really like to thank the author for providing the drivers in such a simple way! If you also have the Emdoor tablet this download is a must-have for future recovery, and maybe Emdoor should rethink the way “support” is provided to customers. The device itself is great, but that doesn’t help if you cannot recover or reinstall it, and not everyone likes the “default” installation that comes with the device (like me). It should not be so hard to provide simple driver downloads…

Important: Do not perform a new installation without Windows 8.1 installation media and a valid product key; do not wipe the partition without them! You will not get Windows 8.1 with Bing installation media from Microsoft or the hardware vendor! You also have to use the x86 version of Windows 8.1: the 64-bit version will not fit on the 16GB eMMC (and these Bay Trail tablets usually ship with a 32-bit UEFI firmware, from which the 64-bit installer cannot boot anyway).

Cheers

Michael

P.S.: I did not try to install the Linx BIOS on a Surf 7 Tab; the BIOS on my device is only a few days older than the Linx one but doesn’t come with the Linx icon, so I can’t say whether that works or not; I only used the drivers… You should also read out the Windows OEM key from the BIOS in advance by following these instructions: Get OEM BIOS Windows Key

Info: Root any Android device: Towelroot demonstrates the weakness of Android and the crappy update handling of vendors

Tuesday, June 17th, 2014

Hi Folks,

Do you have an Android device and think it’s secure? You’re most likely wrong!

By using a kernel weakness present in nearly all current Android devices with a firmware build date before 06/2014 (the futex bug tracked as CVE-2014-3153), Towelroot is able to root a lot of these devices. OK, by itself this is not a big issue, but what happens if “other” apps use this weakness and start to implant “bad” code on your device without your knowledge? Do you get an update for your Samsung Galaxy S4 or any other device? Mostly not, because for most vendors Android devices are “throw-away” devices: every year a new device, and who cares about updates? Security is not important as long as the margin is okay; that’s the truth about nearly all Android device vendors. ..and in the rare case that your vendor provides a firmware update, you have to wait until all mobile providers in your region have agreed to the firmware update, including for WiFi-only devices like tablets: good night! (Hello Samsung! ..again.) Why should a mobile provider have an interest in providing you a “secure” device if you could just buy a new one?

Just check it out: install the Towelroot apk file from the project site here: Towel Root Project Site, run it, click on “let it rain” and see what happens. What do you think? Would you notice if another app did the same the first time you ran it, or would you just think the app is broken?

Don’t misunderstand me, but this is a security hole that should not exist, and vendors should be “forced” by law to provide fixes for issues like this, for a minimum of two years after the last device of a series was sold. It also means for me that Android has no place in any business environment as long as vendors don’t change their general update policies. I like Android, but I don’t like what all the “cool” vendors have done with it… Cheap stuff that is already outdated the second you buy it. If Apple, RIM or Microsoft acted the same way with their mobile OS everyone would be upset, but for Android it’s okay? No, it’s not!

Cheers
Michael

Solution: Run a pfsense firewall on Microsoft Hyper-V Server

Friday, February 7th, 2014

Hello Folks,

This one is not IGEL related but maybe interesting: there is a really cool free firewall software called pfSense (http://www.pfsense.org/).

The firewall software is based on FreeBSD and comes with a lot of cool features, but there is one problem: it will not work on Microsoft Hyper-V Server because of an issue with the FreeBSD network drivers, but you can fix it. There are some solutions already available, but none of them work really well and/or they require manual actions after every boot, so how can we fix it…

Create a new VM in Hyper-V and assign the pfSense ISO file for the installation; make sure to assign only “Legacy” network adapters to the VM. The virtual network cards in the VM are named de0, de1 and so on.

After the installation perform the basic network setup and reboot the VM. The network adapters are not working at this point, so don’t try to connect to the management GUI via HTTP. After the reboot open the VM console and enter the pfSense console menu; one virtual network card should have a “working” internet connection! Enter the pfSense shell (option 8) and type in:

ifconfig de0 down      # repeat for every network card (de1, de2, ...)
ifconfig de1 down
ifconfig de0 up
ifconfig de1 up
dhclient de0           # only for cards that get their address from an external DHCP server; repeat or skip as required

Now open the HTTP-based WebConfigurator that comes with pfSense; the network cards should work now until the next reboot. Open the System->Packages->Available Packages menu and install the “Shellcmd” package from there. After this is done open the Services->Shellcmd menu and add the commands you entered before in the shell, keeping the same order and including the dhclient commands if you used them. Reboot the VM and everything should now work on Hyper-V as well; no extra scripts or shell actions are required. (Note for later readers: pfSense 2.2, based on FreeBSD 10.1, ships with Hyper-V integration drivers, so on that version the synthetic network adapters work without this workaround.)

Cheers

Michael

Solution: Updated Apple device driver package for the IGEL Linux x86 (LX/OS) and information related to the new IOS 7

Thursday, September 19th, 2013

Hello Folks,

I’ve updated the two driver packages, which can be downloaded here:

1) Apple device driver + local aTunes (iTunes alternative for Linux) + mplayer for the media playback      Download

2) Apple device driver only      Download

The updated packages are now able to detect an Apple device without any user interaction. To enable this feature, hide all three sessions in System->Firmware Customization->Custom Application. Then browse to Custom commands->Desktop commands->Custom Command Desktop Final, remove the # from the line #setsid /config/sessions/applelauncher0 and reboot the device. After the reboot the device will check for an Apple device every 5 seconds (adjustable through the sleep commands). So you now have three ways to mount an Apple device.

One small tip: if you want to make only the DCIM folder available to transfer pictures in an ICA or RDP session, go in the IGEL Setup to the ICA or RDP global configuration and change the path in Mapping->Drive Mappings from /media/apple to /media/apple/DCIM.

If you are already using one of these packages you only have to replace the UMS profile, not the binaries.

Important note: the new Apple iOS 7 works with this package, but it seems that the iPad with iOS 7 gets too little voltage from the client. If you get other results please let me know!

(Thanks to a user for this quick update; I only had an iPad with iOS 7 for my tests, not an iPhone!)

Update: It seems that iOS 7 produces some “hiccups”; as soon as a fixed version is available I will update this package.

Cheers

Michael

P.S.: This is the last release created manually; all future releases will be created with DATI and can be edited/modified with DATI on your own. This will also serve as a sample of how you can work with DATI for an IGEL Linux software integration.

My experience with Android tablets, or how vendors like Samsung make cloud computing impossible.

Monday, September 16th, 2013

Hi,

Still not an IGEL-related topic, but currently this one really gets on my nerves: the handling of firmware updates for Android tablets by some “major” vendors, in my case Samsung.

First of all, I really like Android, but it seems that some vendors try their best to destroy this solution. So what is the story? It’s quite simple, and maybe it is not only related to Samsung products. I am talking about how firmware updates are provided by these vendors and why this has a direct impact on cloud computing and/or company policies.

First of all: What is important for a Company?

1) A working solution. (In this case an update from Android 4.0.4 to 4.1.2; Android 4.0.4 has a lot of known issues, see also here: http://socialcompare.com/en/comparison/android-versions-comparison)
2) The same patch level / features on all similar devices.

Can this be guaranteed by some vendors? No!

Why? Because it depends on where you bought the device. For example, if you bought a Samsung Galaxy Tab 2 10.1 WiFi in Serbia or the Netherlands and all your devices come from there: you are lucky and get your updates (Android 4.0.4 to Android 4.1.x in this case) very fast; but what happens if you got the device in the UK, the US, Germany, Austria or Switzerland? You can wait… …wait… and wait, and maybe after a couple of months you will receive an update. Is this a single case? No!

What is the reason for this? Quality assurance? Do Serbia or the Netherlands require less quality? No!

What else could be the reason? Regional settings or really special regional configurations? No! Until now the only major difference seems to be the Samsung regional code (CSC) in the firmware.

So what is it?

It’s quite simple: for Samsung, and maybe also some other vendors, all mobile providers in an area like Switzerland have to confirm the firmware release, even if you got a device without any provider relationship (?!?). Does this explain why you have to wait months for a working Android firmware release?

Where are the updates? The Samsung dead end road!

But wait, we’re talking about a WiFi-only device that was not bought in a mobile store, so why should a mobile provider confirm this firmware release? Nobody will tell you; don’t ask which mobile providers are blocking a firmware release and/or why, Samsung will not tell you at all. If you got a device from T-Mobile, Verizon or whoever I would understand this, but for a non-provider-branded device without the technical ability to connect to any mobile provider: sorry, but this is crazy and not usable in any company environment at all. In other words: discrimination by area, depending on the “acts of mercy” of a few hidden mobile providers and the hardware vendor (Samsung). That’s what you get!

If you search Google you will find a lot of discussions about this and how people refuse to accept this handling by flashing their Samsung device with other tools (and risking the warranty). This might be a solution… but for a company? Mobile device management? BYOD, and you tell an employee: “Oh, a Samsung device? We will flash it with our tool, you will lose your warranty and maybe we break it to get it working!” This is no solution, and I am not sure whether Samsung or any other vendor working in the same way really has an interest in being in the tablet market; it doesn’t look or feel like it to me, and good hardware quality alone is not enough. Mostly the software wins a deal, not the hardware.

So if a customer asks me next time what type of mobile device/tablet I would recommend, it would be anything but something like this. Of course you can say the Galaxy Tab 2 is an end-consumer product, but in my experience the same applies to the Galaxy Note series. For a company operating in several areas and claiming to be a “major” vendor this is not acceptable. Compare it to a laptop: you would only get an update from Microsoft once all mobile providers in your country accept the update. Sounds funny for a laptop, right? Why do you accept it for your Android-based tablet? I will not, as long as this handling for WiFi-only and/or provider-free devices is not fully changed.

…and if you have had enough and only have one or two tablets: update them yourself. There is a tool called Odin and a lot of websites/forums available to break this stupid system and flash another regional firmware on nearly every Samsung device. A vendor that is not able to provide a usable firmware update to its customers, or bloats the delivery process with useless rules that make no sense, has no right to blame any user for trying to get a working device at all.

If you plan to buy Android tablets for your company: check the update history for your area in advance and compare it to other areas. If you find a big difference depending on the area: forget it! Other vendors also offer good hardware quality, and the best hardware will not help if the software doesn’t support the things you want to do or doesn’t work the way it should.


Cheers

Michael

P.S.: If you don’t believe me, I can provide anyone with my email discussion with Samsung Support; Samsung Support confirmed the handling as described above, and I asked several times.


Solution: Improved Apple device support for IGEL Linux (x86)

Friday, September 13th, 2013

Hi Folks,

As promised, here is the improved Apple device support for the x86-based IGEL Linux.

There are now two custom partition packs available:

1) Apple device driver + local aTunes (iTunes alternative for Linux) + mplayer for the media playback      Download

2) Apple device driver only      Download

Both packs now come with an improved mount script that shows status messages to the user; an unmount session is also available.

Apple device support for IGEL Linux (x86)

New: An automount option/session is available; once started, the script will run until an Apple device has been mounted successfully.

Have fun!

Cheers

Michael

Information: Apple device support for IGEL Linux based Thin Clients (x86)

Tuesday, September 10th, 2013

Hello Folks,

Thank you for all your feedback. I will release a reworked version this Friday with a few more currently missing features and improvements.

So stay tuned…

Cheers
Michael

Tip: Wake on LAN/Magic Packet information collection and check list

Monday, January 21st, 2013

Hello,

Very often I’ve been asked about Wake on LAN, and mostly people don’t get it to work. Please note: WoL/Magic Packet is a technology created by AMD, not by IGEL!

Setting up WoL mostly requires good networking skills and the right infrastructure, so you have to figure this out yourself: there is no “general” tip or configuration at all!

Here are some good 3rd party information sources:

http://en.wikipedia.org/wiki/Wake-on-LAN (english)
http://de.wikipedia.org/wiki/Wake_On_LAN (german)
http://support.amd.com/us/Embedded_TechDocs/20213.pdf (AMD Tech Specs for Wake on LAN)
http://technet.microsoft.com/en-us/library/bb932199.aspx (Troubleshooting WoL - Microsoft TechNet)

Checklist for WoL:
1) In general, make sure that WoL/Magic Packets are supported (and not filtered) by ALL of your network devices, like routers and switches.
2) Do not hard power off your devices (power disconnect); by definition WoL will not wake up a device after a hard power off, because the network card needs standby power to listen for the packet!
3) WoL does not work through WiFi (WoL pre-dates WiFi), for VMs and/or for devices with an Intel 10GB network card (not supported by Intel)!
4) Play around with the Wake on LAN configuration in the IGEL UMS Administrator; for Universal Desktop LX/OS you can also perform some configuration through System->Registry->network.interfaces.ethernet.device0.wol. Attention: make sure you know what you’re configuring, otherwise the device will be powered on very often… 😉
5) Make sure the ARP cache/table on routers and L3 switches keeps an entry for the switched-off device and is large enough. Typical symptom: Wake on LAN works for a few hours after the device is (soft-)switched off, then from one second to the next it doesn’t work anymore. The reason is that a switched-off device can no longer answer ARP requests, so once its ARP entry has aged out a magic packet sent to its IP address can no longer be delivered. Cheap retail switches mostly provide a very limited ARP cache, and high-end switches need to be configured correctly to handle this; a static ARP entry, or sending the magic packet to the subnet broadcast address instead of the device’s IP, avoids the dependency.

Dealing with Wake on LAN is tricky and you should figure out which components are creating the issue, but in 99.99999% of cases it’s not the (IGEL) end device!
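As an added example (not part of this tip and not IGEL UMS code), here is what a magic packet looks like on the wire and how to send one; having the packet builder at hand makes the checklist above testable: send from the same segment first, then from behind the router, and compare with a capture on the target segment. The MAC and addresses in the code are placeholders:

```python
"""Build, send and recognise Wake-on-LAN magic packets.  Added example for
the checklist above, not part of the original post or of IGEL UMS.  The MAC
and addresses used in __main__ are placeholders."""
import re
import socket


def build_magic_packet(mac, password=b""):
    """AMD Magic Packet: 6 bytes of 0xFF (sync stream) followed by the target
    MAC repeated 16 times (102 bytes in total), optionally followed by a
    4- or 6-byte SecureOn password if the NIC is configured to require one."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + bytes.fromhex(digits) * 16 + password


def contains_magic_packet(payload, mac):
    """True if a captured UDP payload wakes mac.  The NIC only scans for the
    sync stream plus 16 MAC copies, so the packet may sit anywhere inside the
    payload; run this over a tcpdump/Wireshark capture on the target segment
    to see whether the packet actually arrived (checklist item 1)."""
    return build_magic_packet(mac) in payload


def send_magic_packet(mac, target="255.255.255.255", port=9):
    """Send the packet as a UDP broadcast and return its length.  A unicast
    target only works while the router still holds an ARP entry for the
    switched-off device (checklist item 5); the subnet broadcast address
    avoids that dependency."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (target, port))
    return len(packet)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"          # placeholder MAC of the thin client
    packet = build_magic_packet(mac)
    print(len(packet), "bytes:", packet[:12].hex(), "...")
    # Broadcast on the local segment; for a remote subnet use its directed
    # broadcast address (e.g. 192.168.10.255) and make sure the router forwards it.
    try:
        sent = send_magic_packet(mac, target="255.255.255.255")
        print("sent", sent, "bytes to UDP/9")
    except OSError as err:
        print("could not send:", err)
```

If the packet shows up in the capture on the target segment but the device stays off, the problem is on the device side (NIC/BIOS setting, hard power-off); if it never arrives, the path is the problem (broadcast forwarding on the router, or a missing ARP entry when you send to the device’s IP address).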

Cheers
Michael