Thursday, March 31, 2011

How not to post a security article

Yesterday a story from NetworkWorld did the rounds making the amazing claim that Samsung installs keylogger on its laptop computers with a follow up called Samsung responds to installation of keylogger on its laptop computer.

Everything about these articles set off alarm bells for me. And not alarm bells about Samsung, but about the authors.

The first article begins:
Mohamed Hassan, MSIA, CISSP, CISA graduated from the Master of Science in Information Assurance (MSIA) program from Norwich University in 2009.
This is a really bad way to start an article because it's an appeal to authority. It screams someone saying "Hello, look at me, I have all these qualifications". In computer security (and in general) I would prefer to read the results before who did the work.

The next paragraphs are about the Sony rootkit fiasco which has nothing to do with the rest of article (except for the claim that Sony == Samsung with respect to naughty low-level computer manipulation).

Then we get to the meat:
While setting up a new Samsung computer laptop with model number R525 in early February 2011, I came across an issue that mirrored what Sony BMG did six years ago. After the initial set up of the laptop, I installed licensed commercial security software and then ran a full system scan before installing any other software. The scan found two instances of a commercial keylogger called StarLogger installed on the brand new laptop. Files associated with the keylogger were found in a c:\windows\SL directory.
OK, sounds really suspicious. But then we get:
According to a Starlogger description, StarLogger records every keystroke made on your computer on every window, even on password protected boxes.
What an odd thing to say (for a security professional)? Of course keyloggers can capture passwords, they are logging keystrokes and don't care where they are going. He goes on:
This key logger is completely undetectable and starts up whenever your computer starts up.
No self-respecting security person would claim something was completely undetectable, especially after having said a couple of paragraphs before that they detected it using commercial software and that it can be found in a directory called C:\WINDOWS\SL.

Then we get:
Research online brought up a discussion of "Samsung rootkit" from May 2010 in which contributors reported a freeze on rootkit scans of Samsung laptop computers.
This seems completely irrelevant to the article since we are not talking about a rootkit, but a keylogger.

In the follow up article we get Samsung's response in the form of a quote from a second-level technical support person:
The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."
This too seems unbelievable to me. We are meant to believe that (a) Samsung installed a shareware keylogger on its systems and that (b) their technical support people are aware of it and that (c) no one noticed this before. This seems very unlikely. If Samsung really wanted to do this they'd not use some old piece of shareware and they'd keep it a secret.

A follow up by NetworkWorld says that Samsung are investigating the matter. But Samsung themselves seem to say this is a false positive from the VIPRE tool that the 'researcher' used.

I figured that would be worth checking. So I took a fresh Windows VM and downloaded VIPRE Premium and ran a scan. All it found were a few cookies.

So then I figured I'd just create a directory called C:\WINDOWS\SL and for good measure I put something in it (another directory called JGC).

And the I reran VIPRE Premium and bam it told me I had Starlogger. Since I don't this is clearly a false positive. Which brings me to something very silly that the original author said:
The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.
Poppycock! Any self-respecting security person would know that false positives are possible and real.

Now, Samsung claim that the SL folder was created for Slovenski language support for Microsoft Live (I assume they mean Windows Live Essentials).

On a fresh VM I installed Windows Live Essentials and, as Samsung says, it does create a folder called C:\WINDOWS\EN if I select English as my language.

So, how did they get an SL folder? That would have been installed when selecting Slovenski as the language. I still haven't confirmed the exact reason and I wonder if this is because of a selection that the 'researcher' made when setting up the laptops. Perhaps there's some family or personal connection that made him install the Slovenski version of Windows Live.

The moral of the story is that you shouldn't believe people who tout their credentials over details of the problem they are talking about. The authors could have gone much further with their investigation (such as seeing if the logger was running, tracking network connections to see if data was being sent and, if so, where to). But it looks to me like they stopped investigating once the antivirus software told them something was up and went ahead with quite wild accusations.

In the coming days I'd imagine that the authors and NetworkWorld are going to be forced into a public apology and that the 'researcher' will be lucky if he avoids a lawsuit for defamation.


martijn said...

F-Secure have double checked with some fresh Samsung laptops and confirmed they do not have the keylogger installed (but some models appear to have the Slovene language dir).

John Graham-Cumming said...

I guess a good possibility is that Samsung installs lots of languages by default.

Arzak said...

I wonder why this "professional" published in Network World when your report is far better, makes sense (contrary to the original story) and it's full of basic technical steps that the "professional" ignored or does not know about.

We almost forgot how easy is for a fool to expose himself on the Internet.

Jeff said...

The so-called security consultant professional - Mohamed Hassan - seems to be running his company (NetSec Consulting Corp) out of his apartment in Toronto. The website is on a budget shared host for $6/m.

Point in case it seems.

slag said...

I place much less blame on the author of the article than on the thousands of readers who exercised little to no critical analysis while reading it. This hack of a research piece spread like wildfire amongst a group of people who ought to know better.

Anton said...

You're right its an appeal to authority. Not a fallacious one though, not even a totally bad one. But you're right, the guy is a total fool. I lol'd @ Poppycock! For Samsung to install a keylogger on laptops just seems so absurd, and this guy is also. Thanks a lot for your article its very thorough and fun to read.

Appeal to Authority Breakdown