Who Can You Trust?

burglar2Earlier this week, I issued an alert to our readers regarding Lenovo’s pre-installation of Superfish onto their PCs shipped between September 2014 and February 2014. That security email blast evoked quite a few responses from our readers — and rightfully so. Superfish apparently makes it easy for hackers to exploit the program and attack users and connected networks.

As I peruse the security blogs this morning, I came across an article exposing a free cloud-based mobile and desktop messaging program called Telegram that claims to allow users to send encrypted messages to other Telegram users. Versions of this application run on iOS, Android, Windows Phone, Windows, Linux, and MAX OS X systems.

Here’s the problem with the Telegram application: a security company founder tested the program by creating private messages using Telegram’s secret chat feature on a mobile device. Unfortunately, he was able to find plain text versions of his “secret messages” and also found those messages on a cache database on the device (those messages were supposed to be deleted on the device by the program). This was all done by simulating an active attack on the device itself. Click here to read the original article.

In one case, we have a trusted computer manufacturer knowingly installing a spyware program onto its products and releasing those devices to the public. In another case, we have a company that created what seems to be a useful app, but failed to rigorously test it and harden it against attacks.

Lenovo claims that they loaded Superfish onto their devices to increase the user experience (Superfish serves up targeted ads based on user searches). I don’t doubt their sincerity. However, Lenovo didn’t properly vet the program to make sure it didn’t leave its users vulnerable to cyber-criminals. Which it did.

The makers of the Telegram application had a great idea with the intention of giving people and businesses the ability to send encrypted messages, keeping them safe from hackers. Unfortunately, they didn’t harden their app sufficiently and it did not do as advertised.

These events are very upsetting, especially since the main stream media and internet are awash with stories of data breaches, hacks, stolen records, etc. We expect criminals to try to gain access to our systems and steal our information. What we don’t expect is for trusted manufacturers and software makers to enable criminal activity by their actions (even if well-intentioned) or failure to provide safe products in the name of profit.

XSolutions is a Managed Services Provider (MSP) and provides 24/7/365 remote monitoring, scheduled workstation and server maintenance, Help Desk Services, Cloud & Hosted Services, Backup/Disaster Recovery, and Software Development. Call us at (845) 362-9675 and see how we can help your company.