Wednesday, March 30, 2011

Samsung installs keylogger on its laptop computers Part 2 | Network World

From Network World:

This story appeared on Network World at
http://www.networkworld.com/newsletters/sec/2011/040411sec1.html

Samsung responds to installation of keylogger on its laptop computers

Security Strategies Alert By M. E. Kabay and Mohamed Hassan, Network World
March 30, 2011 11:15 AM ET

In the first part of this two-part report, MSIA 2009 graduate Mohamed Hassan told of discovering a keylogger on two different models of Samsung portable computers. Today he continues the story. Everything that follows is Mr Hassan's own work with minor edits.

* * *

On March 1, 2011, I called and logged incident 2101163379 with Samsung Support (SS). First, as Sony BMG did six years ago, the SS personnel denied the presence of such software on its laptops. After having been informed of the two models where the software was found and the location, SS changed its story by referring the author to Microsoft since "all Samsung did was to manufacture the hardware." When told that did not make sense, SS personnel relented and escalated the incident to one of the support supervisors.

The supervisor who spoke with me was not sure how this software ended up in the new laptop and thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.

While in the Sony BMG security incident described in the first article in this pair one had to buy and install the CD on one's computer, Samsung has gone one step further by actually preinstalling the monitoring software on its brand laptops. This is a déjà vu security incident with far-reaching potential consequences. In the words of former FTC chairman Deborah Platt Majoras, "Installations of secret software that create security risks are intrusive and unlawful." (FTC, 2007).

Samsung's conduct may be illegal; even if it is eventually ruled legal by the courts, the issue has legal, ethical, and privacy implications for both the businesses and individuals who may purchase and use Samsung laptops. Samsung could also be liable should the vast amount of information collected through StarLogger fall into the wrong hands.

[Mich Kabay adds:]

We contacted three public relations officers for Samsung for comment about this issue and gave them a week to send us their comments. No one from the company replied.

Good luck, Samsung! We see a class-action lawsuit in your future….

* * *

Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix.
