Cybersecurity at SXSW: Dell expert on the dangers of bloatware
Cybersecurity took center stage on Sunday at the technology-crazed South by Southwest festival in Austin. Yahoo kicked things off around noon when it unveiled its new end-to-end encrypted email service, which the company claims is an easier and faster alternative to other third-party encryption services. Later on, at Austin’s new JW Marriott, Amadeus Stevenson, CTO of Decoded, led a workshop on cybersecurity, where he taught attendees how to hack their own personal laptops (it was scary easy).
Then in the afternoon, word spread that NSA leakmaster Edward Snowden spoke via teleconference at a super-secret session on the dangers of government surveillance on businesses. The session, which was reportedly attended by roughly 20 hand-picked tech professionals, consisted of a question-and-answer session in which Snowden said that businesses need to come together and collectively do a better job of beefing up their security to protect themselves from government snooping.
Missing in the cybersecurity sessions this year, though, was any discussion concerning last month’s massive security breach involving PC-maker Lenovo and its adware partner Superfish. Lenovo admitted to loading its consumer PCs with an adware bug from Superfish, which analyzes a user’s visual searches so it can place third-party ads on Google search results and other websites—without your knowledge or permission, of course.
To do this, Superfish needs to issue its own encryption certificates which, to make a long and technical story short, makes the Superfish program vulnerable to a dreaded “man-in-the-middle attack.” That’s where a third party can monitor, intercept, and redirect your Internet communication without your knowledge. The breach to Internet security was considered so bad that the Department of Homeland Security got involved, advising Lenovo users to remove the Superfish adware from their computers’ web browsers immediately.
Bloatware has always been a nuisance with new PCs, but the Superfish adware program shows that it can also be quite dangerous. Since the scandal first broke, Lenovo says it will no longer be loading its computers with as much bloatware as before and that it will disclose everything it has added.
To make sense of this incident, Fortune spoke with security expert Brett Hansen from Lenovo rival Dell. Hansen is responsible for the planning, design, and launch of all software on Dell devices. The following interview has been edited and condensed for publication.
Fortune: What exactly is a “man-in-the-middle” attack?
Brett Hansen: Basically, it involves a malicious third-party intercepting something coming off your device and being able to see it and redirect it.
How exactly does a hacker go about doing this?
So, whenever you send something off your device it’s all encrypted—that’s what keeps you protected, right? But because this credential actually has an encryption code, if I can compromise that I can see everything that’s being sent to the Internet off of your device, including your email, browsing history, any sort of transactions you’re doing. Let’s say you go to your bank and you pay some bills. Well, I can watch that whole process take place. I can see it because I have the credential.
So, if you breach my system, could you then take control of my computer?
It would be an additional step, but why would I need to? I can just watch what you’re doing and take advantage of that. Once I have your credential, your entire online experience is now available for me to see.
This all sounds a little bit too easy…
It is! Once you have that credential, your entire online experience is now available for me to see.
Does Dell load its consumer or enterprise PCs with undetectable bloatware?
We do extensive market research to make sure we are not loading software on our machines that our customers do not need or want. So we actually don’t preload many programs on our computers at all.
What do you preload and why?
We preload management software to help you track your computer’s performance and to diagnose issues. Those programs are created by Dell for Dell machines. The only other piece of software that we’ll add is if, for example, we decide to do a 3D Camera, you’re going to need specialized software. So that’s the only other place where we can be adding software because you have to enable that physical piece of hardware. Another example would be optical drives, which have to have special software to allow for Blu-ray.
What about other programs not made by Dell? You know, the ones you make money on.
We do load a few third party applications on our consumer PCs, but only a few and none are hidden. We preload McAfee [antivirus software], Microsoft Office, Dropbox, Adobe [PDF reader and Flash], and the Amazon app. That’s it. And, actually, we will be phasing the Amazon app out soon.
If our customers are not utilizing a pre-load, it’s coming off our devices; that’s our approach. It’s very straightforward, and I would challenge you to go to a Best Buy or Staples or anywhere else and go look at that Windows 8 Menu and scroll. You’re going to see that Dell has that really tiny set of apps, but with all the other companies, you’re scrolling for a half-hour because they have all this stuff up there.
What’s the biggest threat IT professionals face?
Security is the No. 1 present concern. And the reason why is … end-users are the biggest pain-in-the-neck in security. And there are two different dimensions to that: one is the folks who click on the “cute-idiot” link that is spam, or the ones who open an attachment that is spam. Yes, they’re these very sophisticated attacks that take place over months, but in almost every instance, there is a person who is the attack-point who starts the whole thing. Someone clicks on a link, someone gets infected, and then they—the cyber attackers—use that penetration point to slowly extend themselves in the enterprise. Once I have an IT administrator’s credentials, I could do an awful lot of damage. I don’t care how good your network security is, once I know who you are and I have captured your password…
It’s that easy?
If I can infect your device, yeah. Keystroke counting software is the No. 1 virus in the marketplace. And all that does is capture what you’re writing and where you’re writing it.
If I’m an IT director at, say, Sony, how can you protect the company? How can Dell help to protect a company against another Sony-type hack?
Well, first and foremost, you’ve got to pick the endpoint. The Invincea solution—which we [use] for our commercial devices—is a secure, containerized browser. It works within your existing Firefox, or Chrome, or IE [web browser]. Typically, if you have a normal PC and you open up a browser, when you hit a drive-by attack—which is when you go to a website and it downloads code, that sort of thing—it’s on your device. You’re already infected. At this point, you’re in a compromised position and all you’re doing is trying to mediate the problem. Because our browsers open up in a virtualized sandbox, if you get hacked, it hits the sandbox and infects the sandbox, but your device remains clean.
It’s like creating a ring-fence around your browser—so, yes, your browser will be attacked but not your hard-drive.
Right. Your PC will not be infected.
So why don’t they build this capability into every browser? Is it because it doesn’t work for launching advertisements and cookies?
That’s where it’s a challenge. But for commercial customers, they’re like, “You know what, we don’t care.” It also works on your Office and Adobe applications. So when you open up an email from someone you know, what might have happened is that his email got hacked, he saw that we had a meeting with you, so he sends you an email with an attachment from the email you just had, you open that attachment thinking its benign, while it’s got weaponized code. If you open it in our sandbox environment it doesn’t matter if it has weaponized code because it’s sandboxed, and if it tries to launch anything it’s hidden in the sandbox.
What about the cloud? We are sending things to the cloud and that’s a lot of data that could get “high jacked,” so to speak, by hackers.
As you save a file, it will be encrypted so if you ever lose a device—which, by the way, happens far more often than we think, it causes a lot of data breaches—they can’t get into it. If you ever plug into a USB, or move that file to another device, or move that file to a mobile device, it will still be encrypted. And if you move it up to a OneDrive, or a Dropbox, or a Box, the encryption remains intact. And so you have the key, or your IT might say, “Okay, these two characters also get the key; we trust them, they’re good people.”
Watch more SXSW news from Fortune: