Slashdot Mirror


Samsung Keylogger Stories a False Alarm

Trailrunner7 writes "The panic that arose yesterday about Samsung allegedly shipping laptops that contained a pre-installed keylogger turns out to have been a complete mistake after further investigation by security researchers and the company itself. In fact, the controversy was the result of a false positive from one commercial antimalware suite and nothing else. Several outlets reported on Wednesday that Samsung laptops had been found to contain a keylogger known as StarLogger right out of the box from the factory. However, upon closer inspection by security companies, the folder on the laptops that supposedly contained the malware was actually a directory that is part of Windows' multi-language support."


  1. epic FAIL by pasv · · Score: 5, Insightful

    We believed someone who used a 3rd rate antivirus and didn't verify with a kernel debugger? FAIL on all our parts, especially the "security researcher" who so thoroughly researched this one.

    1. Re:epic FAIL by cf18 · · Score: 5, Interesting
      Indeed.

      - an antivirus software that raises an alarm based on a two letter directory name inside \Windows, even when it is empty.

      - a "security researcher" that takes the alarm at face value and never checks if it is actually there, checks if the process runs, what kind of content it was logging and where it is sending them.

      - a low level support manager confirms the software's existence, probably thinking about the fan speed and temperature monitoring software.

    2. Re:epic FAIL by pasv · · Score: 2

      Sure you could do binary analysis and network traffic capturing but both of these things can be veiled in obscurity. Binary analysis is often extremely time consuming (especially if the author of said (spy|mal)ware is using anti-debugging tricks and self encryption which prevents normal strings from being extracted). As for the network monitoring it's possible to use steganography to pipe out information in things as obscure as DNS requests and outgoing TCP headers. But there is nothing that says keylogger quite like a hook seen from a kernel debugger. Gotta go to the source. Can't say this StarKeylogger would employ any of these techniques tho. I'm feeling just as lazy as the person who pointed said keylogger out in the first place.

    3. Re:epic FAIL by 19thNervousBreakdown · · Score: 2

      Heh I remember reading the line where he said that it definitely wasn't a false positive because it had never had one before, and going .... "what? Well, the part where he captures the network information or at the very least sees the log files on his disk somewhere must be coming soon." Nope! Just another credulous fool. By the end I was wondering how the hell he could claim that Samsung was logging every keystroke, when even if it was installed, in all likelihood Starlogger can be configured to do a number of different things.

      The part about it being "completely undetectable" gave me a chuckle too. That's not something you should say without some sort of qualifier, but he just kept on going about how bad-ass his investigation was.

      The main thing is though, no real evidence has been given either way (although given the ease of verifying his claim, the fact that it's an accusation, and its extraordinary nature, the burden of proof should clearly go on the accuser's shoulders) so either vilifying or exonerating Samsung is silly at this point. Besides, what did they think they were admitting to? Apparently there is some sort of information-gathering going on, and any at all without clear prior notice to the user and the user's acceptance is ... unacceptable.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    4. Re:epic FAIL by John+Saffran · · Score: 4, Insightful

      Not to blow my own horn, but there were some of us who were sceptical of the story until it was proven by independent sources (http://slashdot.org/comments.pl?sid=2061772&cid=35673170).

      Basically the qualifications of the author aren't technical and he's commenting on a technical topic and the story was lacking on details so such a big claim couldn't (and shouldn't) be taken at face value without independent validation.

      In this case the independent validation seems to very strongly refute the claim, which is unfortunate for the author's reputation .. I hope he's learned a lesson from this, nobody needs security people talking about things they don't understand.

    5. Re:epic FAIL by BlueKitties · · Score: 2

      It's not an EPIC FAIL, it's marketing at its finest. I've never heard of VIPRE until this morning when I saw the news. Honestly, I wouldn't be surprised if they made it all up just to get attention. If not, that's probably the most profitable false positive in history (save me the medical diagnosis puns...)

      --
      "Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
    6. Re:epic FAIL by recoiledsnake · · Score: 3, Informative

      First line of the article:

      Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT Security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix

      Then a whole lot of fluff about the Sony root kit fiasco.

      The money quote:

      The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.

      That seems to be some very concrete proof.

      Then some ramblings about how a class action lawsuit will come out of this. I too smell a lawsuit but not against Samsung.

      --
      This space for rent.
    7. Re:epic FAIL by ifrag · · Score: 4, Funny

      It could have been worse, they could have scanned it with McAfee and rendered the machine unable to boot.

      --
      Fear is the mind killer.
  2. Then why the admission of guilt? by Anonymous Coward · · Score: 2, Insightful

    Samsung did knowingly put this software on the laptop to, as he put it, "monitor the performance of the machine and to find out how it is being used."

    1. Re:Then why the admission of guilt? by TheCRAIGGERS · · Score: 2

      Yeah, but wasn't the admission of guilt quoted from an email of the original finder? It's not like we saw a Samsung press release on this.

    2. Re:Then why the admission of guilt? by LordLimecat · · Score: 2, Insightful

      This is why they didn't give you a supervisor's name, or any further details on the phone call. There was nothing resembling evidence; it was all rumor and assertion.

  3. Appropriate quote by _merlin · · Score: 4, Insightful

    The following fortune quote accompanied this story for me:

    It is not good for a man to be without knowledge, and he who makes haste with his feet misses his way. -- Proverbs 19:2

    Disturbingly appropriate, considering the story is about people jumping all over a false assumption. But I'm constantly surprised at the number of times a Windows installation with full multilingual support trips anti-malware or anti-virus software. Don't these guys even use their MSDN subscriptions to get a full set of Windows installs to test against?

    1. Re:Appropriate quote by mlts · · Score: 4, Informative

      I have found that AdBlock does far more to keep malware off a system than any antivirus program out there. Couple that with a decent firewall/NAT box/router, common sense about not running downloaded stuff, and a solid backup system, and that will pretty much make for malware-free computer usage. Using sandboxie doesn't hurt either.

    2. Re:Appropriate quote by Ja'Achan · · Score: 2

      Or apply the Sagan standard "extraordinary claims require extraordinary evidence".

      Unfortunately, "Company puts spyware on their products" is no longer an extraordinary claim

  4. Good for Slashdot for following up by HawkinsD · · Score: 4, Insightful

    At least Slashdot has the journalistic ethics to post the follow-up. Good for them. I note that Network World is doing the same.

    Yes, I said "journalistic" in the same sentence as "Slashdot." It's important.

    --
    Never attribute to malice that which can be explained by mere idiocy.
    1. Re:Good for Slashdot for following up by Blakey+Rat · · Score: 3, Insightful

      Wouldn't it be better if they updated the *original* story with the correction, instead of posting a new one?

      Anybody linking to this story on Slashdot is still linking to an uncorrected version. It's not enough to correct the article; you have to correct the article at the same URL.

  5. Re:Oh noes by Sonny+Yatsen · · Score: 2

    Even if they could, which I doubt, why would they want to bring extra attention to this when it'll just go away tomorrow?

    --
    My postings are informational and do not constitute legal advice. Act on it at your risk.
  6. Makes no sense by StillNeedMoreCoffee · · Score: 3, Insightful

    The earlier article quoted Samsung as admitting to placing the software on their computers to gather information. Either that part of the earlier story is false or the current one is. This is not good journalism.

    1. Re:Makes no sense by Anonymous Coward · · Score: 3, Informative

      It was confirmed by a low level support person who may or may not have understood what was going on.

      All the PR and Legal depts had "No Comment" till it was more thoroughly researched.

  7. I don't care about facts. by mevets · · Score: 4, Funny

    I still hate the keylogging bastards that they are, and I want to see the whole company in jail...

  8. Re:So much for being a CISA CISSP MSIA ... by WrongSizeGlass · · Score: 2

    But the original writer and now famous Security researcher is MSIA, CISSP, CISA ... That must say something, no? What do you mean Security Certifications are worthless?

    I believe you forgot LOL, SOL and GTFO.

  9. Re:Oh noes by MarkGriz · · Score: 4, Insightful

    Could? More like should.

    The title of the article was not "Did Samsung install keylogger on its laptop computers?"

    No, the title was "Samsung installs keylogger on its laptop computers", though it looks like they've updated it now to
    "UPDATE: Samsung keylogger could be false alarm"

    Great journalism there. Leap out of the gate screaming "keylogger!!!!" with zero fact checking, but later back off and say "oops we could be wrong"

    --
    Beauty is in the eye of the beerholder.
  10. What about their use of Carrier IQ on Android? by Bill+Dimm · · Score: 2
  11. Wife's Laptop by Cytlid · · Score: 3, Interesting

    My wife has a Samsung R580 which is almost a year newer than the laptops the guy mentioned in the article. I was going to scan it with some decent rootkit programs (like f-secure blacklight or rootkit revealer) only to find out some of my favorites don't work with 64bit Win7. I wrote to the guy who wrote the article, asking about the name of the "commercial security scanner" he installed. He never replied back. I booted my wife's laptop into Linux last night using a Live CD, and performed some find commands for supporting files of the StarLogger program (which showed up in a google search). Nothing. I was thinking if this was true, hers was exempt because it was almost a year older. Turns out, I find out today, I did more research than this supposedly "phd security expert" had.

    --
    FLR
  12. Inb4... by supersloshy · · Score: 2

    Inb4 all of the commenters from the previous Samsung article come in here and act like they didn't assume that the keylogger was real, didn't yell about how Samsung should/will be persecuted for this, and didn't ask for people to boycott Samsung ;)...

    I always hear Slashdotters complaining about "moral panic" and complaining about the "idiots" who don't do their research before making claims... How is this any different? Really, it's no different. Is the level of "corporate hate" on Slashdot really that high as to exclude any common sense (apparently not so common) when dealing with a subject like this where it's impossible to tell whether he was right? He said he was right in the previous article, but why did you blindly trust him? All it takes for a simple, non-assuming comment is to add "If this is true," to the beginning of your comments. It isn't very hard and it doesn't make you look like an idiot when the entire reason you said those things turned out to be bullcrap.

    --
    "Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
  13. where is the outrage? by pablo_max · · Score: 2

    Turn on the TV. Go to any "News" site. Everything is designed to make you react in some way. They especially like to find the most "outraged" person and interview them.
    It is a bit sad. People will freak out about stuff like this and demand action, yet your government erodes your rights and destroys your country a little bit more each day and the same people are quiet.
    Tell me /., where is the outrage for things that matter?

  14. Won't slow down your PC! by evilgrug · · Score: 2

    The tagline for VIPRE AntiVirus is 'Finally Antivirus Software That Won't Slow Down Your PC!'.

    I guess we know why. Who wants to spend all those CPU cycles searching through binaries both in RAM and on disk, comparing them against a database of virus patterns, and performing advanced heuristics checks when it's so much easier to match directory names and call it a day?

  15. Slovenian StarLogger by BitterKraut · · Score: 4, Insightful

    From Samsung's comment at http://www.samsungtomorrow.com/1071 it seems that the security program used identified the folder as StarLogger based solely on the fact that the folder's name is SL for Slovene. Incredible.

    1. Re:Slovenian StarLogger by jcla · · Score: 4, Informative

      I checked my newly purchased Samsung laptop last night after I saw the article and it had the /sl folder on it, but it took about half a second and an ounce of brainpower to notice that there was a large number of similar directories that all looked like language/country codes. And they all had the same kind of non-executable file in them. I'm not Slovenian.

  16. IT World standard practice by PhreakOfTime · · Score: 2

    My initial reaction was more along the lines of "That sounds unlikely" than "Burn them!".

    My initial response was:
    It's a Network World/IT World article, so it's probably made up garbage that will be debunked within hours.

    And look at that... it was. Shocking.

    I have a friend who likes to send me IT World articles. It's become a running joke how badly their articles are written. Well, a joke to me at least, he still thinks they are some sort of reputable news source for all things IT and that I am just 'picking on them'.

  17. Re:Oh noes by LordLimecat · · Score: 4, Insightful

    Everyone who left a comment decrying Samsung in the last article is just as much to blame. You give approval to such antics by your reaction.

  18. Re:So much for being a CISA CISSP MSIA ... by sglane81 · · Score: 5, Insightful

    Not to mention these gems:

    I installed ... security software ... The scan found two instances of a commercial keylogger called StarLogger ... This key logger is completely undetectable ...

    So, this program found something which couldn't be found. Check.

    After an in-depth analysis of the laptop, my conclusion was that this software was installed by the manufacturer, Samsung. I removed the keylogger software, cleaned up the laptop

    Removed the keylogger by removing the folder? Check.

    I found the same StarLogger software in the c:\windows\SL folder of the new laptop. The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years.

    So, "false-positive proof." Good to know that your extensive experience running an anti-virus program has yielded perfect results. Don't worry about the fact that you don't actually know what you're talking about.

    ... logged incident 2101163379 with Samsung Support (SS). First, as Sony BMG did six years ago, the SS personnel denied ... SS changed its story ... SS personnel relented and escalated the incident ...

    Can we claim Godwin here? I have a feeling Samsung Support doesn't refer to itself as the SS.

    You obviously have some kind of agenda, Mohamed Hassan, MSIA, CISSP, CISA. I know now to never trust anything NetSec Consulting Corp does. Also, congrats on being an "adjunct professor of Information Systems in the School of Business at the University of Phoenix."

    --
    This is the Internet. You can say "fuck" here. - AC
  19. Security Expert? by stinkbomb · · Score: 2

    "Mohamed Hassan, MSIA, CISSP, CISA is the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services. He is a senior IT Security consultant and an adjunct professor of Information Systems in the School of Business at the University of Phoenix."

    And is now the laughing-stock of the IT security world.

    Nice job moron!

  20. Re:So much for being a CISA CISSP MSIA ... by RoverDaddy · · Score: 2

    Removed the keylogger by removing the folder? Check

    I'm guessing that by 'removing the keylogger', he meant 'let the anti-virus' software do its default recommended action'.

    --
    RETURN without GOSUB in line 1050
  21. Re:One word: by jeek · · Score: 2

    Is "One" the slovenian translation of the English word "Three"?

    --
    If you want to be seen, stand up. If you want to be heard, speak up. If you want to be respected, sit down and shut up.
  22. Knee-jerk response is awesome by ashidosan · · Score: 5, Informative

    John Graham-Cumming has an excellent, level-headed response to Mohamed Hassan's entire "research."

    Also confirmed at F-Secure.

  23. Re:Hold on a second. by pclminion · · Score: 2

    Where did the quote come from? It came from an idiot, apparently. If it was true, only an idiot would admit to it. If it was not true, only an idiot would say it was. I tend to discount what idiots say, as should you.

    All those who knew that this was obviously false when it was posted yesterday, raise your hands and link to your comments:

    "This is not believable." Oh, and let me reiterate. Anyone who actually believed a company would do something like this, is a god damned moron. I mean seriously, what the fuck people?

  24. Re:Oh noes by jimicus · · Score: 2

    The Streisand effect is generally associated with people doing something silly, realising their mistake and then trying to shut the door after the proverbial horse has bolted.

    In this case, I think the thing most likely to invoke the Streisand effect would be if the blogger tried to cover up the whole sorry episode by trying to bully sites mentioning either the original article or the subsequent debunking. I reckon Samsung, OTOH, could sue the blogger with relatively little fear of Streisanding. As long as they didn't try to sue everyone else for reporting the story.