James Delahunty
2 Apr 2011 3:20
GFI, the company that owns the VIPRE security products, has apologized for its part in a claim made earlier this week that Samsung pre-installed keylogging software on new laptops.
The headlines of Samsung pre-loading spying software on its laptops made waves online on Wednesday and through Thursday. The claim was originally published by NetworkWorld.com through a guest contributor, Mohamed Hassan. Some contributions were also made to the articles by Mich Kabay.
Original Reports - Discovery
The two-part report from Hassan and Kabay separates the story into the discovery of the keylogging software, and then Samsung's response and alleged admission to it being there.
Some problems with the claims were immediately noticeable. First, in the discovery article, Hassan claims to have been alerted to the presence of the threat on a new Samsung R525 by a "commercial security software" he installed on the system. Hassan never names the security product that fingered the threat, which is bizarre in such a report, especially given the gravity of the accusation against Samsung.
Nevertheless, the security product did flag the C:\Windows\SL directory as the "StarLogger" keylogger, a commercial tool used for spying on activities. This was also the case for a second Samsung laptop, R540, that he got weeks later after experiencing problems with the video display driver in the R525.
Hassan interpreted the presence of the same alleged threat on two Samsung laptops, discovered by the same security software, as supporting his own position that the manufacturer had placed it there. He ruled out a false positive since he had been using the tool that discovered it for six years and never experienced one.
This turned out to be a disastrous assumption on his part. After contacting Hassan, Samsung did its own tests and quickly confirmed that there is no keylogger on either laptop. Instead, VIPRE security software incorrectly reported the C:\Windows\SL directory as the StarLogger program.
GFI apologizes for false positive
Using a company blog, Alex Eckelberry, general manager of GFI Security, posted an apology. He acknowledged that VIPRE did produce a false positive for a directory used for the Slovenian language with Windows Live products. Unfortunately, the same directory is also known to be used with StarLogger.
"The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic. I want to emphasize 'rarely', as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process," Eckelberry wrote.
"We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive. False positives do happen, it’s inevitable and like all antivirus companies, we continually strive to improve our detections, while reducing any chance of a false positive. This one (admittedly, an incredibly embarrassing one) made it through our processes, and I have met with the senior managers in the area this morning to handle what happened and to continue to improve our processes."
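The failure mode Eckelberry describes, shown as an added Python example that is not VIPRE's code: a path-only rule flags any folder at the signature's location, while a rule that needs a file-content match for a detection sends the language folder to review instead. The signature layout, function names, file names and hash are constructed placeholders; only the folder path comes from the reports.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed signature. The folder path is the one named in the reports;
# the hash is a placeholder, not a real StarLogger indicator.
SIGNATURE = {
    "name": "StarLogger",
    "folder": PureWindowsPath(r"C:\Windows\SL"),
    "file_hashes": {hashlib.sha256(b"PLACEHOLDER-KEYLOGGER-BINARY").hexdigest()},
}

# Constructed folder contents: file name -> file bytes.
LANGUAGE_PACK = {"resources.dll.mui": b"constructed Slovenian UI strings"}
INFECTED = {"logger.exe": b"PLACEHOLDER-KEYLOGGER-BINARY"}


def path_only_verdict(folder, signature=SIGNATURE):
    """Aggressive heuristic: a matching folder path alone counts as a detection."""
    # PureWindowsPath compares case-insensitively, as Windows paths do.
    return PureWindowsPath(folder) == signature["folder"]


def corroborated_verdict(folder, files, signature=SIGNATURE):
    """Require a file-content match for a detection; a path match alone
    only queues the folder for review. Returns (verdict, reason)."""
    matches = sorted(
        name for name, data in files.items()
        if hashlib.sha256(data).hexdigest() in signature["file_hashes"]
    )
    if matches:
        return ("detected", "content match: " + ", ".join(matches))
    if PureWindowsPath(folder) == signature["folder"]:
        return ("needs-review", "path matches, no file content matches")
    return ("clean", "no path or content match")


if __name__ == "__main__":
    for label, files in (("language pack", LANGUAGE_PACK), ("infected", INFECTED)):
        print(label,
              "| path-only:", path_only_verdict(r"C:\Windows\SL"),
              "| corroborated:", corroborated_verdict(r"C:\Windows\SL", files))
```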
Samsung admission of guilt?
According to a NetworkWorld.com article posted on Thursday, it was this reliance on the accuracy of VIPRE's scan results and "oral confirmation" that ultimately led to the mistake. The oral confirmation refers to an alleged admission that Samsung does install the software on its laptops to "monitor the performance of the machine and to find out how it is being used."
This admission allegedly comes from a supervisor of Samsung Support, to whom Hassan was transferred by tech support staff. "The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop," Hassan wrote.
This alleged confession is also very bizarre and it would be interesting to hear something from Samsung about this claim. Still, we're not entirely sure that the word of a tech support supervisor should have been used as actual evidence of guilt.
So what has happened since?
According to updates posted on NetworkWorld.com, Samsung handed over two fresh laptops for analysis, probably just to be thorough.
[UPDATE 3/31/11: Mich Kabay writes: A Samsung executive personally flew from Newark, N.J., to Burlington, Vt., carrying two unopened boxes containing new R540 laptop computers. These units were immediately put under seal and details recorded for chain-of-custody records. At 17:40, Dr Peter Stephenson, Director of the Norwich University Center for Advanced Computing and Digital Forensics, began the detailed forensic analysis of the disks. We expect results by Monday.]