Mohamed Hassan, MSIA, CISSP, CISA, the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services, said he first became aware of spy software installed on a Samsung R525 last month. He claimed he deleted the keylogging software (StarLogger) from the system immediately, using "licensed commercial security software" that he failed to name.
"After an in-depth analysis of the laptop, my conclusion was that this software was installed by the manufacturer, Samsung," wrote Mr Hassan.
Just a couple of weeks later, after experiencing problems with the "video display driver", he returned the R525 and picked up an R540 instead at a different store. Once again, he was alerted to the same keylogging software as he was with the first notebook and again, deleted it.
"Again, after the initial set up of the laptop, I found the same StarLogger software in the c:\windows\SL folder of the new laptop," Hassan claims.
"The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years. The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops."
In a follow-up article, Hassan describes his contact with Samsung Support. The support personnel denied the presence of any such software on the Samsung notebooks. Then, Hassan alleges, after being told the same software was found on both the R525 and R540, the staff "changed its story" and referred him to Microsoft since "all Samsung did was to manufacture the hardware."
Hassan was then redirected to one of the support supervisors. Here's where it gets very interesting. First the supervisor allegedly claimed to not be sure how the software could have gotten there. Then, after leaving Hassan on hold for a while, he admitted that Samsung did knowingly put the software on the laptop to "monitor the performance of the machine and to find out how it is being used."
That would seem like a damning admission, and indeed, Hassan's articles, published with some extras by Mich Kabay on networkworld.com, relate it to the Sony BMG rootkit incident and name-drop Mark Russinovich, Microsoft technical fellow (who was at Sysinternals at the time).
Kabay's final comment on the second article sums up the general tone of both articles...
"We contacted three public relations officers for Samsung for comment about this issue and gave them a week to send us their comments. No one from the company replied.
Good luck, Samsung! We see a class-action lawsuit in your future…"
Indeed, if true, this would be a legal catastrophe for Samsung. Luckily for Samsung, it is not true at all and there is a much simpler explanation of what really has happened here.
Samsung was surprised by the allegations and opened an investigation immediately. It turns out that there is no keylogging software on either model. Instead, VIPRE security software incorrectly reported the Slovene language folder for some Microsoft software as StarLogger. The false positive was for the c:/windows/SL directory.
Here is the full statement from a Korean Samsung site, along with a screenshot of the VIPRE security software showing the false-positive alert.
"The statements that Samsung installs keylogger on R525 and R540 laptop computers are false.
Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft’s Live Application for a key logging software, during a virus scan.
The confusion arose because VIPRE mistook Microsoft's Live Application multi-language support folder, "SL" folder, as StarLogger.
(Depending on the language, under C:\windows folders "SL" for Slovene, "KO" for Korean, "EN" for English are created.)
Samsung will continue to respect customer needs by providing the highest quality products and services."
So while it is a great thing for customers who own these R525 and R540 products to know it's a false positive, how much damage has potentially been done to Samsung? A Google search today of the directory in question (c:/windows/SL) pulled up the first result as "How to Find and remove StarLogger from Samsung Laptops" (they have since put a note on the page reflecting Samsung's denial and the explanation for the false positive, but perhaps the best course of action would be to remove the page entirely or at least change the title?). Perhaps more worrying is that (at the time of writing) a Google search for "Samsung R525" displays the networkworld.com article, titled "Samsung installs keylogger on its laptop computers", in the first 10 results.
It is a tad surprising that, with the credentials listed for Mr Hassan, as well as the fact that he is founder of NetSec Consulting Corp, a firm that specializes in information security consulting services, he didn't suspect a false positive, on the grounds that he has used the same commercial security software for six years and didn't get one yet. And why wasn't the VIPRE software mentioned (in the networkworld article) so other IT consultants could see for themselves if it was a false positive by simply creating the c:/windows/SL directory on their clean systems?
This all just seems to be a mistake/embarrassment that could have been completely avoided by some simple research. It's hard to see how Mr Hassan's "in-depth analysis" of his laptop led him to the conclusion that one of the biggest consumer electronics firms in the world would be so stupid as to pre-load spying software onto customers' laptops. I mentioned the name-dropping of the respectable Mark Russinovich for a reason: his Sysinternals suite contains a bunch of tools that would have been very helpful in checking for such spying software, such as Process Monitor, Process Explorer or Autoruns, none of which require any kind of specialist IT skills to use.
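The reproduction test suggested above (create the SL folder on a clean system and see whether the scanner alerts) can be shown with a small added example, which is not code from VIPRE, Samsung or the original article. The folder path comes from the article; the rule logic, file names and the "known-bad" hash are constructed for illustration, and the example assumes the alert was keyed on the folder path alone.

```python
import hashlib
import tempfile
from pathlib import Path

# Folder path is from the article; the payload and its hash are constructed
# placeholders for illustration, not real indicators of compromise.
FLAGGED_DIR = Path("windows") / "SL"
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-keylogger-sample").hexdigest()}

def path_only_detect(root: Path) -> bool:
    """Weak rule: alert as soon as the folder exists, whatever it contains."""
    return (root / FLAGGED_DIR).is_dir()

def corroborated_detect(root: Path) -> list[Path]:
    """Stronger rule: the folder is only a hint; alert on files inside it
    whose content hash matches a known-bad sample."""
    folder = root / FLAGGED_DIR
    if not folder.is_dir():
        return []
    return sorted(
        f for f in folder.rglob("*")
        if f.is_file()
        and hashlib.sha256(f.read_bytes()).hexdigest() in KNOWN_BAD_SHA256
    )

def compare_rules() -> dict[str, tuple[bool, int]]:
    """Run both rules on three constructed systems.
    Returns {label: (path_only_alert, corroborated_file_count)}."""
    cases = {
        "empty_folder": {},  # the clean-system reproduction test
        "language_pack": {"example.mui": b"Slovene resource strings"},
        "real_payload": {"payload.bin": b"constructed-keylogger-sample"},
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, files in cases.items():
            root = Path(tmp) / label
            (root / FLAGGED_DIR).mkdir(parents=True)
            for name, data in files.items():
                (root / FLAGGED_DIR / name).write_bytes(data)
            results[label] = (path_only_detect(root), len(corroborated_detect(root)))
    return results

if __name__ == "__main__":
    for label, (path_hit, n_files) in compare_rules().items():
        print(f"{label:14} path-only={path_hit!s:5} corroborated-files={n_files}")
```

The path-only rule alerts on all three systems, including the empty folder, while the corroborated rule alerts only where a matching file is actually present.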
Perhaps this is all just a big misunderstanding that got blown out of proportion. The good news is it is not true. We have not yet entered the terrifying world of pre-installed spy software on our OEM products just yet.
UPDATE: I am a tad bit surprised that networkworld.com is still running this as a top story and has yet to even mention Samsung's statement clearing the issue up (14:15pm, GMT+1). The top news story on the site right now is "Samsung investigating report of keylogger on its laptops", while a graphic (shown on the right and sourced on networkworld.com homepage) still asserts that "Samsung is pre-loading keyloggers on its laptop computers."
This issue has been corrected almost everywhere online except networkworld.com. What's going on, guys? It's a two-page article and it still doesn't even link to Samsung's latest response? Oh, and that second page actually doesn't have any relevant content on it at time of writing either; it simply declares that "IDG, the parent company of the IDG News Service, also publishes Network World."
Comments published to the article seem to be from pretty underwhelmed users. "Wow, amateur hour here at Network World. I hope Samsung drags your asses into court. Your software reports a false positive and you don't confirm with other software or your own analysis? Good luck." posted by Anon on Thu, 03/31/2011 - 7:24am.
"I found disturbing all the blogosphere is already posting Samsung reaction on the story about some guy making false claim based on crappy anti spyware, this guy should not touch windows again. Besides, Network World fail to cover the whole story and fail to come back with update to correct their mistakes." another comment from an "Anon" source reads, posted by Anon on Thu, 03/31/2011 - 8:59am.
UPDATE 2: NetworkWorld seems to be caught up with the rest of us now. Along with the new news item, the first article that was attributed to Hassan and Kabay has been updated to reflect the change.
"Samsung has launched an investigation into the matter and is working with Mich Kabay and Mohamed Hassan in the investigation. Samsung engineers are collaborating with the computer security expert, Mohamed Hassan, MSIA, CISSP, CISA, with faculty at the Norwich University Center for Advanced Computing and Digital Forensics, and with the antivirus vendor whose product identified a possible keylogger (or which may have issued a false positive). The company and the University will post news as fast as possible on Network World. A Samsung executive is personally delivering a randomly selected laptop purchased at a retail store to the Norwich scientists. Prof. Kabay praises Samsung for its immediate, positive and collaborative response to this situation."
Immediate, positive and collaborative response? That is quite a tone change compared to the "class-action lawsuit" predicted for their future in the second article. At least Samsung is being cleared of any wrong-doing, as with today's ruthless competition in the media, it is quite easy for reputations to be destroyed needlessly.
Written by: James Delahunty @ 31 Mar 2011 8:52