AfterDawn: Tech news

Samsung did not install keylogger on notebooks

Written by James Delahunty @ 31 Mar 2011 8:52 User comments (13)

Samsung did not install keylogger on notebooks Contrary to reports online, the South Korean tech firm did not install spy software on some of its notebooks.
Mohamed Hassan, MSIA, CISSP, CISA and the founder of NetSec Consulting Corp, a firm that specializes in information security consulting services, said he first became aware of spy software installed on a Samsung R525, last month. He claimed he deleted the keylogging software (StarLogger) from the system immediately, using a "licensed commercial security software," that he failed to name.

"After an in-depth analysis of the laptop, my conclusion was that this software was installed by the manufacturer, Samsung," wrote Mr Hassan.

Just a couple of weeks later, after experiencing problems with the "video display driver", he returned the R525 and picked up an R540 instead at a different store. Once again, he was alerted to the same keylogging software as he was with the first notebook and again, deleted it.



"Again, after the initial set up of the laptop, I found the same StarLogger software in the c:windowsSL folder of the new laptop," Hassan claims.

"The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years. The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops."

In a follow-up article, Hassan describes his contact with Samsung Support. The support personnel denied the presence of any such software on the Samsung notebooks. Then, Hassan alleges, after being told the same software was found on both the R525 and R540, the staff "changed its story" and referred him to Microsoft since "all Samsung did was to manufacture the hardware."

Hassan was then redirected to one of the support supervisors. Here's where it gets very interesting. First the supervisor allegedly claimed to not be sure how the software could have gotten there. Then, after leaving Hassan on hold for a while, he admitted that Samsung did knowingly put the software on the laptop to, "monitor the performance of the machine and to find out how it is being used."

That would seem like a damning admission, and indeed, Hassan's articles, published with some extras by Mich Kabay on networkworld.com, relates it to the Sony BMG rootkit incident and name-drops Mark Russinovich, Microsoft technical fellow (who was of Sysinternals at the time).

Kabay's final comment on the second article sums up the general tone of both articles...

We contacted three public relations officers for Samsung for comment about this issue and gave them a week to send us their comments. No one from the company replied.

Good luck, Samsung! We see a class-action lawsuit in your future…"

Indeed, if true, this would be a legal catastrophe for Samsung. Luckily for Samsung, it is not true at all and there is a much simpler explanation of what really has happened here.



The firm was surprised by the allegations and opened an investigation immediately. It turns out that there is no keylogging software on either model. Instead, VIPRE security software incorrectly reported the Slovene language folder for some Microsoft software as StarLogger. The false positive was for the c:/windows/SL directory.

Here is the full statement from a Korean Samsung site, along with a screenshot of VIPRE security software alerting the false positive.

"The statements that Samsung installs keylogger on R525 and R540 laptop computers are false.

Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft’s Live Application for a key logging software, during a virus scan.

The confusion arose because VIPRE mistook Microsoft's Live Application multi-language support folder, "SL" folder, as StarLogger.

(Depending on the language, under C:windows folders "SL" for Slovene, "KO" for Korean, "EN" for English are created.)

Samsung will continue to respect customer needs by providing the highest quality products and services.



So while it is a great thing for customers who own these R525 and R540 products to know its a false positive, how much damage has potentially been done to Samsung? A Google search today of the directory in question (c:/windows/SL) pulled up the first result as "How to Find and remove StarLogger from Samsung Laptops" (they have since put a note on the page reflecting Samsung's denial and the explanation for the false positive, but perhaps the best course of action would be to remove the page entirely or at least change the title?). Perhaps more worrying is that (at the time of writing) a Google search for "Samsung R525" displays the networkworld.com article, titled "Samsung installs keylogger on its laptop computers", in the first 10 results.



It is a tad surprising that with the credentials listed for Mr Hassan, as well as the fact that he is founder of NetSec Consulting Corp, a firm that specializes in information security consulting services, he didn't suspect a false positive on the grounds that he has used the same commercial security software for six years and didn't get one yet? And why wasn't the VIPRE software mentioned (in the networkworld article) so other IT consultants could see for themselves if it was false positive by simply creating the c:/windows/SL directory on their clean systems?

This all just seems to be a mistake/embarrassment that could have been completely avoided by some simple research. It's hard to see how Mr Hassan's "in-depth analysis" of his laptop led him to the conclusion that one of the biggest consumer electronics firms in the world would be so stupid as to pre-load spying software into customer's laptops. I mentioned the name dropping of the respectable Mark Russinovich for a reason, his Sysinternals tools contain a bunch of tools that would have been very helpful in checking for such spying software, such as Process Monitor, Process Explorer or Autoruns, none of which require any kind of specialist IT skills to use.

Perhaps this is all just a big misunderstanding that got blown out of proportion. The good news is it is not true. We have not yet entered the terrifying world of pre-installed spy software on our OEM products just yet.

UPDATE: I am a tad bit surprised that networkworld.com is still running this as a top story and has yet to even mention Samsung's statement clearing the issue up (14:15pm, GMT+1). The top news story on the site right now is "Samsung investigating report of keylogger on its laptops", while a graphic (shown on the right and sourced on networkworld.com homepage) still asserts that "Samsung is pre-loading keyloggers on its laptop computers."



This issue has been corrected almost everywhere online except networkworld.com. What's going on guys? It's a two page article and it still doesn't even link to Samsung's latest response? Oh and that second page actually doesn't have any relevant content on it at time of writing either, it simply declares that "IDG, the parent company of the IDG News Service, also publishes Network World."

Comments published to the article seem to be from pretty underwhelmed users. "Wow, amateur hour here at Network World. I hope Samsung drags your asses into court. Your software reports a false positive and you don't confirm with other software or your own analysis? Good luck." posted by Anon on Thu, 03/31/2011 - 7:24am.

"I found disturbing all the blogosphere is all ready posting Samsung reaction on the storing about a some guy making false claim based on crappy anti spyware, this guy should not touch windows again. Beside, Network World fail to covert the whole story and fail to come back with update to correct their mistakes." another comment from an "Anon" source reads, posted By Anon on Thu, 03/31/2011 - 8:59am.

UPDATE 2: NetworkWorld seems to be caught up with the rest of us now. Along with the new news item, the first article that was attributed to Hassan and Kabay has been updated to reflect the change.

"Samsung has launched an investigation into the matter and is working with Mich Kabay and Mohamed Hassan in the investigation. Samsung engineers are collaborating with the computer security expert, Mohamed Hassan, MSIA, CISSP, CISA, with faculty at the Norwich University Center for Advanced Computing and Digital Forensics, and with the antivirus vendor whose product identified a possible keylogger (or which may have issued a false positive). The company and the University will post news as fast as possible on Network World. A Samsung executive is personally delivering a randomly selected laptop purchased at a retail store to the Norwich scientists. Prof. Kabay praises Samsung for its immediate, positive and collaborative response to this situation."

Immediate, positive and collaborative response? That is quite a tone change compared to the "class-action lawsuit" predicted for their future in the second article. At least Samsung is being cleared of any wrong-doing, as with today's ruthless competition in the media, it is quite easy for reputations to be destroyed needlessly.

Tags: Samsung
Previous Next  

13 user comments

131.3.2011 09:33

Added Update.

231.3.2011 12:37

Awesome article Dela, Thank you.

...And WOW... Fail much?
(My guess is Network World did not want to change the title because its getting massive hits on its website due to it.)

331.3.2011 18:54

Seems like a lot of pointing fingers and covering of their own rears.

41.4.2011 13:58

When you point one finger, look at your hand - 3 of them are pointing back at you.
What a joke this guy Hassan is. I think he should lose some of his creds. I can't believe he would make such a loud accusation without testing with MANY different AV software packages. I think he probably got excited about the potential 'feather in his cap' which would boost his business.
That being said - we've all been there before (hopefully in a less public manner), and I hope he apologizes and learns from this lesson.

51.4.2011 21:05

Samsung did not install keylogger on notebooks...yeah and bill Clinton did not have sexual relation with that woman.


63.4.2011 05:30

Mr Hassan sounds like a bit of a useless consultant to me - aren't they all!!!

Probably using it to try and make some money/increse his business by making false claims.

Makes NetSec Consulting Corp look like complete buffoons.
Corp - Probably a one man band in a hut in Pakistan!

Even a first year security student would know not to just go on the evidence of one simple virus check but to disassemble or examine locations registry memory and at least try a few other antivirus testers.

What a joke!

Addendum:-

Take a look at the netsec website and have a laugh!
I am so prophetic sometimes - It IS a one man band in a hut in Pakistan after all...
lol

http://www.nesecc.com/

lol

mohamed hassan
NetSec Consulting
2101 Islington Avenue
410
Toronto, ON, CA
M9P 3R2
Voice: +1.4165506653

This message has been edited since its posting. Latest edit was made on 03 Apr 2011 @ 5:37

73.4.2011 08:03
twistedss
Unverified new user

Hassan is a certified idiot.
Kabay and Hassan's CISSP certs should both be revoked

85.4.2011 12:05

Samsung did not install keylogger on notebooks...yeah and bill Clinton did not have sexual relation with that woman.


[b]Some people just can't see the light can they..... DXR88[/b]

This message has been edited since its posting. Latest edit was made on 05 Apr 2011 @ 12:06

95.4.2011 18:27

When Sony got rapped for it any manufacturer would be completely mad to do such a thing.

Apart from a massive lawsuit the publicity would kill its sales like it did for Sony at the time so tell me why when these things are so easily discovered would they do it?

Rogue employee maybe but i seriously doubt it this guy was just after a bit of cudos as he had just "graduated" lol

So thats what they call it these days!


Duh

105.4.2011 18:52

Originally posted by numinbah:


Samsung did not install keylogger on notebooks...yeah and bill Clinton did not have sexual relation with that woman.


[b]Some people just can't see the light can they..... DXR88[/b]
Who cares if they did or didn't the fact is, OEMs install stuff far more severe than key loggers every minute of the day, you've got bloatware, crippleware, Norton, OEM backdoors(they call them Assist tools),DRM(aside from the one Vista and 7 already shove down your throat)....and some people are worried about a key logger.

As to yourBOLDED quote no they cant....and the bulbs getting dimmer every day.

115.4.2011 23:05

True bloatware particularly by Sony and Dell is crippling to a laptop!

129.4.2011 15:03

Seems innocent enough on Vipre's part. Anybody that would expect an AV to be infallible needs their heads read. That's why we have ComboFix (from Bleeping Computer). Especially, in regards to false positives. But this guy is a security consultant, right? He patently did not check to see if any suspicious processes were launched or trapped under Active Protection AND likewise not "Send file for Analysis..." under Help.

He obviously did not want to reveal what program he was using for "professional reasons". I.e I'm a big shot security consultant = I take your computer install Vipre, run it, uninstall Vipre, give back with huge bill. :P


EDIT: I no longer support Vipre a an AV... don't bother using it. I am not surprised now that Vipre is at the heart of the issue.

====================================================================

This message has been edited since its posting. Latest edit was made on 24 Jul 2013 @ 12:41

1317.4.2011 22:42

Hey, as a manufacturer, why should I be afraid of selling my products with DRMs, keyloggers, rootkits, etc? Sony did it and they are still in business. It seems like nobody cares...

Comments have been disabled for this article.

News archive