Samsung and I Got Bit by a VIPRE

Yesterday I reported that Samsung laptops were infected with a keystroke logger. This certainly appeared to be the case as a Samsung supervisor reportedly confirmed (http://www.networkworld.com/newsletters/sec/2011/040411sec1.html) that Samsung shipped infected laptops. Samsung has since indicated that this is not the case. This incident has some very important lessons. My entire information supply was polluted and so the output was predictably garbage. But how does this happen? It takes an amazing combination of events.

The first event that happened was VIPRE, an antivirus product by GFI Security (formerly Sunbelt) had a false positive on an empty directory. False positives happen to every antivirus vendor, even ESET has and will have false positives from time to time.

So a false positive got the ball rolling and that is exactly where the ball should have stopped, but an unbelievable comedy of errors ensued. The person who found the false positive is one Mr. Mohamed Hassan. Reputation is very important to all of us in attempting to assess the validity of information we are presented with, so when a person who has a master’s degree in information assurance says there’s a problem, you kind of assume he verified that he had information. That is a faulty assumption. The false positive was on a directory and not on a file. A keystroke logger is file. That assumption aside, you would guess that the owner of a computer security company would understand what a false positive is and that they do happen. Mr. Hassan has an MSIA degree, CISSP certification, and CISA certification. You would expect that he would understand what it means when an antivirus program sends out an alert.  A report of a virus or, in this case a keystroke logger, does not mean that such a threat is present, it means that a fallible program written by human beings came across a condition that resulted in a programmatic response. Usually the program gets it right, but it is never a given. The first step is to prove that the detection is not a false positive. Unfortunately, Mr. Hassan neglected to perform this very, very basic and essential step or the issue would have never made the press. Getting a second opinion is also a great part of the process. In this case, about 30 professional opinions would be easy to obtain through Virus Total, and if that had been attempted, it would have been quickly discovered that not only was there no keystroke logger, but there was nothing at all but an incorrect programmatic response to a directory name.

Moving along the reputation chain, Mr. Hassan is a colleague of Mich Kabay. Mr. Kabay is very well respected in the computer security industry and when I and several other researchers read that Mr. Kabay had weighed in on the alleged keystroke logger, going as far as to say “Good luck, Samsung! We see a class-action lawsuit in your future….” There is a lot of credibility there.

At this point I would not go out on a limb and accuse Samsung of shipping infected laptops however. I have met and spoken with Mr. Kabay before and respect his knowledge, but I needed more information. The article in Network World claims that a supervisor at Samsung confirmed that Samsung had placed a keystroke logger on the laptops they sold. So, you have pedigree, reputation and the actual company admitting to something that didn’t even exist. The entire information system, from manufacturer to security “experts” who teach information security at a university was completely polluted. With data that poor, yet cleverly concealed as high quality, the only predictable result is a purely believable, but completely inaccurate conclusion.

I just have one request for Mr. Hassan and Mr. Kabay… Patience is a virtue. Next time can you please wait two more days until April 1 when you pull a stunt like this? Speaking of patience, I’ll try to wait for global PR next time before believing that a support manager can speak for a global company.

For Samsung, please do not corroborate April Fools jokes on March 30th.

As for me, I apologize for publishing inaccurate information and I am heartbroken that every great idea I had for an April fool’s blog just seems lame after this little stunt.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America