Reported major security vulnerability with Superfish provides another precautionary lesson for K-12

The latest reported major security vulnerability provides another precautionary lesson for K-12 and post-secondary schools as they develop and evolve policies and technologies that let laptops and other wireless devices connect to their networks.

Lenovo Group Ltd. pre-installed Superfish Visual Discovery software on Lenovo-branded personal computers, including laptops, that were sold to consumers.

According to the U.S. Department of Homeland Security, Lenovo personal computers employing the pre-installed software contain a critical vulnerability through a compromised root CA certificate. Exploitation of that vulnerability could allow a hacker to read all encrypted Web browser traffic, impersonate or spoof any Web site or perform other attacks on the affected user’s computer.

Lenovo’s response to queries is limited to information posted on its website: “An automatic removal tool is available on Lenovo.com. Additionally, we will offer Lenovo PC users affected by this issue a free 6-month subscription to McAfee LiveSafe service (or a 6-month extension for existing subscribers).”

Lenovo added that the problem with Superfish will result in the manufacturer significantly reducing pre-loaded applications. “Our goal is clear: To become the leader in providing cleaner, safer PCs.”


Other security experts confirm that the Superfish software can be easily removed with applications from Lenovo and other firms.

“There are multiple fixes available for Superfish now, from Microsoft, Lenovo and various anti-malware companies,” says Aryeh Goretsky, researcher, ESET. “As far as I am aware, they are effective in removing the adware and its associated digital certificate; however, it is a good idea to manually verify the files and certificate are no longer present on the system after their removal.”
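The manual verification Goretsky recommends can be scripted. The following is an added example, not code from Lenovo, ESET or the article; it assumes the rogue root certificate carries the subject “Superfish, Inc.” and that the Visual Discovery component ran as a Windows service named “VisualDiscovery”, so adjust both strings if your removal tool reports different names.

```powershell
# Added example (not from the article): post-removal check for Superfish residue on Windows.
# Assumptions: the certificate subject contains "Superfish" and the adware's service was
# called "VisualDiscovery". Run in an elevated PowerShell session so LocalMachine stores are readable.
$CertPattern = '*Superfish*'
$ServiceName = 'VisualDiscovery'   # assumption, see lead-in

function Find-SuperfishCertificates {
    # Walk every certificate store under both hives, not only Root: a trust entry left in
    # any store still lets a man-in-the-middle certificate chain up to the adware's CA.
    $hits = foreach ($hive in 'CurrentUser', 'LocalMachine') {
        Get-ChildItem -Path "Cert:\$hive" | ForEach-Object {
            Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue |
                Where-Object { $_.Subject -like $CertPattern -or $_.Issuer -like $CertPattern } |
                Select-Object @{ n = 'Store'; e = { "$hive\" + $_.PSParentPath.Split('\')[-1] } },
                              Subject, Thumbprint, NotAfter
        }
    }
    return @($hits)
}

function Find-SuperfishService {
    # Returns the service object if the adware's service is still registered, else $null.
    Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
}

function Test-SuperfishRemoved {
    $certs = Find-SuperfishCertificates
    $svc   = Find-SuperfishService
    if ($certs.Count -eq 0 -and -not $svc) {
        Write-Host 'No Superfish certificate or service found.'
        return $true
    }
    # Print what is left so the operator can remove it (e.g. via certmgr.msc or Remove-Item on Cert:\).
    if ($certs.Count -gt 0) { $certs | Format-Table -AutoSize }
    if ($svc) { Write-Host "Service '$ServiceName' is still present (status: $($svc.Status))." }
    return $false
}

Test-SuperfishRemoved
```

Firefox maintains its own certificate database, so a clean Windows store does not prove the browser is clean; check its Certificate Manager separately.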

While apparently none of these laptops were sold directly into the education market, some students may have bought them for their own use on campus.

Typically, K-12 institutions – primarily high schools – will dictate a specific type of device students must have, e.g., an iPad, Chromebook or something else, whereas post-secondary institutions tend to embrace a bring your own device (BYOD) environment. Each approach presents its own security challenges.

K-12 institutions need to choose the device that fits best with their environments. So some go with iPads and the Apple environment, some choose devices that work better with Google applications, etc.

For example, Marian Catholic High School, an 1100-student, 9-12 institution in the southern suburbs of Chicago, chose iPads for students starting in the fall of 2014. The decision followed examination and discussions with other high schools already using the technology, discussions with various technology experts and other research efforts, says Joelyn Carlasare, the school’s director of technology. “It was the most robust in terms of applications. It was a clear choice for us.”

Teachers started with the iPads in 2013 in order to become familiar with the technology, says Steve Tortorello, the school’s principal. That year parents and students were informed of the plan to require all students to have the devices at the beginning of the 2014-2015 school year. The school offered workshops and training again before the current school year. Those sessions, letters home and the school’s website all discuss safe computing, Tortorello says.

Mike Carlson, the school’s director of networks, says the school protects itself against malware from infected connected computers and other outside threats through a web filtering firewall and other defenses.


Other schools also rely on their technicians to protect against the threat. Beaver Country Day School, a private 6-12 school in Chestnut Hills, Mass., chose instead to go with laptops of the student’s choosing in order to access the Google suite of products including Google Docs, Google Sheets, etc.

The school’s technology department provides troubleshooting throughout the day, while its hardware and software have protection in place to keep the network free from malware, says Melissa Alkire, technology integration specialist.

Beaver Country Day follows the same BYOD philosophy as many colleges and universities. Professors, administrators, guest lecturers and students all have their own device preferences, and dictating one type of device is impractical. So most colleges and universities opt for BYOD rather than requiring that everyone have iPads, or other devices that all run on one operating system.

The school provides guidelines on device choices, including anti-virus and similar software, says Nancy Caruso, assistant head of the school.

Such a policy does present challenges, which colleges and universities tend to handle a couple of different ways. At Lebanon Valley College, Annville, Pa., for example, the network is constantly updated to protect against threats. Students must register their devices to access the network. Devices aren’t authorized unless they have certain security protocols. If the network later detects the device has picked up malware and poses a threat, the device will be quarantined until the problem is corrected, says David Shapiro, the college’s director of information technology.

Many other colleges and universities use similar strategies while others will require devices to have specific software that enables network access while also limiting the devices’ ability to upload malware to the network, according to Shapiro.

“A potentially better solution for organizations might be to adopt a CYOD, or Choose Your Own Device, policy, which instead allows the IT department to provide a range of supported devices to employees [or students] which are then managed by IT,” Goretsky says. “This strikes a mid-way between the cookie-cutter approach of ‘one size fits all’ and the pandemonium caused by having to support sundry configurations of consumer-grade systems, which all too often are missing the manageability and security features of their business-grade brethren.”

Whether it’s CYOD, BYOD or the K-12 or post-secondary educational institution selecting one device for everyone, the Lenovo-Superfish debacle once again shows that institutions’ technical staff have to be ever wary of the growing number of actual and potential security threats.

Phillip Britt is an editorial freelancer with eSchool News.