This article is from the source 'bbc'.

You can find the current article at its original source at http://www.bbc.co.uk/news/technology-34920197

The article has changed 2 times.

Dell faces fresh security questions as new issue found

Versions compared: Version 0 and Version 1 (about 1 hour later)
Dell is facing further questions after admitting to a second security issue with its computers this week.
The new problem - similar to the first - could leave users' personal information vulnerable, researchers backed by the US government said.
Dell said it had again released a fix, after doing the same for the first problem earlier this week.
The repeated issues raised concerns about the company's attitude towards security, one expert told the BBC.
In a statement, Dell said that the second problem affected users who downloaded its Dell System Detect product between 20 October and 24 November 2015. It said the second issue was not pre-installed on computers - as the first was.
It said the product was removed from its site once the issue was spotted and a replacement application was made available.
Earlier this week, Dell said it had inadvertently opened up a security hole in its computers when it pre-installed software on them. A self-signed root certificate authority (CA), which is used to identify trustworthy websites, was "implemented as part of a support tool and intended to make it faster and easier for our customers to service their system", Dell said.
But the CA it installed, called "eDellRoot", allowed hackers to intercept a Dell user's internet traffic, while the private key that came installed with it could be used to trick the computer into thinking that unsafe websites were safe, security researchers pointed out.
'Impersonation'
Version 0:
The second vulnerability, another CA called "DSDTestProvider", worked in much the same way, according to the Germany-based journalist who found it: Hanno Böck.
His findings were endorsed by US Department of Homeland Security-backed researchers at Carnegie Mellon University, in Pittsburgh, in America.
In a report, Carnegie Mellon University CERT wrote: "An attacker can generate certificates signed by the DSDTestProvider CA. Systems that trust the DSDTestProvider CA will trust any certificate issued by the CA.

Version 1:
The second vulnerability, another CA called "DSDTestProvider", worked in much the same way, according to the Germany-based journalist who reported it to US Department of Homeland Security-backed researchers at Carnegie Mellon University: Hanno Böck.
In their subsequent report, the researchers wrote: "An attacker can generate certificates signed by the DSDTestProvider CA. Systems that trust the DSDTestProvider CA will trust any certificate issued by the CA.

Both versions:
"An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data.
"Common attack scenarios include impersonating a web site, performing a [man-in-the-middle] attack to decrypt HTTPS traffic, and installing malicious software." Such an attack involves the hacker intercepting internet traffic between the user's browser and the site they are accessing.
The Surrey University security expert Prof Alan Woodward said: "To paraphrase Oscar Wilde, to have one self-signing certificate installed could be a mistake; to have two looks like carelessness.
"The fact that there appears to be a second self-signing certificate does make you wonder what else might be lurking on the machine."
A Dell spokesman said: "When we became aware of eDellRoot earlier this week, we immediately dug into all our applications that get loaded on Dell PCs. We can confirm we have found no other root certificates on the factory-installed PC image.
"What we did find was that the Dell System Detect application and its DSDTestProvider root certificate had similar characteristics to eDellRoot.
"The application was removed from the Dell support site immediately and a replacement application without the certificate is now available."
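
An added example, not part of the BBC article and not Dell's own tooling: a PowerShell audit that looks for the two CAs named above in the Windows certificate stores and reports whether each match is self-signed and carries a private key. It assumes the certificates' subject common names are exactly "eDellRoot" and "DSDTestProvider"; the article gives no thumbprints, so matching is by name only.

```powershell
# Added example: audit Windows certificate stores for the two root CAs named in the article.
# Assumption: the subject CN equals the name quoted in the article (no thumbprints are given there).
$names   = 'eDellRoot', 'DSDTestProvider'
$pattern = 'CN=(' + (($names | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(,|$)'

# Root stores decide what the machine trusts. The Personal ("My") stores are checked too,
# because a certificate shipped together with its private key may also be present there.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\My',   'Cert:\CurrentUser\My'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                SelfSigned    = ($_.Subject -eq $_.Issuer)   # a root CA issues its own certificate
                HasPrivateKey = $_.HasPrivateKey             # key on disk means anyone can sign with it
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Certificate(s) matching the CA names in the article are present; apply the vendor fix.'
} else {
    Write-Output 'No certificate named eDellRoot or DSDTestProvider found in the checked stores.'
}
```

Checking the LocalMachine stores completely may require an elevated session; a match in a Root store means the system still trusts any certificate issued by that CA.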