Contrite. That's the best way to describe Lenovo after the Superfish fiasco and subsequent Lizard Squad attack on its Web site. The world's largest PC maker is vowing to put the kibosh on bloatware and adware like Superfish and emerge as a leader in manufacturing "cleaner, safer PCs."
The bloatware-free promise is the latest in a series of mea culpas after security experts discovered a serious vulnerability in preloaded software called Superfish. Not only did Superfish show unwanted ads on users’ PCs, it also made the PCs vulnerable to data hijacking in supposedly secure encrypted HTTPS connections. The flaw left the PCs vulnerable to so-called man-in-the-middle attacks that could be used to steal banking information or sensitive e-mails.
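The interception risk described above comes from a certificate authority that the preloaded software installed into the Windows trusted root store, so the practical check on an affected PC is to audit that store. The following PowerShell function is an added example, not Lenovo's removal tool or any code from the article; it assumes a Windows host with the built-in Cert: provider, and the "Superfish" subject match is an assumption about how the adware's CA is named. It flags any trusted root whose private key is present on the machine (a root that can mint certificates for arbitrary HTTPS sites) or whose subject matches a blocked name.

```powershell
# Audit the trusted root stores for interception-style root certificates.
# Added example (not Lenovo's tool). Assumes a Windows host and the built-in
# Cert: PSDrive; matching on the subject string 'Superfish' is an assumption.
function Get-SuspiciousRootCertificate {
    [CmdletBinding()]
    param(
        # Subject substrings that should never appear in a trusted root.
        [string[]]$BlockedSubjects = @('Superfish')
    )

    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $reasons = @()

            # A trusted root whose private key lives on the endpoint lets any
            # local software forge certificates that the browser will accept.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present on host'
            }

            # Known-bad issuer names, e.g. the adware's own CA.
            foreach ($name in $BlockedSubjects) {
                if ($cert.Subject -like "*$name*") {
                    $reasons += "subject matches '$name'"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report first; remove only after reviewing each flagged entry.
Get-SuspiciousRootCertificate | Format-Table -AutoSize -Wrap
# Get-SuspiciousRootCertificate | ForEach-Object {
#     Remove-Item -Path "$($_.Store)\$($_.Thumbprint)"
# }
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable. A legitimate public root CA never ships its private key to end-user machines, so the private-key check catches this class of interception root regardless of what the certificate is named; browsers with their own trust store (Firefox, for example) need to be checked separately.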
Lenovo was quick to apologize and release an automated tool that removed the Superfish adware from PCs. But as quick as Lenovo got that apology out, a hacker group known as the Lizard Squad found its way into the company's Web site, posting an e-mail exchange among Lenovo employees discussing Superfish, and promising to air more "interesting things later."
'Our Goal is Clear'
Beyond an apology and an automatic removal tool, Lenovo is also offering its customers affected by the issue a free, six-month subscription to the McAfee LiveSafe service, or a six-month extension for existing subscribers, along with a big promise.
"The events of last week reinforce the principle that customer experience, security and privacy must be our top priorities," Lenovo said in a statement. "With this in mind we will significantly reduce preloaded applications. Our goal is clear: to become the leader in providing cleaner, safer PCs."
Lenovo is not wasting any time. When it launches its Windows 10 products, the company said its standard software installation will only include the operating system and related software, software required to make hardware work well, security software and Lenovo applications.
"This should eliminate what our industry calls 'adware' and 'bloatware,'" Lenovo said. "Lenovo will post information about ALL software we preload on our PCs that clearly explains what each application does. And we will continuously solicit feedback from our user community and industry experts to ensure we have the right applications and best user experience. We view these actions as a starting point. We believe that these steps will make our technology better, safer and more secure."
Back to Lizard Squad
We turned to Tom Landesman, a researcher at Cloudmark, a company that provides protection against spam, viruses, phishing and similar threats that affect e-mail, to get his thoughts on the fallout from Lizard Squad, which also redirected Lenovo searches on Google.com to an embarrassing site. He told us the public may be quick to blame this on Lenovo and Google for losing control of their Web sites.
"In fact, this issue was not a fault of theirs but arose due to a weakness within the registrar who was tasked with securely and properly routing users to the site," Landesman said. "It appears that the registrar in question, Webnic.cc, was compromised directly by Lizard Squad and used to lead users towards fake versions of Lenovo's and Google's sites."
According to Landesman's research, two of the individuals called out by the hacked sites, Ryan King and Rory Andrew Godfrey, have been accused by the media of being members of Lizard Squad, despite other claims to the contrary. Both, he said, have ties from a previous hacking group to a known, current member of Lizard Squad.
"While this attack was outside of the control of either Lenovo or Google, using Webnic may have been a poor choice by both companies. Webnic's popularity among hacker forums and underground bazaars may make some dubious of the registrar's practices," Landesman said. "However, as Krebs reports, it's probably not a coincidence that over the past several years, many of these sites have also been hacked. Perhaps both Lenovo and Google should explore less-suspect registrars in the area."
Posted: 2015-02-27 @ 4:41pm PT
A step in the right direction. However, the McAfee thing is ridiculous. Identity theft risk following the incident does not go away by itself after six months.
And if Lenovo is really serious about cleaning the slate, it should also offer its hardware without bundling Windows at all. Lenovo's hardware is known to work very well under Fedora, Ubuntu, FreeBSD and many other alternative operating systems.