Lenovo’s Web site was hacked on Wednesday, giving the PC giant’s security
team another black eye before it has even healed from the Superfish
fiasco. The Lizard Squad claimed responsibility for the attacks via its
Twitter account.
The hacker posted an e-mail exchange between Lenovo employees discussing
Superfish, according to a Reuters report. Then the group followed up
with another threat on Twitter: “We’ll comb the Lenovo dump for more
interesting things later.”
Beyond the e-mail exchanges, the Lizard Squad also hijacked Lenovo’s
content and replaced it with a slideshow of young people peering into
webcams and the song “Breaking Free” from the movie “High School
Musical” playing in the background, The Verge reported.
Lenovo Regrets the ‘Inconvenience’
Lenovo, the world’s largest PC maker, has been criticized for shipping laptops pre-installed with a virus-like software
that puts customers in the line of hacker fire. Since June, Lenovo
customers have been reporting a program called Superfish, software that
automatically displays advertisements in the name of helping consumers
find products online.
The problem is more serious than first thought. Last Friday, Facebook's
Threat Infrastructure team issued an analysis of the adware, which
concluded that “the new root CA (certificate authority) undermines the
security of Web browsers and operating systems, putting people at risk.”
After that, security researcher Filippo Valsorda called the Superfish adware
“catastrophic,” saying that's “the only way all this mess could have
been worse,” because the Superfish proxy, which uses a Komodia content
inspection engine, can be made to accept self-signed certificates without
warnings. That opens the door to man-in-the-middle attacks.
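The root CA the Facebook analysis describes lives in the Windows trusted-root stores, so an administrator can check for it directly. The following PowerShell check is an added example, not code from the article, Lenovo, Facebook or Tripwire; it assumes the certificate's subject or issuer contains the string "Superfish", which the article does not state, and it only previews removal with -WhatIf.

```powershell
# Added example: look for a Superfish root CA in the trusted-root stores.
# Assumption: the certificate's subject or issuer contains "Superfish".
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        ForEach-Object {
            # A root with the CA flag set can sign for any site, which is what
            # lets the interception proxy present itself as every HTTPS server.
            $isCa = ($_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
                ForEach-Object { $_.CertificateAuthority }) -contains $true
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                IsCA       = $isCa
            }
        }
}

if (-not $hits) {
    Write-Output 'No Superfish root certificate found in the trusted-root stores.'
} else {
    $hits | Format-Table -AutoSize
    # Mitigation preview: remove each hit from its store (run elevated for
    # LocalMachine). Drop -WhatIf to actually delete. Removing the root alone
    # does not uninstall the interception proxy; that software must go too.
    foreach ($h in $hits) {
        Remove-Item -Path (Join-Path -Path $h.Store -ChildPath $h.Thumbprint) -WhatIf
    }
}
```

Browsers with their own trust store (for example Firefox) are not covered by this check and need to be inspected separately.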
"We regret any inconvenience that our users may have if they are not
able to access parts of our site at this time," the company said in a
published statement. "We are actively reviewing our network security and
will take appropriate steps to bolster our site and to protect the
integrity of our users' information."
Blind to Risks
We caught up with Ken Westin, a security analyst at advanced threat protection
firm Tripwire, to get his thoughts on the attack. He told us the lesson
of the Superfish debacle is this: something that seemed like a good
idea at the time to one group can have devastating consequences for a
company as a whole.
“The deployment of Superfish compromised Lenovo customers’ privacy and
security, and now hacking groups have essentially declared it open
season against Lenovo. This whole event demonstrates what happens when
businesses fail to take security and privacy into consideration,
especially when adding new features that can invade customer privacy and
weaken system security,” Westin said.
“Unfortunately, those responsible for security and privacy are often not
part of the decision-making process, or are even aware these tools are
deployed, so organizations may leave themselves blind to these risks,”
he added.