<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Lenovo Superfish scandal: Why it’s one of the worst consumer computing screw-ups ever.</title>
	<atom:link href="http://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sun, 26 Apr 2026 11:16:35 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1351578</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 03 Mar 2015 18:47:08 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1351578</guid>
		<description><![CDATA[Conn. AG launches Lenovo-Superfish &#039;crapware&#039; probe
http://www.computerworld.com/article/2889928/conn-ag-launches-lenovo-superfish-crapware-probe.html

Asks companies to provide information in 20 days about contracts, &#039;financial arrangements,&#039; testing, much more

Three days after Chinese computer maker Lenovo promised to flush &quot;crapware&quot; from its consumer PCs, Connecticut&#039;s state attorney general announced a probe into the company&#039;s practice of bundling adware.

&quot;It&#039;s extremely concerning that, based on published reports, Lenovo installed this software -- which appears to have no meaningful benefit to the consumer -- on devices without the purchaser&#039;s knowledge,&quot;]]></description>
		<content:encoded><![CDATA[<p>Conn. AG launches Lenovo-Superfish &#8216;crapware&#8217; probe<br />
<a href="http://www.computerworld.com/article/2889928/conn-ag-launches-lenovo-superfish-crapware-probe.html" rel="nofollow">http://www.computerworld.com/article/2889928/conn-ag-launches-lenovo-superfish-crapware-probe.html</a></p>
<p>Asks companies to provide information in 20 days about contracts, &#8216;financial arrangements,&#8217; testing, much more</p>
<p>Three days after Chinese computer maker Lenovo promised to flush &#8220;crapware&#8221; from its consumer PCs, Connecticut&#8217;s state attorney general announced a probe into the company&#8217;s practice of bundling adware.</p>
<p>&#8220;It&#8217;s extremely concerning that, based on published reports, Lenovo installed this software &#8212; which appears to have no meaningful benefit to the consumer &#8212; on devices without the purchaser&#8217;s knowledge,&#8221;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1351347</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 03 Mar 2015 08:10:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1351347</guid>
		<description><![CDATA[Oh No, Lenovo! Lizard Squad on the attack, flashes swiped emails
Emo-takeover better not be a viral marketing stunt to win our hearts
http://www.theregister.co.uk/2015/02/25/lenovo_hacked_lizard_squad/

Lenovo&#039;s domain name lenovo.com appears to have fallen victim to cyber-mischief-makers Lizard Squad.

The domain&#039;s nameserver settings were suspiciously updated today to point at DNS servers belonging to web hosting biz CloudFlare. 

It appears Lenovo has managed to claw back control of its domain, and is now pointing it at a legit server behind the IP address 64.26.251.145. CloudFlare security researcher Marc Rogers just tweeted

Finally, it&#039;s feared Lenovo&#039;s domain registrar, Webnic.cc, was compromised by attackers to accomplish today&#039;s DNS hijacking. Webnic.cc is down at time of writing.]]></description>
		<content:encoded><![CDATA[<p>Oh No, Lenovo! Lizard Squad on the attack, flashes swiped emails<br />
Emo-takeover better not be a viral marketing stunt to win our hearts<br />
<a href="http://www.theregister.co.uk/2015/02/25/lenovo_hacked_lizard_squad/" rel="nofollow">http://www.theregister.co.uk/2015/02/25/lenovo_hacked_lizard_squad/</a></p>
<p>Lenovo&#8217;s domain name lenovo.com appears to have fallen victim to cyber-mischief-makers Lizard Squad.</p>
<p>The domain&#8217;s nameserver settings were suspiciously updated today to point at DNS servers belonging to web hosting biz CloudFlare. </p>
<p>It appears Lenovo has managed to claw back control of its domain, and is now pointing it at a legit server behind the IP address 64.26.251.145. CloudFlare security researcher Marc Rogers just tweeted</p>
<p>Finally, it&#8217;s feared Lenovo&#8217;s domain registrar, Webnic.cc, was compromised by attackers to accomplish today&#8217;s DNS hijacking. Webnic.cc is down at time of writing.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1351346</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 03 Mar 2015 08:09:11 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1351346</guid>
		<description><![CDATA[$250K: That&#039;s what Lenovo earned to RAT YOU OUT with Superfish
Report suggests Lenovo can be bought for peanuts as Mozilla kills dirty cert
http://www.theregister.co.uk/2015/03/03/lenovo_bagged_250k_from_superfish_deal_report/

Lenovo bagged a paltry US$250,000 from the deal that saw it install the Superfish certificate slurper onto PCs, according to reports.

The PC maker was last month caught installing the ad/bloat/malware into its consumer PCs, sparking a very considerable backlash once the software&#039;s ability to intercept encrypted website communications was revealed.

Forbes sources now say Lenovo made between US$200,000 and US$250,000 from the deal to pre-install Superfish, a paltry amount given its net profit was US$253 million in the three months to December.

At $250,000 the return on investment for Superfish is abominable: Lenovo initially defended the installation as a helpful tool for online shoppers, but quickly back-pedalled and started wheeling out senior execs at all hours of day and night to make apologetic utterances.

Mozilla, meanwhile, has decided to blast Superfish with its hot lizard breath. The outfit will eradicate self-signed Superfish certificates from the latest version of its Firefox web browser

The Superfish PR disaster has also snowballed into a lawsuit]]></description>
		<content:encoded><![CDATA[<p>$250K: That&#8217;s what Lenovo earned to RAT YOU OUT with Superfish<br />
Report suggests Lenovo can be bought for peanuts as Mozilla kills dirty cert<br />
<a href="http://www.theregister.co.uk/2015/03/03/lenovo_bagged_250k_from_superfish_deal_report/" rel="nofollow">http://www.theregister.co.uk/2015/03/03/lenovo_bagged_250k_from_superfish_deal_report/</a></p>
<p>Lenovo bagged a paltry US$250,000 from the deal that saw it install the Superfish certificate slurper onto PCs, according to reports.</p>
<p>The PC maker was last month caught installing the ad/bloat/malware into its consumer PCs, sparking a very considerable backlash once the software&#8217;s ability to intercept encrypted website communications was revealed.</p>
<p>Forbes sources now say Lenovo made between US$200,000 and US$250,000 from the deal to pre-install Superfish, a paltry amount given its net profit was US$253 million in the three months to December.</p>
<p>At $250,000 the return on investment for Superfish is abominable: Lenovo initially defended the installation as a helpful tool for online shoppers, but quickly back-pedalled and started wheeling out senior execs at all hours of day and night to make apologetic utterances.</p>
<p>Mozilla, meanwhile, has decided to blast Superfish with its hot lizard breath. The outfit will eradicate self-signed Superfish certificates from the latest version of its Firefox web browser</p>
<p>The Superfish PR disaster has also snowballed into a lawsuit</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1350984</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 02 Mar 2015 11:01:41 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1350984</guid>
		<description><![CDATA[Webnic Registrar Blamed for Hijack of Lenovo, Google Domains
http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/

Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.

On Feb. 23, google.com.vn briefly redirected visitors to a page that read, “Hacked by Lizard Squad, greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP &amp; Rory Andrew Godfrey (holding it down in Texas).” The message also included a link to the group’s Twitter page and its Lizard Stresser online attacks-for-hire service.]]></description>
		<content:encoded><![CDATA[<p>Webnic Registrar Blamed for Hijack of Lenovo, Google Domains<br />
<a href="http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/" rel="nofollow">http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/</a></p>
<p>Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.</p>
<p>On Feb. 23, google.com.vn briefly redirected visitors to a page that read, “Hacked by Lizard Squad, greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP &amp; Rory Andrew Godfrey (holding it down in Texas).” The message also included a link to the group’s Twitter page and its Lizard Stresser online attacks-for-hire service.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1350920</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 02 Mar 2015 09:18:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1350920</guid>
		<description><![CDATA[Lenovo: We SWEAR we&#039;re done with bloatware, adware and scumware
By Windows 10 launch our systems will be PURE, honest
http://www.theregister.co.uk/2015/02/27/lenovo_makes_bold_play_for_the_clean_pc_market_after_superfish_snaufu/

Barely a week after the breaking of the Superfish scandal, Lenovo has done a complete reverse ferret on bloatware - promising that by the time Windows 10 comes out its systems will be as pure as they can be.

“The events of last week reinforce the principle that customer experience, security and privacy must be our top priorities,” the firm said in a statement supplied to the Register today. “With this in mind, we will significantly reduce preloaded applications. Our goal is clear: To become the leader in providing cleaner, safer PCs.&quot;

The company has been in frantic firefighting mode since the discovery of the SSL-busting Superfish code in a wide range of its consumer PCs caused an uproar. It has since issued automated tools to get rid of Superfish and has worked with antivirus vendors to get the Komodia library and certificate in the adware removed.]]></description>
		<content:encoded><![CDATA[<p>Lenovo: We SWEAR we&#8217;re done with bloatware, adware and scumware<br />
By Windows 10 launch our systems will be PURE, honest<br />
<a href="http://www.theregister.co.uk/2015/02/27/lenovo_makes_bold_play_for_the_clean_pc_market_after_superfish_snaufu/" rel="nofollow">http://www.theregister.co.uk/2015/02/27/lenovo_makes_bold_play_for_the_clean_pc_market_after_superfish_snaufu/</a></p>
<p>Barely a week after the breaking of the Superfish scandal, Lenovo has done a complete reverse ferret on bloatware &#8211; promising that by the time Windows 10 comes out its systems will be as pure as they can be.</p>
<p>“The events of last week reinforce the principle that customer experience, security and privacy must be our top priorities,” the firm said in a statement supplied to the Register today. “With this in mind, we will significantly reduce preloaded applications. Our goal is clear: To become the leader in providing cleaner, safer PCs.&#8221;</p>
<p>The company has been in frantic firefighting mode since the discovery of the SSL-busting Superfish code in a wide range of its consumer PCs caused an uproar. It has since issued automated tools to get rid of Superfish and has worked with antivirus vendors to get the Komodia library and certificate in the adware removed.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1350903</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 02 Mar 2015 08:32:47 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1350903</guid>
		<description><![CDATA[How Superfish’s Security-Compromising Adware Came to Inhabit Lenovo’s PCs
http://www.nytimes.com/2015/03/02/technology/how-superfishs-security-compromising-adware-came-to-inhabit-lenovos-pcs.html

Until its advertising software was discovered deep inside Lenovo personal computers two weeks ago, a little company called Superfish had maintained a surprisingly low profile for an outfit once named America’s fastest-growing software start-up.

In 2013, Superfish revenues had increased more than 26,000 percent over the previous three years to $35.3 million. It had advertising deals with some of the biggest names in e-commerce — Amazon, eBay and Alibaba among them.

But as the start-up, based in Palo Alto, Calif., searched for new income sources last year, it landed a deal with Lenovo, the world’s largest PC maker, to put its software — often called adware — on several Lenovo consumer PCs.

That deal has proved disastrous. Not only has it called into question the business practices of both Lenovo and Superfish, it has shined an unflattering light on makers of this sort of advertising technology.

Superfish’s software, a security researcher revealed, was logging every online movement of the people using those Lenovo machines and hijacking the security system that is supposed to protect online communications and commerce. The Department of Homeland Security even warned Lenovo PC users to remove the software because of the risk it presented.

Superfish’s technology, security experts now say, is a particularly aggressive example of the targeted advertising technology that tracks consumers’ online movements without their knowledge.

What made its adware particularly bad, experts say, is that it fooled Lenovo customers into thinking that private sessions with their email service, or bank — secured with encryption that is often represented by the tiny padlock that appears in their web browser — were private, when Superfish, and potentially hackers, could see everything.

“The padlock is a means of telling you that who you are talking to is who you think you are talking to. Superfish made that mechanism ineffective,”]]></description>
		<content:encoded><![CDATA[<p>How Superfish’s Security-Compromising Adware Came to Inhabit Lenovo’s PCs<br />
<a href="http://www.nytimes.com/2015/03/02/technology/how-superfishs-security-compromising-adware-came-to-inhabit-lenovos-pcs.html" rel="nofollow">http://www.nytimes.com/2015/03/02/technology/how-superfishs-security-compromising-adware-came-to-inhabit-lenovos-pcs.html</a></p>
<p>Until its advertising software was discovered deep inside Lenovo personal computers two weeks ago, a little company called Superfish had maintained a surprisingly low profile for an outfit once named America’s fastest-growing software start-up.</p>
<p>In 2013, Superfish revenues had increased more than 26,000 percent over the previous three years to $35.3 million. It had advertising deals with some of the biggest names in e-commerce — Amazon, eBay and Alibaba among them.</p>
<p>But as the start-up, based in Palo Alto, Calif., searched for new income sources last year, it landed a deal with Lenovo, the world’s largest PC maker, to put its software — often called adware — on several Lenovo consumer PCs.</p>
<p>That deal has proved disastrous. Not only has it called into question the business practices of both Lenovo and Superfish, it has shined an unflattering light on makers of this sort of advertising technology.</p>
<p>Superfish’s software, a security researcher revealed, was logging every online movement of the people using those Lenovo machines and hijacking the security system that is supposed to protect online communications and commerce. The Department of Homeland Security even warned Lenovo PC users to remove the software because of the risk it presented.</p>
<p>Superfish’s technology, security experts now say, is a particularly aggressive example of the targeted advertising technology that tracks consumers’ online movements without their knowledge.</p>
<p>What made its adware particularly bad, experts say, is that it fooled Lenovo customers into thinking that private sessions with their email service, or bank — secured with encryption that is often represented by the tiny padlock that appears in their web browser — were private, when Superfish, and potentially hackers, could see everything.</p>
<p>“The padlock is a means of telling you that who you are talking to is who you think you are talking to. Superfish made that mechanism ineffective,”</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1349235</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 27 Feb 2015 08:42:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1349235</guid>
		<description><![CDATA[Lizard Squad Claims Attack On Lenovo Days After Superfish
http://it.slashdot.org/story/15/02/26/1515218/lizard-squad-claims-attack-on-lenovo-days-after-superfish

Lizard Squad has claimed responsibility for a defacement of Lenovo&#039;s website. This follows last week&#039;s revelations that Lenovo installed Superfish adware on consumer laptops, which included a self-signed certificate authority that could have allowed man-in-the-middle attacks. 


Lenovo website hacked and defaced by Lizard Squad in Superfish protest
http://www.theguardian.com/technology/2015/feb/26/lenovo-website-hacked-and-defaced-by-lizard-squad-in-superfish-protest

The hacking collective took over the Lenovo site for several hours on Wednesday, redirecting users to a slideshow of bored teenagers

Lenovo, the PC maker at the centre of the Superfish controversy, suffered its own security breach on Wednesday when its main website was defaced, redirecting users to a slideshow of pictures of bored-looking teens (apparently the hackers themselves) set to the song Breaking Free from High School Musical.

The hack was apparently carried out through a “DNS hijack”, an increasingly common method whereby a domain name system server, which translates a human-readable web address such as google.com into a machine-readable IP address such as “8.8.8.8”, redirects visitors to another website – in this case, one controlled by Lizard Squad. 

“Two defacements in a single week is normally nothing, but two extremely high-profile defacements from the same registrar in the same week is a definite trend,” 

Following the hack, Lizard Squad has been posting screenshots of emails allegedly sent to Lenovo.com addresses, including one discussing Superfish. A DNS hijack can potentially gain access to emails sent during the period the site is taken over, by redirecting the email in the same way as the website. But this would not grant access to the full database of emails.

In a statement, Lenovo said: “Unfortunately, Lenovo has been the victim of a cyber attack.&quot;]]></description>
		<content:encoded><![CDATA[<p>Lizard Squad Claims Attack On Lenovo Days After Superfish<br />
<a href="http://it.slashdot.org/story/15/02/26/1515218/lizard-squad-claims-attack-on-lenovo-days-after-superfish" rel="nofollow">http://it.slashdot.org/story/15/02/26/1515218/lizard-squad-claims-attack-on-lenovo-days-after-superfish</a></p>
<p>Lizard Squad has claimed responsibility for a defacement of Lenovo&#8217;s website. This follows last week&#8217;s revelations that Lenovo installed Superfish adware on consumer laptops, which included a self-signed certificate authority that could have allowed man-in-the-middle attacks. </p>
<p>Lenovo website hacked and defaced by Lizard Squad in Superfish protest<br />
<a href="http://www.theguardian.com/technology/2015/feb/26/lenovo-website-hacked-and-defaced-by-lizard-squad-in-superfish-protest" rel="nofollow">http://www.theguardian.com/technology/2015/feb/26/lenovo-website-hacked-and-defaced-by-lizard-squad-in-superfish-protest</a></p>
<p>The hacking collective took over the Lenovo site for several hours on Wednesday, redirecting users to a slideshow of bored teenagers</p>
<p>Lenovo, the PC maker at the centre of the Superfish controversy, suffered its own security breach on Wednesday when its main website was defaced, redirecting users to a slideshow of pictures of bored-looking teens (apparently the hackers themselves) set to the song Breaking Free from High School Musical.</p>
<p>The hack was apparently carried out through a “DNS hijack”, an increasingly common method whereby a domain name system server, which translates a human-readable web address such as google.com into a machine-readable IP address such as “8.8.8.8”, redirects visitors to another website – in this case, one controlled by Lizard Squad. </p>
<p>“Two defacements in a single week is normally nothing, but two extremely high-profile defacements from the same registrar in the same week is a definite trend,” </p>
<p>Following the hack, Lizard Squad has been posting screenshots of emails allegedly sent to Lenovo.com addresses, including one discussing Superfish. A DNS hijack can potentially gain access to emails sent during the period the site is taken over, by redirecting the email in the same way as the website. But this would not grant access to the full database of emails.</p>
<p>In a statement, Lenovo said: “Unfortunately, Lenovo has been the victim of a cyber attack.&#8221;</p>
]]></content:encoded>
	</item>
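The registrar-level hijack described in the comment above changes the domain's delegation (its NS records), after which every other record, including the MX records that carry the domain's mail, can be pointed wherever the attacker likes. The following is an added example, not code from the page or from Lenovo, Webnic or Lizard Squad: a small monitor that parses dig-style answer lines, compares them with a known-good baseline and grades the drift. The domain names and addresses it uses are constructed for illustration and belong to no real domain.

```python
"""Detect registrar-level DNS hijacks by comparing a domain's current
NS, MX and A answers against a known-good baseline.

Added example for this page; it is not Lenovo's, Webnic's or Lizard
Squad's code. Hostnames and addresses below are constructed."""
import re
from collections import defaultdict

# One answer-section line of dig-style output: owner ttl IN type rdata
ANSWER_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|MX)\s+(.+)$")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_answers(text):
    """Return {rtype: set(rdata)} from dig-style answer lines.
    MX rdata keeps only the exchange host, not the preference value."""
    records = defaultdict(set)
    for line in text.splitlines():
        m = ANSWER_LINE.match(line.strip())
        if m is None:
            continue  # blank lines, comments, other sections
        _owner, rtype, rdata = m.groups()
        if rtype == "MX":
            rdata = rdata.split()[-1]
        records[rtype].add(rdata.strip() if rtype == "A" else normalize(rdata))
    return dict(records)


def detect_drift(baseline, observed):
    """Compare observed records with the baseline and grade what changed.

    NS drift means the delegation itself moved (registrar or registry
    level), which is what a registrar compromise allows: the attacker
    then controls every record. MX drift means mail is being delivered
    to a new host. A-only drift may be a legitimate server move.
    """
    findings = []
    for rtype in ("NS", "MX", "A"):
        expected = baseline.get(rtype, set())
        seen = observed.get(rtype, set())
        added, removed = seen - expected, expected - seen
        if added or removed:
            findings.append({"type": rtype,
                             "added": sorted(added),
                             "removed": sorted(removed)})
    types = {f["type"] for f in findings}
    if "NS" in types:
        severity = "critical"  # delegation hijack
    elif "MX" in types:
        severity = "high"      # mail redirection
    elif "A" in types:
        severity = "medium"    # confirm with the owner
    else:
        severity = "ok"
    return severity, findings


# Constructed baseline, as captured when the domain was known to be intact.
BASELINE = parse_answers("""
example-vendor.test.  3600 IN NS ns1.vendor-dns.test.
example-vendor.test.  3600 IN NS ns2.vendor-dns.test.
example-vendor.test.   300 IN A  192.0.2.10
example-vendor.test.  3600 IN MX 10 mail.example-vendor.test.
""")

# Constructed observation after a registrar-level takeover: new delegation,
# new web server and new mail exchanger all at once.
HIJACKED = parse_answers("""
example-vendor.test.   300 IN NS NS1.attacker-dns.test.
example-vendor.test.   300 IN NS ns2.attacker-dns.test.
example-vendor.test.   300 IN A  198.51.100.7
example-vendor.test.   300 IN MX 10 mx.attacker-dns.test.
""")

# Constructed observation of an ordinary web server move: only A changed.
MOVED = parse_answers("""
example-vendor.test.  3600 IN NS ns1.vendor-dns.test.
example-vendor.test.  3600 IN NS ns2.vendor-dns.test.
example-vendor.test.   300 IN A  192.0.2.11
example-vendor.test.  3600 IN MX 10 mail.example-vendor.test.
""")

if __name__ == "__main__":
    print(detect_drift(BASELINE, HIJACKED))
    print(detect_drift(BASELINE, MOVED))
```

In practice the observed text would come from a scheduled query against the authoritative servers and, separately, against the registry (the parent zone's NS set), since a registrar compromise shows up first at the registry delegation and only later in the zone itself.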
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1349025</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 26 Feb 2015 23:21:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1349025</guid>
		<description><![CDATA[Dan Goodin / Ars Technica:
EFF unearths evidence of possible Superfish-style attacks in the wild

EFF unearths evidence of possible Superfish-style attacks in the wild
Crypto-busting apps may have been exploited against visitors of Google and dozens more.
http://arstechnica.com/security/2015/02/researchers-unearth-evidence-of-superfish-style-attacks-in-the-wild/

It&#039;s starting to look like Superfish and other software containing the same HTTPS-breaking code library may have posed more than a merely theoretical danger to Internet users. For the first time, researchers have uncovered evidence suggesting the critical weakness may have been exploited against real people visiting real sites, including Gmail, Amazon, eBay, Twitter, and Gpg4Win.org, to name just a few.

As Ars reported one week ago, ad-injecting software pre-installed on some Lenovo laptops caused most browsers to trust fraudulent secure sockets layer certificates. The software was called Superfish. In the coming days, security researchers unearthed more than a dozen other apps that posed the same threat. The common thread among all the titles was a code library provided by an Israel-based company called Komodia.

The Komodia library modified a PC&#039;s network stack by adding a new root Certificate Authority certificate. Poor choices in both the way the certificate and underlying code were designed caused most browsers to trust fraudulent certificates that otherwise would have generated warnings. 

Until now, that danger was nothing more than a troubling hypothetical, but no more. On Wednesday, researchers presented evidence attackers have exploited the weaknesses in Superfish and the other programs to launch real man-in-the-middle attacks on end users as they visited some of the most sensitive HTTPS-protected websites on the Internet. 

Dear Software Vendors: Please Stop Trying to Intercept Your Customers’ Encrypted Traffic
https://www.eff.org/deeplinks/2015/02/dear-software-vendors-please-stop-trying-intercept-your-customers-encrypted

Over the past week many more details have emerged about the HTTPS-breaking Superfish software that Lenovo pre-installed on its laptops for several months. 

Unfortunately, the security implications have gone from bad to worse the more we’ve learned. 

What’s worse is that these attacks are even easier than researchers originally thought, because of the way Komodia’s software handles invalid certificates

an attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)

To make matters worse, Komodia isn’t the only software vendor that’s been tripped up by this sort of problem.

So what can we learn from this Lenovo/Superfish/Komodia/PrivDog debacle? For users, we’ve learned that you can’t trust the software that comes preinstalled on your computers—which means reinstalling a fresh OS will now have to be standard operating procedure whenever someone buys a new computer.

But the most important lesson is for software vendors, who should learn that attempting to intercept their customers’ encrypted HTTPS traffic will only put their customers’ security at risk. Certificate validation is a very complicated and tricky process which has taken decades of careful engineering work by browser developers. Taking certificate validation outside of the browser and attempting to design any piece of cryptographic software from scratch without painstaking security audits is a recipe for disaster.]]></description>
<content:encoded><![CDATA[<p>Dan Goodin / Ars Technica:<br />
EFF unearths evidence of possible Superfish-style attacks in the wild<br />
Crypto-busting apps may have been exploited against visitors of Google and dozens more.<br />
<a href="http://arstechnica.com/security/2015/02/researchers-unearth-evidence-of-superfish-style-attacks-in-the-wild/" rel="nofollow">http://arstechnica.com/security/2015/02/researchers-unearth-evidence-of-superfish-style-attacks-in-the-wild/</a></p>
<p>It&#8217;s starting to look like Superfish and other software containing the same HTTPS-breaking code library may have posed more than a merely theoretical danger to Internet users. For the first time, researchers have uncovered evidence suggesting the critical weakness may have been exploited against real people visiting real sites, including Gmail, Amazon, eBay, Twitter, and Gpg4Win.org, to name just a few.</p>
<p>As Ars reported one week ago, ad-injecting software pre-installed on some Lenovo laptops caused most browsers to trust fraudulent secure sockets layer certificates. The software was called Superfish. In the coming days, security researchers unearthed more than a dozen other apps that posed the same threat. The common thread among all the titles was a code library provided by an Israel-based company called Komodia.</p>
<p>The Komodia library modified a PC&#8217;s network stack by adding a new root Certificate Authority certificate. Poor choices in both the way the certificate and underlying code were designed caused most browsers to trust fraudulent certificates that otherwise would have generated warnings. </p>
<p>Until now, that danger was nothing more than a troubling hypothetical, but no more. On Wednesday, researchers presented evidence attackers have exploited the weaknesses in Superfish and the other programs to launch real man-in-the-middle attacks on end users as they visited some of the most sensitive HTTPS-protected websites on the Internet. </p>
<p>Dear Software Vendors: Please Stop Trying to Intercept Your Customers’ Encrypted Traffic<br />
<a href="https://www.eff.org/deeplinks/2015/02/dear-software-vendors-please-stop-trying-intercept-your-customers-encrypted" rel="nofollow">https://www.eff.org/deeplinks/2015/02/dear-software-vendors-please-stop-trying-intercept-your-customers-encrypted</a></p>
<p>Over the past week many more details have emerged about the HTTPS-breaking Superfish software that Lenovo pre-installed on its laptops for several months. </p>
<p>Unfortunately, the security implications have gone from bad to worse the more we’ve learned. </p>
<p>What’s worse is that these attacks are even easier than researchers originally thought, because of the way Komodia’s software handles invalid certificates</p>
<p>an attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)</p>
<p>To make matters worse, Komodia isn’t the only software vendor that’s been tripped up by this sort of problem.</p>
<p>So what can we learn from this Lenovo/Superfish/Komodia/PrivDog debacle? For users, we’ve learned that you can’t trust the software that comes preinstalled on your computers—which means reinstalling a fresh OS will now have to be standard operating procedure whenever someone buys a new computer.</p>
<p>But the most important lesson is for software vendors, who should learn that attempting to intercept their customers’ encrypted HTTPS traffic will only put their customers’ security at risk. Certificate validation is a very complicated and tricky process which has taken decades of careful engineering work by browser developers. Taking certificate validation outside of the browser and attempting to design any piece of cryptographic software from scratch without painstaking security audits is a recipe for disaster.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1348672</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 26 Feb 2015 07:24:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1348672</guid>
		<description><![CDATA[Russell Brandom / The Verge: 	
Lenovo.com has been hacked, possibly by Lizard Squad 
http://www.theverge.com/2015/2/25/8110201/lenovo-com-has-been-hacked-apparently-by-lizard-squad

Lenovo.com has been hacked. Starting at 4PM ET, users visiting the site saw a slideshow of disaffected youths, set to the song &quot;Breaking Free&quot; from High School Musical.

The hack comes on the heels of a wave of public criticism of Lenovo, after the company bundled computers with an encryption-breaking adware program known as Superfish. Lenovo eventually released a program to remove the software and restore affected users, but the debacle left many users unhappy with the company. That lingering mistrust may have contributed to the attack.

The attackers seem to have hijacked Lenovo&#039;s domain record, an attack that would have given them the power to redirect the lenovo.com URL to a new server under their control.]]></description>
		<content:encoded><![CDATA[<p>Russell Brandom / The Verge:<br />
Lenovo.com has been hacked, possibly by Lizard Squad<br />
<a href="http://www.theverge.com/2015/2/25/8110201/lenovo-com-has-been-hacked-apparently-by-lizard-squad" rel="nofollow">http://www.theverge.com/2015/2/25/8110201/lenovo-com-has-been-hacked-apparently-by-lizard-squad</a></p>
<p>Lenovo.com has been hacked. Starting at 4PM ET, users visiting the site saw a slideshow of disaffected youths, set to the song &#8220;Breaking Free&#8221; from High School Musical.</p>
<p>The hack comes on the heels of a wave of public criticism of Lenovo, after the company bundled computers with an encryption-breaking adware program known as Superfish. Lenovo eventually released a program to remove the software and restore affected users, but the debacle left many users unhappy with the company. That lingering mistrust may have contributed to the attack.</p>
<p>The attackers seem to have hijacked Lenovo&#8217;s domain record, an attack that would have given them the power to redirect the lenovo.com URL to a new server under their control.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/02/22/lenovo-superfish-scandal-why-its-one-of-the-worst-consumer-computing-screw-ups-ever/comment-page-1/#comment-1348154</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 25 Feb 2015 09:12:34 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30301#comment-1348154</guid>
		<description><![CDATA[Superfish: Lenovo ditches adware, but that doesn&#039;t fix SSL megavuln – researcher
Here&#039;s how to zap the ad-injecting crapware
http://www.theregister.co.uk/2015/02/19/superfish_lenovo_analysis/

But the problem only hit the mainstream after security researcher Marc Rogers wrote about it on Wednesday (here), provoking the angriest reaction against a tech firm since the Sony BMG rootkit affair back in 2005.

Lenovo was deliberately breaking secure connections, making it easier in the process for any attackers to spoof any HTTPS website, say researchers. Obtaining a private key from one Lenovo laptop would allow the technically knowledgeable to snoop on the web traffic of any other Lenovo users on the same network.]]></description>
		<content:encoded><![CDATA[<p>Superfish: Lenovo ditches adware, but that doesn&#8217;t fix SSL megavuln – researcher<br />
Here&#8217;s how to zap the ad-injecting crapware<br />
<a href="http://www.theregister.co.uk/2015/02/19/superfish_lenovo_analysis/" rel="nofollow">http://www.theregister.co.uk/2015/02/19/superfish_lenovo_analysis/</a></p>
<p>But the problem only hit the mainstream after security researcher Marc Rogers wrote about it on Wednesday (here), provoking the angriest reaction against a tech firm since the Sony BMG rootkit affair back in 2005.</p>
<p>Lenovo was deliberately breaking secure connections, making it easier in the process for any attackers to spoof any HTTPS website, say researchers. Obtaining a private key from one Lenovo laptop would allow the technically knowledgeable to snoop on the web traffic of any other Lenovo users on the same network.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
