
Lessons to learn from Lenovo’s website hack

Oh Sieng Chye, Researcher, ESET Asia-Pacific | March 9, 2015
Ultimately, the best way to avoid a data breach in your enterprise is to continuously prepare, protect and secure the organisation's network and its information, says ESET's researcher.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

A week ago, Chinese computer and smartphone firm Lenovo was notified that its website had been compromised. The hack came on the back of Lenovo's first security blemish of the year, relating to pre-installed software on its laptops called Superfish.

Lizard Squad, an infamous hacking group that has been known for other high-profile attacks, claimed responsibility for bringing down Lenovo's website. According to Lenovo, the attackers were able to breach the domain name system (DNS) associated with the company, redirecting visitors from lenovo.com to another address, while simultaneously intercepting the beleaguered company's internal email.

DNS is a protocol that transforms a readable domain name such as "www.lenovo.com" into an Internet Protocol (IP) address that computers on a network use, for example 72.32.67.100. The DNS protocol plays an important role in simplifying how we use the Internet on a day-to-day basis, as it is almost impossible to remember IP addresses for every website. DNS, like other computer systems, can be subjected to attack and exploitation. In this instance, the attackers successfully compromised the DNS and made changes to its records.
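As an added example (not code from the article or from ESET), the Python below decodes a DNS response, including compressed names, and flags A answers that fall outside a known-good baseline, which is how a defender would notice the kind of record change described above; the packet builder and the baseline address set are constructed for illustration.

```python
# Added example: decode a DNS response and flag A answers outside a known-good baseline.
import struct
import ipaddress

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(pkt, off):
    # Decode a possibly-compressed name; return (name, offset just after it)
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end if jumped else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_a_records(pkt):
    # Return [(owner name, dotted IPv4)] for A records in the answer section
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(pkt, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, str(ipaddress.IPv4Address(pkt[off:off + 4]))))
        off += rdlen
    return out

def unexpected_answers(pkt, expected):
    # Answers whose address is outside the operator's baseline (possible redirection)
    return [(n, ip) for n, ip in parse_a_records(pkt) if ip not in expected]

def build_response(name, ip, txid=0x1234):
    # Constructed sample: one question, one A answer that uses a name pointer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

EXPECTED = {"72.32.67.100"}  # assumed baseline, taken from the article's example address
```

Running `unexpected_answers(build_response("www.lenovo.com", "203.0.113.9"), EXPECTED)` returns the unexpected answer, while a response carrying the baseline address returns an empty list.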

It is believed that the Lizard Squad were upset with the security loophole created by Superfish, which allowed potential points of access into Microsoft Windows computers. As described by Lenovo, "SuperFish intercepts HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern." Essentially, this opened up possibilities for ill-intentioned cybercriminals to intercept the network traffic and cause more harm to the user.

Classified as adware, the pre-installed software was found on selected models of Lenovo machines, and its main function was delivering ads to the user. Because it installed its own self-signed root certificate on the machine, it severely compromised user security. When the flaw was exposed, it understandably caused a major furore within the tech and consumer community. The security risk Superfish poses is so serious that it prompted Lenovo's CTO Peter Hortensius to comment in the media, "We messed up badly. We are taking our beating like we deserve on this issue."

After unleashing their brand of revenge for Superfish on Lenovo, the Lizard Squad proceeded to also publicly release an email exchange between Lenovo employees discussing the same issue. The emails showed that Lenovo's security researchers already knew that the adware made its machines vulnerable to attack.

Even though Superfish only affected Lenovo's consumer models, this should be a huge lesson for enterprises. Companies should adopt the best practice of wiping newly purchased machines of pre-installed software and installing what is called a company-built image. This ensures only thoroughly vetted and approved applications are installed on the machine before it is assigned for employee use, thus minimising security vulnerabilities.
