IT security pros and tech geeks are apoplectic over the news that laptop manufacturer Lenovo purposefully installed malware on its laptops to serve advertising to its unsuspecting users. The program, called Superfish, contains a security flaw that could allow any knowledgeable and ne'er-do-well hacker to steal passwords, bank credentials, and other valuable information from your laptop while you're scrolling through Facebook posts at Starbucks via their free Wi-Fi.
As if that wasn't bad enough, the program also monitors your online activity, uploads your personal information to its servers, and injects intrusive advertising on web sites you visit. Many cyber-security experts consider the Lenovo-Superfish Trojan horse to be the most egregious violation of consumer trust since the 2005 Sony DRM scandal. Says cyber-security expert Marc Rogers:
This is unbelievably ignorant and reckless of [Lenovo]. It's quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch.
Slate's David Auerbach, meanwhile, is flabbergasted that Lenovo risked its reputation for so little apparent reward:
Whatever commissions Lenovo might have received from Superfish must have been paltry… Lenovo sold its soul to the devil and forgot to get much of anything in return. Homer Simpson would’ve made a better Faustian bargain.
Security experts are also less than thrilled with Lenovo's official response to the backlash; the company has defaulted to corporate PR speak, claiming that it innocently pre-installed the software in order to "enhance the user experience." Word to the wise: whenever a company claims it has taken an action in order to "enhance" your "experience," you may safely assume that this action benefits the company and not you.
Recently in Birmingham, England, I attended a presentation on cyber-security by a pair of (seemingly) 12-year-old hackers who put the fear of God into me over my personal data security. My two takeaways: One, never access any banking, e-commerce, or any other sites that require password entry while connected to an open Wi-Fi network; and two, whatever your routine for choosing and remembering passwords for your sensitive web sites, you may be assured that it's not good enough. The hackers recommended choosing a password manager tool to secure access to sensitive data. Lifehacker recently posted their list of the five best password managers. Stay safe out there.
Rick Ferguson is the author of The Chronicles of Elberon fantasy trilogy. Rick is also a globally recognized marketing expert with appearances in the New York Times, Wall Street Journal, Advertising Age, Fast Company, the Globe & Mail Canada, the Guardian UK, the Financial Times India, MSNBC, and the Fox Business Channel. He has delivered keynote speeches on marketing principles and best practices on six continents. He is also master of time, space, and dimension.