//Kevin Anderson /june 3 / 2013
Hacked news organisations help you spot the next attack
The hacktivist group, the Syrian Electronic Army, has been on a roll recently, tricking journalists at some of the most well-known news organisations, including the Associated Press, Thomson-Reuters, the BBC and the Financial Times into giving up their usernames and passwords. The hacktivists have then used the Twitter and WordPress accounts of these news outlets to damage their credibility and spread pro-Assad government messages.
These incidents have been embarrassing, and the natural response is to play them down. However, two news groups – the American satirical news site, The Onion, and the Financial Times – have resisted the urge to sweep the attacks under the carpet and have instead detailed them.
Not only does this caryy the best tradition of journalism into the digital age with the news organisations practicing the transparency that journalists so often call on others to embrace, it also provides a valuable public service to other news businesses on how to spot these sophisticated attacks and prevent themselves from also becoming victims.
Attacks rely on trusted sources
The popular image of a hacker is one of a technical savant so steeped in the ways of computers and network security that no lock is strong enough to keep them out. While this does describe a small elite, most hackers do not rely on complex technical attacks, instead relying on tricking you out of your usernames and passwords, a process known as social engineering in the hacking community.
One of the key elements of these attacks is that they rely on networks of trust – either in colleagues or in trusted sources. Most of these attacks begin with phishing and spear phishing attacks. At The Onion, staff began receiving emails from “strange, outside addresses”. But that’s not all. The example The Onion gives in its write up of the attack is a faked email from Elizabeth Mpyisi from a UNHCR address. Many journalists would be familiar with UNHCR, the United Nations High Commissioner for Refugees, and a quick search turns up a skeletal LinkedIn profile for an Elizabeth Mpyisi. The attackers are counting on the fact that journalists would be familiar with UNHCR and would trust it as a source of information. As for the social media profiles connected to Elizabeth Mpyisi, do not take this as evidence that the email is legitimate. Hoaxers and hackers have been known to set up fake social media accounts to support their attacks.
However, journalists and editors must immediately ask why anyone from UNHCR would be contacting them with this brief and slightly cryptic email. Also, Mpyisi is listed as a community services officer, and her LinkedIn account is listed as being registered in Uganda. Why would a Ugandan employee of UNHCR be contacting employees of The Onion? Journalists are professional sceptics, and in this age of frequent digital attacks, it is worth employing this scepticism to keep yourself from being the next victim.
In the case of the FT attack, the Syrian Electronic Army had first targeted the personal email accounts of FT journalists, according to FT lab co-founder and director Andrew Betts.
In the emails to both The Onion and the FT, they contained links that appeared to be to news stories in the Washington Post or CNN. However, the links actually redirected to a hacked WordPress site, “rather a high profile one but we thought it rude to name them, and they’ve since fixed it”, Betts said. The staff at The Onion were then redirected to a fake Google Apps login. In the case of the FT, the hackers faked the newspaper’s corporate email login pagePageA document having a specific URL and comprised of a set of associated files. A…//read more . Once logged in, the FT employee was redirected to their corporate Gmail inbox and “were none the wiser”, Betts said.
Copying these webmail pages is all too easy. Some news organisations’ corporate webmail login pages can be found using a simple search, and with the increasing use of Gmail for corporate email, it isn’t that difficult to guess the address.
These types of tricks are the common way that most of these attacks now start. The tricks that hackers use are always changing and constantly growing more sophisticated, but the tactics have remained largely the same for much of the past decade.
How the attack escalates
Once the hackers had access to an internal email address, then the attack intensified. Betts said:
By targeting those FT staff that advertise their email address publicly, the hackers eventually managed to secure access to an FT.com corporate email account. With this, they also had access to our global address list and with it the email addresses of every member of FT staff. They began sending the same email to a much larger number of FT.com users, this time from legitimate FT.com email accounts.
In both instances, the attackers use your own email systems against you. Back at The Onion:
After discovering that at least one account had been compromised, we sent a company-wide email to change email passwords immediately. The attacker used their access to a different, undiscovered compromised account to send a duplicate email which included a link to the phishing page disguised as a password-reset link. This dupe email was not sent to any member of the tech or IT teams, so it went undetected. This third and final phishing attack compromised at least 2 more accounts. One of these accounts was used to continue owning our Twitter account.
The FT was able to work with Google to blacklist the site that was being used to compromise the accounts, which meant that any email containing the link would not be delivered, and The Onion forced a company-wide reset of their Google Apps accounts.
The FT shared how they managed to wrest control back of their accounts. One thing stands out, they worked closely with both Google and Twitter. If you use third party services such as these, you will want to make sure that you have good contacts with the companies, and if you are working with major US or European internet companies, try to get a local contact so that you’re not waiting for hours before the US wakes up and comes online.
Lessons from the attacks
The FT and The Onion have done a valuable public service by detailing the attacks, however embarrassing they might be. They also have added several suggestions on how news organisations can defend themselves against such attacks. Here are some of the lessons they have learned.
Widespread services make big targets – In the end, only several Twitter accounts and two out of 60 WordPress blogs were compromised at the Financial Times. As Betts point out, these are some of the most widely used third party services and platforms used by news organisations. “This problem will likely get worse over time as more organisations adopt the same online tools – if a vulnerability is found against one, it can be used against all – increasing the motivation for the hackers to find holes,” Betts said.
Hackers share tips on how to exploit, and they often cooperate. Betts says that there was evidence that the attack against the FT came not only from Syria but also from Russia.
However, it’s not just hackers who share information on how to break into sites, there are several popular guides on how to improve the security of the services you use, including WordPress.
How many people really need high-level access? One step the FT took after the attack was to re-examine its security procedures and limit high-level access to only those staff who require it. Does everyone need access to your corporate Twitter account? WordPress has the ability to limit access based on roles. For instance, you can set up accounts that allow contributors to submit content but not publish that content live to the site. You will need to strike a balance between allowing access so no process relies on a single technical staff member or editor, but you also don’t want to give everyone access to make major changes to your site.
Make two-factor authentication mandatory – As these attacks have become more widespread, more internet companies have added two-factor authentication. Often this is implemented so that in addition to your username and password, you also need a code that will be sent to your mobile phone to access your account. Google, Facebook and recently Twitter have all added two-factor authentication. Google will also provide you with a set of single use codes you can use if you don’t have mobile phone access. The FT has now made two-factor authentication mandatory. If an internet service provides you with a way to be more secure, use it, without exception.
The Onion’s tech team also recommends using an app such as HootSuite to manage your social media accounts. “Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify,” they said. They also suggest using an email to register with Twitter “isolated from your organization’s normal email”.
Educate staff – This is key. Both of these attacks were only possible because members of staff were tricked into surrendering their usernames and passwords. Security training is no longer a luxury. It is essential. Often these attacks are carried out by patriotic hackers, people not employed by the government but sympathetic to it. Out of a sense of national pride, they will attack international and domestic critics of their government.
Digital security is a cat-and-mouse game, with hackers constantly coming up with new ways to trick users into sacrificing their own security, but also with security professionals and staff learning new ways to defend against these attacks. Fortunately, these two news organisations have shared valuable lessons on how to stay safe. Take advantage of their honesty and openness and make sure you’re not the next victim.
Article by Kevin Anderson