SEA Hackers Muck Up CNN Sites
If the SEA's goal is tantamount to egging a house, its efforts have been successful. However, if the group intended to actually damage its targets, it seems it's been firing a lot of blanks. One thing it almost certainly has accomplished is to raise awareness of the phishing techniques it favors to gain access to victims' sites. There are ways to recognize and defend against social engineering.
Jan 24, 2014 2:39 PM PT
The SEA hacked into and defaced various CNN social media accounts and blogs, the network's Catherine Shoichet reported.
"Tonight, the #SEA decided to retaliate against #CNN's viciously lying reporting aimed at prolonging the suffering in #Syria," the SEA tweeted Thursday.
"If you're a media person or media company, you ought to realize these guys are out to compromise you," Chester Wisniewski, senior security adviser at Sophos, told TechNewsWorld. "These guys started hitting the big media outlets -- the BBC, The New York Times, CBS -- about a year ago."
The attacks on CNN and Microsoft this week indicate "they don't realize they are targets, and haven't implemented two-factor authentication," Wisniewski continued. "This is the 21st Century, and they should wake up by now."
CNN did not respond to our request for further details.
The Hack Attack
The SEA hit CNN's main Facebook account, CNN Politics' Facebook account, and the Twitter pages for CNN and CNN's Security Clearance, as well as blogs for Political Ticker, The Lead, Security Clearance, The Situation Room and Crossfire.
It posted criticisms of CNN's coverage on the affected sites.
Those criticisms can be viewed on SEA's Twitter feed.
Killers or Clowns?
The SEA's underlying motives for its hacks remain confusing.
In addition to major American media outlets and social media sites, the group's victims include the United States Marines, Harvard University, Al Arabiya, Skype, the Qatar Foundation, the soccer governing body FIFA, and the entertainment news site E!
Among its messages, the SEA posted the claim on E!'s site that pop singer Justin Bieber is gay.
"Their activities range from nuisance defacement to crippling outages, so from a threat perspective they should be viewed similar to other advanced adversaries," Scott Greaux, vice president at PhishMe, told TechNewsWorld.
However, "I believe it's more for the Lulz ," Sophos' Wisniewski said, pointing out that SEA merely defaces websites rather than using the access gained to launch more harmful actions.
There are divided opinions on the group's technical prowess as well.
Targeting large organizations such as The New York Times, Twitter and The Huffington Post "both demonstrates SEA's technical capabilities to disrupt key Internet sites and services, and to make political statements through their attacks," Jeff Debrosse, a director of security research at Websense, told TechNewsWorld.
On the other hand, "their techniques are not sophisticated -- they're using social engineering," Sophos' Wisniewski pointed out. "They're not technologically sophisticated."
Simplicity Can Hurt
Although phishing is a relatively simple method of attack, it "works at every level, and if someone's good at it they can hit more and more sites," Wisniewski said. "There's no software fix for human vulnerability."
Simulated phishing attacks show that C-level executives may be most likely to fall prey to phishing attacks, according to Wombat Security.
They succumb to fake faxes, false conference registrations, shipping confirmations and social media password resets, and some even submit login credentials.
Arming Against the Phishermen
"Statistically, this attack vector has a high chance of succeeding," Alex Watson, a director of security research at Websense, told TechNewsWorld.
Training is one option: A 12-month study by KnowBe4 of 372 companies whose phish-prone employees had undergone security awareness training found risky behavior was reduced by more than 12 times. Nearly 40 percent of the firms were financial entities, which are typically more aware of risk and have tighter restrictions than companies in other sectors.
In addition to training executives in phishing defense, it's important to train assistants who may have access to their email, Wombat recommended.
"Cultivating a user base that recognizes malicious email is an important defense against the types of attacks the SEA has carried out with such success," said PhishMe's Greaux.
Other options are advanced security systems that can apply context, Watson suggested, include noting whether a login from abroad makes sense, and enforcing two-factor authentication.