Major US Media Succumb to Unsophisticated Syrian Hack Attacks
The hack attacks perpetrated by the Syrian Electronic Army this week weren't exactly on the cutting edge. Rather, they relied primarily upon phishing and social engineering to gain access to The Washington Post, Time and CNN. "As far as I can tell, the only thing exploited was human nature -- that's not something that is easily patched," said security researcher Craig Young.
Aug 16, 2013 12:04 PM PT
The Syrian Electronic Army on Thursday claimed credit for hack attacks that took control of portions of a handful of U.S. news sites via an article-recommendation service they all use.
Included among the hacked sites were The Washington Post, Time and CNN. SEA reportedly gained control of them by entering an administration portal for Outbrain and inserting links in some of the recommended articles at the bottom of the Web page, thereby redirecting readers to its own site.
"@TIME, @CNN, @Washingtonpost websites hacked in one strike by hacking @outbrain," the group wrote in a tweet on Thursday, adding the hashtags #SEA, #SyrianElectronicArmy and #Syria.
It was, in fact, a very busy week for the SEA, which also attacked the New York Post and social media optimization company SocialFlow.
The hacks were payback for Twitter's campaign against the group's presence on the social network, a SEA member told The Daily Beast.
Still a Social Engineering World
What is perhaps most discouraging about the week's events is that the SEA didn't exactly use advanced, sophisticated hacking techniques to gain control of these sites. Instead, phishing and social engineering appeared to be the main tactics employed, Craig Young, security researcher for Tripwire, told TechNewsWorld.
"As far as I can tell, the only thing exploited was human nature -- that's not something that is easily patched," he said.
The answer, however, is simple, Young added. Specifically, more education is needed, including among media outlets, which are a ripe target for hackers looking for instant and widespread publicity, he explained.
"Media outlets need to be doing more to educate employees," Young said. "There needs to be a direct effort to teach them how to recognize and respond to phishing emails.
"In the same way organizations hire penetration testers to assess the security of their network, companies must also assess and improve security as it pertains to the human element," he added.
'Educate People About Attack Modes'
Indeed, companies have to teach their employees and partners to have a more cynical and suspicious attitude in their online dealings, Bill Curtis, chief scientist at CAST and director of The Consortium for IT Software Quality, told TechNewsWorld.
"Educate people about attack modes so that they are not as susceptible to phishing messages posing as 'safe' internal emails, the source for at least some of these attacks," he urged.
"Treat software security as a supply chain requirement so that all software from other vendors used on your site has adequate safeguards against allowing your site to be hacked from penetrations of their software," Curtis continued. "Make sure you have adequate security safeguards against unwanted intrusions attacking through third-party software that you 'trust.'"
In short, think of third-party software suppliers as a "NATO ally" and "develop common defenses against attacks made at any of the software applications," he suggested.
'The Infection Spreads'
Hackers are drawn to media companies like predators to a watering hole.
"Major media outlets allow for quick access to massive user bases to spread malware and propaganda," JD Sherry, vice president of technology and solutions for Trend Micro, explained.
"Breaching media outlets also creates sensationalism, shock and awe, which further fuels the efforts of the attackers," Sherry told TechNewsWorld. "Much of this is in the form of hacktivism and geopolitical posturing."
Watering hole attacks are also "often hard to recognize and mitigate internally," he pointed out. "Once infected with a watering hole attack, the site or a piece of the site becomes a malware delivery mechanism for all innocent visitors. The infection spreads with great ease and conviction from there."
It's not yet clear how much damage was done with this latest attack, Sherry noted, so dismissing it as a stunt may well be premature.
"In most cases, the early indications of damage or impact are not the only instances," he concluded. "As the incident response and forensics evolve, further evidence will show any other collateral damage."