
Syrian Electronic Army hacks Washington Post Web site - selamattidur
http://www.washingtonpost.com/lifestyle/style/syrian-group-hacks-washington-post-web-site/2013/08/15/4e60d952-05bd-11e3-88d6-d5795fab4637_story.html
======
dkoch
So many media sites have a ton of javascript widgets: ad networks serving
third-party ads serving third-party tracking scripts, recommendation tools,
analytics, etc. It really increases the attack surface.

How do publishers know that the scripts that go on their pages are safe?

~~~
seliopou
Publishers should use AdSafe[1], which is a system for sandboxing widgets.
AdSafe provides widget authors an API for accessing object properties and the
DOM, as well as a static check to ensure that widgets are using this API
properly. If the static check passes and the library implementing the API is
correct, then your widget is properly sandboxed and attacks like that can't
happen. Check out the AdSafety paper[2] for more details about the extent to
which AdSafe has been verified.

Disclosure: I'm an author on the paper.

EDIT: Here's a great talk by Arjun on AdSafety:
[https://www.usenix.org/conference/usenix-security-11/adsafet...](https://www.usenix.org/conference/usenix-security-11/adsafety-type-based-verification-javascript-sandboxing)

[1]: [http://www.adsafe.org/](http://www.adsafe.org/)

[2]: [http://cs.brown.edu/research/plt/dl/adsafety/v1](http://cs.brown.edu/research/plt/dl/adsafety/v1)

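The question above (how does a publisher know a third-party script is safe?) and the AdSafe answer are both about one idea: hand the widget a narrow facade instead of the page, and refuse at load time any widget source that could reach around the facade. The following is an added illustration written for this thread, not AdSafe's code and not the Outbrain widget; the forbidden-name list, the facade methods (`setText`, `setLink`) and the sample widget sources are all constructed for the demo, and the regex-based check is a simplification of what a real checker such as AdSafe's does.

```javascript
// Added example, not AdSafe's code: the shape of the approach described above.
// A widget reaches the page only through a facade object it is handed, and a
// static check rejects source that names ambient globals, uses `this`, or
// uses computed subscripts (the usual ways out of such a facade). The check is
// regex-based and simplified; AdSafe's real rules and API are at adsafe.org.

const FORBIDDEN_NAMES = new Set([
  'window', 'document', 'globalThis', 'self', 'top', 'parent', 'frames',
  'location', 'eval', 'Function', 'arguments', 'this',
  'constructor', '__proto__', 'prototype',
]);

// Comments and string/template literals, matched left to right in one pass so
// a "//" inside a string is not taken for a comment. Regex literals are not
// handled; this is a demo, not a JavaScript parser.
const LITERAL_RE =
  /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`/g;

function stripLiterals(src) {
  return src.replace(LITERAL_RE, (m) =>
    m[0] === '"' || m[0] === "'" || m[0] === '`' ? '""' : ' ');
}

// Returns a list of violations; an empty list means the source passed.
function checkWidgetSource(src) {
  const code = stripLiterals(src);
  const violations = [];
  for (const m of code.matchAll(/[A-Za-z_$][\w$]*/g)) {
    if (FORBIDDEN_NAMES.has(m[0])) violations.push(`forbidden name: ${m[0]}`);
  }
  // obj[expr] with anything but a literal can reach properties the facade
  // never exposed, so it is refused outright.
  if (/\[\s*[^\]"'0-9\s]/.test(code)) violations.push('computed subscript');
  return violations;
}

// The only handle a widget receives: it may fill its own container with text
// and http(s) links, and nothing else. `container` is a plain object standing
// in for a DOM node so the example runs outside a browser.
function makeFacade(container) {
  return Object.freeze({
    setText(text) { container.text = String(text); },
    setLink(label, href) {
      const u = new URL(String(href), 'https://publisher.example/');
      if (u.protocol !== 'https:' && u.protocol !== 'http:') {
        throw new Error(`refused link scheme ${u.protocol}`);
      }
      container.links.push({ label: String(label), href: u.href });
    },
  });
}

// Run a widget only if the check passes. The loader itself is a toy: the
// static check plus facade is the idea, not a security boundary on its own.
function loadWidget(src, container) {
  const violations = checkWidgetSource(src);
  if (violations.length > 0) return { ok: false, violations };
  const widget = new Function('dom', '"use strict";\n' + src);
  widget(makeFacade(container));
  return { ok: true, violations };
}

// Constructed widget sources for the demo (not real Outbrain or AdSafe code).
const GOOD_WIDGET = `
  dom.setText("Recommended for you");
  dom.setLink("Story A", "https://news.example/story-a");
`;
// Does what the thread describes: tries to send the reader somewhere else.
const REDIRECTING_WIDGET = `
  dom.setText("Recommended for you");
  window.location = "https://elsewhere.example/";
`;
// Tries to reach a method the facade never exposed via a computed name.
const SUBSCRIPT_WIDGET = `
  var name = "constructor";
  dom[name]("return 1");
`;

function demo() {
  const results = {};
  const sources = { GOOD_WIDGET, REDIRECTING_WIDGET, SUBSCRIPT_WIDGET };
  for (const [name, src] of Object.entries(sources)) {
    results[name] = loadWidget(src, { text: '', links: [] });
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the good widget filling its container and the other two refused before a line of them executes. The point of pairing the check with the facade is the one the comment makes: if the check is sound and the facade library is correct, a widget whose backend is later compromised still cannot navigate the page or touch nodes outside its box, whatever its new code tries to do.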
~~~
bentlegen
AFAIK, there was nothing vulnerable in the widget itself: the hackers accessed
Outbrain's admin panel, and changed the content of their recommended links to
point to their website instead.

The hackers posted screenshots of accessing the admin panel:
[http://mashable.com/2013/08/15/outbrain-hacked/](http://mashable.com/2013/08/15/outbrain-hacked/)

~~~
seliopou
What was reported[1] was that certain stories were redirecting users to the
SEA's site. This implies that they weren't just rewriting recommended links,
but were changing the code of the widgets, which resulted in that behavior.

[1]: [http://www.politico.com/blogs/media/2013/08/washington-post-...](http://www.politico.com/blogs/media/2013/08/washington-post-hacked-170594.html)

~~~
bentlegen
Ah, you're right. This screenshot actually shows the HTML they injected:
[http://rack.0.mshcdn.com/media/ZgkyMDEzLzA4LzE1L2E1L3RpbWVzY...](http://rack.0.mshcdn.com/media/ZgkyMDEzLzA4LzE1L2E1L3RpbWVzYWZmZWN0Ljg0OWQ0LmpwZwpwCXRodW1iCTEyMDB4OTYwMD4/ac8169ff/d19/times-affected-outbrain-admin-panel.jpg)

------
wil421
So if the most common way these hacker "groups" actually "hack" websites is
through phishing attacks, how do we protect against phishing attacks in a way
that will stop them? Obviously educating Martha the secretary not to click
links in emails from people she doesn't know isn't working.

How can we make phishing attacks less successful or remove this attack style
altogether? 9 times out of 10 when I hear about some major hack it's because of
phishing.

~~~
tlarkworthy
In your contrived story: why did you choose a woman? And why did you pick on a
secretary?

The undercurrent of misogyny is depressing.

~~~
nsmartt
I'm not entirely convinced this was misogynist.

Right now, I'm trying to think of jobs for a news provider that wouldn't
require tech savvy. "Secretary" is the only one that comes to mind.
Secretaries are stereotypically women.

------
INTPenis
So what are best guesses here? Weeks of surveillance and social engineering or
a 0-day/unpatched software?

I just feel like these sites should be getting scanned daily by all kinds of
frameworks like metasploit, so an unpatched known vuln seems unlikely.

More likely is exploiting the employees with spear phishing or social
engineering, or 0day. And of those three I'd have to lean towards 0day, if it
truly was Syrians that did it.

And if they got socialflow at almost the same time I'm betting they were using
something in common.

Though considering the post claims an employee account was hacked through
phishing, maybe they had shared accounts for columnists or something.

~~~
peterwwillis
You need insight into how these kinds of sites are run to understand how
attacks typically work on them.

Backend: lots of technology feeding them content and sending their content out
other places. App servers, content sinks, message buses, databases, FTP'd
stories, etc etc. Nobody ever attacks these because you have to have some kind
of basic reconnaissance on what they do and how they do it. And they're not
very secure because of the low visibility. But if you do know how most news
sites get their content, there's some fun holes to play with.

Frontend: SQL injection, misconfigured services, bad firewalls, shared or
easily-guessed accounts. You don't need anything fancy most of the time. There
is no Security Czar making sure everything is secure on the frontend. There's
supposed to be, but their lack of authority or motivation prevents them from
really trying to secure everything in a big-picture way.

Development: The site is constantly being developed, and not always by the
same staff. Sometimes a new guy who writes really shitty code will push
something to production which is clearly hazardous to security. It gets
through code review and policies and procedures because everyone's busy trying
to get real work done. Often these holes go unnoticed for years.

Third-party content: There is nothing ensuring content you're getting from a
3rd party is what you expect it to be. If it's not being served by your
servers, it's subject to attack. Often sites get taken down not because of
attack, but because an ad network is timing out, causing the page to stop
being loaded, effectively DoSing the page. SLAs mitigate this to a small
extent by encouraging the 3rd party not to lose money to their customers by
being hacked.

Phishing: This will work 90% of the time. Professional pen-testers have
agreements not to phish or social engineer their targets more than a certain
amount, because it almost always works; there's not much need to test it. But
keep in mind that if this were Syrians, their lack of mastery of English could
present a problem. Maybe it'd only work 60% of the time in this case.

_"I just feel like these sites should be getting scanned daily"_: Nope. The
vast majority of sites don't get constantly hammered by attackers looking for
a way in, because 99% of the attacks seen on large-traffic sites are trivial
automated things like botnets, which try one or two common holes across
millions of sites. Even the most basic security measures prevent these.

Real, targeted attacks are rare, and often get lost in the noise of constant
botnet barrage. There just aren't a whole lot of SEA's out there trying to
take over every single website. Usually when they do try, they succeed, in
some fashion or another; if they were to do this to every popular website on
the internet, it would take them months or years to get around to it all. And
they probably have day jobs.

The very last attack that works is a 0-day. It's called a 0-day because
(typically) it is patched a day or two after it's announced, and they are
rare. If you have one, you don't use it just to attack one news site.

~~~
nwh
> The vast majority of sites don't get constantly hammered by attackers
> looking for a way in

I find that hard to believe really.

Even just my residential connection's honeypot is stuffed with people trying to
do obscenely stupid things. There are people installing botnet clients, trying
to find databases, you name it. I get a connect every couple of hours, and
there's absolutely nothing else interesting about the IP address other than
the single open port. Funnily enough, most of them fall into the "Chinese
hacker" stereotype; about 90% of the connections I've logged geolocate there.

I can't imagine what a large company's SSH logs must look like.

~~~
peterwwillis
Your expectations are based on a completely different scenario. A honeypot is
designed to attract attackers, and is designed with bad security in mind. No
corporate network runs SSH in the open. There's no need.

What a corporate network needs is to provide remote access to specific
services based on who is authorized. A VPN is the way to accomplish this. It
would be stupid to allow SSH access to everyone (including hackers) when only
a handful of authorized administrators would even have SSH accounts, much less
do anything on the box. You keep it behind the VPN and only allow specific
users access. It reduces the attack surface, creates audit trails, simplifies
revoking network access, etc. This is security 101.

~~~
nwh
> A honeypot is designed to attract attackers, and is designed with bad
> security in mind.

I wouldn't say that. You'd be very hard pressed to find a production server
without SSH, if not on the default port. I'm doing absolutely nothing to draw
attention to myself, so it stands to reason that somebody who is (say, running
a large website) would draw a lot more probes and "hacked" logins.

> amongst them not running SSH in the open

Moving SSH to a different port is the usual "fix" I see, which does next to
nothing really. There's very little in terms of attacks against sshd, and none
when you disable password based authentication. Having an open port is not an
issue unto itself, unless you used an older Debian to generate your keys.

~~~
acheron
Moving SSH to a different port does nothing if your system is being
specifically targeted, but it stops 99% of drive-by bots. Not that they do
much anyway but it at least stops them from showing up in your logs.

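The two comments above settle on the practical point: the control that matters is turning password authentication off, while moving the port only changes what shows up in the logs. An added example for this thread (not an OpenSSH tool, and not from any of the commenters): a small POSIX shell audit that reads an `sshd_config` the way sshd does (first occurrence of a keyword wins, settings inside a `Match` block are conditional) and reports the directives discussed here. The directive names are real sshd_config keywords; the two sample files are constructed for the demo, and the defaults assumed for absent directives are noted in the comments.

```sh
#!/bin/sh
# Added example, not an OpenSSH tool: audit an sshd_config for the settings
# the exchange above turns on (password logins off; a port move is cosmetic).
# Directive names are real sshd_config keywords; the sample files below are
# constructed for the demo.

# Print the effective value of one directive, or nothing if it is unset.
# sshd honours the first occurrence of a keyword; settings inside a Match
# block are conditional, so parsing stops there.
sshd_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# One finding per line for the file in $1; prints nothing if all is well.
# Assumed upstream defaults when a directive is absent: PasswordAuthentication
# yes, PubkeyAuthentication yes, KbdInteractiveAuthentication yes.
audit_sshd_config() {
    cfg=$1
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    pubkey=$(sshd_get "$cfg" PubkeyAuthentication)
    root=$(sshd_get "$cfg" PermitRootLogin)
    kbd=$(sshd_get "$cfg" KbdInteractiveAuthentication)
    # Older configs spell the same switch ChallengeResponseAuthentication.
    [ -n "$kbd" ] || kbd=$(sshd_get "$cfg" ChallengeResponseAuthentication)
    port=$(sshd_get "$cfg" Port)

    [ "$pw" = no ] ||
        echo "PasswordAuthentication is '${pw:-yes (default)}': password guessing stays possible; set PasswordAuthentication no"
    [ "$pubkey" != no ] ||
        echo "PubkeyAuthentication no: key-only login is impossible; remove this line"
    [ "$root" != yes ] ||
        echo "PermitRootLogin yes: log in as a named admin and escalate, so actions are attributable"
    if [ "$pw" = no ] && [ "${kbd:-yes}" = yes ]; then
        echo "KbdInteractiveAuthentication is '${kbd:-yes (default)}': with UsePAM, keyboard-interactive can still prompt for a password; set it to no"
    fi
    [ "${port:-22}" = 22 ] ||
        echo "note: Port $port only trims drive-by log noise; it is not an authentication control"
}

# Constructed samples (not from any real host).
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# mostly stock, "hidden" on a high port
Port 2222
PermitRootLogin yes
#PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CFG"
echo "== hardened =="; audit_sshd_config "$HARD_CFG"
```

The weak sample produces three lines (passwords still accepted by default, root login allowed, and the port note), the hardened one none. The keyboard-interactive check is the caveat worth knowing: `PasswordAuthentication no` alone does not stop PAM from prompting for a password over the keyboard-interactive method, so both switches need to be off before an open port 22 is the non-issue the comment above says it is.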
~~~
nwh
Just out of interest I tried running on 22 and a very high random port; as you
said, significantly less, though not no attempts. I think it's a false sense of
security more than anything.

~~~
diminoten
Security through obscurity is generally frowned upon.

~~~
ISL
Yes, but in combination with good practice, it doesn't hurt.

------
peterwwillis
In an ironic twist, the Syrian Electronic Army's website wins a Pulitzer for
investigative reporting; Jeff Bezos replaces entire editorial staff with six
hackers and a shell script.

------
dmix
Washington Post also posted another good article about the hackers:

"The Post just got hacked by the Syrian Electronic Army. Here’s who they are."

[http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/15...](http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/15/the-post-just-got-hacked-by-the-syrian-electronic-army-heres-who-they-are/)

~~~
MisterWebz
_Recently, security researchers say the group has also started to engage in
more sophisticated attacks, including using Trojans and targeting Voice over
IP (VOIP) services. Those attacks and this week’s Socialflow and Outbrain
compromises suggest the SEA may just be getting started._

Fear mongering at its finest. These people aren't doing anything that isn't
already being done by others.

I'm expecting a lot more "cyber warfare" and terrorism-related fear mongering
in the following months. We already saw an increase in politicians complaining
about Chinese cyber attacks, but the leaks put an end to that. Let's see who
they'll focus on next.

------
dobbsbob
The "Syrian Electronic Army" is just rented Iranian hackers. They also have a
large propaganda chorus you'll see in newspaper article comments, just like
Gaddafi did, to give the illusion of popular support. They also steal citizen
journalist videos of atrocities in Syria and then make up fake translations
for them to paint the regime in the best light possible. Since most people
never fact-check anything they see on YouTube, this strategy largely works.
It's too late when the Guardian or Al Jazeera reveal the true translation
weeks later; the damage has already been done.

Shouldn't the Washington Post and other news agencies be running honeypots to
catch these guys?

------
showerst
This same group got socialflow yesterday -
[http://www.ehackingnews.com/2013/08/socialflow-hacked-new-yo...](http://www.ehackingnews.com/2013/08/socialflow-hacked-new-york-post.html)

------
late_groomer
The comments at the bottom of the page are pretty funny.

------
chcleaves
Is there a coincidence with the Times being down yesterday and this?

~~~
untog
It's a coincidence. NYT was not hacked yesterday.

~~~
mtgx
Fox News was quick to point out it was hacked, though. Hacking! Cyberwar!
Cyberterrorism! Fear!

------
mtgx
So who did it? NSA with Chinese proxies?

------
sigzero
Simply because they are idiots.

