In May of last year, PBS reported online that "prominent rapper Tupac has been found alive and well in a small resort in New Zealand." The U.K.-based The Sun devoted its front page in July to a report that media mogul Rupert Murdoch had died from a suicidal drug overdose. The same month, Fox News Politics tweeted that President Barack Obama had been assassinated; not long after, NBC News's Twitter account reported that two flights had been hijacked and were headed for Ground Zero. These morbid stories were all fake, of course, planted by mischievous hackers seeking infamy and amusement.
But the hackers who planted fake news stories on Reuters's website earlier this month weren't doing it for fun. Reuters was caught in the middle of an "intensifying conflict in cyberspace between supporters and opponents of Syrian President Bashar al-Assad," in the words of one of its reporters, as hackers attempted to co-opt the news agency's credibility in order to support government forces in the Syrian national conflict.
Major news sites have always attracted hackers. In the early aughts, a hacker using the alias "Fluffi Bunni" repeatedly posted a picture of a pink plush bunny on a variety of websites, including that of the New York Times. Like the pink bunny, the fake Tupac story was left as a signature: Someone wuz here!
By contrast, the Reuters hacktivists wanted their fake stories to be taken as fact.
Earlier this month, hackers took over one of Reuters's Twitter accounts and sent out eight fake tweets, including "Obama signs executive order banning any further investigation of 9/11" and "White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria." The account was shut down. Hackers then broke into the agency's blogging platform on two separate occasions and posted short, realistic "reports" of fake news that favored the Syrian government in its ongoing clashes with the rebel Free Syrian Army.
The stories were posted on blogs.reuters.com, the opinion section where journalists including the popular finance writer Felix Salmon air their views. Reuters is still investigating the source of the attacks. In the meantime, it has shut down blogs.reuters.com, redirecting readers to the straight news at reuters.com.
To Americans and anyone accustomed to a free press, it should have been easy to spot the one-sided propaganda in the middle of less histrionic material. But the hackers tried to pass their message off as news. The fake posts were written in a plain, straightforward, newsman-like style, with appropriate headlines ("Riad Al-Asaad: Syrian Free Army pulls back tactically from Aleppo") accompanied by appropriate photos. "Certainly the attack on Reuters was more subtle than most," said Richard Wang, a US manager at the computer security firm Sophos. "They tried to put up content that at least at first glance would be in context for the site."
It's hard to say how much credit the hackers deserve, as they seem to be both savvy and clueless. Reuters publishes first-responder wire reports that get reprinted or replicated by other publications, making it an ideal origin point for a disinformation campaign. Did the hackers know this? They targeted an English-language news site as opposed to an Arabic one, ensuring the broadest possible base of readers. Was that calculated to spread the message faster? And if so, after all that, couldn't they have found a native speaker to do a final copy edit?
The chief leader of Syrian Free Army (FSA) has stated on Friday that the Syrian Free Army has withdrawn tactically from Aleppo province after severe clashes took place yesterday between the regular army and FSA.
Al-Asaad confirmed on a phone call to Reuters that the regular army killed 1000 soldiers of Free Syrian Army and arrest around 1500....In his first "unusual" statement, Riad Al-Asaad said that the Syrian Free Army will withdraw from all Syrian cities due to the huge losses caused upon the soldiers, as well, the betrayals made by rebels, due to in-fighting amongst them, for money and positions.
Thomson Reuters operates one of the most influential news organizations in the world, with 3,000 journalists in almost 200 bureaus filing more than a million stories a year. The company wrote about the threat of cyberattack in the "risk factors" portion of its 2011 annual report — but just in reference to its financial data and trading products. There's no mention of what might happen if someone tried to hack the news.
The Wall Street Journal reported that Reuters may have been hacked because it was running an older version of an open source publishing platform, but this has not been confirmed. The basis of the Journal's report was a speculative comment by an independent open source developer.
Reuters was using the free version of WordPress, which powers many major news sites including parts of the New York Times and CNN sites. WordPress maker Automattic has offered to help investigate the attacks, said Automattic CEO Toni Schneider, even though Reuters was not a paying WordPress client.
It seems just as likely that the Reuters breach was less sophisticated. Embarrassingly enough, the breach could have been due to a cracked, leaked, or stolen employee password. After the hacks, Reuters started educating staffers about phishing attacks. The staff received an email warning them not to click on any URLs from emails. Those who had access to Reuters Twitter accounts were told to change the passwords, and to phone the new passwords into headquarters rather than send the information by email. The company is preparing for an all-hands call this week to debrief after the attacks.
The odds of identifying the culprits are "generally very small," Wang said, although a political group may claim credit. "There are a vast number of attacks like this going on. If the guys behind it are competent, then they'll be hiding where they're attacking from," he said. It's suspected that a hacker group calling itself the Syrian Electronic Army may be behind the attacks. Reuters declined to comment on the hacks.
News sites are vulnerable
"Hackers know information is power. That's their mantra," said Dug Song, cofounder of the online account security firm Duo Security, which specializes in advanced password security. "We're starting to get to the point where, particularly with all the cultural zeitgeist of Anonymous and the Occupy movement and so forth, they realize that the media is a strong tool for control and there is a lot of opportunity there for attackers."
Part of the opportunity comes from poor security at news media sites as compared to other sectors like financial services and information technology. It took the news media a long time to adapt to publishing on the internet, Song said, and rigorous tech security is just "not in the DNA."
Editorial staffers usually have individual logins with some level of access to the public-facing site; some often have administrative privileges but may be oblivious to the dangers of using weak or repetitive passwords. Based on this reporter's experience in the news industry, password security is not always robust. That goes double for cash-strapped local newspapers, many of which have outdated websites.
Gawker Media owner Nick Denton and CTO Tom Plunkett. Source: Gawker
Even new media sites that tend to be more tech savvy can also be oblivious to the threat of hackers. When Gawker Media was hacked in late 2010, the tech team took the full blame. As CTO Tom Plunkett wrote to the staff, "It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature. We were also not prepared to respond when it was necessary." Since then, Gawker has beefed up its security. The company has hired outside security consultants, made changes to the site's infrastructure, and added employee policies designed to enhance security. Gawker is also using the online identity services provided by Google, Facebook, and Twitter for its users, rather than asking them to create a login and password.
Guarding against hackers is expensive, however. "The costs are highly asymmetrical," Song said. "Hackers continuously look for ways to get in at the cost of nothing to do so. You have to dedicate a full-time staff to keep them out... hackers definitely have the upper hand these days." In a time of cutbacks and slashed budgets in the industry, many news outlets may be living below the theoretical Security Poverty Line, where a company can't afford the cost of basic security.
The politics blog Talking Points Memo was targeted last year by hackers who briefly shut down the site by flooding it with queries through a distributed denial-of-service (DDoS) attack. "We took some steps to respond to our emergency last year that were probably one-time only," publisher Josh Marshall said in a statement. Still, because TPM is small and has had very few attacks, anti-hacking measures are low priority.
There's more than one way to break news
Clan Vv3, the crew that broke into tech reporter Mat Honan's personal accounts, wasn't trying to impersonate a news organization. The hackers told Honan they only wanted his three-character Twitter handle. But one or a few members of Vv3 did hack CNN in May, albeit indirectly.
Watching the news yesterday I saw they were talking about some news story of some charity that has stolen 56 million dollars in donations it has received, knowing we are men of justice we took into action with our swords and 22′s. Visited a few URL’s found out all of the information of the president of the group. Then we took her email from her and sent an email to the CNN reporter that was requesting her to interview and in the reply I got me some careless whisper lyrics. Now that’s all done the results were better than expected.
Did you follow that? A hacker decided to intervene in a CNN investigation by impersonating Precilla Wilkewitz, the president of a crooked veteran's organization who had refused to do interviews for two years. The hacker got control of Wilkewitz's email address and emailed the CNN producer the lyrics to George Michael's "Careless Whisper."
CNN's Drew Griffin emailed back incredulously and received this response from the hacker impersonating Wilkewitz: "Yes all we have to say right now is the Careless Whisper lyrics, although we will come up with more later, thank you."
Griffin and Anderson Cooper took the email at face value, airing the statement on Anderson Cooper 360 and attributing it to Wilkewitz. The reporters chuckled over the "mind-boggling, and bordering on outright bizarre" statement and even spliced in a clip from the "Careless Whisper" music video. It took the producers a day to realize they'd been punked.
The Verge reached Vv3 member Welfare by email. "I watch AC360 every night so I figured this would be perfect," Welfare wrote, although "I was more hoping for the RidicuList." Welfare didn't have a political agenda, but the prank was insidious in its subtlety — and it almost worked.
Trust no one
We're in a golden era for internet hackers collecting scalps from the likes of Sony, Visa, Mastercard, and other big brands. Mass password breaches such as the ones at LinkedIn, eHarmony, and Last.fm seem to be increasingly common. We're reading about Russian hackers, Chinese hackers, and Syrian hackers. Occasionally we'll read about the FBI investigating such hacks. Even more rarely, we'll read about prosecutions.
So what's so special about news sites, when every site on the internet is at risk? News organizations have worked hard to earn the trust of their readers, and brands are what differentiates a press release on a random blog from a reported story by the New York Times. The Reuters hacks were ham-handed, but they hint at a new wave of sophisticated hackers who can cleverly insert disinformation deep into the pages of the BBC or The Washington Post in order to push a political agenda, move a stock, or just have a few laughs at the cost of misinforming the public.
None of the mainstream news organizations contacted by The Verge were interested in discussing their efforts to guard against cyberattacks. "This is a sensitive subject obviously, so unfortunately we’re not able to help you with your story," a representative for The New York Times said in an email. "We don't comment on security issues," said a rep for CNN. The Huffington Post did not respond to a request for comment.
In the past, it would have taken a mammoth effort to print and distribute a fake version of, say, The Guardian, and it was hardly worth the time. That's not the case online. Imagine squinting at each news story on guardian.co.uk and wondering if it was written by a journalist or an imposter. The news industry could set itself up for a massive credibility loss by ignoring the threat from hackers, and once again sabotage itself by underestimating the disruptive power of the internet.