Cybersecurity: The vulnerability of online media

The Syrian Electronic Army has struck again, said Matt Buchanan in NewYorker.com. If you were on Twitter or NYTimes.com last week, you may well have seen the mysterious hacker collective’s coat of arms instead of the news you sought. Twitter recovered quickly, but the Times’ website remained down for almost a day. It’s far from the first time the SEA has waged war on media organizations. Last year, it hijacked Al Jazeera’s website, Twitter accounts, and SMS text service. This year, it’s commandeered the Twitter accounts of numerous media outlets, and directly vandalized sites belonging to Time, CNN, The Washington Post, and NPR. In last week’s attacks, it gained access to an Australia-based domain-name registration service used to manage the Times’ and Twitter’s Web addresses, a feat one Times official compared to “breaking into Fort Knox.” Its method was surprisingly simple: It acquired a legitimate login for the Melbourne facility by spear phishing, or tricking people “into voluntarily revealing information in response to what appears to be a message from a legitimate website or service.”

Here’s more proof, as if we’d needed it, that borders in cyberspace are “badly defended,” said James Lewis in CNN.com. The message of these most recent attacks on Western media has been “one of scorn, ridicule, and belittlement.” But make no mistake—these attacks can have consequences. When the SEA hijacked the AP’s Twitter account in April and tweeted, “Breaking: Two explosions in the White House and Barack Obama injured,” the Dow Jones industrial average briefly plunged more than 150 points, temporarily wiping out $136.5 billion in stock value. And “if the Syrian Electronic Army can slip by feeble defenses to make fun of the media, someone else might be able to get in and cause more serious disruption.”

Website owners should take the hint, said Steven J. Vaughan-Nichols in ZDNet.com. All employees should be warned against phishing emails and reminded to always double-check emails and links from service providers or websites to make sure they’re not handing over passwords to hackers or thieves. There’s an easy fix to make sure your website doesn’t suffer the same fate as the Times’: Ask your domain registrar to set up a “registry lock,” which prevents anyone from making changes alone. If you don’t take that precaution, maybe you’ll risk only the inconvenience of your site being down for a few hours. But there could be a far higher cost: “having your online reputation ruined and your customers buried in malware.”

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up