This week News Corp. execs James and Rupert Murdoch were dragged before an investigatory committee of Parliament over the U.K.’s phone-hacking scandal. Meanwhile hacktivists LulzSec decided to take matters into their own hands, and targeted the website of News Corp. paper The Sun, replacing its homepage with a faked edition. Shortly afterward, LulzSec said it had also acquired a huge amount of corporate emails from the Murdochs. They’ve since pledged not to release them, lest they compromise ongoing legal cases against News Corp. and its executives, but the Murdochs may still face having their email dirty laundry aired in the future.
How is this kind of hack pulled off? We spoke to our expert adviser, Nick Percoco of Trustwave’s SpiderLabs, to gain an insight, based on his expertise as an ethical hacker, hired by companies to pull off these kinds of attacks against themselves.
The Website Hack, Simply Done
Website redirects are pretty common nowadays–it’s a relatively low-grade kind of hack, and the other large online hacktivist group Anonymous was itself a victim of a website hack this week.
One route involves gaining access to the Domain Name System (DNS) infrastructure: the servers and records that translate the URL you type into a browser’s address bar into the IP address of the machine that actually serves the page (servers identify themselves by a relatively boring set of numbers rather than companynameX.com). Hackers can get in either by a frontal password-cracking assault on the domain account at the third-party registrar or DNS hosting company that manages the zone, or by pulling off a social engineering trick.
As Nick points out to us, it’s relatively easy to call up a company like this, acting all frustrated and pretending to be a power user from News Corp. (or whatever the target is, picking something newsy) and say “this is related to the phone hacking scandal and we need to make some DNS changes and blah blah…I need to reset my password.” If you’re lucky, the person you’re speaking to will be fairly junior in the company, and probably in their career, and with chutzpah you get the passwords and then access.
Percoco highlights how powerful this attack is: “If I were to gain access to someone’s DNS system, I could redirect the website in probably 30 seconds.” Because once you’re in, it’s just a question of filling in a webform, or editing a file, clicking “save” and then anyone visiting companynameX.com is redirected to a different IP address, where you have your alternative web page.
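Because a DNS redirect is a single record edit, the practical defence is to notice the edit quickly. Below is an added example of the kind of zone-monitoring check a site operator could run every few minutes; it is not code from the article, from Trustwave or from News Corp. The hostnames, address ranges, TTL threshold and the fake resolver answers are all constructed for illustration, and a real deployment would replace the fake resolver with live lookups.

```python
"""Added example: detect a DNS redirect by diffing live answers against a baseline."""
from ipaddress import ip_address, ip_network

# Baseline record sets (constructed): what the zone is supposed to contain.
EXPECTED = {
    ("www.example.com", "A"): {"192.0.2.10", "192.0.2.11"},
    ("example.com", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.com", "MX"): {"10 mail.example.com."},
}
# Address space the company actually owns (constructed). An A record pointing
# outside it is exactly the "different IP address" described in the article.
OWNED_NETS = [ip_network("192.0.2.0/24")]
# Assumption: a sudden drop in TTL well below the usual value is worth a look,
# since it lets a changed record propagate faster.
MIN_TTL = 300


def audit_zone(expected, resolve, owned_nets=OWNED_NETS, min_ttl=MIN_TTL):
    """Compare each expected record set with what `resolve` returns.

    `resolve(name, rtype)` must return (set_of_rdata_strings, ttl).
    Returns a list of human-readable findings; an empty list means all clear.
    """
    findings = []
    for (name, rtype), want in expected.items():
        got, ttl = resolve(name, rtype)
        for rdata in sorted(got - want):
            findings.append(f"{name} {rtype}: unexpected {rdata}")
        for rdata in sorted(want - got):
            findings.append(f"{name} {rtype}: missing {rdata}")
        if rtype == "A":
            for rdata in sorted(got):
                if not any(ip_address(rdata) in net for net in owned_nets):
                    findings.append(f"{name} A: {rdata} outside owned address space")
        if ttl < min_ttl:
            findings.append(f"{name} {rtype}: TTL {ttl} below {min_ttl}")
    return findings


# Constructed answers standing in for a live resolver: the zone as it should be,
# and the same zone after someone has pointed www at a host they control.
HEALTHY = {
    ("www.example.com", "A"): ({"192.0.2.10", "192.0.2.11"}, 3600),
    ("example.com", "NS"): ({"ns1.example.net.", "ns2.example.net."}, 86400),
    ("example.com", "MX"): ({"10 mail.example.com."}, 3600),
}
HIJACKED = dict(HEALTHY)
HIJACKED[("www.example.com", "A")] = ({"198.51.100.66"}, 60)


def fake_resolver(answers):
    """Build a resolve() function that replays canned answers (offline stand-in)."""
    return lambda name, rtype: answers[(name, rtype)]


if __name__ == "__main__":
    print("healthy:", audit_zone(EXPECTED, fake_resolver(HEALTHY)))
    for line in audit_zone(EXPECTED, fake_resolver(HIJACKED)):
        print("ALERT", line)
```

To run it against real DNS, swap `fake_resolver` for a function that calls dnspython’s `dns.resolver.resolve(name, rtype)` and returns `({r.to_text() for r in answer}, answer.rrset.ttl)`; querying the zone’s authoritative servers directly, rather than a caching resolver, shortens the time between the change and the alert.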
The Website Hack, Done More Cleverly
A more sophisticated attack on a target, Percoco says, involves “trying to hack into their infrastructure directly”–more like the hacking you see in the movies. In his work, Percoco has dealt with larger companies that have thousands of sites in their infrastructure. Some may be old, set up for something like a marketing campaign that has since ended.
This is the hacker’s entry point, because a site that’s been sitting online for several years without being upgraded or checked from a security standpoint is almost certain to be running software with publicly known vulnerabilities. Attack techniques and patches have moved on in the meantime, but the old site hasn’t been maintained to keep up. A very similar method was actually used by LulzSec to access the Sun‘s online presence, through a “retired” server that had been used to manage the Sun‘s microsite content.
A third way in, especially with a site like the Sun, is through its Content Management System, the code that organizes how stories are published to its website. By breaking into this, via a known exploit or simply by cracking a user’s password (for example, the login a journalist uses to file stories remotely), hackers gain direct control over the published web content on a target’s website, and chaos will ensue. It’s not always tricky to do this, because we are all pretty bad at choosing secure passwords. An attack like this is roughly what hit Gawker Media in late 2010.
The Email Hack
LulzSec’s attack on News Corp.’s email system has potentially more damaging implications. It’s easy to restore your website, but there’s possibly plenty of compromising, or at least private, data in a high-profile user’s email account.
If LulzSec gained access to News Corp.’s web servers and other systems, presumably they could also gain access to other accounts, says Percoco, perhaps even an IT administrator’s account or someone else who has access to mail servers. Via these sources, hackers could gain direct access to the company email account. “Firstly I’d try to see if they had any external web-based mail system, like a Microsoft ActiveSync system,” says Percoco, and then it’s a game of working out a user name and guessing a user’s weak password (and hoping the system lets you try a large number of times without locking the account).
Or, assuming you’ve gained access to the company’s network via a website hack, you may be able to work out where user-account data (the stored password hashes) is kept and then extract it. Crack those offline and you’d have a list of usernames and passwords directly. Then it would be as simple as pretending to be a new device like an iPhone syncing up to a perfectly normal user account: you’d identify to the network as a real user, and their whole email history would be synced to your device. This likely wouldn’t raise red flags with IT, since it’s exactly what happens when a genuine user connects to a real account.
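The password-guessing route Percoco describes here (and the CMS password-cracking route above) leaves a recognizable trace in the web server logs of an externally exposed mail endpoint: one source address failing against many different accounts in a short window, and then a success. Below is an added example of detection logic for that pattern; it is not code from the article or from Trustwave. The log lines are constructed to resemble IIS W3C-style fields in the order given in the `#Fields:` line (real servers may log different fields in a different order), and the window and thresholds are assumptions to be tuned against your own traffic.

```python
"""Added example: spot password spraying against ActiveSync/OWA in web server logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# URL prefixes that take credentials (ActiveSync, Outlook Web App, the admin console).
AUTH_PATHS = ("/Microsoft-Server-ActiveSync", "/owa/", "/ecp/")

# Constructed sample log, loosely modelled on IIS W3C logging. Addresses are
# documentation ranges; 203.0.113.5 is the "attacker" in this story.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2011-07-18 09:00:01 POST /Microsoft-Server-ActiveSync alice 198.51.100.7 200
2011-07-18 09:01:10 POST /Microsoft-Server-ActiveSync alice 203.0.113.5 401
2011-07-18 09:01:11 POST /Microsoft-Server-ActiveSync bob 203.0.113.5 401
2011-07-18 09:01:12 POST /Microsoft-Server-ActiveSync carol 203.0.113.5 401
2011-07-18 09:01:13 POST /Microsoft-Server-ActiveSync dave 203.0.113.5 401
2011-07-18 09:01:14 POST /Microsoft-Server-ActiveSync erin 203.0.113.5 401
2011-07-18 09:01:15 POST /Microsoft-Server-ActiveSync frank 203.0.113.5 401
2011-07-18 09:01:40 POST /Microsoft-Server-ActiveSync erin 203.0.113.5 200
2011-07-18 09:05:00 POST /owa/auth.owa bob 198.51.100.9 401
2011-07-18 09:05:30 POST /owa/auth.owa bob 198.51.100.9 200
"""


def parse_log(text):
    """Turn the constructed log into dicts; '#' directive lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, method, path, user, ip, status = line.split()
        entries.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "method": method, "path": path, "user": user,
            "source": ip, "status": int(status),
        })
    return entries


def _auth_attempts(entries):
    return [e for e in entries if e["path"].startswith(AUTH_PATHS)]


def detect_spray(entries, window=timedelta(minutes=5), min_users=5):
    """Flag a source IP that fails against `min_users` distinct accounts inside `window`."""
    failures = defaultdict(list)
    for e in _auth_attempts(entries):
        if e["status"] == 401:
            failures[e["source"]].append(e)
    findings = []
    for source, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best, j = 0, 0
        for i in range(len(evs)):            # sliding window over this source's failures
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            best = max(best, len({e["user"] for e in evs[i:j]}))
        if best >= min_users:
            findings.append({"source": source, "distinct_users": best})
    return findings


def detect_success_after_failures(entries, min_failures=3):
    """Flag a login success from a source that had already failed `min_failures` times.

    A single typo followed by success is normal; a success after a run of failures
    against other accounts is the guess that landed. Returns (source, user) pairs.
    """
    seen_failures = defaultdict(int)
    hits = []
    for e in sorted(_auth_attempts(entries), key=lambda e: e["ts"]):
        if e["status"] == 401:
            seen_failures[e["source"]] += 1
        elif e["status"] == 200 and seen_failures[e["source"]] >= min_failures:
            hits.append((e["source"], e["user"]))
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(entries))
    print("likely compromised:", detect_success_after_failures(entries))
```

The second check is the one worth paging someone for: a spraying source that never succeeds is noise to block, but a success after a run of failures means an account (here `erin`) now needs its password reset and its recent device syncs reviewed. Account lockout on the endpoint, which the article notes attackers hope is absent, is what turns the first pattern into a dead end.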
What You Can Do To Protect Yourself
News Corp. was pretty aggressively penetrated by hackers, who seem to have carried out a coordinated and sophisticated assault. But many companies are similarly vulnerable and would have their business compromised if 4GB of executive email were siphoned off and plopped onto a file-sharing website. The defenses are manifold, but pretty straightforward: Keep your web properties well managed, and ensure that no old “appendix” webpages are left online with vulnerabilities ready to be exploited. This plan should also include good information sharing among IT staff, who tend to have a pretty high churn rate, so that knowledge of what is running where doesn’t leave with them. Companies can check their online systems repeatedly, and also hire white-hat hackers on contract to find the holes–before a hacker with malicious intent does it for you.
[Image: Flickr user powtac]