May 30, 2011

The NY Times reports today that PBS was breached. The hackers managed to change the news pages, resurrecting Tupac.

The breach highlights how hacking has become industrialized. Hackers used automated software to probe and ultimately breach the PBS system. How does this hack work?

Step 1: Find as many vulnerable pages as possible. To do so, use:

1) “Google dorks”, where hackers use Google search queries to find vulnerabilities on websites.

2) Or an automated vulnerability scanner (the more likely of the two). There are many open source tools available: http://sectools.org/

Step 2: Once you’ve identified vulnerable sites, harvest the data. There are tools to do so, and the one used by the PBS hackers is called Havij. Imperva's Application Defense Center managed to get several pictures of the PBS breach as shown on hacker forums:

Here’s a screenshot of several usernames and passwords for the main PBS website, including the admin:

[Screenshot: Pbs1]

Here’s a screenshot of usernames and passwords for PBS’ program, Frontline:

[Screenshot: Frontline]

Here’s the screenshot of harvested usernames and passwords for the PBS pressroom, i.e., reporters who access the PBS website (note: their password choices are pretty bad):

[Screenshot: Pbs3]

Step 3: In this final stage, with the harvested data, hackers simply log in to the websites. They can alter content, as they did in this case (bringing Tupac back to life). In this case, it's noteworthy that the hackers were "nice." They only changed content that didn't carry an economic impact: no one loses or gains money on Tupac's resurrection. But what if they had posted fake headlines like:

  • Steve Jobs Dies
  • Company XYZ Pre-Announces Dramatic Drop in Earnings
  • Second Tsunami Hits Japan
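The defensive counterpart to the three steps above is spotting the automated probing of Step 1 and 2 in your own web server logs before the harvesting succeeds. The script below is an added example, not Imperva's code or anything recovered from the PBS incident; the access log lines are constructed, and the threshold and the injection patterns are assumptions you would tune for your own site.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format); not from the PBS incident.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2011:10:01:02 -0400] "GET /news/show.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2011:10:01:03 -0400] "GET /news/show.php?id=12' HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2011:10:01:03 -0400] "GET /news/show.php?id=12%20AND%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2011:10:01:04 -0400] "GET /news/show.php?id=12%20AND%201=2 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2011:10:01:05 -0400] "GET /news/show.php?id=-1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 7321 "-" "Mozilla/5.0"
198.51.100.2 - - [30/May/2011:10:02:11 -0400] "GET /news/show.php?id=13 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.2 - - [30/May/2011:10:02:40 -0400] "GET /news/show.php?id=14 HTTP/1.1" 200 5002 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Patterns typical of automated SQL injection probing (quote-break, boolean,
# union and time-based tests), matched against the decoded, lower-cased query string.
SQLI_RE = re.compile(
    r"(\bunion\b.*\bselect\b|\band\b\s*\d+\s*=\s*\d+|\bor\b\s*\d+\s*=\s*\d+|'|--|/\*|\bsleep\s*\(|\bbenchmark\s*\()",
)

def parse_line(line):
    """Return (ip, decoded lower-cased url, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), unquote_plus(m.group("url")).lower(), int(m.group("status"))

def is_sqli_probe(url):
    """True when the query string (not the path) contains an injection-like token."""
    return "?" in url and SQLI_RE.search(url.split("?", 1)[1]) is not None

def find_probing_ips(log_text, threshold=3):
    """Map each client IP to its count of injection-like requests when that count
    reaches the threshold (assumed value); a single stray quote is not an alert."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sqli_probe(rec[1]):
            counts[rec[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_probing_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} injection-like requests -> likely automated SQL injection scan")
```

The burst of boolean and union tests against one parameter from one address is the signature of a scanner rather than a typo; an alert on that burst gives the site a chance to patch the page before the credentials are harvested.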

As a final thought, it’s important to emphasize the responsibility news organizations have to protect and secure their digital assets. We know of at least one major news outlet with a significant, unresolved vulnerability. We tried to contact them numerous times: email, phone, web and screaming from the mountaintops. Nothing. Let’s hope the PBS experience will serve as a wake-up call to this news organization as well as many others.

Posted by Imperva Blogger at 10:56:13 AM