The Syrian Electronic Army struck us last year, said Matt Buchanan in
NewYorker.com. If you were on Twitter or NYTimes.com, you may well have
seen the mysterious hacker collective’s coat of arms instead of the news
you sought. Twitter recovered quickly, but the Times’ website remained
down for almost a day. It’s far from the first time the SEA has waged
war on media organizations. Last year, it hijacked Al Jazeera’s website,
Twitter accounts, and SMS text service.
It also commandeered the Twitter accounts of numerous media outlets, and directly vandalized
sites belonging to Time, CNN, The Washington Post, and NPR. In its most
recent attacks, it gained access to an Australia-based domain-name
registration service used to manage the Times’ and Twitter’s Web
addresses, a feat one Times official compared to “breaking into Fort
Knox.” Its method was surprisingly simple: It acquired a legitimate
login for the Melbourne facility by spear phishing,
or tricking people “into voluntarily revealing information in response
to what appears to be a message from a legitimate website or service.”
Here’s more proof, as if we’d needed it, that borders in cyberspace are “badly
defended,” said James Lewis in CNN.com. The message of these most
recent attacks on Western media has been “one of scorn, ridicule, and
belittlement.” But make no mistake—these attacks can have consequences.
When the SEA hijacked the AP’s Twitter account in April and tweeted,
“Breaking: Two explosions in the White House and Barack Obama injured,”
the Dow Jones industrial average briefly plunged more than 150 points,
temporarily wiping out $136.5 billion in stock value. And “if the Syrian
Electronic Army can slip by feeble defenses to make fun of the media,
someone else might be able to get in and cause more serious disruption.”
Website owners should take the hint, said Steven J. Vaughan-Nichols in ZDNet.com. All employees should be warned against phishing
emails and reminded to always double-check emails and links from
service providers or websites to make sure they’re not handing over
passwords to hackers or thieves. There’s an easy fix to make sure your
website doesn’t suffer the same fate as the Times’: Ask your domain
registrar to set up a “registry lock,” which prevents anyone from making
changes alone. If you don’t take that precaution, maybe you’ll risk
only the inconvenience of your site being down for a few hours. But
there could be a far higher cost: “having your online reputation ruined
and your customers buried in malware.”
Cybersecurity: The vulnerability of online media
Posted by Erin