Why the Syrian Electronic Army Didn't Hack the NY Times

I'm just going to come out and say it. The Syrian Electronic Army (SEA) is a fraud. They didn't "hack" the New York Times, or any other high-visibility websites today.

All SEA did today was use an extremely old trick: domain hijacking. For those not familiar with it, here's a great writeup on how domain hijacking works.

Now, it's possible that SEA performed the domain hijacking through a compromise of MelbourneIT, but this in itself is also unlikely, based upon their previous successful "attacks", which used low-tech spearphishing (targeted social engineering) to obtain credentials of target organizations.

Previously, the Syrian Electronic Army gained control of the Associated Press' Twitter account, The Onion's Twitter account, and the advertising service "Outbrain", all through spearphishing attacks.

Sensationalize their "hacking abilities" all you want. The Syrian Electronic Army has so far displayed very little technical skill, instead attacking "soft targets" and using social engineering. While these attacks have so far been effective, they only point out the lack of security awareness training in today's workforce, and not any serious software flaws.

Any organization which has been directly hit by SEA (and that excludes the victims of domain hijacking) should seriously reexamine their employee security awareness training, and possibly consider bringing in an outside consulting company to help identify deficiencies.

The weakest link in any network will always be uneducated users.
