Image 01 Image 03

What can the latest Syrian Electronic Army attack teach us?

What can the latest Syrian Electronic Army attack teach us?

A few readers who noticed have asked me why I didn’t refer to yesterday’s attack by the Syrian Electronic Army as a “hacking” in my coverage (other than referring to SEA as “hackers” for simplicity’s sake).  It’s a good question, and one from which we can learn.

To summarize what happened yesterday, the attack was not on the NY Times, Twitter or Huffington Post UK directly.  The source of the problem was a web hosting and domain registration provider, Melbourne IT, of which the aforementioned are customers.  An individual(s) was able to obtain the login credentials of one of Melbourne IT’s reseller partners and then use those credentials to access the system and change the DNS records of several domain names on that reseller account. Once the changes were made, they were applied at a higher level of domain management.

What that means in layman’s terms is that when you typed “” into a browser, the system was unable to recognize the site by its name, versus by its numerical IP address.  For Twitter, the issue impacted one of its domains used for image serving.

I’m simplifying this significantly so as not to bore anyone with the technical details.

Whether you care anything about the NY Times or Twitter or any other site for that matter, what’s important about yesterday’s attack is that it could have happened to just about anyone in any other number of circumstances.

Sometimes it doesn’t take “hacking” to gain access to something you’re not supposed to be permitted to access.

More has come out since last night, explaining that the individual(s) with Syrian Electronic Army were successful in gaining access to make changes to records in the first place because of a phishing email – that’s an email that tricks the reader into performing an action by appearing to be legitimate.

From the LA Times:

The U.S.-based sales partner’s credentials ended up in the hackers’ hands after a targeted phishing attack was directed at the firm’s staff, Melbourne IT Chief Technology Officer Bruce Tonkin said early Wednesday. Essentially, several people at the U.S. firm were duped by emails that coaxed them into giving up log-in credentials.

“We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords,” Tonkin said in an email. “We have also temporarily suspended access to affected user accounts until passwords have been changed.”]

Late Tuesday, Melbourne IT spokesman Tony Smith said said the company was reviewing how to improve security.

“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” he added.

Why should I care, you ask?

Because this can happen to everyday people, too.  You could be asked to verify login credentials that appear to be from your bank, or another email account, or your Amazon wish list, any number of things.  And if you give them up to an imposter, you could create some trouble for yourself.

And as far as the media being targets to these tactics – it’s by no means the first time the Syrian Electronic Army, for one, has done this – there are greater dangers about this that should concern us.  Like it or not, agree with their point of view or not, media are influencers and the items they report can have an impact on the public.  In the wrong hands, that can go badly.  I often point to the incident in which the SEA hijacked an AP Twitter account and sent out a false tweet that there had been explosions at the White House, which in turn temporarily sent the Dow plummeting.

The same concept could theoretically be applied to situations on the ground.  As we read the news about conflicts across the globe, we are dependent upon the media to keep us informed.  If a media account is compromised and false information sent out in certain situations, it has the potential to agitate conflicts on the ground.  Luckily we’ve not really seen such an instance happen to date that I can recall (we could have, though).  But media have a responsibility to insure that they are taking precautions to prevent such a thing from happening.  And we as a news consuming public must, as we always do, remain skeptical and challenge information that might not seem to be exactly quite right (and I’m of course referring to reports outside the typical, usually justified, gripes of bias).

But that prevention also depends upon every link in the chain also taking security precautions.

This isn’t limited to the Syrian Electronic Army, this is part of the new age of information and social media, where news flies at the speed of light and can be very difficult to stop when it’s out of the gate. While hijackers, imposters, hackers and the like are often just looking for attention, it doesn’t hurt to think about and do some preventive planning for worse possibilities.

The same applies to each of us personally, it doesn’t hurt to be cautious and practice our own security measures.



Donations tax deductible
to the full extent allowed by law.


PersonFromPorlock | August 28, 2013 at 6:42 pm

A suggestion: publish your IP address so we can store it against the evil day. And maybe we can encourage browser designers to incorporate automatic storage of IP addresses in their bookmarks?

If we had an actual news media that checked facts and reported truthfully I would agree. However who believes anything that comes out now without independant verification from another source? Hate to be a stickler but it seems that the people now have to be the ones checking for 2 independant sources of news now instead of the reporters who just run with anything they want. I don’t read the Enquirer for a reason and many of these other sources and headed to the same place as far as I am concerned.

    People in some other countries, many of them currently in the throes of protest and conflict, don’t necessarily view media the same as we do in the US. Some are skeptical, yes, but not all. Those are the places I’m concerned with.

    As far as the US, stuff like this doesn’t make me as optimistic that everyone is as responsible about checking news sources.

      Estragon in reply to Mandy Nagy. | August 29, 2013 at 2:01 am

      True, but following the news has always been lower in the 18-30 group.

      They used to compensate society for their ignorance by not voting – until Obama.

I have previously run into name server issues regarding Drudge, so much so I saved the IP address for Drudge as a browser bookmark thus bypassing DNS altogether.

Try it:

    open up notepad, go to c:/WINDOWS/System32/drivers/etc/hosts and add this line for drudge

    then just save.

That’s still hacking. Hacking is about gaining access to systems your not supposed to be able to access. Social Engineering is just one of those hacking methods. They didn’t even need to do this to uproot the NYT. They could have ddos’d the name servers or poisoned the dns relays. There are about upteen million ways to take someone down.

Subotai Bahadur | August 29, 2013 at 12:03 am

I may have missed this, but the article seems to say how the DNS changes were made, but other than the claims, and the SEA has supposedly done similar things in the past; what evidence is there that it was the putative SEA that did this?

We are in territory where if we are told by the government or its known allies that the sun will rise in the east; it is necessary to doubly confirm it.

Consider another scenario. A phishing expedition is done by the NSA, or they just use the information they have from years of spying on everybody on the internet. The attack does no real damage. The fact that the NY Times is affiliated with the regime makes the DNS attack appear to be an attack on the government at a time when the Narrative is about the EVIL Syrians. Thus creating a news story about the nasty Syrians just before we are going in to bomb them without legal or constitutional standing to do so.

Is there anything to indicate that this is not a false flag for AgitProp purposes?

Subotai Bahadur

The Drill SGT | August 29, 2013 at 5:47 am

one minor nit. I’d call that “spear phishing”. The targeting of selected people at a selected target for a specific purpose.

“phishing” alone generally refers to bulk or random targeting attempting to collect ID info or passwords. Like the phishing attacks on bank customers rather than bank system administrators.

Another lesson is that they believe their own propaganda. They think that the anti-Semitic, anti-Israel, New York Times is a Zionist tools.