By: Heidi Kulicke
Hackers have been wreaking havoc on websites since the early days of dial-up. But as the Internet has become more sophisticated, so have hackers. Victims range from financial companies, retail sites, and government entities, to media companies, but with the right tools and attention, newspapers can take the necessary steps to safeguard their sites.
The Rise of Hacktivism
Despite the potential for financial gain, most hackers are actually activists who use the Internet as a platform to make political statements. Such was the case when PBS.org was hacked late Sunday night before Memorial Day. Usernames and passwords for PBS website users and administrators, as well as login information and passwords for PBS affiliate television stations, were all released. For added chutzpah, the hackers posted a fake news story that said deceased rapper Tupac Shakur was actually “alive and well” in New Zealand. LulzSec (part of larger hacking group Anonymous) took responsibility, claiming the attack was in retaliation for PBS’ documentary on WikiLeaks and its portrayal of U.S. soldier Bradley Manning — who was arrested in Iraq for leaking information — and WikiLeaks founder Julian Assange.
Like many other news organizations, PBS had never had its website hacked and had been “lulled into a sense of complacency,” said Travis Daub, creative director for PBS NewsHour. Daub was instrumental in taking charge of the compromised site and working with CMS provider Movable Type throughout the month of June to rebuild security and add layers of complexity to the CMS.
Daub said the nature of Web publishing is such that a site can never be 100 percent secure. “There are going to be vulnerable points, and if hackers are persistent enough, eventually they will find weaknesses. Our site was severely harmed for pretty much a month,” he said. While Movable Type put new security measures in place, the number of stories they could post was limited. “We were frustrated because we weren’t able to do our jobs as efficiently as we wanted to. For four solid weeks our ability to publish to our site was really hindered.”
Despite the setback, PBS was still able to reach viewers through its various social media channels. Daub’s advice to other publishers in the event of a hack is to maintain communication with your audience in whatever way possible. “Having that support even when you don’t have a crisis is important, so that when you do, you can still reach part of your audience.”
Unable to post stories, photos, or videos to its regular site, PBS relied heavily on its Facebook, Tumblr, and YouTube accounts. “It would have been a different story if social media didn’t exist and if we didn’t already have a strong presence there. We felt connecting with our audience was really critical for us during that time,” he said. “It’s scary that we live in a world where free speech is attacked in this way by hackers,” Daub said.
LulzSec has also claimed responsibility for hacking, among others, British newspaper The Sun; government entities such as the CIA, FBI, and the Arizona state police department (in retaliation for anti-immigration legislation); and a series of Sony hacks, reported to be the largest in Internet history. Sony closed its PlayStation servers for a month earlier this year while it fixed the compromised site. The Sony attacks were presumably in retaliation for a lawsuit Sony brought against a hacker who reverse-engineered the PlayStation 3 to run unapproved third-party applications.
Social media accounts are also vulnerable to hacking groups. One of Fox News’ various Twitter accounts, @FoxNewsPolitics, was hacked by a group called The Script Kiddies. The group sent out false information regarding the assassination of President Obama, which subsequently raised questions of social media account security. The group does not appear to be linked to LulzSec or Anonymous.
The Cost of Cyber Attacks
The Ponemon Institute’s sixth annual U.S. Cost of a Data Breach Study found the average total per-incident cost of these and similar attacks was $7.2 million in 2010 alone. Data breach incidents cost U.S. companies on average more than $4 million in lost business. Brand damage and lost customer trust can, in some cases, be irreparable.
Unfortunately, many companies are completely unaware of harmful activity. According to the 2010 Verizon Data Breach Investigations Report, it is common for weeks or even months to go by between the initial attack and discovery. The report found that 37 percent of incidents take months to discover. Additionally, companies most commonly learn of the security breach through third parties.
Internet security firm Symantec discovered 286 million new and unique threats last year from malicious software, or about nine per second, up from 240 million in 2009. The company claims as many as one in every 10 Web downloads includes harmful programs. On top of that, the company found that in 2007, the amount of harmful software in the world passed the amount of beneficial software.
Newspapers Aren’t Immune
In July, hackers cracked The Washington Post jobs site and obtained user IDs and email addresses. No passwords or other personal information was leaked, said Post communications director Kris Coratti. Immediate action is of the essence, especially when it involves customer information. “Once we became aware of the breach, we determined exactly how the attacks took place and then implemented security measures to prevent such attacks from recurring,” Coratti said. The Post was able to provide accurate information about the nature of the breach to customers as a result of thorough investigation and quick timing, and is confident in the overall security of its updated IT systems.
News Corp.-owned The Sun was another victim of the LulzSec operation, which subsequently took control of other News International websites. The group posted a fake Sun article about Rupert Murdoch’s sudden death. In this instance, the purpose of the attack was to bring justice to the victims of phone hacking, which ultimately led to the demise of sister paper News of the World.
With hacking so prevalent in the Internet world, The New York Times even poked some fun at the topic in an Op-Ed column titled “Are You Reading This? That Is So Cool.” The satire was written from the point of view of a hacker who had tapped into the Times’ site but was actually composed by Steve Bodow, co-executive producer of “The Daily Show with Jon Stewart.” The Times paywall has been the recipient of numerous mini-hacks that allow users to easily access restricted content without paying for a subscription.
Outsourcing and CMS Help
As publishers look for cost-cutting opportunities, outsourcing is often an attractive option. However, when it comes to outsourcing customer information or hiring an email marketing firm, publishers should exercise caution, as these firms are not immune to cyber attacks. A stolen email address becomes problematic when combined with other stolen basic information, providing cyber criminals the tools necessary to steal an identity or launch a convincing phishing attack — which, in turn, fools some customers into revealing Social Security numbers, user IDs, passwords, and PIN numbers.
The last thing any customer wants is a notification letting them know their private information was compromised. “While internal staff information was released, no customer information — including email addresses — was released. I’m grateful we didn’t have to apologize specifically to affected readers,” PBS’ Daub said.
The PBS hack was attributed to a security flaw in the site’s Movable Type CMS, one of many open source content management systems that have come under recent scrutiny. Open source CMS is appealing because of the low cost and flexibility associated with the product. The main issue with open source systems is not the code, but the fact that owners don’t keep up with regular security updates and patches designed to correct bugs in the software. Six Apart, the developer of Movable Type, worked with PBS to fix the flaw and encourage users to upgrade to the newer version as soon as possible. Because the code is in the public domain, however, hackers have the ability to probe it for any sign of vulnerability.
The reality is that no CMS software is perfect, and security vulnerabilities are not limited to open source systems. But if Web teams make it a priority to be disciplined with installing patches and updates, keeping an eye on plug-ins, adding additional layers of authentication, and keeping passwords strong, the chances of getting hacked decrease.
If You Get Hacked
From a blog post by PBS NewsHour’s social media production assistant Teresa Gorman, who handled the PBS.org hack in late May. Used with permission.
1. Don’t Panic. Remember to stay calm, especially in your online presence. The sooner you realize it could be a bumpy ride for a while, the sooner you can start making things right.
2. Be Quick. Should your site suddenly become the news due to a hacking, you must respond as quickly as possible to minimize the harm. As a news organization, understand that you want to be the one quoted in the inevitable articles and the primary source that gets retweeted the most, so watch your words.
3. Be Personal. Your first response could be as simple as tweeting, “Yes, something is going on. We’re working on it and we’ll get you more details soon. Thanks for your understanding,” and including your initials, or using your personal account to respond. If people can connect a real person to a brand on Twitter, they’re generally more likely to forgive anything from typos to corrupted servers.
4. Cover All Accounts. Twitter may be the best way to send out several updates, but don’t forget other social media accounts. To see if false information is spreading to other places that might merit a response, be sure to search kurrently.com, search.twitter.com, facebook.com/search, and Google.
5. Repeat, Repeat, Repeat. Repeat your updates as much as needed. Reword as the situation changes, but remind everyone that you are aware of the problem, working to fix it, and appreciate their patience.
6. Know Your Limits. After hours of staying on top of the situation, anyone is bound to feel worn out. It’s important to know your limits and stop before you make a dumb mistake. Let your followers and fans know that you’ll be back on the case in a few hours.