PBS Breached: How Hackers Probably Did It

How-Hackers-Probably-Did-It-st1

The NY Times reports today that PBS was breached.  The hackers managed to change the news pages, resurrecting Tupak.

The breach highlights how hacking has become industrialized.  Hackers used automated software to probe and ultimately breach the PBS system. How does this hack work?

Step 1:  Find as many as possible vulnerable pages.  To do so, use:

1) “Google dorks” where hackers use Google to search for vulnerabilities on websites:

2) Or an automated vulnerability scanner (more likely of the two).  There are many open source tools available:  http://sectools.org/

Step 2:  Once you’ve identified vulnerable sites, harvest the data.  There are tools to do so, and the one used by the PBS hackers is called Havij.  Imperva’s Application Defense Center managed to get several pictures of the PBS breach as shown on hacker forums (click on each for a larger image):

Here’s a screenshot of several username and passwords for the main PBS website, including the admin:

how-hackers-probably-did-it-st2
Here’s a screenshot of usernames and password for PBS’ program, Frontline:

how-hackers-probably-did-it-st2-1

Here’s the screenshot of harvested usernames and passwords for the PBS pressroom, i.e., reporters who access the PBS website (note:  their password choices are pretty bad):

how-hackers-probably-did-it-st2-2

Step 3:  In this final stage, with the harvested data, hackers simply login into the websites. They can alter content, as they did in this case (bringing Tupak back to life).  In this case, its noteworthy that hackers were “nice.”  They only changed content that didn’t carry an economic impact–no one loses or gains money on Tupak’s resurrection.  But what if they had posted fake headlines like:

  • Steve Jobs Dies
  • Company XYZ Pre Announces Dramatic Drop in Earnings
  • Second Tsunami Hits Japan

As a final thought, it’s important to emphasize the responsibility news organizations have to protect and secure their digital assets.  We know of at least one major news outlet with a significant, unresolved vulnerability.  We tried to contact them numerous times:  email, phone, web and screaming from the mountain tops.  Nothing.  Let’s hope the PBS experience will serve as a wake up call to this new organization as well as many others.

Tags: