Security Researcher Punches Holes In NBC's 'Everyone Going To Sochi Will Be Hacked" Story; NBC Doubles Down In Response
from the because-'being-careless-will-get-you-hacked'-isn't-headline-material dept
Earlier this week, NBC “reported” that journalists and visitors to Sochi are being immediately hacked virtually as soon as they acquire a connection. [AUTOPLAY WARNING.] NBC presented this as something completely inescapable in its report, which purportedly showed NBC journalist Richard Engel’s cellphone and laptop being compromised “before he even finished his coffee.”
All very scary but all completely false.
Errata Security points out that the entire situation was fabricated.
The story shows Richard Engel “getting hacked” while in a cafe in Russia. It is wrong in every salient detail.
They aren’t in Sochi, but in Moscow, 1007 miles away.
The “hack” happens because of the websites they visit (Olympic themed websites), not their physical location. The results would’ve been the same in America.
The phone didn’t “get” hacked; Richard Engel initiated the download of a hostile Android app onto his phone.
…and in order to download the Android app, Engel had to disable a lock that prevents such downloads — something few users do [update].
While your average person might be lured to sketchy sites supposedly related to the Olympics, most of these people wouldn’t have disabled the default locks on their phone, as Robert Graham at Errata Security points out.
The truth makes for a much less interesting story, however, and as Graham points out, Engel’s use of the passive voice (“the phone was hacked” rather than “I downloaded a virus”) deliberately obscures what’s actually happening on the video. It’s not Sochi’s wireless connections that are “infected,” it’s the sites themselves. No one’s getting hacked instantly unless they’re going out of their way to act carelessly in a potentially hostile environment. Following normal internet safety procedures should keep journalists and Olympic fans protected — preventative measures that NBC could have chosen to deliver with its report, except that they would undercut the narrative it was crafting. There is no doubt that the influx of out-of-town visitors presents an enticing target for aspiring hackers, but there’s no reason to believe any device will be insta-compromised the moment it connects to the internet.
NBC, for its part, seems to think the only way to wipe this egg of its face is to apply more egg, as c|net reports:
“The claims made on the blog are completely without merit,” according to a representative from NBC News.
The NBC rep also noted that the report made it clear from the beginning that the taping was done in Moscow. The report was intended to demonstrate that a person was more likely to be targeted by hackers while conducting searches in Russia, the representative added, acknowledging that these attacks can happen anywhere in the world. In addition, the story was designed to show how less technically savvy people can fall victim to such a cyberattack.
But NBC’s story carried this headline:
Hacked Within Minutes: Sochi Visitors Face Internet Minefield
Even with the appended disclaimers, the report was obviously intended to present Sochi as a hackers’ paradise where anyone — even those not stupid enough to visit rogue websites or purposefully sideload sketchy apps — can be compromised before their coffee cools. And the phrasing used by the reporters is equally as misleading. The following quotes are taken from the transcript (which, to NBC’s credit, opens up with “Welcome to Moscow”).
>> reporter: good evening, brian. the state department warns the travelers should have no expectation of privacy. even in their hotel rooms. you are immediately exposed as soon as you try to communicate with anything. one of the first thing visitors to russia will do is log on. hackers here will count on it. we decided to find out how dangerous that could be.
>> reporter: with our new computers loaded with attractive data, we headed for a restaurant, where we used a new smart phone to browse for information about the sochi olympics. almost immediately we were hacked.
>> did you see where it said downloading?
>> i did.
>> it’s actually downloading a piece of malware.
>> malicious software hijacked our phone before i even started my coffee.
This would be the malware consciously downloaded by the reporter. Note that it’s stated that the phone is downloading the malware on its own, rather than with any assistance by the journalists.
>> back at the hotel will hoyt was using specialized software to monitor my two computers. and sure enough, they had also been hacked.
No mention of visiting unknown sites. The assumption is that hackers accessed the computers on their own, rather than having a door propped open by Engel’s visit to malicious sites, most likely sites that any decent browser/search engine would have warned might be an unsafe place to visit.
>> it had taken hackers less than one minute to pounce. within 24 hours they had broken into both computers and started helping themselves to my data.
“Pounce?” On what, the Welcome mat the journalists laid out? God helps those who help themselves to data, but the devil’s editor visits compromised sites in search of a good story.
>> reporter: american athletes and fans now coming to russia by the thousands are entering a minefield. the instant they log on to the internet.
>> the best way to protect yourself is quite simple, if you don’t really need a device, don’t bring it. try to avoid the public wifi. and if there’s anything particularly and uniquely important on your computer or phone, banking information or photographs, remove it before coming to russia.
“The instant they log on…” Obviously false. Pre-priming your devices for failure will “allow” you to be hacked before your coffee cools, but following some very basic security measures will keep devices safer. Sure, there’s likely a higher concentration of hacking activity in Sochi with so many potential targets in the area, but that’s no excuse to promote fear over facts and for journalists to intentionally sabotage their own equipment just to ensure the eyeball-grabbing headline actually fits the content. It’s not just bad journalism, it’s also irresponsible. NBC could have used this time to outline the same basic safety precautions Graham does in its blog post, but was obviously more interested in reinforcing its viewers’ perception that Russia is the Internet Wild West, where even the safest surfer will be hacked to unrecognizability by malicious electro-bandits at the faintest whiff of a wi-fi signal.
Filed Under: hacking, olympics, richard engel, sochi
Companies: nbc
Comments on “Security Researcher Punches Holes In NBC's 'Everyone Going To Sochi Will Be Hacked" Story; NBC Doubles Down In Response”
Stupid people do stupid things!
News at 11!
You trusts mainstream media these days?
its funny TD ran with it as well
just saying
Mis-information?
Yesterday their was a techdirt article on the GCHQ running Operations using journalists &/or their Identities to trick their targets. Now we have a story run on major media telling us what a wild and dangerous place the Internet is, especially in (pick country).
The story has been fined down over the next few news editions to mask the factual complaints raised.
Any-One want to bet on when a “story breaks” that “US zone” of the Internet is better managed and safer because. (fill in your favorite government agency name), is soooo active.
Re: Mis-information?
This.
We’re accessing a global network, the endpoint’s location (with extreme exceptions, like china, UK) have little to no affect on the content.
Mis-information?
Yesterday their was a techdirt article on the GCHQ running Operations using journalists &/or their Identities to trick their targets. Now we have a story run on major media telling us what a wild and dangerous place the Internet is, especially in (pick country).
The story has been fined down over the next few news editions to mask the factual complaints raised.
Any-One want to guess on when a “story breaks” that “US zone” of the Internet is better managed and safer because. (fill in your favorite government agency name), is soooo active.
More pseudo news entertainment for the masses
Frickin fear mongers. I smell a new Dateline special in the same vein as “To Catch a Predator”.
NBC incompetence
The article is blatant attempt to discredit Russia by implying the Russians are behind the supposed hacks. If they are getting hacked as fast they claim it is because they are not following or using proper security practices for their devices.
Wait, so who exactly in the US is 100% guaranteed to be NSA surveillance proof given that the Snowden leaks revealed they have cracked most VPN encryption and are doing everything possible to compromise TOR? We’re one Snowden like contractor with less moral righteousness or a hacker who gains access to the NSA data farm away from a thief nabbing unheard of amounts of data, but we’re supposed to be shaking in our boots because the (according to the same media) inept Russians who can’t do anything right are also master hackers at the same time? Whatever this is, is not journalism.
Re: Re:
I don’t think openvpn is easily crackable even by them. pptp and maybe even l2tp/ipsec yeah…and don’t get me started about the new ms proctocol SSTP…
Ah NBC….
No Bloody Clue
Re: Re:
CBS
Cock-sucking Bastard Sons-of-bitches.
This is why...
when I sideload Android apps, I get them only from sites I trust and study the permissions on them as carefully as I study the permissions on the apps I get from Google Play.
Re: This is why...
Yup, and not just for sideloaded apps. I also firewall them off from the net, so if they’re doing any data snarfing, they can’t send that data back home.
the lies on tv are so many and so obvious. this is no exception. you’d think that anyone would have noticed how phony and how staged that report was.
you don’t just turn on a device to find that something is downloading unless you have enabled such a thing yourself. at least not yet anyway.
I have to question whether this is just more entertainment or [puts tin foil hat on] are they preparing people for a future where devices are designed so poorly that you’ll see things like this actually happening even on brand new devices that have just established their first connection?
[adds tinfoil hat to device before clicking submit]
Re: Re:
There was an annoying windows virus back then called LASSER or something like that…you could wipe out the hard drive, reinstall windows, and if you didn’t have pre-installed third party security you would get it over and over again. A window would appear and start a 30 seconds countdown and reboot the machine over and over. I was really in total disarray that somebody could manage to have so much crap on their computer that their IP was permanently targeted like that. It was during the 2k/xp days.
Re: Re: Re:
wow, I could be thinking of something else but it seems like I remember something about that. the name even sounds familiar. I also remember one called Sasser worm but that was a worm.
the wiki on it says:
This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service)
Re: Re: Re: Re:
That’s what it was 🙂 Had to preinstall a lot of stuff because I couldn’t get any time to download any security programs (free ones, when AntiVir(avira) and SpyBot were more than enough for most people) to repair that person’s computer, I was really amazed then that someone’s computer was so messed up I couldn’t repair it live there without bring stuff burned to CD first.
Re: Re:
Could just be retribution for Russia not finishing their hotel room in time… or would that be too puerile?
Media spreading propaganda about russia…
What is this the 60s? I thought you guys stopped the commie hating, but what goes on now is sad.
Its obvious that the US tries to discredit Russia at every opportunity. The only problem I see with sochi is that they havent finished it in time. But this whole “everyone gets hacked”, “gays are thrown in gulags” and the latest “Putin should smile more”…
Seriously guys, if you still believe what the media says
Re: Re:
Especially since they aren’t commies at all anymore. Just good old disguised fascism like in most countries of this planet.
Re: Re:
Re: Re:
The guy who wrote the Target card-hacking code…where’s he from?
Re: Re:
“I thought you guys stopped the commie hating”
Most sane people have, but there are notable holdouts.
Re: Re: Re:
The government has changed its focus. Now instead of commies, it’s Al-CIAda, pedosexuals, Constitutionalists, and mythical terrorists.
Likely Reality
NBC takes one well known nugget of truth: Sites can load malicious software to devices automatically if proper security precautions are not taken then combines that with the image of Russia being and evil and dangerous country which requires us to be “protected” by the government surveillance machine that the government wants to further and the hype that surrounds the Olympics, to craft a sensationalistic story complete with an accompanying headline. They then load devices with “attractive data” merely so that they can make that claim, have a researcher find a site that will automatically download such malware, and then have the reporter on camera visit the specific site to demonstrate the download. This isn’t just surfing and accidentally getting infected. No they went looking for a site with malware on purpose to make their story and left out the little detail that the chances of getting exploited could be dramatically reduced if some basic security precautions are taken. If they had presented their demonstration from the perspective of “These are the precautions that people need to take.” This would have been fine, but that wouldn’t have served the purpose of generating the FUD that implies the necessity of the government surveillance machine by demonizing Russia.
So full of fail
People who actually understand security don’t use smartphones. Or Windows. Or MacOS. Or Facebook. Or LinkedIn. Or any of the other various combinations of {hardware, OS, applications, web sites, Internet services} that are known-insecure.
I’m quite sure I could take my laptop (which is running OpenBSD) (and not on an x86-based CPU)in there and do just fine.
Re: So full of fail
My first reaction to the article was I would like to take my computer to Moscow and see if I could replicate the problem. I use various Linux distros so the attacks would need to target Java not Java applets.
For most, good security, even on Windows, is being careful about where one visits and keep the OS and software fully updated. Most of my older friends and family rarely get any malware on Windows by following good practices.
Re: So full of fail
“People who actually understand security don’t use smartphones. Or Windows. Or MacOS. Or Facebook. Or LinkedIn. Or any of the other various combinations of {hardware, OS, applications, web sites, Internet services} that are known-insecure.”
While that may be true for some people who understand security, it isn’t true for all. Many simply limit what information they make available through those devices and means and follow best practices otherwise. There is plenty of low hanging fruit out there for the malcontents to pick after all.
Re: So full of fail
“People who actually understand security don’t use smartphones. Or Windows. Or MacOS.”
Simply not true. People who actually understand security know that it’s a terrible, and really common, mistake to think of some platforms as insecure and others as secure.
Security experts treat all systems as insecure and do two things to reduce (you can never eliminate) the risk: adopt proper habits, and know how to use high-quality security software and use it correctly.
The various Unices are easier to secure because of their design, but it is possible (and not really that hard) to harden any other OS to an acceptable degree as well.
Rinse, Repeat.
Dateline’s footage showed a sample of a low-speed accident with the fuel tank exploding. In reality, Dateline NBC producers had rigged the truck?s fuel tank with remotely controlled model rocket engines to initiate the explosion. The program did not disclose the fact that the accident was staged.
The General Motors lawsuit and subsequent settlement was arguably the most devastating blow for NBC in a series of reputation damaging incidents during the 1990s and early 2000s.
http://en.wikipedia.org/wiki/Dateline_NBC#General_Motors_vs._NBC
Re: Rinse, Repeat.
I remember that. they ended up apologizing for it even.
Re: Re: NBC also messed with Zimmerman's 911 phone call
It’s all in the title.
They were alright during the worst of the Bush days, but now they’re fake “left” FOX News like the latter is fake “right”.
Re: Re: Re: NBC also messed with Zimmerman's 911 phone call
I don’t even have a tv and don’t want one. why would I if it’s just going to be used to try and program and persuade me and tell me what to think and how to think and tell me what tastes good, what’s funny etc…? “TBS, very funny”
Re: Re: Re:2 NBC also messed with Zimmerman's 911 phone call
don’t get me wrong though. I’m not looking to argue either. I’d probably lose anyway. I just personally don’t have or want a tv and those are just my views and opinions.
Re: Re: Re: NBC also messed with Zimmerman's 911 phone call
If by “fake” you mean their stories are completely biased then yeah.
Fox News is right wing no doubt, but I wouldn’t say NBC is left, more like schizophrenic.
NBC in Russia
I think that NBC is not going to be welcomed in Russia very much in the future, barring a VERY large bribe to appropriate federal officials…
But…but…toothpaste tubes!
They have to do this fear-mongering in order to scare people from broadcasting events. This way, they can televise it “live” three days after the event.
Re: Re:
What? I’m listening to the reports of olympics every hour live on CBC Radio One and I actually know somebody who’s there as an athlete, he finished 9th in the snowboard half-pipe competition, canadian.
Re: Re: Re:
Do they televise on CBC Radio One?
Not sure what I was saying. Not like they have ever done anything like that in the past.
NBC: wrong
Techdirt: sorry, but wrong too
Downloading a virus is not the same as sideloading. Any browser will download files automatically, no matter if they are JPGs, PDFs or viruses. But this act of downloading doesn’t mean the malware will ever get installed or executed.
So it’s correct to say “it is downloading”. You visit a website, and it starts downloading all of itself.
Implying that this means you are infected, is the wrong part.
Re: Re:
While it is true that downloading is different than side loading, on Android and many other devices, when a browser downloads a file, it often assumes that the user intends to open the file and looks for an appropriate means of doing so. If the file is a native app that appropriate means is the installation of the app and if the source is not the sanctioned source such as Google Play or Apple’s App Store, then that app’s installation if successful is by definition, side loaded. On Android devices the setting in that they refer to controls apps whether apps are allowed to be side loaded or not and thus would prevent this from happening if set appropriately.
I think they meant:
trying to re-enter the US.
Re: Re:
Yeah, they like to wag their finger at everyone else while totally ignoring the hypocrisy.
Amended/corrected version for NBC:
>> back at the hotel will hoyt was using specialized software (Internet Explorer 6) to monitor my two computers. and sure enough, they had also been hacked (someone installed the ask.com toolbar).
News?
You’re treating this as if it were news?
The American US media’s job hasn’t been to report news in over a decade. Their job is to either entertain or scare people.
Period.
Expecting Facts, investigations and or news out of the American media these days is like expecting a TSA agent to laugh at a bomb joke and wave you through…
Re: News?
“Their job is to either entertain or scare people.”
And …. spread propaganda, misinformation and outright lies.
If our country’s “news” services have slumped to the point of falsehood and deception as a means of selling ads or papers or clicks, then it is no longer news, but simply more fiction. NBC and the NYT are not the National Enquirer or the Sun, so why do they feel it necessary to act like them?
Re: Re:
You’re late to the party. Our country’s news services slumped to that point decades ago. It happened due to, and as the inevitable consequence of, CNN discovering that news can be a profit center, and the consolidation of the newspapers into the hands of a few major corporations.
This is why I say there is no mainstream journalism in the US, and hasn’t been for quite a long while. It’s all propaganda and lies. (And, I maintain, this is the real reason that newspapers are dying.)
Corporate synergt at work
So NBC Sports pays billions of dollars to exclusively air the Olympics in the US, but the news division is actively scaring people away from the Olympics. Great corporate synergy there!
I don’t remember NBC running these kinds of scare stories during the Beijing Olympics. Is that because Russians are evil hackers and the Chinese aren’t?