Several prominent media sites and a few media-related Twitter feeds went down Tuesday following an apparent attack by the Syrian Electronic Army (SEA), the New York Times reported. Among the sites affected were the NYT itself, the Washington Post, the Financial Times, NPR, and Twitter feeds for Reuters, the AP and BBC Weather.
The Syrian Electronic Army, a group of hackers that promotes the Assad regime in Syria, is also taking responsibility for taking control of the media sites. Contemporaneous data from Internet registrars named the Syrian Electronic Army as the sites' administrator.
Media is going down.... | http://t.co/Gd1zB70v0g | http://t.co/8NUe7Cs2jm | http://t.co/QDdNdEuuVX | http://t.co/W9nmxo95PQ — SyrianElectronicArmy (@Official_SEA16) August 27, 2013
The NYT reported that its domain name registrar, Melbourne IT, was hacked as part of the attack.
“The credentials of a Melbourne IT reseller were used to access a reseller account on Melbourne IT’s systems,” said Tony Smith, general manager of corporate communications for Melbourne IT.
The DNS records of several domain names on that reseller account were changed, including those for nytimes.com. After being notified of the hack, Melbourne IT changed the affected DNS records back to their previous values, locked the records against further manipulation and changed the reseller credentials to prevent further modifications. They have yet to confirm the identity of the hacker.
David Ulevitch, the founder and CEO of OpenDNS, a cloud-delivered Internet security network, said that the SEA appeared to have compromised the registrar's security, thereby gaining the ability to redirect domain names to anywhere they wanted.
This screenshot was taken around 2:30 p.m. Pacific Time and shows the Syrian Electronic Army as the administrators of Twitter.com.
Melbourne IT is the registrar for many prominent media sites, including Twitter and ShareThis. “ShareThis can be threatening because you can establish code that they could execute that would steal users’ passwords and compromise embedded posts,” Ulevitch said.
The NYT encouraged employees to stop sending emails when they found out about the suspected hack in an effort to safeguard personal information.
OpenDNS was already blocking malicious Syrian Electronic Army IP addresses. OpenDNS users who tried to access the sites when they were first attacked would see a notification about malicious software, not because the New York Times was hosting malware, but because the IP address associated with the domain at the time was that of the SEA.
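The incident described above combined a registrar-level record change with resolver-side blocking of the substituted IP address. As an added example (not code from the article, Melbourne IT or OpenDNS), this Python check diffs an observed snapshot of nameserver, A-record and registrant data against a known-good baseline and flags answers that fall inside a blocklisted network; every domain, address and registrant name is constructed, and collecting the snapshot from live DNS and WHOIS is assumed to happen elsewhere.

```python
import ipaddress

def rec(ns, a, registrant):
    """One domain's published state: nameserver set, A-record set, registrant."""
    return {"ns": {ns}, "a": {a}, "registrant": registrant}

# Constructed baseline: the records each domain owner expects to be published.
BASELINE = {
    "news.example": rec("ns1.dns.example", "192.0.2.10", "Example News Co"),
    "social.example": rec("ns1.dns.example", "192.0.2.20", "Example Social Inc"),
    "blog.example": rec("ns1.dns.example", "192.0.2.30", "Example Blog LLC"),
}
# Constructed observation modelled on the incident: two domains were altered;
# the third differs from baseline only in letter case and a trailing root dot.
OBSERVED = {
    "news.example": rec("ns1.attacker.example", "203.0.113.7", "Unknown Group"),
    "social.example": rec("ns1.dns.example", "192.0.2.20", "Unknown Group"),
    "blog.example": rec("NS1.DNS.EXAMPLE.", "192.0.2.30", "Example Blog LLC"),
}
# Constructed blocklist of networks a resolver already treats as hostile.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def canon(names):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return {n.lower().rstrip(".") for n in names}

def is_blocked(ip):
    return any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETS)

def audit(baseline, observed):
    """Return {domain: [issues]} for every domain that drifted from baseline."""
    findings = {}
    for domain, want in baseline.items():
        got = observed.get(domain)
        if got is None:
            findings[domain] = ["no-data"]
            continue
        issues = []
        if canon(got["ns"]) != canon(want["ns"]):
            issues.append("ns-changed")
        if got["registrant"] != want["registrant"]:
            issues.append("registrant-changed")
        if any(is_blocked(ip) for ip in got["a"]):
            issues.append("resolves-to-blocked-ip")
        elif got["a"] != want["a"]:
            issues.append("a-changed")
        if issues:
            findings[domain] = issues
    return findings
```

A registrant-only change, as in the second constructed domain, is worth alerting on by itself because it shows the account was modified even where traffic has not yet been redirected.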
“We have moved to reset Twitter and the New York Times back to their settings even though the rest of the Internet hasn’t caught up yet,” Ulevitch said. NYT CTO Rajiv Pant encouraged readers who are having trouble reaching the site to use OpenDNS for now.
OpenDNS already boasts over 50 million users, and Ulevitch is anticipating an increase in users as a result of Tuesday’s massive hack.
This is the latest in the SEA's history of attacking prominent news sites. They have compromised the Associated Press Twitter account, NPR's website and Twitter accounts, the Washington Post, and The Financial Times in recent months.
Dropbox has had its share of security woes. One day, wayward code breaks authentication protocols. Another time, user logins get stolen from third-party sites. Now it's a couple of researchers stretching their hacking muscles and proving they could lay waste to Dropbox's security measures.
For users, this may be genuinely alarming news—particularly for those who depend on Dropbox heavily. I certainly do. So perhaps I should feel upset or unnerved by this. But I'm not. At all.
How Dropbox Got Ripped Open
What's clear is that these researchers have no bad intentions. Dhiru Kholia and Przemyslaw Wegrzyn, authors of the paper "Looking inside the (Drop) box" (PDF), just wanted to prove they could do it. And they did. They wowed the developer community by reverse engineering the cloud storage service's desktop application.
Reverse engineering, or figuring out an app's development by working backwards starting with its finished product, is a fairly common practice. But few thought Dropbox could be vulnerable to it.
The app was written in Python and relied heavily on obfuscation, meaning it was intentionally designed to conceal source code. But that didn't stop Kholia and Wegrzyn. They write:
We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented.
In other words, they were able to make modifications without altering Dropbox's original source code. They also exploited the “Launch Dropbox Website” feature, an item located in the Windows system tray that lets users auto-login to the website. The handling of that in the current version of Dropbox is more secure than in the previous ones, but legacy users could still be at risk of having their accounts breached.
This is an impressive feat, even if it is fraught with some scary potential. The team showed that it's possible to blast through Dropbox's two-step login security, hijack accounts and expose code that could allow crafty hackers to devise some ingenious (or malicious) programs.
Fortunately, the researchers have no mischief in mind. They only wanted to prove a point: Blocking access to underlying code doesn't necessarily stop hacks. All it does is impede well-meaning developers from vetting it properly.
Prepping For Cloudy Days
Of course, that doesn't mean some black-hat hacker won't use these exploits to plunder Dropbox users' data. That's no small matter, considering the company has 175 million users.
That's a lot of gigabytes pulsing through the Dropbox cloud. For my part, I make sure that my most sensitive information isn't among them. I store important logins and other personal data locally (either in my laptop or on an external drive). Some files, of medium importance, get either encrypted or password protected. What remains is detritus or items of lower priority.
I may be atypical, but while I like and use services like Dropbox for convenience, I do so knowing they aren't impregnable. In fact, I operate under the assumption that hacks and breaches are inevitable. That's either paranoid or savvy, depending on your point of view. Either way, it offers some peace of mind whenever the clouds get a little stormy.
Feature image courtesy of Flickr user Derek Key
UPDATE: I reached out to Dropbox for a comment, and received the following via email from a company spokesperson:
We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board.
Yet another reason to secure those computers. Spread the word.
Forget all the Big Data numbers you've seen. The reality is that no one has a clue how much Big Data adoption there is, because few actually know what Big Data means.
Ian Bertram, managing vice president at Gartner, points this out, arguing that the industry is completely muddled over what Big Data means. According to Gartner research, 50% of enterprises cite data variety, not data volume, as the primary driver of Big Data adoption. In fact, "big" is hardly a factor at all.
Marketo's Jon Miller suggests that "big data is a catch-all term for data sets that are so large and complex that they necessitate new forms of processing beyond the SQL databases prevalent since the early 1980s." Given that the term is merely a catch-all, how can we even be sure that a given application is a "Big Data application"?
We can't. That's why I wonder how much credence we can give to surveys like this:
This isn't a Gartner problem. It's an industry problem. We've invented a meaningless term that essentially means everything, and hence nothing.
Hence, when Wikibon tries to quantify the Big Data businesses of a range of vendors, it's hard to see how they (or anyone) can truly get anywhere near the right answer:
I suspect that what we're really talking about with "Big Data" is merely data. We just mean that we've gained the ability to put more data to work in our applications. It's not really a matter of "big," though. It's just a matter of "more." Bertram seems to concur:
The question I would like to pose is—why call it “Big Data” at all, what makes it big? Rather why not call it just “data” or “Information” as aren’t we just talking about different sources and extracting value from the combination of these sources? Aren’t we trying to find patterns to build models, identify risk, understand intent and sentiment and develop networks?
In other words, aren't we just trying to do the same things that we've always tried to do, but with new tools like Hadoop and NoSQL that make it easier, more powerful and more cost-effective? The tools have changed, but the desire to put data to use has not.
Johnson is a big proponent of making Zite shine on each mobile operating system. The app started on the iPad but has expanded down the line to Android and Windows Phone. Johnson is the type of mobile nerd who sees something great in each of the platforms. As such, he wants to see Zite shine on each operating system.
Zite also announced today that version 2.0 of its app is coming to Android. Zite 2.0 was first shipped to the iPad in December 2012 and since then the company has been working to build the next generation of Zite for Android based on its iOS redesign. Instead of a straight port from the iPad app to Android, Johnson said that the Zite team wanted to make sure the app was very “Android-y” while still retaining the magazine feel that people like on iOS.
“Before we got Zite completely working on Android, looking at some of our competitors you notice that they really have just taken the iOS version and ported it over to Android. I really wanted to avoid that, I really wanted to take advantage of all the great features that Android has to offer,” Johnson said.
Zite will offer a dynamic widget for device home screens, an Android-style quick list, better personalization of news content and even integration with Samsung’s S Pen stylus on Galaxy Note devices.
Johnson said that Zite will also have a fully functional refresh of the app for iOS 7 when it is released to the public sometime in September.
Johnson likens Google Glass to the first time he saw the World Wide Web on a Mosaic browser, the now-ancient (in Internet time) ancestor of modern browsers.
“I remember that moment in my life and was like, holy shit, there is something here, there is a revolution coming,” Johnson said. “I actually felt the same way when I put on my Google Glass for the first time and forced myself to use it. I thought, wow, there is something here that is going to be hard to explain to people what is coming.”
Zite the company actually started as a semantic search engine called Worio, but changed course in 2011 to focus on news with a mobile-only focus. Its new app launched in the early days of the iPad and has expanded to the iPhone, Android smartphones and Windows Phone. Google Glass is a natural extension of that approach—albeit one heavily influenced by Johnson’s belief that Glass is just really cool.
The other reason to develop for Glass—the fear of missing out—also plays a factor. Internet disruption caught the media industry unprepared. With mobile now ascendant, media companies don’t want to miss the boat again. If that means building for platforms that ultimately may have no meaningful consumer adoption, so be it. It's better to cover the bases early than be the company that has to catch up to everyone else.
Zite is also bringing version 2.0 to Android
“I really want to be in early on that,” Johnson said. “I think it is important for us to be experimenting on these platforms which are going to be critical for people getting their news and information. And I want to make sure that as this revolution comes about, we are going to understand what consumers want and are going to be prepared for when Google Glass and other kinds of wearables like watches and whatnot become mainstream.”
The question plaguing many developers where Google Glass is concerned is simple: Why? Why spend time and resources building an app for a device that only a few thousand extremely select people currently use, and which has no guarantee of ever being a mass-market hit like smartphones and tablets?
Google hasn't announced a public launch date for Glass, and rumors of the spectacles coming in 2014 at a budget-friendly price of $299 appear to be unfounded. Google’s moonshot is a cool idea, but it's still just a beta product wrapped within a beta product. So why bother?
Johnson cites two reasons: The fear of missing out, and the ability to build for some cool technology that has the potential to be huge.
“When I got this pair of Glass I was really honored to be in the program but I thought, honestly, is that it is just a gimmick,” Johnson told ReadWrite. “As I started using them I realized that a revolution is coming, a revolution that is going to be pretty impossible for people to ignore. Not just for we that develop applications, but for consumers as well.”
Depending on who you ask, wearable computers will either be the next big thing in technology or a completely superfluous and socially unacceptable line of gadgets only for pretentious techno-nerds. Mark Johnson wants you to know he's in the former group, at least where Google Glass is concerned.
Johnson is the CEO of Zite, a personalized mobile news app that's making the transition to Google Glass. The new Glass app, which it's announcing today, will deliver the top 10 stories in a user’s Zite app straight to the screen hanging in front of her face. The app will also be able to read news stories aloud. Zite follows other publishers such as the New York Times, Twitter and Facebook, all of whom have already released Glass apps.