OFFICIAL SECURITY BLOG


NBC severely overhypes Sochi hacking story

Published February 6th, 2014 at 5:03 PM EST , modified February 7th, 2014 at 4:01 PM EST

On Tuesday night, NBC aired a segment on the nightly news warning about widespread hacking at Sochi. As the story implied, any electronic devices brought to Russia would be hacked immediately, as soon as they are connected to a network. Unfortunately, these implications reached farther than the facts support. NBC’s reporting of the story was extremely misleading.

For those who don’t want to load Flash Player so they can watch the video, Brian Williams introduces the segment with statements like, “[…] if they fire up their phones at baggage claim, it’s probably too late to save the integrity of their electronics […],” and “[…] it’s not a matter of if, but when.” Already, the stage is being set to tell the watcher that every device connected to a network in Sochi will be compromised immediately.

We then see Richard Engel, who meets with a “top American security expert,” who supplies two brand new laptops (one Windows and one Mac) and a Samsung phone, which he loads up with a fake social media “profile” (precisely what that means is unclear) for Richard Engel. The two unbox the laptops (shredding the Mac box in a manner that would make a Mac purist cringe), then proceed to go out to a coffee shop. At the coffee shop, the Samsung phone is immediately fooled into downloading a malicious app. How this happens, exactly, is unclear, but… well, come on, it’s a Samsung phone. It doesn’t take much to infect Android. Not particularly surprising.

Back in the hotel room, it seems that the laptops have both been hacked somehow. According to Engel, “It had taken hackers less than one minute to pounce.” He then proceeds to say that, “Within 24 hours, they’d broken into both computers and started helping themselves to my data.” Again, how exactly this was done is left to the imagination, but the story leaves us with a strong impression that these machines were hacked simply by taking them out of the box, turning them on and connecting them to the network.

But wait… that’s not supposed to be possible on a Mac, right? And recent versions of Windows are pretty darn secure, too. What’s going on here? How is this happening?

Well, it turns out that everything was seriously overstated, and many vital details were omitted. NBC has since posted a “behind-the-scenes” video that includes more details. It turns out that the Windows machine was only infected because the fake e-mail address it was set up with was sent a malicious Microsoft Office document, which the two opened, using the outdated Microsoft Office 2007. Okay, plausible, but not exactly the “all by itself” sort of occurrence that was originally implied.

As for the Mac, that was only compromised because the malicious network redirected the machine’s web browser to a fake anti-virus scam site. They downloaded and installed this anti-virus software, thus infecting the machine. (With what, I’d love to know! But alas, that’s a detail we will probably only find out if some responsible security researchers research this and release their findings.)

Honestly, these are things that could happen anywhere, anytime. This isn’t unique to Sochi. If you happen to be in New York City and connect to a wifi network claiming to belong to Starbucks, for example, it could be a malicious network that actually has nothing to do with Starbucks. When you connect, your activity will be monitored and your web browser will be redirected to malware sites. This kind of thing really requires nothing more than a laptop and the right software… and maybe a wifi router, for greater range. And everyone is familiar with malicious attachments on junk e-mail… you don’t have to go to Russia to find those!
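The post doesn’t say how the hostile network redirected the Mac’s browser. One common way a rogue access point does that is by answering DNS queries itself, so that a trusted hostname resolves to an address the attacker controls; that mechanism is an assumption here, not something the post states. The following is an added example (not code from the original post or from anyone featured in it) showing the defender-side check a traveller or IT team could run against resolver logs: compare what a well-known hostname resolves to on an untrusted network with a baseline captured beforehand on a trusted one, and flag answers that land in non-routable address space. The log format, hostnames and all addresses below are constructed for the example.

```python
"""Flag DNS answers that suggest a rogue network is redirecting trusted hostnames.

Added example, not from the original post. It assumes (the post does not say
how the redirection worked) that the hostile network answers DNS queries
itself. The log format, hostnames and addresses are constructed for this demo.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed resolver log: "<time> <client> query <name> -> <answer>".
# Lines 1-2: public hostnames answered with the gateway's private address.
# Line 3: the hotel's own portal; not in the baseline, so it is ignored.
# Line 4: a public hostname answered with a public address that differs
#         from the trusted baseline.
# Line 5: an answer that matches the baseline; nothing to report.
SAMPLE_LOG = """\
12:00:01 10.0.0.23 query www.example.com -> 10.0.0.1
12:00:02 10.0.0.23 query download.example.net -> 10.0.0.1
12:00:03 10.0.0.23 query portal.hotel.invalid -> 10.0.0.1
12:00:04 10.0.0.23 query www.example.org -> 93.184.216.99
12:00:05 10.0.0.23 query www.example.com -> 93.184.216.34
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) query (?P<name>\S+) -> (?P<answer>\S+)$"
)

# Baseline recorded on a trusted network before travelling (constructed values).
TRUSTED_BASELINE: Dict[str, Set[str]] = {
    "www.example.com": {"93.184.216.34"},
    "download.example.net": {"93.184.216.35"},
    "www.example.org": {"93.184.216.34"},
}


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_non_routable(addr: str) -> bool:
    """True for private, loopback, link-local or multicast addresses.

    A public website's authoritative DNS never hands out such addresses, so
    seeing one for a well-known hostname points at a local resolver
    substituting its own answers.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast


def flag_hijacked_answers(log_text: str, expected: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per answer that contradicts the trusted baseline.

    Hostnames absent from `expected` (e.g. the network's own captive portal)
    are skipped: the check is about trusted names being redirected, not about
    the local network having local services.
    """
    findings: List[dict] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["name"] not in expected:
            continue
        answer = rec["answer"]
        if is_non_routable(answer):
            reason = "public hostname answered with non-routable address"
        elif answer not in expected[rec["name"]]:
            reason = "answer differs from trusted baseline"
        else:
            continue
        findings.append({"name": rec["name"], "answer": answer, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_hijacked_answers(SAMPLE_LOG, TRUSTED_BASELINE):
        print(f"{f['name']} -> {f['answer']}: {f['reason']}")
```

The baseline is the important part: a single divergent answer on an untrusted network is not proof of tampering (CDNs hand out different addresses by region), but a trusted hostname resolving to the access point’s own private address is exactly the symptom that would precede a browser being steered to a fake anti-virus page.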

If you happen to go to Sochi, and if you take your electronic devices, all the usual precautions apply. Don’t trust free wifi networks, and especially don’t download anything or visit sensitive websites while on such a network. If you get an e-mail attachment you weren’t expecting, don’t open it. If you get a pop-up on a web site telling you that you need anti-virus software, ignore it. Although there certainly are people out there who may fall for these tricks, there’s nothing more dangerous in Sochi than the world of cyberspace that we’ve been living with for years already. It sounds like it may just be easier to find a malicious network there, that’s all.

Updates

February 7, 2014 @ 1:00 pm EST: There are some very interesting conversations on Twitter, between Robert David Graham (@ErrataRob) and the security expert featured in the video, Kyle Wilhoit (@lowcalspam). Sounds like Mr. Wilhoit was not very happy with the way this story was reported, and will soon be publishing a paper on what he actually did and what the results were. One interesting note: he says they didn’t actually allow him to leave Moscow, so this story really isn’t related to Sochi (more than 1,000 miles away from Moscow) in any way at all.

Some interesting things were also said in a post on Robert David Graham’s blog.

February 7, 2014 @ 3:52 pm EST: Mr. Wilhoit’s paper on the NBC story is now available. Sounds like NBC seriously misrepresented things! We also now know what was installed on the Mac used in the story: Aobo Keylogger. The app is not signed with a valid developer ID, so it wouldn’t be easily opened… that would be sufficient for most people to stop the attack in its tracks, since most people don’t know how to bypass this, and probably wouldn’t follow the strangely-spelled directions shown in Wilhoit’s screenshot.

As Wilhoit points out in his paper, “all infections required user interaction and several risky behaviors to succeed.”


One Comment

  • Ian MacGregor says:

    Sounds like nothing more than social engineering.. which can happen anywhere on the planet. I can’t believe people still fall for these tricks.
