Security Researcher Punches Holes In NBC's 'Everyone Going To Sochi Will Be Hacked" Story; NBC Doubles Down In Response
from the because-'being-careless-will-get-you-hacked'-isn't-headline-material dept
Earlier this week, NBC "reported" that journalists and visitors to Sochi are being immediately hacked virtually as soon as they acquire a connection. [AUTOPLAY WARNING.] NBC presented this as something completely inescapable in its report, which purportedly showed NBC journalist Richard Engel's cellphone and laptop being compromised "before he even finished his coffee."
All very scary but all completely false.
Errata Security points out that the entire situation was fabricated.
The story shows Richard Engel "getting hacked" while in a cafe in Russia. It is wrong in every salient detail.While your average person might be lured to sketchy sites supposedly related to the Olympics, most of these people wouldn't have disabled the default locks on their phone, as Robert Graham at Errata Security points out.
They aren't in Sochi, but in Moscow, 1007 miles away.
The "hack" happens because of the websites they visit (Olympic themed websites), not their physical location. The results would've been the same in America.
The phone didn't "get" hacked; Richard Engel initiated the download of a hostile Android app onto his phone.
...and in order to download the Android app, Engel had to disable a lock that prevents such downloads -- something few users do [update].
The truth makes for a much less interesting story, however, and as Graham points out, Engel's use of the passive voice ("the phone was hacked" rather than "I downloaded a virus") deliberately obscures what's actually happening on the video. It's not Sochi's wireless connections that are "infected," it's the sites themselves. No one's getting hacked instantly unless they're going out of their way to act carelessly in a potentially hostile environment. Following normal internet safety procedures should keep journalists and Olympic fans protected -- preventative measures that NBC could have chosen to deliver with its report, except that they would undercut the narrative it was crafting. There is no doubt that the influx of out-of-town visitors presents an enticing target for aspiring hackers, but there's no reason to believe any device will be insta-compromised the moment it connects to the internet.
NBC, for its part, seems to think the only way to wipe this egg of its face is to apply more egg, as c|net reports:
"The claims made on the blog are completely without merit," according to a representative from NBC News.But NBC's story carried this headline:
The NBC rep also noted that the report made it clear from the beginning that the taping was done in Moscow. The report was intended to demonstrate that a person was more likely to be targeted by hackers while conducting searches in Russia, the representative added, acknowledging that these attacks can happen anywhere in the world. In addition, the story was designed to show how less technically savvy people can fall victim to such a cyberattack.
Hacked Within Minutes: Sochi Visitors Face Internet MinefieldEven with the appended disclaimers, the report was obviously intended to present Sochi as a hackers' paradise where anyone -- even those not stupid enough to visit rogue websites or purposefully sideload sketchy apps -- can be compromised before their coffee cools. And the phrasing used by the reporters is equally as misleading. The following quotes are taken from the transcript (which, to NBC's credit, opens up with "Welcome to Moscow").
>> reporter: good evening, brian. the state department warns the travelers should have no expectation of privacy. even in their hotel rooms. you are immediately exposed as soon as you try to communicate with anything. one of the first thing visitors to russia will do is log on. hackers here will count on it. we decided to find out how dangerous that could be.This would be the malware consciously downloaded by the reporter. Note that it's stated that the phone is downloading the malware on its own, rather than with any assistance by the journalists.
>> reporter: with our new computers loaded with attractive data, we headed for a restaurant, where we used a new smart phone to browse for information about the sochi olympics. almost immediately we were hacked.
>> did you see where it said downloading?
>> i did.
>> it's actually downloading a piece of malware.
>> malicious software hijacked our phone before i even started my coffee.
>> back at the hotel will hoyt was using specialized software to monitor my two computers. and sure enough, they had also been hacked.No mention of visiting unknown sites. The assumption is that hackers accessed the computers on their own, rather than having a door propped open by Engel's visit to malicious sites, most likely sites that any decent browser/search engine would have warned might be an unsafe place to visit.
>> it had taken hackers less than one minute to pounce. within 24 hours they had broken into both computers and started helping themselves to my data."Pounce?" On what, the Welcome mat the journalists laid out? God helps those who help themselves to data, but the devil's editor visits compromised sites in search of a good story.
>> reporter: american athletes and fans now coming to russia by the thousands are entering a minefield. the instant they log on to the internet."The instant they log on…" Obviously false. Pre-priming your devices for failure will "allow" you to be hacked before your coffee cools, but following some very basic security measures will keep devices safer. Sure, there's likely a higher concentration of hacking activity in Sochi with so many potential targets in the area, but that's no excuse to promote fear over facts and for journalists to intentionally sabotage their own equipment just to ensure the eyeball-grabbing headline actually fits the content. It's not just bad journalism, it's also irresponsible. NBC could have used this time to outline the same basic safety precautions Graham does in its blog post, but was obviously more interested in reinforcing its viewers' perception that Russia is the Internet Wild West, where even the safest surfer will be hacked to unrecognizability by malicious electro-bandits at the faintest whiff of a wi-fi signal.
>> the best way to protect yourself is quite simple, if you don't really need a device, don't bring it. try to avoid the public wifi. and if there's anything particularly and uniquely important on your computer or phone, banking information or photographs, remove it before coming to russia.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hacking, olympics, richard engel, sochi
Companies: nbc
Reader Comments
Subscribe: RSS
View by: Time | Thread
Stupid people do stupid things!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
its funny TD ran with it as well
[ link to this | view in chronology ]
Mis-information?
The story has been fined down over the next few news editions to mask the factual complaints raised.
Any-One want to bet on when a "story breaks" that "US zone" of the Internet is better managed and safer because. (fill in your favorite government agency name), is soooo active.
[ link to this | view in chronology ]
Re: Mis-information?
We're accessing a global network, the endpoint's location (with extreme exceptions, like china, UK) have little to no affect on the content.
[ link to this | view in chronology ]
Mis-information?
The story has been fined down over the next few news editions to mask the factual complaints raised.
Any-One want to guess on when a "story breaks" that "US zone" of the Internet is better managed and safer because. (fill in your favorite government agency name), is soooo active.
[ link to this | view in chronology ]
More pseudo news entertainment for the masses
[ link to this | view in chronology ]
NBC incompetence
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
No Bloody Clue
[ link to this | view in chronology ]
Re:
Cock-sucking Bastard Sons-of-bitches.
[ link to this | view in chronology ]
This is why...
[ link to this | view in chronology ]
Re: This is why...
[ link to this | view in chronology ]
you don't just turn on a device to find that something is downloading unless you have enabled such a thing yourself. at least not yet anyway.
I have to question whether this is just more entertainment or [puts tin foil hat on] are they preparing people for a future where devices are designed so poorly that you'll see things like this actually happening even on brand new devices that have just established their first connection?
[adds tinfoil hat to device before clicking submit]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
the wiki on it says:
This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service)
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
What is this the 60s? I thought you guys stopped the commie hating, but what goes on now is sad.
Its obvious that the US tries to discredit Russia at every opportunity. The only problem I see with sochi is that they havent finished it in time. But this whole "everyone gets hacked", "gays are thrown in gulags" and the latest "Putin should smile more"...
Seriously guys, if you still believe what the media says
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Most sane people have, but there are notable holdouts.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Likely Reality
[ link to this | view in chronology ]
So full of fail
I'm quite sure I could take my laptop (which is running OpenBSD) (and not on an x86-based CPU)in there and do just fine.
[ link to this | view in chronology ]
Re: So full of fail
For most, good security, even on Windows, is being careful about where one visits and keep the OS and software fully updated. Most of my older friends and family rarely get any malware on Windows by following good practices.
[ link to this | view in chronology ]
Re: So full of fail
While that may be true for some people who understand security, it isn't true for all. Many simply limit what information they make available through those devices and means and follow best practices otherwise. There is plenty of low hanging fruit out there for the malcontents to pick after all.
[ link to this | view in chronology ]
Re: So full of fail
Simply not true. People who actually understand security know that it's a terrible, and really common, mistake to think of some platforms as insecure and others as secure.
Security experts treat all systems as insecure and do two things to reduce (you can never eliminate) the risk: adopt proper habits, and know how to use high-quality security software and use it correctly.
The various Unices are easier to secure because of their design, but it is possible (and not really that hard) to harden any other OS to an acceptable degree as well.
[ link to this | view in chronology ]
Rinse, Repeat.
The General Motors lawsuit and subsequent settlement was arguably the most devastating blow for NBC in a series of reputation damaging incidents during the 1990s and early 2000s.
http://en.wikipedia.org/wiki/Dateline_NBC#General_Motors_vs._NBC
[ link to this | view in chronology ]
Re: Rinse, Repeat.
[ link to this | view in chronology ]
NBC also messed with Zimmerman's 911 phone call
They were alright during the worst of the Bush days, but now they're fake "left" FOX News like the latter is fake "right".
[ link to this | view in chronology ]
Re: NBC also messed with Zimmerman's 911 phone call
[ link to this | view in chronology ]
Re: Re: NBC also messed with Zimmerman's 911 phone call
[ link to this | view in chronology ]
Re: NBC also messed with Zimmerman's 911 phone call
Fox News is right wing no doubt, but I wouldn't say NBC is left, more like schizophrenic.
[ link to this | view in chronology ]
NBC in Russia
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Not sure what I was saying. Not like they have ever done anything like that in the past.
[ link to this | view in chronology ]
Techdirt: sorry, but wrong too
Downloading a virus is not the same as sideloading. Any browser will download files automatically, no matter if they are JPGs, PDFs or viruses. But this act of downloading doesn't mean the malware will ever get installed or executed.
So it's correct to say "it is downloading". You visit a website, and it starts downloading all of itself.
Implying that this means you are infected, is the wrong part.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
trying to re-enter the US.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
>> back at the hotel will hoyt was using specialized software (Internet Explorer 6) to monitor my two computers. and sure enough, they had also been hacked (someone installed the ask.com toolbar).
[ link to this | view in chronology ]
News?
The American US media's job hasn't been to report news in over a decade. Their job is to either entertain or scare people.
Period.
Expecting Facts, investigations and or news out of the American media these days is like expecting a TSA agent to laugh at a bomb joke and wave you through...
[ link to this | view in chronology ]
Re: News?
And .... spread propaganda, misinformation and outright lies.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
This is why I say there is no mainstream journalism in the US, and hasn't been for quite a long while. It's all propaganda and lies. (And, I maintain, this is the real reason that newspapers are dying.)
[ link to this | view in chronology ]
Corporate synergt at work
I don't remember NBC running these kinds of scare stories during the Beijing Olympics. Is that because Russians are evil hackers and the Chinese aren't?
[ link to this | view in chronology ]