
Confirmed: CBS News Reporter's Computer Compromised

Posted by timothy
from the all-the-cool-kids-have-their-lines-tapped dept.
New submitter RoccamOccam writes "Shortly after the news broke that the Department of Justice had been secretly monitoring the phones and email accounts of Associated Press and Fox News reporters (and the parents of Fox News Correspondent James Rosen), CBS News' Sharyl Attkisson said her computer seemed like it had been compromised. Turns out, it was. 'A cyber security firm hired by CBS News has determined through forensic analysis that Sharyl Attkisson's computer was accessed by an unauthorized, external, unknown party on multiple occasions late in 2012. Evidence suggests this party performed all access remotely using Attkisson's accounts. While no malicious code was found, forensic analysis revealed an intruder had executed commands that appeared to involve search and exfiltration of data.'"
This discussion has been archived. No new comments can be posted.

  • by gweihir (88907) on Friday June 14, 2013 @07:19PM (#44012221)

    A good example why reporters (and others) need to care about IT security.

    • by masdog (794316) <masdog@@@gmail...com> on Friday June 14, 2013 @07:23PM (#44012235)
      I'm not sure better security would help in this case. It's not like the government has compromised the major OS vendors/projects. In fact, I think there's no such agency dedicated to that task.
      • by gweihir (88907) on Friday June 14, 2013 @07:34PM (#44012299)

        While it is known that MS has given vulnerabilities to the NSA before patching them, it is highly doubtful the same is going on with Linux or the free BSDs. The risk of being discovered would just be too big.

        • While it is known that MS has given vulnerabilities to the NSA before patching them

          Citations?

          • by monkeyhybrid (1677192) on Friday June 14, 2013 @07:43PM (#44012365)

            Please excuse my scepticism. I just googled the topic and it seems there's some evidence they've been doing this along with contributing to PRISM. Very enlightening to say the least!

          • by AxemRed (755470) on Friday June 14, 2013 @07:45PM (#44012379)
            • by cffrost (885375)

              It seems to me that when Microsoft's involved, "responsible disclosure" guidelines should be adjusted to immediate public release, as long as MS is feeding exploits to hackers before fixing them.

              • by mcgrew (92797) *

                It seems to me that when Microsoft's involved, "responsible disclosure" guidelines should be adjusted to immediate public release, as long as MS is feeding exploits to hackers before fixing them.

                It seems to me that ALL vulnerabilities should be disclosed immediately. Vuln in Firefox? No problem, use IE or Opera. Vuln in PDF? Uninstall it until it's fixed or use a different reader or writer. It's not like there's only one OS, spreadsheet, browser, image editor, etc.

                It seems to me that when a white hat finds

                • tell ME, the user, so I can stop using the vulnerable software until it's fixed.

                  Yes, tell you the user that there's a problem in a piece of software, and what part of that software, but also give the vendor some amount of time to fix it before dumping the exploit into metasploit. I once called this Informed Disclosure [bfccomputing.com] for lack of a better term.

                • by cffrost (885375)

                  I agree with you; I support immediate public disclosure as well.

                  The reasons I wrote what I did last night were that a) I didn't want to sidetrack the discussion into one about immediate versus "responsible disclosure" in general, and b) I wanted to make a point that might persuade those in support of "responsible disclosure" that Microsoft has shown that it doesn't deserve whatever benefits it may receive from the practice, since they've been colluding with a known hacker organization that's been violating

            • Funny. So remember everyone - if you find a critical bug in Windows, do what this guy did. [slashdot.org] Disclosing it confidentially to Microsoft instead would be highly irresponsible.

          • by erroneus (253617)

            You don't need "malware" when you've got Windows.

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          There's no need to insert vulnerabilities into Linux. The Linux kernel is riddled with vulnerabilities.

          If you've ever wondered to yourself, "how the heck do those Linux developers commit such huge changes between minor versions without introducing bugs", well I have some news for you....

          If you want to run a secure system, try OpenBSD or NetBSD. Development occurs at a slower, more conservative pace, particularly with OpenBSD. And there are virtually none of the "dump and run" feature submissions that are so

          • by gweihir (88907) on Friday June 14, 2013 @08:09PM (#44012499)

            When you are talking about local exploits, maybe. But this is about remote exploits. When you have compromised a user account, you do not need privilege escalation to spy on them, you just need to get in as said user. That limits the scope of what needs to be looked at rather dramatically.

            Also, for security critical operation, a vanilla Linux is not a good idea. Use AppArmor or SELinux with custom, restrictive configurations. (Yes, I know that SELinux is from the NSA, but the risk of putting in back-doors is just too big.) Running a server is different. There, the largest risk is from the server software. Things like OpenSSH and Postfix are very secure, Apache2 without modules less so and Apache2 with modules can be a real nightmare, depending on the modules.

            I do agree on the development model though. But you need to take into account that most of the fast development in Linux is the drivers. The rest is done a lot more carefully and with significantly more review.

            • by LandGator (625199)
              OpenBSD is by no means vanilla, but instead is a much more exotic flavor. Gold Medal Ribbon, maybe? www.baskinrobbins.ca/en/2012/08/01/gold-medal-ribbon
          • But who eyeballs the eyeballs?

          • by manu0601 (2221348)

            Yes, NetBSD and OpenBSD are good for security (so are FreeBSD and DragonflyBSD), but there are still points to note:

            First, local security is an issue. The surface attack is so big that if you let an attacker play with remote access to the shell, he will find a security hole, even in NetBSD or OpenBSD.

            Second, OpenBSD's security emphasis pushes them to play down vulnerabilities, because they do not want to recognize them as such. OpenBSD errata have many "reliability fixes" that may be vulnerability fixes. And the

        • by instagib (879544)

          This cooperation between MS and the NSA maybe explains why MS got away in most cases of monopolistic abuses during so many years: it's easier to infiltrate computers worldwide if they all use the same OS.

        • by Shavano (2541114)
          What do you mean being discovered? Of course the NSA and every other security agency in the world wants early access to zero day information. And the NSA has the budget to pay for them. If you think ordinary citizens and businesses are under attack from the NSA, imagine how much effort is bent on extracting the gigatonnes of Top Secret information such an agency has on file. I'm not saying the NSA is above using the information for nefarious purposes. They are, after all, a spy agency. But they also h
          • Well, if we are talking about exploits in Microsoft Windows, it's most likely intended to be used offensively. I doubt NSA stores their top secrets on Windows machines.

        • There is a difference between actively placing backdoors in software and just analyzing it for exploits and not reporting them too... they likely know lots of ways into Linux that don't involve tampering with project code.
    • by onyxruby (118189)

      I can't argue your point about the need to care about security and raising awareness. However the idea that locking down your box could stop the government is naive. If they can convince a judge they can get a warrant. With a warrant you simply enter the residence and install something like a hardware keylogger [keelog.com] (that's a commercial one, they come much smaller) or a pinhole camera.

      Your TrueCrypt secured hard drive hosting your locked down Operating System behind the firewall of doom that only ever connects t

  • by hawguy (1600213) on Friday June 14, 2013 @07:23PM (#44012231)

    Why is the justice department denial so specific:

    To our knowledge, the Justice Department has never compromised Ms. Attkisson’s computers, or otherwise sought any information from or concerning any telephone, computer, or other media device she may own or use.

    It sounds like a carefully worded statement that leaves open the possibility that they planted an old fashioned bug to listen to her in her home, or a GPS tracker on her car, or secretly searched her house, or one of the other many ways they can secretly keep someone under surveillance.

    Why not a simple "We have never had Ms Attkisson under any surveillance or covertly obtained any information about her"?

    Besides, if she used a Verizon Business cell phone, or if the same cell phone meta-data order that was leaked to the press was given to all of the carriers, then the government *did* seek information concerning telephones used by her.

    • by larry bagina (561269) on Friday June 14, 2013 @07:38PM (#44012339) Journal

      When you have an Attorney General who will, under oath in front of Congress, commit perjury, why are any of their other statements considered credible?

      Not posting anonymously because the DOJ and NSA are tracking us either way.

    • by Nutria (679911)

      It sounds like a carefully worded statement that leaves open the possibility ...

      because, as Brett Buck mentioned, it might not have been the DOJ, OR it might have been the DOJ and the people who did it conveniently forgot to pass the information up the chain.

      Plausible deniability, doncha know.

    • by gmuslera (3436)
      Not all hacking comes from the government, but as they say, probably a good part does. That was what I read in their denial, "this time, I think that wasn't us"
      • by jafiwam (310805)

        Not all hacking comes from the government, but as they say, probably a good part does. That was what I read in their denial, "this time, I think that wasn't us"

        I'd like to hear a good argument by those that think this was the government, why they would feel it appropriate (as in, best method of completing the task) to use her accounts to log in?

        Compromised account? Sure that wasn't some 50 year old sysadmin that thought she was hot and was looking for pictures of her she might have put on the computer? Like, what girl doesn't have mirror shots taken from her phone once in a while? He wanted to see some of her skin. Not get her work data.

        I am one of the mor

        • by gmuslera (3436)

          As I said, the government said that it wasn't them... probably. But it could have been; after all, reporters or press in general are the ones that receive leaks to announce them.

          But odds are high that it is just another Windows intrusion, as there are many, i.e. running a trojan or any new worm, or a new version of something along the lines of Red October [securelist.com] that could take years to be detected.

    • by Bartles (1198017)
      The DoJ is telling you what they have done with that statement. They issued a denial that only references hardware. They say nothing about email accounts, cloud storage accounts, text messages, voicemail, or anything else that was intercepted going from here to there.
    • Why not a simple "We have never had Ms Attkisson under any surveillance or covertly obtained any information about her"?

      Because that lie would be caught already.

      The real weasel words here are "To our knowledge". Of course it's not "to their knowledge", they would deliberately shield themselves from knowledge of the details if they did it. That's plausible deniability 101.

    • Why is the justice department denial so specific:

      Because the NSA is NOT part of the Justice Department?

  • tsk tsk.... (Score:5, Funny)

    by arcite (661011) on Friday June 14, 2013 @07:27PM (#44012263)
    Looks like someone didn't renew their Norton Anti-Virus subscription. They warned you!
  • by checkitout (546879) on Friday June 14, 2013 @07:31PM (#44012283)
    Occam's razor would suggest that she got pwned by a drive-by exploit on some site she visits. In the same way anyone else might. She just happened to be of some level of importance.
    • by gl4ss (559668) on Friday June 14, 2013 @07:37PM (#44012323) Homepage Journal

      Occam's razor would suggest that she got pwned by a drive-by exploit on some site she visits. In the same way anyone else might. She just happened to be of some level of importance.

      but it was an attack by someone who knew the user/pass. like, from her mail or whatever..

    • Re: (Score:3, Insightful)

      by Mista2 (1093071)

      Drive-by hacking, probably not, as it doesn't look like they were after money, or extortion, or attempting ransomware installation. In fact, because it attempted to be stealth, it's not even an attack for fun, as most vandals like to let you know you got pwnd.
      It might not be internal domestic spying thug, could be from the UK (The Guardian likes to tap phones and listen to voicemails too) or China - (too many examples to list).

      • by Shavano (2541114)
        Or it could have been another news organization using her to do their research for them. It's so embarrassing to get scooped.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        >The Guardian likes to [...] listen to voicemails too
        Are you mixing up the News of the World and The Guardian?
        That's a pretty big mistake to make.

    • by Anonymous Coward

      Total coincidence that she was the only non-Fox reporter looking into Fast & Furious gun running scandal, and this happened right around when that was heating up.

      Obama's people wanted to know if they'd been caught.

  • What data? (Score:5, Interesting)

    by dadelbunts (1727498) on Friday June 14, 2013 @07:37PM (#44012329)
    I love how they fail to mention what data was searched. I'm sure that would provide a lot of information as to who was doing the searching.
    • by Shavano (2541114)
      Perhaps they just copied everything in her user profile. If I were going to hack somebody's computer, that's what I'd do. Grab it all while you can and sift it later for whatever you're looking for. You never know when she's going to change her password and you lose access.
    • by ArghBlarg (79067)

      You mean "meta-data". :p

  • I would not trust a commercial operating system to not be loaded with back doors accessible to the NSA. That's not even considering the history of Windows vulnerabilities. If I were in charge of IT for a foreign government, a news agency, a military or any business I would start by banning the use of Windows. With Linux it should be possible to have a computer which can search the Internet and prepare reports with no open ports for external attack. That should be the first step. Following that there ne

    • by DaHat (247651) on Friday June 14, 2013 @07:53PM (#44012409) Homepage

      With Linux it should be possible to have a computer which can search the Internet and prepare reports with no open ports for external attack.

      So you are going to read code line by line to determine that no such exploits exist?

      Anytime you run ANYTHING that you did not build AND control yourself... you run that risk... the best we can do is hope we can trust who we get our OS, router or tank from... and perhaps audit them from time to time (if we have that power) to try to make sure.

      • by drinkypoo (153816)

        So you are going to read code line by line to determine that no such exploits exist?

        It's probably enough just to run an operating system by and for paranoiacs, e.g. OpenBSD. If you really think someone is out to get you, at least take some precautions.

      • Some organisations will audit their code, and when they do so it will be better to start from a small, clean codebase.

    • by Shavano (2541114)

      A computer for work should be a tool, not a toy, and user preference should not be the highest priority. Security should be first.

      For most businesses, first is maintainability via tools that your IT staff knows how to use, then user preference, then productivity, then security.

      For businesses with well-run IT departments, it's either productivity, security, maintainability, preference or security, productivity, maintainability, preference.

      The latter schemes are both valid, depending on what your business's security needs are.

  • by Rick Zeman (15628) on Friday June 14, 2013 @10:42PM (#44013031)

    ...why say DOJ? It could be the Chinese.

    • by c0lo (1497653)

      ...why say DOJ? It could be the Chinese.

      (when looked at with the "common sense eyes", both of them behave in a totally "alien" way. So, what's the difference?)

  • Just sayin'. NSA may be bad-boy du-jour, but China's the one who's been hacking accounts on media and technology companies. I'd think NSA would be content to just sit there and sniff your traffic.

  • I have friends in state-level law enforcement. A great deal of "private personal" data about search phrases, download histories, email, and sites visited, is shared via FBI-CIA-NSA "cooperation" with the NCIS. It then migrates into LexisNexis and the other legal big data houses.

    Pro Tip: If you value your job, never, ever access a personal home account from a work client, even to plan a trip, play Angry Birds at lunchtime, or pay a bill. Once the two identities are linked, they're linked forever.

    And remember

  • But I actually like the idea of the government snooping around, hacking into accounts, and logging everything. If for no other reason it makes people worried and nervous. And when people are worried and nervous they are less likely to do things they know they shouldn't do for fear of being watched and caught.

    I like it. Yes indeedy I like it a lot.
