Software vulnerabilities, including an outdated operating system used by PBS.org, allowed the pirate band of hackers LulzSec to sail deep into the innards of the network’s main website over Memorial Day weekend. The marauders were retaliating for a Frontline documentary about WikiLeaks broadcast five days earlier.
The hackers gave their assault a playful air, invading PBS NewsHour’s site and briefly posting a false report that the late rappers Tupac Shakur and Biggie Smalls were actually hanging out in New Zealand.
Techs at PBS.org and at the NewsHour spent hours regaining control as the cyberattack exposed contact information for hundreds of staffers, stations, producers and press, as well as several internal PBS databases.
Site managers “were playing cat and mouse” with LulzSec, said Travis Daub, NewsHour creative director. “I’d change something, they’d change it right back.”
On June 9, blogging software developer Six Apart cited a “previously undiscovered security flaw in Movable Type 4” as the culprit in the PBS.org attack and posted a mandatory security update. The firm said it is “working closely” with PBS to follow up on the incident.
A LulzSec member using the handle Whirlpool told Forbes that the hackers disliked the May 24 Frontline broadcast “WikiSecrets,” which profiled Bradley Manning, the alleged source of WikiLeaks’ big trove of secret U.S. documents. NewsHour broadcast a Frontline clip and posted a web chat with “WikiSecrets” reporter Martin Smith on the night of the doc’s premiere.
The date of the attack, May 29, marked the one-year anniversary of Manning’s detention.
“While our main goal is to spread entertainment,” Whirlpool told Forbes, “we do greatly wish that Bradley Manning hears about this, and at least smiles.”
David Fanning, Frontline executive producer, was not amused. “We have been very open to publishing criticism of the film, and the film itself included multiple points of view,” he said in a statement. “Rather than engaging in that spirit, [the hackers’ response] is an attempt to chill independent journalism.”
Frontline posted Fanning’s statement May 30. LulzSec promptly replaced it with an obscenity, prompting staffers to take the Frontline site offline and route viewers to the program’s page on PBS Video.
PBS declined to discuss the cyberattack. “Given the ongoing activity of LulzSec and other hackers, we aren’t able to share more specific information about our security configuration or changes since this might provide information that could be used to compromise our site again,” spokesperson Anne Bentley told Current in a statement. “Hackers are constantly trying to breach our servers, as they are with most high-profile organizations.”
What the heck’s a LulzSec?
If some hackers are white hats, who draw attention to security problems, and others are black hats who invade websites to flaunt their power or stuff their pockets, LulzSec hackers seem to be gray hats, poking fun at online weaknesses by poking holes in them. Their website plays the theme music from the 1970s sitcom The Love Boat, and the mute button turns the volume up.
“Lulz” is a variation of LOL (laughing out loud). “Sec” is for security.
The group is new but active. Since it first appeared early in May, it has hit sites for the upcoming TV show X Factor, databases at Fox and an ATM database in Britain. After PBS, it targeted Sony Pictures, Nintendo — even InfraGuard Atlanta, a nonprofit working with the FBI on cybersecurity.
The Forbes interview said four individuals claimed responsibility for the PBS attack. “They were pretty good,” Daub admitted. “If you have an attitude of, oh, it’s just a bunch of kids, you’re just making yourself weaker because you’re underestimating their ability.”
The incident began with a Twitter message from LulzSec on Sunday night, May 29.
“Oh shit, what just happened @PBS?”
Then: “What’s wrong with @PBS, how come all of its servers are rooted? How come their database is seized? Why are passwords cracked? :(”
A torrent of tweets followed, with links to passwords and internal PBS databases, and, “By the way, WikiSecrets sucked.”
Then: “TUPAC IS ALIVE!”
Daub’s phone beeped, alerting him to a sudden spike in the NewsHour’s web traffic. That’s odd, he thought. He called up the site to discover a smiling photo of Shakur, who died after a shooting in Las Vegas in 1996, and a story with the headline: “Tupac Still Alive in New Zealand,” posted at 11:30 p.m.
Daub got to work on repairs. Teresa Gorman, NewsHour’s social media production assistant, was already on damage control. She tweeted to the show’s 142,444 followers: “We’re sorry, that is not a PBS NewsHour story — updates soon ^TG” And at 12:54 a.m., a post on NewsHour’s Facebook: “UPDATE: Our site is currently experiencing difficulties due to outside hacking — please stay with us as we work on it.”
LulzSec posted a cryptic message on PBS.org decorated with its trademark pirate-ship image composed of alphanumeric characters. “Greetings, Internets. We just finished watching WikiSecrets and were less than impressed. We decided to sail our Lulz Boat over to the PBS servers for further . . . peru-sing. . . . Say hello to the insides of the PBS servers, folks. They best watch where they’re sailing next time.”
The hackers didn’t give details of their complaints against Frontline, but the film did paint an embarrassing picture of Manning, the unhappy young soldier accused of leaking federal secrets to WikiLeaks. It also pointed to a possible vulnerability in the defense of WikiLeaks founder Julian Assange: Manning allegedly contacted Assange directly, violating the WikiLeaks founder’s stated practice of keeping leak sources at arm’s length.
Intention: to shame PBS
LulzSec also splashed a how-to guide for hacking PBS.org on Pastebin.com, a programmers’ hangout. “We did not take over the homepage of PBS.org although we could have,” it read. “You know what you call that? Class.”
The message revealed that LulzSec exploited a “zero-day” vulnerability in Movable Type 4. That’s a term for an attack that occurs before the developer realizes there’s a problem, so no patch is available.
The Pastebin post also showed that PBS was running an outdated version of a RedHat Linux operating system, so hackers easily acquired deeper access than would have been possible against an operating system that was fully updated with recent security patches.
Threatpost, Kaspersky Lab’s Security News Service for computer professionals, said that “reuse of administrative passwords by PBS IT staff allowed the hackers to further compromise other parts of the broadcaster’s network.”
“The reason we know all that is because the hackers wanted to publicly shame PBS,” said Chris Wysopal, chief tech officer and co-founder of Veracode, a software security testing firm in Burlington, Mass., with clients including the Federal Aviation Administration and Barclays Bank.
Wysopal said he was “pretty surprised” that PBS hadn’t updated its Linux operating system. “Keeping operating systems up to date on servers connected to the Internet — those are pretty critical machines, and most organizations do that,” he said. PBS declined to answer Current’s specific questions about its operating system.
“What a fun battle!”
On the morning after the attack, Andrew Golis, Frontline senior editor and digital media director, was sleeping late while in-laws babysat his daughter. He awoke to a slew of texts from Raney Aronson-Rath, series senior producer, and Sam Bailey, director of new media and technology. From then on, Golis said, “I spent most of that day on the phone.”
The Frontline site defenders’ priority was keeping the “WikiSecrets” documentary accessible. The site had not yet been hit, but they knew an assault was coming. “We were thinking about security holes and coordinating with PBS,” Golis said.
By midday Monday, Bentley issued a public statement that there had been an “intrusion” to the network’s servers. PBS was notifying “stations and other affected parties to advise them of the situation.”
Frontline posted Fanning’s statement and LulzSec immediately responded, tweeting: “Frontline likes making press statements about PBS being hacked. We like defacing said press statements.” It attached a link to the one-sentence obscenity that it posted where Fanning’s statement had been.
Frontline staffers countered LulzSec’s moves, and the hackers repeatedly slapped them back. “At that point, it was clear we were unable to stop what they were doing,” Golis said, “so we just shut down the site.”
They routed visitors to Frontline content — including “WikiSecrets” — on PBS’s video portal, part of the separate COVE system that remained untouched. “That worked fine,” Golin said, “but that platform excluded a lot of things important to us,” such as hundreds of ongoing comments and the transcript of a web chat including a post by Assange.
NewsHour staffers also needed to get content to their online audience. They moved the program’s home page to Tumblr, publishing transcripts and videos from the May 30 show. One commenter wrote, “Turning lemons into lemonade. Kudos NewsHour!”
The jousting continued, with LulzSec tweeting: “Damn @PBS, you’re quick on your toes. We defaced this just now, they already 403’d it,” referring to an error message on a NewsHour page. “What a fun battle!”
After the tornado
Gradually, the cyber-crisis passed. LulzSec turned its attention to a higher-profile attack against Sony. PBS techs regained control. Pages returned. “WikiSecrets” was safe.
Three days after the attack, NewsHour correspondent Judy Woodruff reflected on the experience. “The last time I felt something like my reaction now was when burglars broke into our home,” she wrote on a NewsHour blog. The show produced a segment on the impact of cyberattacks, telling viewers that 70,000 malicious programs are discovered worldwide every day.
Frontline’s previously defaced statement now safely resides on its site, above comments from web visitors such as, “The idiots who hacked into the PBS computers are either anarchists or hooligans and are too stupid to have actually considered fully the ramifications of what they were doing. They would be worthy of pity if they weren’t so destructive.”
And LulzSec was on to new exploits, telling its Twitter audience June 9: “Thank you for 100,000 followers in just a few weeks; the lulz spree continues onward, blasting holes into the drab Internet battle ship. :D”
While an intern at NPR Labs in 2006, Matt Burrough, a Rochester Institute of Technology student, investigated potential computer system security breaches at NPR. “I ended up with nine pages of concerns,” he says. “I passed them around the office and, eventually, addressing them also became my senior thesis for RIT.”
LulzSec’s site. Click on Releases and scroll down to 30/05/11 for screengrabs of the PBS.org attack.
LulzSec posted a statement June 17 explaining their motives and claiming they have access to far more secret information than they’ve revealed.
“The fact that someone, or a group of people, can, by a few clicks on a keyboard, destroy the work of a national news organization, create headaches, if not havoc, in trying to get things up and running again, is a disturbing development,” writes PBS NewsHour Senior Correspondent Judy Woodruff.
A screengrab of LulzSec’s obscene replacement for Frontline Executive Producer David Fanning’s statement on the attack
The Pastebin post in which LulzSec hackers explain to programmers how they attacked PBS.org.
A June 6 MediaShift column by NewsHour’s Teresa Gorman, its social media production assistant, on coping with an online attack. She writes, “I hope you never find yourself or your organization in a similar situation, especially at midnight on a holiday weekend, but in this era of high-profile hacking, everyone needs a plan in case your site, publishing systems, servers or social media suddenly fall under someone else’s control.” Rule No. 1: Don’t panic.
In a Forbes magazine interview, a LulzSec hacker reveals that he didn’t get the idea for planting a fake news story on the PBS site until halfway through the attack. “I was gonna write about [President] Obama choking to death on a marshmallow, but I figured Tupac [Shakur] would be funnier,” he said, adding that he wrote the article, which claimed the deceased rapper was living in New Zealand, in about 15 minutes.