Malaysia Airlines Defaced - 404 Plane Not Found

wsj.com

47 points by scubasteve 11 years ago · 44 comments

corobo 11 years ago

Bad as the deface is, they're making decent looking takeover pages these days. Not too bad that design

Take away the greetz and the embarrassment and you're halfway to a snazzy landing page

mintplant 11 years ago

> hacked by a group claiming be aligned with the Islamic State extremist group

> hackers claiming to be similarly aligned with the Islamic State extremist group

This is either really dishonest or really stupid reporting. They're not actually aligning themselves with ISIS. They're just trolls trying to be edgy.

  • zerocrates 11 years ago

    I don't see how it's dishonest.

    Whatever their actual alignment and/or edgy-troll status, they still claimed to be aligned with ISIS, just as the article says.

    • potatolicious 11 years ago

      The job of a journalist is to fact-check and separate fact from fiction.

      Which is to say, when the subject of an article claims something, you should probably not print it verbatim without thinking it through at least a little bit, and maybe determine the credibility of what's being said.

      It is not the job of a journalist to regurgitate sources blindly.

      Otherwise... hey journalists, I am literally the second coming of Jesus, you guys should interview me and tell people I'm the Son of God.

      • mryan 11 years ago

        > Otherwise... hey journalists, I am literally the second coming of Jesus, you guys should interview me and tell people I'm the Son of God.

        Right, and in that case the article would probably read "potatolicious, who claims to be the second coming of Jesus..." *

        Their claim of alignment with ISIS is, in itself, a part of the story. They are reporting that the claims have been made, not that the claims are factually correct.

        * This actually happened on British TV: https://www.youtube.com/watch?v=qlSj_imnv7o

      • DanBC 11 years ago

        In your example journalists would say that you claim to be the son of god. They wouldn't say that you are the son of god.

        You seem to be asking journalists to say "he claims to be the son of god (but he isn't, obvs)" which is asking the journalists to provide information they don't have.

        • marvin 11 years ago

          My local newspaper stretched it a bit further by saying that the website was defaced by "sympathizers of IS". Which is doubly funny, because they obviously took the bait.

      • Lazare 11 years ago

        > hacked by a group claiming be aligned with the Islamic State extremist group

        The article claims that the website was hacked by a group claiming to be aligned with the Islamic State.

        > hey journalists, I am literally the second coming of Jesus, you guys should interview me and tell people I'm the Son of God.

        Good journalism would be to report that you are claiming to be Jesus. Which is what happened here; they reported a claim of affiliation, not the affiliation as a fact. It would actually be bad journalism for the reporter to take a position on your divinity (or an unknown group's actual affiliation with IS).

        • _xzu 11 years ago

          Traditionally good journalism includes credibility checks and at least gives some kind of possibility to see uncertain facts in bigger context.

          Just reporting (alarming / scandalous) claims has usually been called tabloid journalism.

      • ryanlol 11 years ago

        How can the journalist reliably evaluate who "Lizard Squad" is aligned with, especially with them repeatedly claiming to support ISIS?

ryanlol 11 years ago

Interestingly enough, despite Malaysia Airlines claiming that this is just a DNS hijack, it appears that their own CDN (Akamai) is now serving the deface page. (The page was being served by Cloudflare before.)

  • JoshTriplett 11 years ago

    Many CDNs work by retrieving the page themselves, caching it, and re-delivering on request. In that case, if the original page changes, the CDN would automatically change too.

    • ryanlol 11 years ago

      Which would imply that their backend was compromised, not just DNS.

      • zkhalique 11 years ago

        The CDN could have simply refreshed its DNS cache, couldn't it? That would mean it loaded the files from somewhere else.

        • ryanlol 11 years ago

          Unless there was something horribly wrong with their setup, akamai would have prevented that from happening.

          • Tiksi 11 years ago

            I'm not sure how they are supposed to prevent this. If you have access to the dns, you can change the record for the origin server that the cdn pulls from. Nothing "horribly wrong" with that.

            • ryanlol 11 years ago

              Akamai makes you set your own DNS server for it to pull records from; the domain getting hijacked should not have any effect on what that DNS server is returning.

              • Tiksi 11 years ago

                I may be missing something, but this:

                >It added that its domain name system was compromised.

                sounds like their DNS server was compromised.

                Also, I've never worked with Akamai, but every cdn I have worked with just follows the ns records and resolves against that, which could be changed with access to the domain/registrar. Does Akamai not do that?

                • ryanlol 11 years ago

                  Their domain's DNS servers were switched to Cloudflare; I'd imagine that's the DNS compromise they're referring to.

                  Not _their_ DNS servers getting compromised.

                  • Tiksi 11 years ago

                    Hmm, I figured it was just the records being pointed to cloudflare, since everything I could find makes it sound like that, but you may be correct that the nameservers were changed, as cloudflare's nameservers look like they have a record for the domain, but are returning different records: http://paste.click/s/qKkejf [0]

                    Which appears to be down now anyways: http://paste.click/s/UlxsWA [1]

                    However I suspect cloudflare's nameservers might just return A records pointing to cloudflare if they don't exist, I'm not sure.

                    Though that still doesn't answer the second part. Would Akamai not use the authoritative nameservers to resolve the origin? Cdn providers I've worked with (Level3, edgecast, Highwinds, and others) just resolve based on the authoritative nameservers, and I'm genuinely curious if Akamai doesn't do that.

                    Edit: forgot that my keybinding throws the js/syntax highlighted url into my clipboard, which is pointless for this, here are the plaintext links to the same thing:

                    [0] http://paste.click/qKkejf

                    [1] http://paste.click/UlxsWA

                    • ryanlol 11 years ago

                      You specify the nameserver for akamai to pull the zone from on the config site. Their "CDN" is quite a bit smarter than what L3 & co. run.

jrockway 11 years ago

"Hey everyone, go visit this website that's probably serving malware!"

  • anon1385 11 years ago

    Google ads regularly serve malware[1], are you going to tell people not to visit Google?

    [1] https://news.ycombinator.com/item?id=8879229

    • tombrossman 11 years ago

      This isn't the best way to describe the problem or solution.

      Users can be advised to install an ad-blocking plugin for their web browser to protect themselves. Since Google serves adverts from domains other than google.com, users can continue to use the google.com domain for search while at the same time blocking the malware coming from ad networks.

  • Daviey 11 years ago

    Are you referring to contents of the linked article or that this is on HN? Need more words.

    Surely, if the second - linking to wsj isn't known to serve malware.

    Further, if you do not have some trust in your browser to go to potentially compromising sites - you need to change browser or stop browsing.

  • scubasteveOP 11 years ago

    ryanlol already mentioned you could have run a curl to check what's being delivered.

    But, you can also use the Web Archive and check every domain yourself within their waterfall chart: http://web.archive.org/web/20150126072317/http://www.malaysi...

    Looks like a bunch of static assets delivered by: fonts.googleapis.com, fonts.gstatic.com, pbs.twimg.com, and www.youtube.com. Looks similar to what I saw post-defacement/pre-fix.

  • ryanlol 11 years ago

    A simple curl reveals that it isn't... And how often are deface pages serving malware anyways?

    IMO it would be much more sensible to serve malware off of a page that _doesn't_ announce it has been hacked.

    • mschuster91 11 years ago

      Not really. A defaced high profile website will draw visitors e.g. from all major news sites, maybe even TV. Combined with a couple of 0days or a browser exploit kit, quite a chance to infiltrate a target.

      And if you're lucky the online reporters also have twitter/fb account info on their PCs. I guess this is how the various compromises of twitter accounts have been done.
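The two checks this thread keeps coming back to (ryanlol's "a simple curl reveals" and scubasteve's "check every domain yourself") can be scripted so they do not depend on the very DNS that was hijacked. The block below is an added example for this page, not code from anyone in the thread or from Malaysia Airlines or Akamai. It fetches a page from a pinned IP with an explicit Host header (the same thing `curl --resolve` does), hashes what each vantage point returns so an edge-vs-origin comparison is unambiguous, and lists every third-party host the markup pulls assets from. The sample HTML is constructed for the example and is not the real deface page; the IP addresses in the usage comment are placeholders, and the pinned fetch assumes plain HTTP (for a TLS host use `curl --resolve`, which also sets SNI correctly).

```python
"""Check what a possibly hijacked site really serves, bypassing DNS.

Added example; not code from the thread. Hosts/IPs are placeholders.
"""
import hashlib
import http.client
from html.parser import HTMLParser
from urllib.parse import urlparse


def fetch_pinned(host: str, ip: str, path: str = "/", timeout: float = 10.0) -> bytes:
    """GET http://host/path from a specific IP, ignoring whatever DNS says.

    Equivalent to `curl --resolve host:80:ip http://host/path`. Plain HTTP only
    (assumption); pin the CDN edge and the origin separately and compare.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "deface-check/1"})
        return conn.getresponse().read()
    finally:
        conn.close()


def body_digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def compare_views(views: dict) -> dict:
    """label -> sha256 of the body fetched from that vantage point."""
    return {label: body_digest(body) for label, body in views.items()}


def views_agree(views: dict) -> bool:
    """True if every vantage point returned byte-identical content.

    Edge and origin agreeing means the CDN is not merely holding a stale copy:
    the origin itself is handing out that content.
    """
    return len(set(compare_views(views).values())) == 1


class _AssetHosts(HTMLParser):
    """Collect the hostname of every src/href/data/poster target in the page."""

    ATTRS = {"src", "href", "data", "poster"}

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in self.ATTRS or not value:
                continue
            value = value.strip()
            if value.startswith(("#", "data:", "javascript:", "mailto:")):
                continue
            # Relative URLs have no hostname and resolve to the page's own host;
            # "//host/..." and absolute URLs carry their own.
            host = (urlparse(value).hostname or self.page_host).lower()
            self.hosts.add(host)


def third_party_hosts(html: str, page_host: str) -> list:
    """Hosts other than the page's own that the markup loads assets from.

    Each one is something the visitor's browser will fetch (and, for scripts,
    execute), so each is a place malware could come from even if the deface
    page itself is static.
    """
    parser = _AssetHosts(page_host)
    parser.feed(html)
    return sorted(h for h in parser.hosts if h != page_host.lower())


# Constructed stand-in for a deface page; NOT the real one from the article.
SAMPLE_DEFACE = b"""<html><head><title>404 - Plane Not Found</title>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img src="https://pbs.twimg.com/media/example.png">
<iframe src="https://www.youtube.com/embed/example"></iframe>
<script src="js/app.js"></script>
<a href="mailto:someone@example.org">mail</a>
</body></html>"""

if __name__ == "__main__":
    print("third-party asset hosts:",
          third_party_hosts(SAMPLE_DEFACE.decode(), "www.malaysiaairlines.com"))
    # Live use, with placeholder IPs (assumed, not the real addresses):
    # edge = fetch_pinned("www.malaysiaairlines.com", "203.0.113.10")
    # origin = fetch_pinned("www.malaysiaairlines.com", "203.0.113.20")
    # print(compare_views({"edge": edge, "origin": origin}), views_agree({"edge": edge, "origin": origin}))
```

Run against real hosts, `views_agree` answers the question argued above (is the CDN caching a hijacked origin, or is the origin itself serving the page), and `third_party_hosts` is the offline equivalent of walking the Web Archive waterfall.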

whizzkid 11 years ago

"The browser window of the website"

It is the first time I am hearing such a definition.

Buge 11 years ago

HSTS could prevent this from working.

  • tyho 11 years ago

    So could attaching decent transponders to their aeroplanes.

    • jrockway 11 years ago

      How much more per flight would you pay for this? Satellites aren't cheap.

      • ryanlol 11 years ago

        At their scale, yeah they are. (Especially considering you wouldn't need new sats)

  • ryanlol 11 years ago

    Not really, the page is being served from MAS's own servers now.

    • Dylan16807 11 years ago

      Not if the other comment by... you... about it being served by an external CDN is correct.

      HSTS could easily stop a CDN from picking up a bad version during a DNS hijack.

      • ryanlol 11 years ago

        MAS's CDN that is. The same CDN they were using before the hack even happened.

        • Dylan16807 11 years ago

          But it being an external CDN means that there is no indication that the actual servers they have control of were tampered with. The possibility that HSTS could have saved the day is just as valid. There is no indication that the CDN got these incorrect files with any kind of encryption or signing.

          • ryanlol 11 years ago

            So CDN just works without having the SSL certs?

            • Dylan16807 11 years ago

              What? A CDN accessed over TLS needs some kind of cert, sure. I don't see how this connects to whether the CDN pulls off the wrong server.

              Obviously if the CDN has cert X then any authentication it may have should use cert Y.

              • ryanlol 11 years ago

                Malaysiaairlines.com is proxied by Akamai CDN, surely Akamai has access to the certificate used for malaysiaairlines.com then.
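To make the HSTS argument in this subthread concrete: the block below is an added example, not code from anyone here, and the hostnames and policies in it are assumed for illustration. It parses a Strict-Transport-Security header the way RFC 6797 section 6.1 requires (malformed or duplicate `max-age` means no policy at all), keeps a per-host store with `includeSubDomains` and expiry, and then models what a browser does when DNS for a known-HSTS host is hijacked to a server that cannot present a valid certificate: the URL is upgraded to https before any request and the certificate error is fatal, so the deface page never renders. The caveats a practitioner should keep in mind are built into the model: it only helps visitors whose browser already holds the policy (or has the site in the preload list), and HSTS is a browser mechanism, so it does nothing for a CDN's own origin fetch, which needs HTTPS origin pull with certificate validation to get the same protection.

```python
"""Model of how HSTS turns a DNS hijack into a blocked page load.

Added example; not code from the thread. Hosts and policies are assumed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    stored_at: float

    def expired(self, now: float) -> bool:
        return now >= self.stored_at + self.max_age


def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None for a malformed header (missing, duplicate or non-numeric
    max-age); a browser then stores nothing, so a site that sends the header
    wrongly gets no protection.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, now)


class HstsStore:
    """The browser's remembered policies, keyed by exact host."""

    def __init__(self):
        self._policies: Dict[str, HstsPolicy] = {}

    def remember(self, host: str, header: str, now: float) -> None:
        policy = parse_hsts(header, now)
        if policy is None:
            return
        if policy.max_age == 0:
            self._policies.pop(host.lower(), None)  # max-age=0 revokes
        else:
            self._policies[host.lower()] = policy

    def is_known(self, host: str, now: float) -> bool:
        """Exact match, or a parent with includeSubDomains, that has not expired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expired(now):
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


@dataclass
class Server:
    """What the host that DNS (hijacked or not) points at can offer."""
    serves_https: bool
    has_valid_cert_for_host: bool  # an attacker with just DNS normally lacks this


def navigate(store: HstsStore, host: str, scheme: str, server: Server, now: float) -> str:
    """Outcome of loading scheme://host when DNS resolves to `server`."""
    if store.is_known(host, now):
        # Known HSTS host: rewritten to https before any request, and a TLS
        # failure is fatal with no click-through interstitial.
        if not (server.serves_https and server.has_valid_cert_for_host):
            return "blocked"
        return "loaded-https"
    if scheme == "http":
        return "loaded-http"  # no policy: the page renders, whoever serves it
    if server.serves_https and server.has_valid_cert_for_host:
        return "loaded-https"
    return "warning-clickthrough"  # interstitial; the user may proceed


if __name__ == "__main__":
    now = 1_000_000.0
    attacker = Server(serves_https=False, has_valid_cert_for_host=False)
    returning = HstsStore()
    returning.remember("www.example.com", "max-age=31536000; includeSubDomains", now)
    print("returning visitor:", navigate(returning, "www.example.com", "http", attacker, now))
    print("first-time visitor:", navigate(HstsStore(), "www.example.com", "http", attacker, now))
```

The two printed outcomes are the whole argument: the returning visitor gets `blocked`, the first-time visitor gets `loaded-http`. Preloading the domain is what closes the first-time gap; serving the header correctly (no typos, no duplicate directives) is what makes the returning case work at all.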
