
Anatomy of a state-sponsored phishing attack: how the Syrian Electronic Army hacked The Onion

As I blogged earlier this week, the Syrian Electronic Army hacked The Onion's Twitter account and used it to post a bunch of dumb messages attacking Israel, the US, and the UN. Now, the Onion's IT administrators have posted a detailed account of how Syrian hackers used a series of staged and careful phishing attacks to escalate from a single naive user's email credentials to the password for the Onion's social media accounts.

Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.

After discovering that at least one account had been compromised, we sent a company-wide email to change email passwords immediately. The attacker used their access to a different, undiscovered compromised account to send a duplicate email which included a link to the phishing page disguised as a password-reset link. This dupe email was not sent to any member of the tech or IT teams, so it went undetected. This third and final phishing attack compromised at least 2 more accounts. One of these accounts was used to continue owning our Twitter account.

At this point the editorial staff began publishing articles inspired by the attack. The second article, Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels, angered the attacker who then began posting editorial emails on their Twitter account. Once we discovered this, we decided that we could not know for sure which accounts had been compromised and forced a password reset on every staff member’s Google Apps account.

I'm impressed by the cleverness of triggering a "password reset" message from the IT team, then sending out fake password-reset messages to users who aren't on the IT team to get them to click on yet another link. Most of the recommendations the IT team makes are pretty bland ("educate your users"), but these two recommendations are good:


Onion gets hacked by Syrian propagandists, responds with funny article


The Onion got hacked by the Syrian Electronic Army, who proceeded to send out a bunch of tweets that could easily have been mistaken for genuine Onion tweets parodying the sort of thing Syrian propagandists would post if they hacked the Onion's Twitter (see after the jump for the full list). But no, they actually did get hacked.

The Onion responded by putting up a post called Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels, which matches the Assadists' bluster and is much funnier:

DAMASCUS, SYRIA—After hacking into The Onion’s Twitter account earlier today, members of the Syrian Electronic Army confirmed that the organization simply wanted to have a little fun before soon dying at the hands of rebel forces. “We figured that before they bust in here and execute every single one of us, we might as well have a good time and post some silly tweets about Israel from a major media outlet’s feed,” said a spokesperson from the pro-Assad group, adding that he and his cohorts “had a few good laughs” and are now fully prepared for their painful and undoubtedly horrific deaths in the coming days. “I mean, we definitely don’t have much time left, so we thought, hey, let’s just enjoy ourselves before getting blown away by rockets, decapitated, beaten to death, or hung during public executions. Why not, right?” At press time, violent screams and pleas for mercy were reportedly overheard as rebel troops broke into the Syrian Electronic Army’s hideout.


Twitter and information anxiety

"Sometimes at night I reach over and pluck my phone from my nightstand, press a little blue icon, and suddenly the whole world is in bed with me, talking," writes Mat Honan. "This is deeply unhealthy, of course, for my sleep patterns, my mental well-being, my marriage." Rob

What walled gardens do to the health of the Web, and what to do about it

David Weinberger took great notes from what sounds like a barn-burner of a talk by Anil Dash at Harvard's Berkman Center on what has happened to the net, and where it's headed:

“We have a lot of software that forbids journalism.” He refers to the iOS [iPhone operating system] Terms of Service for app developers that includes text that says, literally: “If you want to criticize a religion, write a book.” You can distribute that book through the Apple bookstore, but Apple doesn’t want you writing apps that criticize religion. Apple enforces an anti-journalism rule, banning an app that shows where drone strikes have been.

Less visibly, the law is being bent “to make our controlling our data illegal.” All the social networks operate as common carriers — neutral substrates — except when it comes to monetizing. The boundaries are unclear: I can sing “Happy Birthday” to a child at home, and I can do it over FaceTime, but I can’t put it up at YouTube [because of copyright]. It’s very open-ended and difficult to figure. “Now we have the industry that creates the social network implicitly interested in getting involved in how IP laws evolve.” When the Google home page encourages visitors to call their senators against SOPA/PIPA, we have what those of us against Citizens United oppose: now we’re asking a big company to encourage people to act politically in a particular way. At the same time, we’re letting these companies capture our words and works and put them under IP law.

A decade ago, metadata was all the rage among the geeks. You could tag, geo-tag, or machine-tag Flickr photos. Flickr is from the old community. That’s why you can still do Creative Commons searches at Flickr. But you can’t on Instagram. They don’t care about metadata. From an end-user point of view, RSS is out of favor. The new companies are not investing in creating metadata to make their work discoverable and shareable.

[berkman] Anil Dash on “The Web We Lost” (via Beyond the Beyond)

Embarrassingly obvious undercover cops take to Twitter looking for house shows


Internet-savvy indie musicians organize "house shows," which are pretty much what they sound like: a fan lets the band use her or his house for a performance, and other fans come by and hear it. The shows aren't legal, but they're pretty fun*.

Boston cops have taken to Twitter, posing as punk kids, trying to get bands to tip off the location of their house shows. As Slate's Luke O'Neil points out, though, they're really bad at it, totally tone-deaf. It's created something of an Internet sport of "spot the undercover," which is almost as much fun as the house parties.

“Too bad you were not here this weekend,” “Joe Sly” wrote. “Patty's day is a mad house I am still pissing green beer. The cops do break balls something wicked here. What's the address for Saturday Night, love DIY concerts.” He might as well have written “Just got an 8 ball of beer and I’m ready to party.”

Is it possible that Joe Sly is a real Boston punk? Sure, though if so he’s the first Boston punk in history to brag about drinking lame St. Patrick’s Day green beer. As one of the many amused music fans who scoffed at the screencap as it was shared around on Tumblr pointed out, “he/she said concerts ... concerts.” Anyone who's ever been to a concert like this knows that it's not called a concert. It’s a show.

The Massachusetts band Do No Harm also tweeted about receiving an email from Joe this month. “whats the 411 for the show saturday?” he asked, apparently using some sort of slang-filter translator from the turn of the century.

Of course, there may be really good undercovers trolling Twitter for house parties that we don't know about because of their perfect ninja stealth. If only disproving a negative was possible!

Boston Punk Zombies Are Watching You! [Slate/Luke O'Neil]


* Though I have some sympathy with neighbors who don't like the late night noise -- when an illegal, unlicensed hotel moved in next door to me and started drilling into my bedroom wall all night, and jackhammering against the wall for 8 hours straight on Christmas, it made me totally bananas.

Congressman boasts on Twitter about the money he got to support CISPA, then thinks better of it


CISPA is a bill before Congress that will radically increase the ease with which the government and police can spy on people without any particular suspicion. It is being rammed through by people like Rep. Mike Rogers (R-MI), who received a small fortune in funding from the companies that stand to get rich building the surveillance tech CISPA will make possible.

What's more, Rogers admits it, and even tweets about it! Nicko Margolies from the Sunlight Foundation writes,

Rep. Mike Rogers (R-MI), a co-sponsor and major supporter of the controversial Cyber Intelligence Sharing and Protection Act (CISPA), deleted a retweet of an analysis of contributions to lawmakers from pro-CISPA companies. MapLight looked at the powerful House Intelligence Committee, where Rep. Rogers serves as Chairman, and followed campaign contributions to the members who are currently considering the bill that would allow companies to share more information on Internet traffic and users with the U.S. government.

Rep. Rogers, or possibly a member of his staff, retweeted the story that identified that members of the House Intelligence Committee "have received, on average, 15 times more money in campaign contributions from pro-CISPA organizations than from anti-CISPA organizations." He retweeted MapLight's tweet of this information from his iPhone and after 23 minutes thought better of it and removed it. Fortunately the Sunlight Foundation's Politwoops project caught it and archived this change of message and of heart. According to the MapLight piece, Rep. Rogers received $214,750 from interest groups that support CISPA.

The EFF has more info on CISPA, and ways you can help kill it.

Pro-CISPA Lawmaker Deletes Retweet about Money Received from Pro-CISPA Groups (Thanks, Nicko!)

The tweets you should follow in a crisis aren't necessarily the most obvious

Some interesting research based on the Arab Spring uprisings suggests that the best people to follow on Twitter during a crisis are often not particularly influential on Twitter outside the crisis. Likewise, they aren't likely to have had many followers before the event. Essentially, it's evidence supporting the common sense idea that, if you want the most accurate and relevant information, your best bet is to find people closest to the source, rather than relying on third-hand accounts. Maggie

Boxer announces he's coming over to his Twitter-troll's house "for a beer"

A Twitter troll called @jimmyob88 sent a series of vile, taunting messages to professional boxer @woodhousecurtis, calling him lots of rotten names. Woodhouse tweeted back that he'd found out the Internet Tough Guy's home address and was headed over to his house "for a brew." After a series of "I'm getting closer" tweets, the troll had a change of heart and tweeted, "Didnt think you would be bothered thought you would take them as a joke" and "i am in the wrong i accept that." Apparently, it ended there. (via Techdirt) Cory

Numbers stations on Twitter and other spook-y tweets

Ken Layne takes us on a tour of weird, possibly espionage-related Twitter accounts, from a "numbers station" that has tweeted 318,000 hexadecimal numbers since 2009 (possibly from Khabarovsk), to a "joke" CIA account that seems to have a lot of inside dope, to a massive cluster of accounts that tweet nothing but "Iowa City schools ask state for an audit," over and over again.

Here are some of the 38 followers of an inscrutable account called @googuns_staging—many of these are obvious fraudulent accounts with randomly generated profiles such as, "I like Jonathan Richman/The Modern Lovers to listen and Lord of the Rings: The Return of the King, The to watch. I'm brave and chivalrous." Well, of course you are!

GooGuns posts nothing but strings of letters and numbers, like b39e65fa00000000 in intervals of about five minutes on average. The string of characters always ends with zeroes, occasionally with the location service turned on, so you can see that 554705fa00000000 was allegedly tweeted from the "Region of Khabarovsk." This has been going on all day and all night, for years, with more than 318,000 tweets posted since 2009. But why?

There is an iOS game called GooGun with its own website and a dubious iTunes graphic with the words "No Longer Available" over it. "Space robots are attacking," says the promotional video showing game play on this game that is not available to play.

The Real Weird Twitter Is Espionage Twitter [Ken Layne/The Awl] (via Wil Wheaton)

U.S. Senator quits writing interesting tweets

U.S. Senator and septuagenarian Chuck Grassley (R-Iowa) was a much-loved presence on Twitter, thanks to offbeat musings left refreshingly unpasteurized by PR hacks, political whips and the responses of haters. They eventually got to him, unfortunately, and he hasn't posted anything interesting in weeks. Buzzfeed's John Stanton interviewed him and found him sadly on-message: "I try to be more policy-oriented now than I used to be, not every little personal thing." Rob

How many tweets are possible?

Randall Munroe's latest "What If?" explores the total number of possible English-language tweets:

Based on the rates of correct guesses—and rigorous mathematical analysis—Shannon determined that the information content of typical written English was around 1.0 to 1.2 bits per letter. This means that a good compression algorithm should be able to compress ASCII English text—which is eight bits per letter—to about 1/8th of its original size. Indeed, if you use a good file compressor on a .txt ebook, that’s about what you’ll find.

If a piece of text contains n bits of information, in a sense it means that there are 2^n different messages it can convey. There’s a bit of mathematical juggling here (involving, among other things, the length of the message and the concept of unicity distance), but the bottom line is that it suggests there are on the order of about 2^(140×1.1) ≈ 2×10^46 meaningfully different English tweets, rather than 10^200 or 10^800.

Now, how long would it take the world to read them all out?

Reading 2×10^46 tweets would take a person nearly 10^47 seconds. It’s such a staggeringly large number of tweets that it hardly matters whether it’s one person reading or a billion—they won’t be able to make a meaningful dent in the list in the lifetime of the Earth.


Crazy copyright bot threatens those who tweet tiny poem

This has to be some kind of brilliant hoax: a Twitter 'attribution troll' is showering threats on anyone who tweets a popular one-line poem.


Twitter suspends account of Somali Islamist militants linked to Al-Qaeda

Two days after a group of Somali Islamist militants vowed to execute Kenyan hostages, and tweeted a video of a captive pleading for the Kenyan government to help free them, the Al-Shabaab Twitter account @HSMPress was suspended. A Google cache is visible here. Warning: includes gruesome photos. The group took a French intelligence officer hostage, then apparently murdered him after an unsuccessful attempted raid by the French military (which the US assisted). An @HSMPress press release about that killing is available on Twitlonger.

The Harakat Al-Shabaab Al Mujahideen Twitter account has been around since 2011, promoting the group's vision of strict sharia law in Somalia, 140 characters at a time. The US State Department was reportedly looking into shutting it down ages ago. Wonder what took them so long?

For its part, Al Shabaab blames its "Christian enemies" for suspending its Twitter account. And they do sound rather miffed about being blocked on the popular social networking platform.


The Tweets of Rupert Murdoch, as letterpress greeting cards

Artist Michelle Vaughan's “100 Tweets” is a hand typeset letterpress project printed at The Arm in Williamsburg, Brooklyn.


The Fickle Fame of Twitter

After Twitter added me to its “suggested user” list, my follow count skyrocketed from a thousand to a million in a few months. But artificial popularity turned a conversation into a stand-up show, I lost my voice, and it took me a long time to find it again.

