Slashdot Mirror


Confirmed: CBS News Reporter's Computer Compromised

New submitter RoccamOccam writes "Shortly after the news broke that the Department of Justice had been secretly monitoring the phones and email accounts of Associated Press and Fox News reporters (and the parents of Fox News Correspondent James Rosen), CBS News' Sharyl Attkisson said her computer seemed like it had been compromised. Turns out, it was. 'A cyber security firm hired by CBS News has determined through forensic analysis that Sharyl Attkisson's computer was accessed by an unauthorized, external, unknown party on multiple occasions late in 2012. Evidence suggests this party performed all access remotely using Attkisson's accounts. While no malicious code was found, forensic analysis revealed an intruder had executed commands that appeared to involve search and exfiltration of data.'"


  1. Better security might help by gweihir · · Score: 4, Insightful

    A good example why reporters (and others) need to care about IT security.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Better security might help by masdog · · Score: 4, Insightful

      I'm not sure better security would help in this case. It's not like the government has compromised the major OS vendors/projects. In fact, I think there's no such agency dedicated to that task.

    2. Re:Better security might help by gweihir · · Score: 4, Insightful

      While it is known that MS has given vulnerabilities to the NSA before patching them, it is highly doubtful the same is going on with Linux or the free BSDs. The risk of being discovered would just be too big.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Better security might help by monkeyhybrid · · Score: 3, Interesting

      Please excuse my scepticism. I just googled the topic and it seems there's some evidence they've been doing this along with contributing to PRISM. Very enlightening to say the least!

    4. Re:Better security might help by AxemRed · · Score: 5, Informative
    5. Re:Better security might help by Anonymous Coward · · Score: 3, Interesting

      There's no need to insert vulnerabilities into Linux. The Linux kernel is riddled with vulnerabilities.

      If you've ever wondered to yourself, "how the heck do those Linux developers commit such huge changes between minor versions without introducing bugs", well I have some news for you....

      If you want to run a secure system, try OpenBSD or NetBSD. Development occurs at a slower, more conservative pace, particularly with OpenBSD. And there are virtually none of the "dump and run" feature submissions that are so common with Linux.

      The application and server software you run should be developed similarly--slow and conservative, with a large number of the developers having a good comprehension of all or most of the subsystems, so that they can readily critique changes instead of deferring to the single guy who, alone, understands that subsystem.

      Remember, it's all about the eyeballs. But not all eyeballs are created equally, and not all projects make the most efficient use of the eyeballs available to them. Linux long ago passed the point where bugs were spotted and quashed efficiently.

    6. Re:Better security might help by erroneus · · Score: 2

      You don't need "malware" when you've got Windows.

    7. Re:Better security might help by gweihir · · Score: 3, Insightful

      When you are talking about local exploits, maybe. But this is about remote exploits. When you have compromised a user account, you do not need privilege escalation to spy on them, you just need to get in as said user. That limits the scope of what needs to be looked at rather dramatically.

      Also, for security critical operation, a vanilla Linux is not a good idea. Use AppArmor or SELinux with custom, restrictive configurations. (Yes, I know that SELinux is from the NSA, but the risk of putting in back-doors is just too big.) Running a server is different. There, the largest risk is from the server software. Things like OpenSSH and Postfix are very secure, Apache2 without modules less so and Apache2 with modules can be a real nightmare, depending on the modules.

      I do agree on the development model though. But you need to take into account that most of the fast development in Linux is the drivers. The rest is done a lot more carefully and with significantly more review.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Better security might help by meta-monkey · · Score: 2

      But who eyeballs the eyeballs?

      --
      We don't have a state-run media we have a media-run state.
    9. Re:Better security might help by Clsid · · Score: 4, Informative

      SELinux is not provided by the NSA anymore. It has been incorporated into the kernel and all you have to do is enable stuff that you want to use now. The code has been reviewed and the NSA was not the only entity involved, so I would not worry about that too much.

    10. Re:Better security might help by Anonymous Coward · · Score: 4, Interesting

      It isn't the operating systems. Too many people pay attention to them. The secret code is in the compilers (where all the NSA fake employees work). It works this way: the compiler itself was compiled by the NSA to add secret code to the compiler source. This way, even if you are compiling from the clean and open source files, you will still get the NSA features. And when the OS is compiled, the NSA features are also added. For all 'hard-copy' operating systems, additional effort is made to ensure that the final copy is compromised. For open source or downloadable operating systems, the NSA runs a program where they swap out bytes at the ISP level while retaining the checksums. I've heard that this program is code named LEYTUNNEL.

      Posted via Tor to protect myself and my source

    11. Re:Better security might help by __aaltlg1547 · · Score: 2

      What do you mean being discovered? Of course the NSA and every other security agency in the world wants early access to zero day information. And the NSA has the budget to pay for them. If you think ordinary citizens and businesses are under attack from the NSA, imagine how much effort is bent on extracting the gigatonnes of Top Secret information such an agency has on file. I'm not saying the NSA is above using the information for nefarious purposes. They are, after all, a spy agency. But they also have a counter-espionage side and those guys are very busy trying to keep their information systems secure against every other spy agency in the world.

    12. Re:Better security might help by elashish14 · · Score: 2

      Funny. So remember everyone - if you find a critical bug in Windows, do what this guy did. Disclosing it confidentially to Microsoft instead would be highly irresponsible.

      --
      I have left slashdot and am now on Soylent News. FUCK YOU DICE.
    13. Re:Better security might help by gweihir · · Score: 2

      Very stupid, obviously. SELinux has been intensively scrutinized by others. Remember that it is FOSS, anybody can look. Any hacker finding a planted vulnerability in SELinux would have made a name for life.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:Better security might help by gweihir · · Score: 2

      Sorry, but sendmail has been known to be insecure and likely unfixable for decades. The architecture just sucks and cannot really be secured. Nobody that wants security cares about it anymore, they just use Postfix instead. Same is true for bind. One vulnerability after the other. A bloated monster with cryptic configuration, even after the redesign.

      Finding bugs is one thing. If the architecture and design is unsound (overly convoluted, complicated and cryptic), no amount of finding of bugs is going to fix that. But for sendmail this is well-known to anybody who cares. There is a reason most distros use a different default MTA.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:Better security might help by mcgrew · · Score: 2

      It seems to me that when Microsoft's involved, "responsible disclosure" guidelines should be adjusted to immediate public release, as long as MS is feeding exploits to hackers before fixing them.

      It seems to me that ALL vulnerabilities should be disclosed immediately. Vuln in FireFox? No problem, use IE or Opera. Vuln in PDF? Uninstall it until it's fixed or use a different reader or writer. It's not like there's only one OS, spreadsheet, browser, image editor, etc.

      It seems to me that when a white hat finds a vuln there's probably a 50% chance a black hat found it first, but he's not going to disclose it at all, he'll keep it under his hat and use the hell out of it until a white hat discloses it.

      Fuck the company that wrote the software, tell ME, the user, so I can stop using the vulnerable software until it's fixed.

    16. Re:Better security might help by s.petry · · Score: 2

      Interesting sci/fi, but how much is true? Personally I can only speak of common things I have used like RHEL and GNU compilers provided by Redhat. If what you said was true, I should be able to see things in a stack. The compiler would have to embed network objects into code it detects as network code. That would take some massive work, and be easily visible in the gcc/g++ source code.

      Potentially an issue, but I think it's pretty far away from the "likely" category. In closed source, of course this could be built in much easier. I still find it unlikely that compilers are tampered with in this manner. Dumping system calls and stack traces you would be able to see the hidden functions and variables. Colluding with every vendor and sabotaging OpenSource in a way to make this feasible (kernel hiding system calls and variables) would be nearly impossible.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    17. Re:Better security might help by onyxruby · · Score: 2

      I can't argue your point about the need to care about security and raising awareness. However the idea that locking down your box could stop the government is naive. If they can convince a judge they can get a warrant. With a warrant you simply enter the residence and install something like a hardware keylogger (that's a commercial one, they come much smaller) or a pinhole camera.

      Your TrueCrypt secured hard drive hosting your locked down Operating System behind the firewall of doom that only ever connects to the outside world through a VPN and random proxies means jack when a keyboard logger records your keystrokes or the camera watches you put them in. You can't secure against a warrant and direct physical access in that type of situation. The only thing that you can do is to focus on having a tamper evident system that alerts you.

      Resources would be better spent on shoring up Tripwire-like tools for everyday users so that they can know they have been compromised in the first place. There are open source versions of Tripwire and I would encourage anyone concerned about these types of issues to work on maturing what is there and bringing it to the masses in a form that the everyday person can effectively use.

    18. Re:Better security might help by gweihir · · Score: 2

      And there is the other thing: The NSA does not only spy on people, they also help securing people against others spying on them. Now, theoretically it is possible to secure a planted backdoor cryptographically so that nobody else can use it. That is however highly obvious in the code. If, on the other hand, they had a backdoor not secured in this fashion in SELinux, the risk of, say, the Chinese finding it would far outweigh any advantage of having access via this backdoor themselves. This is not the first time they make things more secure. For example, the first DES candidate had a vulnerability that the academic community only found far later. They fixed it and made DES a lot stronger. AFAIK there still is no known fundamental vulnerability in DES. Its key is just too short for today.

      I happen to know a few people that did semi-academic project work for them. Not all the NSA does is bad. It is just an utterly moral-less bureaucracy, and that means the question of ethics does not arise. They will just as happily fix vulnerabilities and make secure designs, as they will do the opposite. And they are far less capable than people commonly assume. They try to do many things with overkill.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Oddly specific denial by hawguy · · Score: 5, Interesting

    Why is the justice department denial so specific:

    To our knowledge, the Justice Department has never compromised Ms. Attkisson’s computers, or otherwise sought any information from or concerning any telephone, computer, or other media device she may own or use.

    It sounds like a carefully worded statement that leaves open the possibility that they planted an old fashioned bug to listen to her in her home, or a GPS tracker on her car, or secretly searched her house, or one of the other many ways they can secretly keep someone under surveillance.

    Why not a simple "We have never had Ms Attkisson under any surveillance or covertly obtained any information about her"?

    Besides, if she used a Verizon Business cell phone, or if the same cell phone meta-data order that was leaked to the press was given to all of the carriers, then the government *did* seek information concerning telephones used by her.

    1. Re:Oddly specific denial by larry+bagina · · Score: 5, Insightful

      When you have an Attorney General who will, under oath in front of Congress, commit perjury, why are any of their other statements considered credible?

      Not posting anonymously because the DOJ and NSA are tracking us either way.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:Oddly specific denial by Nutria · · Score: 2

      It sounds like a carefully worded statement that leaves open the possibility ...

      because, as Brett Buck mentioned, it might not have been the DOJ, OR it might have been the DOJ and the people who did it conveniently forgot to pass the information up the chain.

      Plausible deniability, doncha know.

      --
      "I don't know, therefore Aliens" Wafflebox1
    3. Re:Oddly specific denial by ShanghaiBill · · Score: 4, Insightful

      well that would explain why they say that Justice Department hasn't done it.

      That is NOT what they said. Read the quote carefully. It simply says that the speaker has no knowledge of the justice dept doing it, not that they didn't do it. This is a classic example of a bureaucratic waffle. It sounds like they are actually saying something meaningful, but if you parse the sentence, it is basically vacuous.

    4. Re:Oddly specific denial by hawguy · · Score: 2

      Why is the justice department denial so specific:

      Because they're refuting a specific accusal?

      Seriously, what kind of logic is this? The justice department didn't say that they didn't try to poison her! They must have!

      I think it's more like if she was found poisoned, and the Justice department said "I have no knowledge the DoJ had any involvement with poisoning her food or by poisoning her with toxic gas. We have no comment on whether or not we poisoned her with an injection toxin or through a contact poison".

    5. Re:Oddly specific denial by amiga3D · · Score: 2

      But he's telling the truth this time. Honest.

  3. tsk tsk.... by arcite · · Score: 4, Funny

    Looks like someone didn't renew their Norton Anti-Virus subscription. They warned you!

  4. Welcome to the Botnet by checkitout · · Score: 5, Insightful

    Occam's razor would suggest that she got pwned by a drive-by exploit on some site she visits. In the same way anyone else might. She just happened to be of some level of importance.

    1. Re:Welcome to the Botnet by gl4ss · · Score: 3, Informative

      Occam's razor would suggest that she got pwned by a drive-by exploit on some site she visits. In the same way anyone else might. She just happened to be of some level of importance.

      but it was an attack by someone who knew the user/pass. like, from her mail or whatever..

      --
      world was created 5 seconds before this post as it is.
    2. Re:Welcome to the Botnet by Mista2 · · Score: 2, Insightful

      Drive-by hacking, probably not as it doesn't look like they were after money, or extortion, or attempting ransomware installation. In fact, because it attempted to be stealth, it's not even an attack for fun, as most vandals like to let you know you got pwnd.
      It might not be internal domestic spying thug, could be from the UK (The Guardian likes to tap phones and listen to voicemails too) or China - (too many examples to list).

    3. Re: Welcome to the Botnet by Anonymous Coward · · Score: 3, Interesting

      Total coincidence that she was the only non-Fox reporter looking into Fast & Furious gun running scandal, and this happened right around when that was heating up.

      Obama's people wanted to know if they'd been caught.

    4. Re:Welcome to the Botnet by Anonymous Coward · · Score: 2, Informative

      >The Guardian likes to [...] listen to voicemails too
      Are you mixing up the News of the World and The Guardian?
      That's a pretty big mistake to make.

  5. Re:Yawn... by Anonymous Coward · · Score: 3, Insightful

    Leave an ambassador to die, no one bats an eye.

    Spy on some reporters, everyone loses their minds....

    Yawn....

    The Slashdot audience is either retarded or full of partisan idiots.

    The quoted comment is quite relevant to the level of attention the media and the public pay to seriously important failings based on party politics of the government and of course is modded down.

    While this fluff nonsense gets modded up.

    Maybe they just wanted hot pics of her (Score:2)
    by Spy Handler (822350) on Friday June 14, 2013 @07:19PM (#44012213) Homepage Journal

    She's a nice looking lady... sure she's like 50 now, but around the year 2000 I was unemployed and watching late night TV, and she used to be a regular on CBS late late night news (like past midnight). I remember thinking hey she's really cute.

    I'm sick of it, and reading the comments is a waste of time here. All you libtards can congratulate yourselves on your partisanship and continue doing so as America becomes a banana republic.

    And while you are at it, quit thinking of yourselves as the technical elite, you're not, you're more like kiddie Hax0rs competing for attention by being idiot smartasses.

  6. What data? by dadelbunts · · Score: 5, Interesting

    I love how they fail to mention what data was searched. I'm sure that would provide a lot of information as to who was doing the searching.

    1. Re:What data? by __aaltlg1547 · · Score: 2

      Perhaps they just copied everything in her user profile. If I were going to hack somebody's computer, that's what I'd do. Grab it all while you can and sift it later for whatever you're looking for. You never know when she's going to change her password and you lose access.

  7. Security begins with Linux by seyfarth · · Score: 2

    I would not trust a commercial operating system to not be loaded with back doors accessible to the NSA. That's not even considering the history of Windows vulnerabilities. If I were in charge of IT for a foreign government, a news agency, a military or any business I would start by banning the use of Windows. With Linux it should be possible to have a computer which can search the Internet and prepare reports with no open ports for external attack. That should be the first step. Following that there needs to be training in human factors vulnerabilities. A computer for work should be a tool, not a toy, and user preference should not be the highest priority. Security should be first. Linux is clearly good enough for business purposes. I can see a value in Windows for gamers, but not for work computers. OS X is less vulnerable than Windows, but can you really be sure that the NSA can't access all OS X systems?

    I would expect that hackers might also discover back doors. They would certainly study the instructions in the OS to try to find the holes.

    Now I have been assuming that the computer was not running Linux. Perhaps it was. It is possible to screw up with Linux systems.

    Fortunately for me, no one wants me to run their IT operation. It would be so painful trying to educate the users.

    Maybe I'm a little too paranoid. Luckily not much is at risk on my home computers. I would not wish to do anything interesting to the NSA.

    --
    Ray Seyfarth, ray.seyfarth@gmail.com, http://rayseyfarth.blogspot.com
    1. Re:Security begins with Linux by DaHat · · Score: 3, Insightful

      With Linux it should be possible to have a computer which can search the Internet and prepare reports with no open ports for external attack.

      So you are going to read code line by line to determine that no such exploits exist?

      Anytime you run ANYTHING that you did not build AND control yourself... you run that risk... the best we can do is hope we can trust who we get our OS, router or tank from... and perhaps audit them from time to time (if we have that power) to try to make sure.

    2. Re:Security begins with Linux by drinkypoo · · Score: 2

      So you are going to read code line by line to determine that no such exploits exist?

      It's probably enough just to run an operating system by and for paranoiacs, e.g. OpenBSD. If you really think someone is out to get you, at least take some precautions.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Security begins with Linux by __aaltlg1547 · · Score: 2

      A computer for work should be a tool, not a toy, and user preference should not be the highest priority. Security should be first.

      For most businesses, first is maintainability via tools that your IT staff knows how to use, then user preference, then productivity, then security.

      For businesses with well-run IT departments, it's either productivity, security, maintainability, preference or security, productivity, maintainability, preference.

      The latter schemes are both valid, depending on what your business's security needs are.

  8. Re:Yawn... by gmuslera · · Score: 4, Insightful

    Spy on basically everyone on the planet, no one bats an eye. Spy on a public person, everything is crazy now.

  9. Re:Yawn... by cold+fjord · · Score: 4, Informative

    The best thing to do if you want to change people's minds is to find facts and present them reasonably, politely, logically, in a factual manner, and possibly with a reference link. Flames and insults seldom change people's minds, and rarely snark, but facts sometimes do. Note that I wrote "sometimes." And it is often a long process. Being in the minority on Slashdot often means having to ignore insult, bad moderation, harassment, trolls, the occasional doppelganger trying to discredit you, silly arguments against you being highly moderated while you get mod bombed, the occasional death threat or wish for your injury, and all manner of other nonsense. And you have to live with the fact that vehement statements that are uninformed, silly, completely wrong, and often inflammatory, will be highly moderated as long as they are from the proper politically correct perspective. There are people from all around the world that post here with all manner of ideas, including: liberals, socialists, progressives, libertarians, conservatives, communists, Nazis, Islamists, Christians, atheists, the occasional Jedi, programmers, sys admins, engineers, doctors, lawyers, soldiers, students, mathematicians, physicists, and I'm going to stop because the full list is so long, seemingly unbounded. It can be frustrating, but try to be salt, if you care to.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  10. Re:Yawn... by ShooterNeo · · Score: 4, Interesting

    Think back to the 1960s. Many of the complaints the "radicals" had were in fact legitimate. The Vietnam war was poorly managed and ultimately a colossal waste of lives and resources. Agent Orange really was a horrible toxin, causing permanent injuries. Drafting people to send them to a pointless war really was an evil act (and the draft dodgers were making a decision that in retrospect was a smart one)

    Marijuana really was a drug with low potential for harm, black people really were being oppressed, and nudism and free love must have been pretty fun.

    The point is, what did mainstream culture have to say then? What did all those protests do to affect the decisions made by The Man? Fuck-all, that's what. Doesn't seem any different now.

  11. Hold it... by Rick+Zeman · · Score: 2

    ...why say DOJ? It could be the Chinese.

  12. Re:Yawn... by tripleevenfall · · Score: 3, Insightful

    I think /. is showing it's biased, but it's mostly biased on things other than tech issues. On tech issues like online privacy, everyone has the same opinion here.

    On something like Benghazi or Guantanamo Bay or (whatever), for most people it's ok when their guy does it, not ok when the other guy does it.

    We will all be a lot better off if this president's (remaining) defenders admit they were sold a bill of goods.

    (from a 3rd party voter)

  13. Re:Yawn... by lxs · · Score: 2

    If you think anybody whose name isn't Dupont or Gates will be able to do jack shit about any of this you REALLY haven't been paying attention

    Congratulations! You haven't even tried and you have lost. In the former Eastern Bloc there was a phenomenon called the inner policeman. The citizens had the rules of the state drummed in them so solidly that it didn't occur to the majority to rise up. Any rebellious thoughts were quashed by their own minds. Your defeatism is just as effective.