NBC News seems to think that "regular" users visiting the Sochi Winter Olympics go out of their way to ignore software updates, disregard security patches, and actively engage in unsafe online behavior. Some users may be slower to patch or to let software update, but to avoid updates altogether they would first have had to actively change the default settings, since Windows and most common software automatically downloads and installs updates. If a user has done that, the attacks could succeed anywhere, not just in Sochi. Does that describe a "regular" user?
"The U.S. State Department has told Americans coming to Sochi that they should have 'no expectation of privacy,' even in their hotel rooms," began a story in which NBC News chief foreign correspondent Richard Engel showed how visitors to the Sochi Winter Olympics would be "hacked within minutes" of arriving at Sochi. Errata Security's Robert Graham called the NBC story "100% fraudulent." In fact, the video segment was so highly criticized by security experts that NBC issued a statement to defend it.
Trend Micro's senior threat researcher Kyle Wilhoit, who was the security expert assisting NBC News, explained technical details edited out of the video and also released a white paper about the "honeypot environment and three devices used in the experiment."
"First, all the attacks required some kind of user interaction. Whether to execute 'applications' or to open a Microsoft Word document, all the attacks shown required user interaction in order to compromise the device," Wilhoit explained on the Trend Micro blog. "Second, these attacks could happen anywhere. ...Third, the infections occurred on newly unboxed hardware. Had basic security precautions such as updating the operating system or not opening emails from unrecognized sources been done, these attacks could have been prevented."
Wilhoit's white paper, From Russia with Love: Behind the Trend Micro-NBC News Honeypots [pdf], gives technical details of setting up the honeypot and Engel's fake information, and of the three brand new devices Engel used for the story. "NBC News wanted the experiment to be performed on new gadgets with no security or software updates." Although NBC News thinks "regular" users would take no basic precautions like security or software updates, it did allow lifestyle and productivity apps to be installed, such as the most recent versions of Flash and Java, Adobe, and an older version of Microsoft Office.
Perhaps it's gotten to the point where I don't know any "regular" users, who would actively go out of their way to avoid security. But because NBC News spun the story to scare the snot out of Sochi visitors, I think it's important to look at the facts presented by Wilhoit in the white paper.
Samsung Galaxy S4
After unboxing a Samsung Galaxy S4, they left all security settings in the default state, plugged in a SIM card from a Russian cellular service provider, visited a Russian coffee shop, connected to open Wi-Fi and surfed to a Sochi-Olympic-themed site. The NBC video report claimed malicious software hijacked Engel's phone before the coffee arrived, making it appear as if malicious magical fairies installed malware on the phone. But Wilhoit gave tech details edited out of the video.
First there was a redirect from the Sochi-themed site, which "prompted a download that seemed to have relevant travel information." The user interaction came when Engel clicked "accept" to install the downloaded malware. The white paper explained that the "malicious app appears to be part of the SMSSEND malware family, which has infected more than 200,000 Android phones to date." The malware allows "an attacker to read the emails on it, gain access to external media connected to it, collect contact data stored in it, record calls made on it, and perform several other tasks."
Lenovo ThinkPad
Windows 7 was installed on the brand new Lenovo ThinkPad "because it is the most used Microsoft OS worldwide. This is what a standard user would likely do. We kept all of the default security settings as well." Additionally, Microsoft Office 2007 was installed "because of its perceived user base." About 30 hours later, Engel received a spear-phishing email. Wilhoit believes Engel's "email address appears to have been obtained from the compromised Samsung Galaxy S4 smartphone." Again, the device was only compromised after user interaction: after clicking the embedded link in the email and downloading "a Microsoft Word document named Olympics.doc."
Within a minute of opening the document, a "piece of malware opened a back door" and "allowed the attacker to gain access to the infected machine. He can even perform several malicious tasks such as stealing banking information or exfiltrating important documents." Wilhoit wrote, "It appears to exploit the common CVE-2012-0158 vulnerability, which works against unpatched versions of Microsoft Office 2003, 2007, and 2010. Had the document been opened in Microsoft Office 2010, depending on its patch level, the attack would have likely succeeded as well."
The attackers didn't have evil pixie dust to magically infect the ThinkPad. Exploiting the remote code execution vulnerability, CVE-2012-0158, requires users to take action and click a link such as in email, instant messenger or social media. Microsoft issued a critical patch back in April 2012 to fix the flaw. It's January 2014, so surely "regular" users would have patched that hole in Windows by now...unless Windows 7 was pirated and couldn't be patched, but that surely doesn't describe the NBC News version of a "regular" and pretty technically stupid user.
MacBook Air
After unboxing the MacBook Air, they left the installed OS on default settings and connected to a hotel Wi-Fi access point. While surfing and being redirected from a "fake social media site," a malicious file downloaded. However, Wilhoit pointed out, "We proceeded to right-click and choose 'Open'. Had we not right-clicked and opened the file, Macintosh Gatekeeper running on OS X 10.8.5 would have caught and prevented the file from running."
The techniques used to exploit the MacBook Air do not differ that much from those used against people browsing the Web on Windows machines, which shows that the attack was not targeted. All it required to succeed was an unpatched system and unsafe online behavior on the user's part.
If you want accurate details behind the NBC News story, then read Wilhoit's white paper, From Russia with Love: Behind the Trend Micro-NBC News Honeypots [pdf]. Although the NBC Sochi hacking story might apply to some technically challenged users, I don't think most "regular" users ignore all security wisdom.
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.