The UK’s Channel 4 is the latest media organisation to fall prey to hackers from The Syrian Electronic Army.
The original defacement has now been wiped off but, originally, it carried a story titled, “Nuclear strikes on Syria: The genie is already out of the bottle”, which included an image of a mushroom cloud. The story went on to say that,
“The fact of the matter is, what we are seeing in both these cases is a tactical nuclear strike, probably by cruise missiles launched from aircrafts near the borders of Syria or right off the coast in the Mediterranean.”
Of course the story was bogus but the hack was certainly genuine. The Syrian Electronic Army even posted what they claimed to be a screenshot of the WordPress admin panel for the Channel 4 blogs on their Twitter account:
There are many possible answers as to how the hackers were apparently able to gain access to the admin panel. A quick look over the blogosphere and social media would, perhaps, lead you to think that some sort of phishing or social engineering exercise was to blame but ehackingnews.com may have discovered a more disturbing answer.
If you visit www.blogs.channel4.com now you’ll see the image above which, appropriately, shows The IT Crowd along with a message saying that “something is broken.”
Right-clicking and viewing the page source doesn’t give much away now but ehackingnews have said that there was an interesting line of text there earlier that may give us some clues as to how the hack was possible:
<meta name=”generator” content=”WordPress 3.1.2″ />
Now, the WordPress users amongst you will have already figured out the significance of that, but for everyone else the issue here is that WordPress recently put out version 3.6 of their popular blogging platform. Version 3.1.2 is actually a long way out of date having been released in April of 2011.
Considering the large number of security updates that have been included in the intervening updates over the last two years it would seem likely that this is how the Syrian Electronic Army gained access to the back end of Channel 4’s blogs. Why no-one at Channel 4 picked up on this is puzzling to say the least.
So the moral of this situation is to ask when was the last time you checked that all of your company’s software was fully patched and up to date? If it isn’t then you may want to better prepare for the future with a security assessment. You may also need to ask yourself whether your employees are security aware?