CNN latest target of Syrian hacktivists

CNN is the latest western media organisation believed to have been targeted by the Syrian Electronic Army (SEA) hacktivist group that supports Syrian president Bashar al-Assad.

The organisation’s social media accounts and one of its blogs were briefly compromised by the SEA, according to US reports.

The SEA is believed to have been behind a string of similar attacks on other media organisations throughout 2013, including the Financial Times, Washington Post, Thomson Reuters and the BBC.

The hacktivist group emerged in May 2011, during the first Syrian uprisings, when it started attacking media outlets and spamming popular Facebook pages.

In more recent months, attackers claiming to be part of the SEA have hit the social media accounts of Microsoft and Skype to protest against US internet surveillance.

In the latest attack, CNN’s Facebook and Twitter accounts showed content from the SEA for about an hour, including tweets that said the US was “brewing lies that the Syrian state controls Al Qaeda”.

The SEA said the attack was in protest against CNN’s “biased reporting on Syria”.

Commentators said the SEA targets social media and blogging accounts because of the low standard of security. 

Password security for these public-facing apps is an often overlooked issue, said Thomas Pedersen, founder and CEO of identity management firm OneLogin.

“The attack on CNN’s social media accounts is another reminder that bad password hygiene, coupled with a lack of access control, can create weak points in any company’s ability to securely manage their marketing applications,” he said.

Pedersen said it is critical that any organisation – especially larger organisations with distributed internal and external users – locks down access to all applications.

Social media hacks can often be avoided with identity and access management (IAM) systems, because users do not log directly into an application and the systems enable two-factor authentication, he said.

“Password Vaulting is often combined with an IAM system and is a way of adding an additional layer of protection to web apps such as Twitter or in-house content management systems,” said Pedersen.

“By storing the passwords securely server-side and injecting them into an application’s login page during sign-on, there is no reason why a communications worker should ever know his or her password to an app or be able to share it with colleagues,” he said.
