Major news media at risk from hackers as they prepare to report the US election results

PUBLISHED : Wednesday, 09 November, 2016, 1:04am
UPDATED : Wednesday, 09 November, 2016, 1:04am

Experts have warned for months that hackers could try to disrupt Tuesday’s election by penetrating local voting systems. But another target could prove easier to hack: US media reporting election results.

I’ll be amazed and shocked if we don’t see attacks tomorrow
Bobby Kuzma, a system engineer

Upguard, a California company that assesses how well companies protect themselves from hackers, has found that three major news organisations – The Associated Press, The Wall Street Journal and CBS News – tallied “pretty abysmal” scores on key criteria to thwart breaches.

All three are key sources of election results, with the AP perhaps the largest provider of election tabulations in the country. Upguard ranked 20 media companies in its survey.

Attacks on the computer systems of journalists and news organisations have become more frequent. Targets have included BuzzFeed, which Upguard ranked among the five most secure media but still was breached October 5. A week earlier, Newsweek’s website mysteriously crashed.

Hackers, both domestic and in foreign countries, including Russia, changed the course of the presidential campaign with penetrations of computer systems and thefts of internal emails and documents.

A hack of servers storing information for the Democratic National Committee, revealed in June, led to committed Chair Debbie Wasserman Schultz’s resignation in late July. Based on leaked emaills, she was accused of tilting the party nomination battle from Bernie Sanders toward Clinton. Another hack led her interim successor, Donna Brazile, to lose her job as a Democratic pundit on CNN in mid-October. Leaked emails showed that she’d passed town hall questions to Clinton ahead of time.

After conducting drive-by external assessments, much as a hacker would do, Upguard gave a score of risk preparedness. The scores were modelled on the credit ratings people get to gauge their financial health.

On a scale up to 950, Upguard gave CBS the lowest score (334), and a little higher to The Wall Street Journal (376) and The Associated Press (378).

“Those are quite bad scores. Those are the kind of scores we see for companies with major security failures,” said Greg Pollock, vice president of product at Upguard. CBS and The Wall Street Journal did not respond to requests for comment. A spokeswoman for The Associated Press declined to comment on its security measures.

Upguard looked at more than 20 criteria that Pollock said were commonly accepted as “best website security standards”. They include whether a company uses basic standard encryption between its servers and the computers of those visiting the website, and whether it hides information about its servers from those outside its firewalls.

Asked about the AP, Pollock looked and said: “They are using a Windows server called Microsoft IIS 7.5. As a hacker, I can go and Google vulnerabilities of IIS 7.5. Essentially, it just gives me a lot of information about what bugs to place if I wanted to break into the site or do a denial-of-service attack. The fact that it’s not obscured gives me an indication that they are not using good practices internally.”

Upguard did not assess McClatchy, a company based in Sacramento, that owns newspapers in 29 US cities. Other cybersecurity experts said they expected problems for media companies on Tuesday.

“I’ll be amazed and shocked if we don’t see attacks tomorrow,” said Bobby Kuzma, a system engineer at Core Security, a network-security company. “There’s so many bits of infrastructure involved with getting news to press [or website, as it is today], that extensive vulnerabilities are likely to be the rule, rather than the exception. With decreasing budgets and revenue streams, that cybersecurity spending would take a back-seat to other priorities is not shocking.”

Kuzma said media companies might see distributed denial-of-service attacks, which use multiple computers to bombard a site with data, freezing it, or “subtler defacements and misinformation during the election.” In cybersecurity, many companies do not take sufficient steps until faced with crises, Pollock said. “In the absence of actually getting breached, companies just default to ignoring these problems.”

Upguard ranking and scores:

Yahoo (825)

The Guardian (783)

C-SPAN (780)

Buzzfeed (752)

The Washington Post (731)

Fox News (574)

ABC (561)

NBC (543)

NPR (522)

MSNBC (513)

Huffington Post (511)

CNN (480)

The New York Times (480)

Bloomberg (480)

Politico (480)

USA Today (470)

Reuters (428)

The Associated Press (378)

The Wall Street Journal (376)

CBS News (334)