In the lead-up to the Winter Olympics, people have been warned to watch out for malware, spam and spear-phishing attacks on websites and email, with the US-CERT agency issuing strongly-worded advice on February 4 and 5:
“Whether viewing live coverage, event replays or checking medal statistics online, it's important to visit only trusted websites,” the statement read.
“Events which gain significant public interest and media coverage are often used as lures for spam or spear-phishing campaigns. Malicious actors may also create fake websites and domains that appear to be official Olympic news or coverage that can be used to deliver malware to an end user upon visiting the site (also known as drive-by downloads or watering holes).”
However, a subsequent NBC TV news report featuring Trend Micro threat researcher Kyle Wilhoit was met with strong criticism after the report showed how easily it would be for Russian hackers to infect the computers and smartphones of anyone actually visiting Sochi.
The report is headlined “All visitors to Sochi Olympics immediately hacked” and features Wilhoit and NBC News chief foreign correspondent Richard Engel in a Russian restaurant, using a new smartphone to browse for information on the Games. “Almost immediately we were hacked…. malicious software hijacked our phone before we even finished our coffee” reports Engel.
Their two computers were also infected. “It had taken hackers less than one minute to pounce. Within 24 hours they had broken into both computers and started helping themselves to my data,” Engel said.
But the report has been rubbished by some security experts, led by Errata Security's Robert Graham. He said in a 6 February blog that the NBC story was “100 percent fraudulent” and “the story was fabricated”.
“The story shows Richard Engel ‘getting hacked' while in a cafe in Russia,” said Graham. “It is wrong in every salient detail. One, they aren't in Sochi but in Moscow – 1,007 miles away. Two, the ‘hack' happens because of the websites they visit (Olympic-themed websites), not their physical location. The results would've been the same in America.”
“Three, the phone didn't ‘get' hacked - Richard Engel initiated the download of a hostile Android app onto his phone.”
Gartner vice president Paul Proctor agreed in a blog post the report “is misleading”.
“They have directly positioned this as just turning on your mobile device and computer will result in you being ‘hacked'. This is an overstatement and misleading,” said Proctor.
“Most everything they describe in the story is as equally true at your local Starbucks as it is in Sochi. Therein they miss the opportunity to present a more accurate picture of global security, as opposed to the ‘evil Russians'.”
Wilhoit defended himself in Twitter exchanges. Asked if he was ever actually in Sochi, the analyst replied: “Nope. They wouldn't let me leave Moscow…Paper will be coming out soon about the details of what went on.”
Wilhoit did however admit that the editing of the story was out of his hands, and as such suggested the story was twisted
“Unfortunately, the editing got the best of the story,” he tweeted. “Cut a lot of the technical/context details out. White paper coming soon.”
He added: “I can't control how things get edited. I can, however, publish technical blogs.”
Security expert Brian Honan of BH Consulting told SCMagazineUK.com that the impact of the TV report will be to make the job of security professionals that much harder.
“The problem with overstating and sensationalising threats is that you can end up being like the ‘boy who cried wolf'. As an industry we have been struggling to ensure the mainstream public understand and appreciate the threats. Over-hyped and sensationalised stories from mainstream media hinder that message rather than help,” he said.
Asked what people browsing websites for information on the Sochi Olympics should do to secure themselves, he told us: “Criminals will set up fake sites to draw in unsuspecting users, so make sure to stick to official websites and blogs associated with the Olympics themselves or the media companies covering them. Do not click on pop-ups or download software that you are not sure of. Be wary of unexpected messages you receive via email, instant messaging or on social networks. If you are not sure of the content or the origin of the message do not click on any attachments or links.”
Honan went onto say: “One key element not mentioned in the NBC report is that the reporter connected and browsed the internet using computers and devices straight out of the box. So they had no anti-virus software installed, no firewall software installed and no software updates to ensure the systems were protected from known threats. In addition, the reporter deliberately downloaded a file onto his device from an unofficial website associating itself with the Winter Olympics which in turn infected his machine.”
The analyst, while urging computer uses to download anti-virus solutions and patch where required, also advised Sochi visitors to beware free Wi-Fi networks.
“Make sure all your internet traffic is encrypted, ideally you should employ a VPN to protect your online communications,“ he said. “Do not plug in USB devices, such as free USB sticks, that you receive from others without ensuring there is no malware on them. Encrypt the storage devices that you are using, be that the hard disks in your computers, your mobile phones and tablets, and also any portable storage devices you may have.”
“Do not access sensitive accounts from systems you have no control over, such as PCs in internet cafes or internet kiosks.”