That NBC Story Is 100% Fraudulent blog.erratasec.com

Robert Graham, Errata Security:

Absolutely 0% of the story was about turning on a computer and connecting to a Sochi network. 100% of the story was about visiting websites remotely. Thus, the claim of the story that you’ll get hacked immediately upon turning on your computers is fraudulent. The only thing that can be confirmed by the story is “don’t let Richard Engel borrow your phone”.

Following the primetime broadcast of the original report, NBC released a supplementary video on their website which more clearly explains how these attacks were carried out. A few things become perfectly clear:

  1. As Graham points out, this story was filmed in Moscow, not Sochi. The cities are separated by over a thousand miles. It would be similar to a story claiming you’re more likely to be hacked at the 2014 Superbowl held in New Jersey, but filming the story in Chicago.
  2. These attacks were in no way specific to Russia. Engel manually downloaded and installed suspicious software on three separate devices. That’s the story, in a nut.
  3. Richard Engel doesn’t know how to open a box like a human being (about 1:00 into the broadcast clip).

The security expert in the story, Kyle Wilhoit, is a respected researcher, and blames the NBC report on sloppy editing. He promises to release a full technical report to explain what unfolded, and I anticipate he will. He has not done so yet, though.

But, in advance of the NBC report, he published a preliminary writeup which, when combined with the supplement video on NBC’s website, offers a pretty clear picture of what transpired:

For this experiment a honeypot environment was created emulating a user in Russia performing basic tasks; such as browsing the Internet, checking email, and instant messaging. The primary purpose of this experiment was to gauge how quickly a compromise would occur on given devices, should the user perform normal activity while in Russia for the Sochi Olympics.

Then later in the post:

After creating a “profile” of Richard, I then performed the laborious task of generating what appeared to be his user presence on each of the devices. This was accomplished by creating fake contacts (Including name, phone number, email address, and title) to place into his fake email account I created. If a nefarious user compromised the machine, they would in fact think it was really used by Richard, which allows us to study their behavior in closer detail.

In addition to creating fake contacts, I also browsed the Internet, emulating Richards’s habits. I went to Olympic themed websites, as well as traditional news sites that he often checks – like nbcnews.com.

This second quote is largely irrelevant to the story. What Wilhoit did was create a user with a presence online. The fact that it was in Richard Engel’s name isn’t actually important, nor is the fact that he frequents nbcnews.com. If the user was called “Johnny Appleseed” or “Ginny Weasley” it would have resulted in a similar effect.

It’s also pretty clear that Engel’s actions — opening suspicious attachments and downloading sketchy software — are entirely what contributed to this attack. I — and, I’m sure, you — receive similar emails and see ads for phony antivirus software all the time.

And finally:

On all of the devices, there was no security software of any type installed. These devices merely had standard operational programs such as Java, Flash, Adobe PDF Reader, Microsoft Office 2007, and a few additional productivity programs.

Using a Windows computer with Java, Flash, Office, and Adobe Reader on it but without antivirus software is a recipe for disaster. You know this, I know this, and we’ve all drilled it into the heads of our parents, coworkers, and friends. NBC took three minutes to tell their viewers not to download sketchy shit on the internet. Bravo.

In fact, the NBC investigation didn’t really cover what I consider the scariest part of the story, which is what Maltego can uncover. If you’ve ever searched for your own name or handle with Pipl, or tried interesting keywords in Shodan, you probably have some idea of the power of an application like Maltego. Its ability to cross-reference multiple sources is wicked powerful, especially when you consider it in the wake of the past eight months of Snowden’s leaks.