I remember a humorous anecdote from a security workshop organised by the U.K.-based press freedom organisation ARTICLE 19. The charismatic director Leopoldo Maldonado, who was conducting the workshop, spoke of a reporter in the restive Mexican state of Tamaulipas who had just been hacked. The reporter later discovered that the Tamaulipas state governor had paid a $10,000 USD bounty to black hat mercenaries, contracted over the dark web from their base in eastern Europe, to crack his password and uncover his sources. The reply from the journalist: “Why didn’t the governor just give me $10,000? I’d have given him the password in person!”
Gallows humour aside, whenever there is an uptick in cyberattacks against the news portals I helped my Mexican colleagues architect, I find myself scanning the headlines across our front pages: have our investigative journalists uncovered a scoop that some wealthy senator or extremely well-connected congressman with links to organised crime would prefer to keep quiet?
Our news portals are among the most influential in the state of Quintana Roo. The exposure means the attacks against our newsroom have gotten more advanced over time. The threats against our Editor-in-Chief, Pedro Canché, add an extra layer of complexity to our newsroom security, above and beyond that of traditional cybersecurity.
The attempts to censor the free press with cyberattacks are also crafted to have a chilling effect. The constant DDoS attacks against our servers were reasonably simple to mitigate with CDNs such as Cloudflare, and they now barely register after load balancing across three Virtual Private Servers. The SQLi attacks from the Russian Federation pictured below against Chetumal News (backdated to 2021 to keep things interesting without revealing current countermeasures) make me wonder how this newspaper, which serves the judicial capital on southern Mexico’s tropical Caribbean coast, ever gained such a faithful readership from above the Arctic Circle?
It’s always advantageous to use the country blockers available in most premium WAFs (or the free plugin https://lite.ip2location.com) to make life difficult for your adversary. Lockheed Martin’s pioneering paper on Intelligence-Driven Computer Network Defense advised organisations to deploy countermeasures faster than the adversary can evolve to defeat them, raising the adversary’s expenditure for every step towards its actions on objectives. Following this advice, the idea is to monitor and document your adversary’s TTPs (Tactics, Techniques and Procedures) to gain clues as to whether it is a suspected script kiddie using Burp Suite or Hydra, or perhaps a more sophisticated adversary deploying a botnet that specialises in predictable but relentless brute force attacks.
It’s also wise to monitor whether there is a change in the location from which the reconnaissance or attacks are occurring. After IP country blocking the regions that were perpetrating the majority of attacks against our newspapers, the WAF (Web Application Firewall) tracked attacks from different regions. The image below shows an attempted malicious file upload and directory traversal attack on the WordPress configuration file from a few years ago that originated from France.
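The kind of monitoring the two paragraphs above describe, as an added example that is not code from the original post: a small Python script that classifies web-server log lines into the attack classes mentioned here (SQLi, directory traversal aimed at the WordPress configuration file, malicious PHP upload) and aggregates the hits by country of origin, so a shift in attack location after a geo-block stands out. The log lines, IP prefixes and country assignments are constructed placeholders standing in for real traffic and a real geolocation database such as ip2location.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:03:14:01 +0000] "GET /?s=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2021:03:14:02 +0000] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512
198.51.100.9 - - [12/Mar/2021:09:00:00 +0000] "GET /wp-content/plugins/x/?file=../../wp-config.php HTTP/1.1" 403 0
198.51.100.9 - - [12/Mar/2021:09:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=upload&f=shell.php HTTP/1.1" 403 0
192.0.2.44 - - [12/Mar/2021:10:00:00 +0000] "GET /noticias/chetumal HTTP/1.1" 200 8192
"""
# Constructed prefix-to-country table standing in for a geolocation database (hypothetical values).
GEO_TABLE = {"203.0.113.0/24": "RU", "198.51.100.0/24": "FR", "192.0.2.0/24": "MX"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Signatures matched against the URL-decoded request path: SQLi, traversal to wp-config.php, PHP upload.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=|union\s+select", re.I),
    "traversal": re.compile(r"\.\./.*wp-config\.php", re.I),
    "upload": re.compile(r"upload.*\.php", re.I),
}

def country_of(ip):
    """Country code for an IP from the prefix table; 'ZZ' when nothing matches."""
    addr = ip_address(ip)
    return next((cc for pfx, cc in GEO_TABLE.items() if addr in ip_network(pfx)), "ZZ")

def classify_log(text):
    """Return (ip, country, attack_class) for every request matching a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["path"])  # decode %27, %20 etc. before matching
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((m["ip"], country_of(m["ip"]), name))
                break
    return hits

def attacks_by_country(text):
    """Count flagged requests per country so a shift in attack origin stands out."""
    return Counter(cc for _, cc, _ in classify_log(text))

def countries_to_block(text, min_hits=2):
    """Countries whose flagged-request count reaches min_hits: candidates for a WAF geo-block."""
    return sorted(cc for cc, n in attacks_by_country(text).items() if n >= min_hits)
```

Run it over a real access log instead of SAMPLE_LOG and compare the per-country counts week over week; a new country appearing at the top of the list is the location shift the post warns about.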
It may seem like a game of whack-a-mole, country blocking entire continents, but the idea is to make things more expensive for your adversary. This does reveal a worrying trend in Cybercrime as a Service (CaaS), where botnets can be hired for bitcoin and automated hacking tools can now perform sophisticated cyberattacks at the behest of technologically luddite politicians for a small fee.
The aim, then, should be that your newspaper is hardened against the most common cyberattacks: sanitized database inputs and input validation, which even freemium WAFs provide. Also remember that your newsroom is only as secure as your least trained reporter, but fortunately there are cybersecurity toolkits for journalists to raise the security posture of your publication. It means the politicians who are attempting to censor your publication (we have a shortlist 😉 ) have to dish out much more dough to achieve an ever diminishing level of success. Oftentimes, I have found these mercenary hackers will simply get bored and move on, or the money to fund the cyberattacks will dry up.