Skip the navigation

Ira Winkler: My run-in with the Syrian Electronic Army

The hacker group dedicated to supporting Syria's dictator wasted an attack vector on trying to embarrass the writer. Will the SEA's handlers in the Syrian intelligence services approve of such immaturity?

By Ira Winkler
May 13, 2014 07:38 AM ET

Computerworld - The Syrian Electronic Army may have jumped the shark.

Last month, the SEA, a hacker group whose stated purpose is to support the Syrian government of Bashir al-Assad, hacked the RSA Conference website. The hack was done to express its dislike for me, which stems from a presentation that I gave at the 2014 RSA Conference that detailed the SEA's tactics, named names and disclosed methods to prevent its attacks.

I have investigated that hack and subsequent ones on The Wall Street Journal's Twitter accounts and BuzzFeed in the U.K., both meant to denigrate and embarrass me.

I'll get to the findings of those investigations, but first let me tell you how I became aware of the situation.

On the evening of Saturday, April 26, a tweet was directed at me from the SEA indicating that there was a message awaiting me at the RSA Conference site. I know better than to trust any links that come from the SEA, so I opened up a browser and typed in the RSA Conference URL. The normal site came up; no message for me from the SEA was visible.

The SEA tweeted more messages, but I ignored them. But when a friend told me the SEA wasn't playing a practical joke, I took out my safe computer and followed the tweeted link. Now I could see a graphic with a taunt from the SEA. My thought was that the RSA Conference might have been momentarily hacked and that this was a screen capture.

Being personally involved, I wanted to understand what had happened. I contacted some friends at the RSA Conference team, as well as some executives from RSA itself. The executives put me in touch with the security team at RSA, who told me that a website associated with Lucky Orange, an analytics software package used by the RSA Conference, had been redirected and returned JavaScript code that displayed the taunt.

That explained why I didn't see the taunt when I first went to the conference website; I don't allow JavaScript code to run on my Web browser. But the linked file was just a direct link to the graphic.

Around this time, someone on Facebook told me he had seen the taunting image. I didn't give that too much thought. The SEA's dirty work was out there on the RSA Conference site, and people inevitably were going to see it. But later I learned that this friend didn't see the image on the RSA Conference website. It was on another website entirely. If I had noticed that fact at that time, I would have found it very interesting. But as it was, I dismissed this bit of news as more of the same.

Our Commenting Policies