Malaysia Airlines Defaced - 404 Plane Not Found (opens in new tab)

(wsj.com)

47 pointsscubasteve11y ago44 comments

44 comments

corobo11y ago

Bad as the deface is, they're making decent looking takeover pages these days. Not too bad that design

Take away the greetz and the embarrassment and you're halfway to a snazzy landing page

scubasteveOP11y ago

The second defacement reminded me of a geocities page with music playing in the background.

Reference: http://www.nbcnews.com/storyline/isis-terror/lizard-squad-cl...

mintplant11y ago

> hacked by a group claiming be aligned with the Islamic State extremist group

> hackers claiming to be similarly aligned with the Islamic State extremist group

This is either really dishonest or really stupid reporting. They're not actually aligning themselves with ISIS. They're just trolls trying to be edgy.

zerocrates11y ago

I don't see how it's dishonest.

Whatever their actual alignment and/or edgy-troll status, they still claimed to be aligned with ISIS, just as the article says.

potatolicious11y ago

The job of a journalist is to fact-check and separate fact from fiction.

Which is to say, when the subject of an article claims something, you should probably not print it verbatim without thinking it through at least a little bit, and maybe determine the credibility of what's being said.

It is not the job of a journalist to regurgitate sources blindly.

Otherwise... hey journalists, I am literally the second coming of Jesus, you guys should interview me and tell people I'm the Son of God.

mryan11y ago

> Otherwise... hey journalists, I am literally the second coming of Jesus, you guys should interview me and tell people I'm the Son of God.

Right, and in that case the article would probably read "potatolicious, who claims to be the second coming of Jesus..." *

Their claim of alignment with ISIS is, in itself, a part of the story. They are reporting that the claims have been made, not that the claims are factually correct.

* This actually happened on British TV: https://www.youtube.com/watch?v=qlSj_imnv7o

DanBC11y ago

In your example journalists would say that you claim to be the son of god. They wouldn't say that you are the son of god.

You seem to be asking journalists to say "he claims to be the son of god (but he isn't, obvs)" which is asking th journalists to provide information they don't have.

1 more reply

Lazare11y ago

> hacked by a group claiming be aligned with the Islamic State extremist group

The article claims that the website was hacked by a group claiming to be aligned with the Islamic State.

> hey journalists, I am literally the second coming of Jesus, you guys should interview me and tell people I'm the Son of God.

Good journalism would be to report that you are claiming to be Jesus. Which is what happened here; they reported a claim of affiliation, not the affiliation as a fact. It would actually be bad journalism for the reporter to take a position on your divinity (or an unknown groups actual affiliation with IS).

1 more reply

ryanlol11y ago

How can the journalist reliably evaluate who "Lizard Squad" is aligned with, especially with them repeatedly claiming to support ISIS?

ryanlol11y ago

Interestingly enough, despite malaysia airlines claiming that this is just a DNS hijack. It appears that their own CDN (Akamai) is now serving the deface page. (The page was being served by cloudflare before)

JoshTriplett11y ago

Many CDNs work by retrieving the page themselves, caching it, and re-delivering on request. In that case, if the original page changes, the CDN would automatically change too.

ryanlol11y ago

Which would imply that their backend was compromised, not just DNS.

zkhalique11y ago

The CDN could have simply refreshed its DNS cache couldn't it? That would mean it loaded the files from somewhere else.

1 more reply

jrockway11y ago

"Hey everyone, go visit this website that's probably serving malware!"

anon138511y ago

Google ads regularly serve malware[1], are you going to tell people not to visit Google?

[1] https://news.ycombinator.com/item?id=8879229

tombrossman11y ago

This isn't the best way to describe the problem or solution.

Users can be advised to install an ad-blocking plugin for their web browser to protect themselves. Since Google serves adverts from domains other than google.com, users can continue to use the google.com domain for search while at the same time blocking the malware coming from ad networks.

Daviey11y ago

Are you referring to contents of the linked article or that this is on HN? Need more words.

Surely, if the second - linking to wsj isn't known to serve malware.

Further, if you do not have some trust in your browser to go to potentially compromising sites - you need to change browser or stop browsing.

scubasteveOP11y ago

ryanlol already mentioned you could have ran a curl to check what's being delivered.

But, you can also use the Web Archive and check every domain yourself within their waterfall chart: http://web.archive.org/web/20150126072317/http://www.malaysi...

Looks like a bunch of static assets delivered by: fonts.googleapis.com, fonts.gstatic.com, pbs.twimg.com, and www.youtube.com. Looks similar to what I saw post-defacement/pre-fix.

ryanlol11y ago

A simple curl reveals that it isn't... And how often are deface pages serving malware anyways?

IMO it would be much more sensible to serve malware off of a page that _doesn't_ announce it has been hacked.

mschuster9111y ago

Not really. A defaced high profile website will draw visitors e.g. from all major news sites, maybe even TV. Combined with a couple 0days or a browser exploit kit, quite a chance to infiltrate a target.

And if you're lucky the online reporters also have twitter/fb account info on their PCs. I guess this is how the various compromises of twitter accounts have been done.

whizzkid11y ago

"The browser window of the website"

It is the first time i am hearing such a definition.

kalleboo11y ago

I reacted to the CNN article[0] which said "The browser tab read"

[0]http://edition.cnn.com/2015/01/25/asia/malaysia-airlines-web...

decentrality11y ago

I enjoyed the sole comment on the article at the time too:

"It's 'homepage' not 'browser window'... unless you're 80"

jobigoud11y ago

It's actually called "Page title" though.

Buge11y ago

HSTS could prevent this from working.

tyho11y ago

So could attaching decent transponders to their aeroplanes.

jrockway11y ago

How much more per flight would you pay for this? Satellites aren't cheap.

ryanlol11y ago

At their scale, yeah they are. (Especially considering you wouldn't need new sats)

ryanlol11y ago

Not really, the page is being served from MAS's own servers now.

Dylan1680711y ago

Not if the other comment by... you... about it being served by an external CDN is correct.

HSTS could easily stop a CDN from picking up a bad version during a DNS hijack.

ryanlol11y ago

MAS's CDN that is. The same CDN they were using before the hack even happened.

1 more reply

j / k navigate · click thread line to collapse

44 comments

corobo11y ago

Bad as the deface is, they're making decent looking takeover pages these days. Not too bad that design

Take away the greetz and the embarrassment and you're halfway to a snazzy landing page

scubasteveOP11y ago

The second defacement reminded me of a geocities page with music playing in the background.

Reference: http://www.nbcnews.com/storyline/isis-terror/lizard-squad-cl...

mintplant11y ago

> hacked by a group claiming be aligned with the Islamic State extremist group

> hackers claiming to be similarly aligned with the Islamic State extremist group

This is either really dishonest or really stupid reporting. They're not actually aligning themselves with ISIS. They're just trolls trying to be edgy.

zerocrates11y ago

I don't see how it's dishonest.

Whatever their actual alignment and/or edgy-troll status, they still claimed to be aligned with ISIS, just as the article says.

potatolicious11y ago

The job of a journalist is to fact-check and separate fact from fiction.

It is not the job of a journalist to regurgitate sources blindly.

Otherwise... hey journalists, I am literally the second coming of Jesus, you guys should interview me and tell people I'm the Son of God.

mryan11y ago

> Otherwise... hey journalists, I am literally the second coming of Jesus, you guys should interview me and tell people I'm the Son of God.

Right, and in that case the article would probably read "potatolicious, who claims to be the second coming of Jesus..." *

Their claim of alignment with ISIS is, in itself, a part of the story. They are reporting that the claims have been made, not that the claims are factually correct.

* This actually happened on British TV: https://www.youtube.com/watch?v=qlSj_imnv7o

DanBC11y ago

In your example journalists would say that you claim to be the son of god. They wouldn't say that you are the son of god.

You seem to be asking journalists to say "he claims to be the son of god (but he isn't, obvs)" which is asking th journalists to provide information they don't have.

1 more reply

Lazare11y ago

> hacked by a group claiming be aligned with the Islamic State extremist group

The article claims that the website was hacked by a group claiming to be aligned with the Islamic State.

> hey journalists, I am literally the second coming of Jesus, you guys should interview me and tell people I'm the Son of God.

1 more reply

ryanlol11y ago

How can the journalist reliably evaluate who "Lizard Squad" is aligned with, especially with them repeatedly claiming to support ISIS?

ryanlol11y ago

JoshTriplett11y ago

Many CDNs work by retrieving the page themselves, caching it, and re-delivering on request. In that case, if the original page changes, the CDN would automatically change too.

ryanlol11y ago

Which would imply that their backend was compromised, not just DNS.

zkhalique11y ago

The CDN could have simply refreshed its DNS cache couldn't it? That would mean it loaded the files from somewhere else.

1 more reply

jrockway11y ago

"Hey everyone, go visit this website that's probably serving malware!"

anon138511y ago

Google ads regularly serve malware[1], are you going to tell people not to visit Google?

[1] https://news.ycombinator.com/item?id=8879229

tombrossman11y ago

This isn't the best way to describe the problem or solution.

Daviey11y ago

Are you referring to contents of the linked article or that this is on HN? Need more words.

Surely, if the second - linking to wsj isn't known to serve malware.

Further, if you do not have some trust in your browser to go to potentially compromising sites - you need to change browser or stop browsing.

scubasteveOP11y ago

ryanlol already mentioned you could have ran a curl to check what's being delivered.

But, you can also use the Web Archive and check every domain yourself within their waterfall chart: http://web.archive.org/web/20150126072317/http://www.malaysi...

Looks like a bunch of static assets delivered by: fonts.googleapis.com, fonts.gstatic.com, pbs.twimg.com, and www.youtube.com. Looks similar to what I saw post-defacement/pre-fix.

ryanlol11y ago

A simple curl reveals that it isn't... And how often are deface pages serving malware anyways?

IMO it would be much more sensible to serve malware off of a page that _doesn't_ announce it has been hacked.

mschuster9111y ago

And if you're lucky the online reporters also have twitter/fb account info on their PCs. I guess this is how the various compromises of twitter accounts have been done.

whizzkid11y ago

"The browser window of the website"

It is the first time i am hearing such a definition.

kalleboo11y ago

I reacted to the CNN article[0] which said "The browser tab read"

[0]http://edition.cnn.com/2015/01/25/asia/malaysia-airlines-web...

decentrality11y ago

I enjoyed the sole comment on the article at the time too:

"It's 'homepage' not 'browser window'... unless you're 80"

jobigoud11y ago

It's actually called "Page title" though.

Buge11y ago