Site security is the hidden cost of doing business on the Web

The cost of operating a news site on the Web seems relatively low. In the U.S. you don’t have to secure an FCC license as a radio or TV station would. It doesn’t cost millions of dollars to purchase and install a press to compete in print. Buy a URL, rent some server space, install a content management system and start publishing, right?

Well, yes. Until you post the first article. Then the reality of the Internet hits.

Spambots dumped more than 4,000 submissions into the comment sections of the first three stories posted on this blog before I came to my senses and installed the Akismet plug-in to preserve my sanity. (Most of the spam was for mail order drugs. Apparently there’s a real market for fake Tramadol. I never heard of it either, so I had to look it up. It’s similar to codeine.)

The first site I helped to build at Penn State to showcase work by journalism students was felled by a hacker. It had been online for about two years when I woke up one morning to an email alert from our IT department that said the site had been shut down because it was serving up Viagra ads — possibly the product least needed by college students. We moved the site off campus to increase security, but that site was knocked offline for a day by a dedicated denial-of-service attack that originated in the Baltics. The second attack not only closed us down, but the time spent solving the problem prevented us from instituting a scheduled upgrade. The site is now hosted once again on university servers, where a phalanx of IT people have (so far) kept it running continuously for two years.

SEA logo from screenshot


Today the New York Times was not so lucky. The site was up and down for several hours this afternoon as hackers who the Times said appeared to be from the Syrian Electronic Army attacked the site’s domain registry. The assault redirected traffic away from the Times’ servers to what appeared to be a Syrian Electronic Army domain.

Marc Frons, chief information officer for The New York Times Company, said, “In terms of the sophistication of the attack, this is a big deal … A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of Web sites.”

In fact, the domain registry that serves the Times also handles Twitter, which Frons said was compromised, too. While the Times site disappeared and content had to be temporarily posted on a different server (update: viewers were directed to the site’s server without using the hacked directory), the associated assault on Twitter seemed mostly to disrupt the display of thumbnail images associated with some Tweets. (If you’re still having trouble accessing the New York Times site, click here.)

The Syrian Electronic Army isn’t new. The organization is credited/blamed for hacking an AP Twitter account and Tweeting about a spurious attack on the White House. That fake Tweet caused a dramatic temporary drop in stock prices.

On campus, cyber security is a big issue. In July The New York Times reported that America’s research universities are increasingly coming under cyberattack by people trying to steal product designs and research data. Bill Mellon, an associate dean at the University of Wisconsin, told the Times that when he set out to overhaul computer security recently, he was stunned by the sheer volume of hacking attempts. “We get 90,000 to 100,000 attempts per day, from China alone, to penetrate our system,” Mellon said.

From a financial standpoint, it doesn’t really matter if the attacker is trying to wedge spam into the site or extract information from it. The IT costs of maintaining security are skyrocketing. The University of California at Berkeley’s cyber security budget (already in the millions of dollars) has doubled since last year in response to “millions of attempted break-ins every single week,” spokesman Larry Conrad told the Times.

All of which makes the meager IT resources at most news sites seem like a real risk.

In the early days of post-gazette.com we had one IT guy dedicated to website support. We had several discussions about whether that was a good idea. There was general agreement that we needed at least one more person, if only we had more money. But nothing happened until the IT guy got into an accident riding an all-terrain vehicle on his day off. Suddenly there was backup.

With the exception of major sites like nytimes.com, NPR.org and washingtonpost.com, I’ve never seen anything close to an adequate amount of technical resources associated with an online newsroom. But if all three of those sites can get knocked offline by Syrian hackers (WaPost hack, NPR hack), and the Times can also be felled by a maintenance update, where does that leave smaller sites that are cutting corners on IT?

Maybe smaller sites are hoping no one will notice them. But if hackers can find and disable a small journalism student showcase site, how much longer do under-funded news sites think they can avoid a similar fate?

Related

Gizmodo has a good explanation of the workaround the Times used to make the site visible during the cyber attack.

The Times wrote about the search for the Syrian Electronic Army in May.

On a cheerier note, I suspect that the Washington Post loves reporting on New York Times problems. Columnist Alexandra Petri had a pretty funny take on the site crash earlier this month, “New York Times Web site goes down, panicked mobs stream into street demanding to know the trends.”

 
