In March, Vietnamese political news blog Anh Ba Sam underwent a series of attacks that left its content compromised and its owners unable to access the blog’s back end. Attackers took over the site, replacing its articles with their own content and changing passwords for the site’s administrative sections.
When Anh Ba Sam’s owners contacted WordPress, the blog’s hosting service, in an effort to reclaim access to their site, the company asked the owners to verify their identities. But this wasn’t easy — the attackers changed security information on the site, leaving the owners temporarily unable to prove their claim. Although the case has since been resolved, it raises critical questions about the role of blog hosting platforms and their responsibilities to provide adequate security measures for their clients.
Anh Ba Sam (ABS) has established a unique position in recent years as a consolidator of reportage on events and trends in Vietnam. The site features articles re-posted from the foreign press and original reporting from the ABS community, many members of which identify themselves as dissidents. ABS publishes news updates four times daily, and regularly posts political, economic and social analyses contributed by respected intellectuals and experts. Before the attack, the site was garnering roughly 100,000 hits daily.
In Vietnamese, “Anh” is a personal pronoun, use for an older, male person. “Ba Sàm” means “the Gossiper”. One site administrator explained to Global Voices Advocacy that readers developed a saying after the blog was founded: “Ba sàm thông tin chính thống, chính thống nói chuyện ba sàm,” or, “The Gossiper communicates official news, while the official media merely gossips.”
ABS was a high-value target for Vietnam's internal security agencies, though there is no hard evidence that government actors were involved in the attack. On March 8, hackers took control of ABS, locking out its true owners and deleting all of its content. On March 13, hackers (presumably the same person or group as before) posted on the site a lewd and defamatory ‘exposé’ of ABS managing editor Dinh Ngoc Thu, derived from materials she suspects hackers looted from her own computer.
Thu sent urgent requests to WordPress customer assistance staff, asking that control of the site be restored to her and her colleagues. Their response was that Thu must first prove that she was the true owner of the site, but this was impossible — all identifying data, correspondence with WordPress, billing records, and other evidence of ownership had been stored on subdirectories of the site and was either deleted or no longer accessible by the ABS team.
Could WordPress help?
Contacts of Thu’s brought the issue to the attention of the general counsel of Automattic, WordPress.com's parent company. WordPress customer assistance staff then became more cooperative and control of the blog was restored to the ABS staff. Yet it required substantial effort to persuade WordPress to remove various sub-blogs and other booby traps hidden within the ABS site by the hackers. Had the ABS team not been able to connect with influential staff at WordPress and Automattic, they may have spent far longer working to regain access to their site.
Not long after this, WordPress.com deployed a two-step authentication procedure for all its clients’ use. There’s no way to know for sure, but some believe that the ABS incident catalyzed this change.
ABS has been up and running again, with tighter security and a new URL, since late March 2013. Average daily hits have climbed back to 73,000. ABS staff are hoping to soon move the blog to a new and inherently more secure server soon.
Increasing security for vulnerable blogs
ABS administrators and Global Voices Advocacy urge WordPress to adopt a policy of proactive, preemptive assistance for blog administrators facing challenges similar to those of ABS. We believe that WordPress should take responsibility to the fullest extent possible for ensuring that their clients’ sites aren’t hacked (for example by strongly recommending 2-factor authentication and being more aggressive about helping to ensure that all WP scripts and plugins being used by blog administrator are up-to-date).
The company could could consider developing a mechanism that enables their clients to recover control of a hacked account. As was the case with ABS, suppose a person claiming to be the site owner urgently requests help regaining control of the site. WordPress staff very possibly won’t be fluent in the language used on the site. How can they tell who is the bona fide owner? A recent, sudden and radical change in the pattern of administrative access to the site should be prima facie evidence that a highjacking has taken place. At that point, WordPress could deny administrative access to the site by any party pending a sorting out of claims.
WordPress should take pride in its unique role as an enabler of free political speech around the world. To this end, we believe the company should provide interactive security counseling to the many alternative and dissenting bloggers it hosts. Such a commitment would strengthen the public image of both WordPress and Automattic, and provide an invaluable service to its community.