7

Did Planned Parenthood fake being hacked?

Example claims:

Via Twitter:

Their site is so hacked right now that someone has been rearranging CSS fonts and alignment.

Another tweet

Text below

If planned parenthood's site was hacked, why is the domain still loading content from the server?

And why is their site down template categorized as a campaign?

Because it is a campaign. Next time you lie, check your source code.

And Planned Parenthood “Hacking” Sure Looks Like An Orchestrated PR Stunt says that the Planned Parenthood Action Fund site http://ppaction.org redirects to a page saying the site has been hacked, but the domain houses a perfectly functional URL.

Andrew Grimm
  • 4
    We might want to discuss some ground rules on what would constitute acceptable answers. My guess, given the prevalence of programming backgrounds among Stack Exchange users (especially web programming) that this is going to encourage a lot of answers from people based on their own personal expertise of how websites work and common hacking techniques. But that is not what we are looking for, under our usual rules. – Nate Eldredge Aug 02 '15 at 04:55
  • @NateEldredge is the term used on Skeptics.SE for that kind of behaviour "original research"? – Andrew Grimm Aug 02 '15 at 04:57
  • 1
    Yeah, or "theory answer". – Nate Eldredge Aug 02 '15 at 04:59
  • 1
    One thought: I seem to recall that the word "campaign" has a specific technical meaning in certain web software, not necessarily aligned with its common definition. I can't find citations to back this up, but if someone can, I think that would be some evidence against at least one part of the claim. – Nate Eldredge Aug 02 '15 at 05:34
  • 4
    I'm not sure this is answerable without specific knowledge of their website and their CMS - perhaps the most expedient way to put up a "This site is down" message was to treat it as a "campaign" while they try to restore the rest of the site (the backdoor could have been installed months ago, perhaps predating their backup retention, which is why they can't just restore from a recent backup). The fact that one of their sites is up while other(s) are down sounds consistent with a hack. – Johnny Aug 02 '15 at 06:25
  • 14
    "why is the domain still loading content from the server?" Can someone explain me this sentence? I don't understand. If the server is hacked and the content is modified by the hackers directly on the server, then yes, the content will still be loaded from the server, and it's quite logical. Am I missing something here? – Einenlum Aug 02 '15 at 20:42
  • It is completely plausible that the hack was perpetrated through some combination of XSS attacks/SQL injections which exploited a loophole in the campaign code of PP's CMS. I fail to see how the HTML code signifies an inside job. – March Ho Aug 03 '15 at 03:55
  • 4
    That article on TheFederalist clearly shows that they have no experience with hacked websites. Feed them *any* hacked site and they will find the same 'arguments' as they are presenting in this statement. –  Aug 03 '15 at 09:25
  • 2
    Like any other question, we'll expect this to be answered through evidence and not expertise -- for example the results of an official investigation. – Sklivvz Aug 03 '15 at 09:29
  • @NateEldredge I believe the term "campaign" has specific meaning within Google Analytics, though I don't recall what that meaning is or if it would explain that html snippet. – Dan Staley Aug 03 '15 at 23:46
  • 1
    Is there any evidence Planned Parenthood even said they had been hacked? I see a quote saying *under attack* which is not the same thing. Your sources misinterpret the quote from Planned Parenthood and then proceed to demonstrate that they could not find evidence to support their own misinterpretation. – kasperd Aug 04 '15 at 10:56
  • 1
    Going by what @NateEldredge said, is this question answerable at all? Unless Planned Parenthood allows a third party to inspect their website, I don't think there's ever going to be anything up to this site's standards. Would an answer along the lines of "The tweet and the Federalist's 'proof' don't prove anything, and here's why" fit on this site? – user2752467 Aug 17 '15 at 03:56
  • 1
    Oddly I cannot answer due to the question being protected (but I have > 10 rep). To answer each claim: 1. Still loading content from the server? Yes, a hacked site by its very nature will still load content from the server because it is the server, or the web application that resides on the server, that is compromised. There are some attacks which can redirect a user to a different server, like DNS poisoning, but those are harder to achieve. Most common attacks are XSS (cross site scripting) and SQL injection attacks which make use of the existing server and web application. – Jarrod Christman Sep 22 '15 at 13:11
  • 2. Why is their site down template marked as a campaign? The information here is vague but it looks to be an AJAX campaign tracker script. These days it's extremely common (some would say a requirement) to have an AJAX traffic tracking script on your site. These services can record items like browser types and versions, screen resolutions, and most basic, traffic. If you have a site down page that is triggered by things like 500 errors, or other items, the site owners would still want to track the traffic to those pages. It so happens the terminology of the tracking script calls it a campaign. – Jarrod Christman Sep 22 '15 at 13:16
  • I can source this information if asked. Though this mostly comes from experience and knowledge as my primary job is web development for ecommerce sites, which deal a lot with security and customer tracking. – Jarrod Christman Sep 22 '15 at 13:17
  • They were hacked around the time of the report, and a hacker leaked website login details, but those particular images are most likely from a PR stunt. – yters Oct 17 '16 at 20:10

1 Answer

3

Claim

This answer attempts to respond to the following claim (from the images in the question):

Planned Parenthood (PP) faked being hacked

Basis

This claim is based on:

  1. Claims that PP is hacked (from Twitter)
  2. Data is being loaded from PP servers
  3. Source code including keywords that imply a campaign
  4. The website is reachable despite claims of an attack

Summary - why this basis is not sufficient

Briefly said (see discussion below the answer), the claim that the hack was fake comes from the servers PP claims are hacked. If the servers are indeed hacked, the attacker has the same control over the servers that PP would normally have, and is therefore able to falsify the basis of the claim (at least, points 2 through 4). Without information from a source independent of these servers, it cannot be determined whether the attack occurred or not.

Background

"Hacked" refers to the situation where someone unauthorized has access to the server. This means that integrity was compromised (see this section and its reference on Wikipedia, or a basic computer security course for more details). This means that the attacker can make modifications to the system as if she were the administrator of the website. What specific changes are possible depends on the details of the case, but in general this means it is not possible to distinguish changes made by an attacker from changes made by the administrators. Thus, strictly speaking, we can't make a judgement about whether a hack is "real"; the attacker/hacker can always make it look as if the attack was fake, unless there is an additional source of information independent of the potentially affected website. As the website in question discusses a sensitive issue for some, it is at least plausible that this occurred, and it is similar to website defacement, a technique often used to discredit websites by teenagers in the past, and currently by activists and politically motivated persons.

  • Also, it's not based on evidence, but the author's speculation. – Sklivvz Aug 03 '15 at 09:30
  • 1
    @Sklivvz honestly, I disagree, but the amount of original research in my post is probably too high. The latter part of the post is directly based on the definition of integrity. Would references to teaching material, such as books, be acceptable? The content is considered obvious in security literature, but I can also try to find a paper that describes this more precisely if that is preferable. – Rens van der Heijden Aug 04 '15 at 06:23
  • 1
    I'm not sure what you mean. We expect evidence specifically related to the planned parenthood situation, but you only posted a link to Wikipedia for "information security". That's, at best, a definition. – Sklivvz Aug 04 '15 at 07:41
  • @Sklivvz right. I see where our misunderstanding comes from. I interpreted the question as "Based on (information), can we conclude that PP is faking the hack?" and my answer was, "The information comes from the supposedly compromised server, and if it is actually compromised, the attacker can by definition make it look like PP is faking it." I'll attempt to improve the answer after this comment. I think there might be a problem with the question in this case, though; it is impossible to objectively determine whether the hack was faked, without the ability to inspect the system directly. – Rens van der Heijden Aug 04 '15 at 19:18
  • @Sklivvz I hope the changes I made align the answer more towards what skeptics is looking for, but in case this is not what is intended, should I remove the answer in its entirety, or leave it until there is a better answer? – Rens van der Heijden Aug 04 '15 at 19:40
  • The answerer highlights a very good point - how is it portrayed when a website gets taken down by a hostile Denial of Service attack? As a hack. I'm glad he pointed out that being hacked does not have to mean your site is down. – PoloHoleSet Oct 19 '16 at 21:26