07 November 2014

Was Sharyl Attkisson's computer hacked? The video is hardly compelling evidence

Politico has published an exclusive cell-phone video provided by former CBS News reporter Sharyl Attkisson in support of her claims that her computer was hacked, presumably in relation to her inconvenient reporting on Benghazi and other Administration scandals. The video shows a Word document on her MacBook Air being modified by some mysterious operator.

Now, this would be easily enough explained if Attkisson had enabled some standard OS X features and a malevolent operator had leveraged them, or if an attacker had somehow installed and enabled remotely-accessible hacking tools.  But, as I'll document, there are problems with either explanation, and with dismissive explanations from some observers that Attkisson was simply experiencing "garden variety technical glitches."  In particular there is one detail in the video that seriously needs explanation from Attkisson or whoever set up her Mac.

First, Macs (and PCs) have remote desktop sharing capability. It's normally disabled but is easily enough enabled by a user with administrative privileges on the machine. I use it all the time to access an old Mac that I use for archival purposes.

But I know that machine's IP address. I can't just access anyone's Mac that way: screen sharing must be enabled, and I must know the machine's IP address. Unless the machine is connected directly to a DSL or cable modem, there's no easy way to get to it from outside the LAN it is on, unless a dynamic DNS utility is running on the machine, which on the evidence I doubt Attkisson would know how to arrange on her own.

But there's a problem. Sitting at the target machine, the phantom operations from a remote desktop-sharing operator look a lot like what Attkisson shows in her video. But if one is using ordinary Mac screen sharing as built into OS X, there is an icon in the menu bar that lets you know that control of the machine is being remotely shared. An example is shown below, highlighted in blue:


In what little of that corner of the screen Attkisson shows, there's no such icon:


Instead, from left: Dropbox (fully sync'd), AppleScript, Time Machine (OS X's built-in backup utility... and it seems Sharyl hasn't backed up lately), Bluetooth (on), WiFi (connected), speaker volume, battery (charging), date/time (apparently it's Monday).

There may be other items to the right of the edge of the screen capture, but this moment, at about 0:50, was the broadest view I was able to capture from her video.

...Wait: AppleScript?

AppleScript is a built-in OS X capability that allows easy recording and playback of keyboard, menu and screen operations.  What is its icon doing in the menu bar during this video?

Based on the video, either:
  • The attacker is using OS X Screen Sharing but its telltale icon resides just off the edge of the video.  The issue of getting to the computer through whatever WiFi network it's logged into is still tough to explain. 
  • Or, the built-in screen sharing capability is not what's being utilized by the remote attacker, meaning Attkisson's computer was really and truly hacked.
  • Or, something other than a remote session is actuating the mouse and keyboard off-screen, such as a USB or Bluetooth external keyboard... or an AppleScript macro. 
Bottom line: It's a shame that Attkisson isn't more computer literate (and a better videographer!), as this video raises more questions than it answers, and dastardly action by some government agent is not necessarily the likeliest explanation, much as one might want to think so.
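
The first possibility above does not have to rest on a cropped menu bar: the built-in Screen Sharing service listens on TCP port 5900, so the machine's own connection table shows whether it is enabled and whether anyone is attached. The sketch below is an added example, not something from the video or from Attkisson's machine; the function name `screen_sharing_state` and the sample `netstat` lines are constructed for illustration.

```shell
#!/bin/sh
# Classify Screen Sharing (VNC, TCP 5900) state from `netstat -an -p tcp`
# output in the macOS format, where the port follows the address after a dot.
# On a real Mac: netstat -an -p tcp | screen_sharing_state
screen_sharing_state() {
    awk '
        # $4 = local address, $5 = peer address, $6 = connection state
        $1 ~ /^tcp/ && $4 ~ /\.5900$/ {
            if ($6 == "LISTEN") listening = 1
            if ($6 == "ESTABLISHED") {
                peer = $5
                sub(/\.[0-9]+$/, "", peer)      # drop the peer port
                peers = peers (peers ? "," : "") peer
            }
        }
        END {
            if (peers)          print "ACTIVE peers=" peers
            else if (listening) print "ENABLED no-session"
            else                print "DISABLED"
        }
    '
}

# Constructed sample input (hypothetical addresses, not real captures).
# Service enabled, nobody connected; the other line is ordinary HTTPS traffic.
SAMPLE_IDLE='tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  192.168.1.20.49712     17.248.1.10.443        ESTABLISHED'

# Service enabled and a viewer on the same LAN is attached.
SAMPLE_ACTIVE='tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  192.168.1.20.5900      192.168.1.35.52344     ESTABLISHED'

# Service not enabled: nothing bound to port 5900.
SAMPLE_OFF='tcp4       0      0  192.168.1.20.49712     17.248.1.10.443        ESTABLISHED'

for sample in "$SAMPLE_IDLE" "$SAMPLE_ACTIVE" "$SAMPLE_OFF"; do
    printf '%s\n' "$sample" | screen_sharing_state
done
```

A `DISABLED` result rules out only the built-in service; it says nothing about the second and third possibilities, which need a look at installed software and at the AppleScript item in the menu bar.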