Significant hacking activity targeting journalists at large newspapers
February 1, 2013 1:45 PM

The New York Times has detailed a successful 4-month hacking campaign by China, infiltrating its computer systems and acquiring passwords for reporters/employees. The campaign was likely in retaliation for the NYT investigation of the wealth amassed by relatives of Chinese Prime Minister Wen Jiabao. Following the NYT announcement, the Wall Street Journal announced that it too was hacked last year. The Washington Post may also have been infiltrated. Slate asks if this could have a chilling effect on journalists writing about China.

The NYT hack was probably initiated by a spear-phishing attack on an employee, given the language in the article and the internal memo about the incident. The paper is being praised for its unusual transparency on the issue.
posted by gemmy (102 comments total) 21 users marked this as a favorite

 
Slate asks if this could have a chilling effect on journalists writing about China.

I don't know if it's the right question to ask. Foreign reporting is not always accurate and is usually one-sided anyway. There will always be pressures that influence mainstream reporting.

I think the real question is to ask where internet security is heading in the next three years.

In an era of smart grids, ubiquitous networks and total connectivity, rainbow tables with 50 billion hashes, and the willingness of governments to exploit "cyber warfare", how secure will anyone or any piece of infrastructure be going forward?

Time to enable TFA on MetaFilter!
posted by KokuRyu at 1:52 PM on February 1, 2013 [2 favorites]


"If"?

Only a [having trouble thinking of appropriate epithet] of a journalist would keep cultivating sources on a story if he knew the Chinese regime would hack his computer to find them and kill them.
posted by ocschwar at 1:58 PM on February 1, 2013 [1 favorite]


Enable multi-factor authentication on your email accounts, people.
posted by GuyZero at 1:59 PM on February 1, 2013 [2 favorites]


As the NYTimes article suggests, it seems doubtful that the Chinese government and military were targeting the paper for "retaliation", but more that the Chinese were infiltrating their systems in order to find out who the high-placed informants are when these stories come out.
posted by Blazecock Pileon at 1:59 PM on February 1, 2013 [9 favorites]


On a related tangent, if you're interested in learning more about phishing, the techniques used, the damages it has caused, and countermeasures, I wrote up an article in Communications of the ACM on The Current State of Phishing that was published last year.
posted by jasonhong at 2:01 PM on February 1, 2013 [26 favorites]


In my profession, we are seeing a rise in APTs (Advanced Persistent Threats) and a lot of it originates from China. The scary thing about APTs is they're so stealthy that we don't catch them until they've already been silently sending out data for several years. Reporters are considered HVTs (High Value Targets) because of the level of access that is given to them in terms of confidential data and, often, people. That's what we find they are really after: who's talking to the media and what are they talking about? Once you have a list of interesting people/targets, then you can begin to grind away even more to harvest whatever else you're able to find; the media sites are often just proxies to their goals.
posted by nataaniinez at 2:02 PM on February 1, 2013 [5 favorites]


Is it fair to assume, given what we know so far, that the Times failed to salt the hashes of its reporters' passwords?
posted by Gordion Knott at 2:07 PM on February 1, 2013


Also, law firms and utility companies are showing high levels of APT activity. Even though I've been doing this for a long time, I am always shocked to see the state of a large law firm's information security environment.
posted by nataaniinez at 2:12 PM on February 1, 2013


This part of the NYT article really got me:

But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China

..how much information can be gleaned from this? Or, is it just the fact that the connection was established? I'm imagining the ubiquitous hacking scene in the movie, with the guy saying "We're in to the ...thermostat...!"
posted by obscurator at 2:12 PM on February 1, 2013 [3 favorites]


Is it fair to assume, given what we know so far, that the Times failed to salt the hashes of its reporters' passwords?

Salting passwords doesn't do anything against phishing. In phishing, the person you're attacking willingly gives you their password because they think you're some good guy that they want to deal with (Paypal or eBay or the employer's intranet or whatever).
posted by Jpfed at 2:15 PM on February 1, 2013 [4 favorites]
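Jpfed's point above, as an added worked example that is not part of the thread or from any of its posters: a precomputed table cracks an unsalted SHA-1 digest in one lookup, a per-user salt plus a slow hash (PBKDF2 here) defeats the precomputation but not a per-salt dictionary attack on a weak password, and none of it matters once the user has typed the plaintext into a phishing page. The password list and the tiny stand-in "rainbow table" are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table of unsalted SHA-1 digests.
# A real table has billions of entries; the lookup is the same.
COMMON_PASSWORDS = ["password", "Herbie12", "letmein", "qwerty123"]


def sha1_hex(password):
    """Unsalted SHA-1, the kind of digest a precomputed table is built for."""
    return hashlib.sha1(password.encode()).hexdigest()


RAINBOW_TABLE = {sha1_hex(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(digest_hex):
    """One dictionary lookup recovers the password from a leaked unsalted digest."""
    return RAINBOW_TABLE.get(digest_hex)


def store_salted(password, iterations=100_000):
    """Per-user random salt and PBKDF2-HMAC-SHA256: what a password store should hold."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def crack_salted_with_table(record):
    """The precomputed table is useless here: it was built without this salt."""
    return RAINBOW_TABLE.get(record["digest"].hex())


def crack_salted_with_wordlist(record, wordlist):
    """What salting does NOT stop: recomputing the slow hash per guess for this one
    salt. A weak password still falls; the cost is just paid per user, not once."""
    for guess in wordlist:
        if verify_salted(record, guess):
            return guess
    return None


def phished_login(record, typed_into_fake_page):
    """Phishing hands over the plaintext, so the real login succeeds whatever the store does."""
    return verify_salted(record, typed_into_fake_page)
```

The iteration count is the only knob that slows the wordlist attack; the salt only stops the attacker from paying that cost once for every user at the same time.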


obscurator - think of it as camping alone in a mountain overlooking your enemy's base of operations. The inconspicuousness of your location and your patience are its advantages, especially if you're still able to communicate back to your base the activity of what's going on outside the enemy base.
posted by nataaniinez at 2:18 PM on February 1, 2013


..how much information can be gleaned from this?

Thanks to this technology, the Chinese now know that I never clean the crumbs from my smart toaster.
posted by KokuRyu at 2:20 PM on February 1, 2013


Pretty soon reality will match the science fiction in the remade Battlestar Galactica.

I'm talking about the plot point where connections with outside computer networks are forbidden.
posted by Brandon Blatcher at 2:20 PM on February 1, 2013 [2 favorites]


> how much information can be gleaned from this? Or, is it just the fact that the connection was established?

Not necessarily useful on its own.

Potentially useful for correlating other fragments of information. eg, the reporter turned the thermo down before going on a trip to.... [other information needed]
posted by ardgedee at 2:20 PM on February 1, 2013 [1 favorite]


But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China

..how much information can be gleaned from this?


Depends on how much other information they have. Data that indicates a certain room likes to be kept really cold or really warm could match up with a noted reporter of Chinese politics who likes to work in really cold or really warm places. That indicates they should target computers and printers in that room, eh? 'cause it's not uncommon for reporters to print out a story and proof it or an email to take to a meeting.
posted by Brandon Blatcher at 2:23 PM on February 1, 2013 [1 favorite]


Foreign reporting is not always accurate and is usually one-sided anyway. There will always pressures that influence mainstream reporting.


isn't this true for non-foreign reporting too....
posted by Bwithh at 2:24 PM on February 1, 2013


a thermostat... connected to the internet.


Today's color is red... try it, it's the new blue.
posted by edgeways at 2:27 PM on February 1, 2013 [1 favorite]


how much information can be gleaned from this?

The printer? A lot. You may need to print something out that's sensitive, and stand up from your desk to grab it off the printer before anyone sees, but that information got sent to it and stored in the onboard memory. Printers are shared, too, so one device can get infected and see lots of different users' information.

Sometimes I think there's a war going on, a war in the ether, that almost nobody knows about, and the reports we see, like this, are icebergs - the great amount of activity happens silently, unknown.
posted by the man of twists and turns at 2:30 PM on February 1, 2013 [8 favorites]


Well, ok the network printer I get. And, if this reporter is printing half as many emails as the profs and college administrators I've worked with over the past few years...hacker GOLD!
posted by obscurator at 2:37 PM on February 1, 2013 [1 favorite]


how much information can be gleaned from this?

Some months back I needed to print something out and walked over to the network printers to find a couple pages just sitting there. I was about to stick them in the recycling bin when I noticed it was a list of usernames and passwords for our various applications, including a password for an application I maintained. Turns out our "Director of User Experience" had an excel spreadsheet with all his passwords, printed it out on a network printer, then just left the printout sitting there.
posted by Ad hominem at 2:40 PM on February 1, 2013 [10 favorites]


obscurator: "how much information can be gleaned from this?"

It might not be that the thermostat itself is the target, but it may be a known IP within the network and maybe less suspicious to a network admin or security officer.

Suppose your thermostat runs updates automatically from a vendor, and the hacker sends an update to it that compromises it and starts pen testing other devices on your network, or just monitoring everything. Soon, you see a lot of traffic between your network and mestthermostat.com. Gee, it looks like they're doing a great job of keeping your HVAC controller up to date!
posted by boo_radley at 2:41 PM on February 1, 2013 [2 favorites]
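One way to catch the "thermostat still talking to the vendor" traffic boo_radley describes, as an added example that is not from the thread or any of its posters: a compromised embedded device phoning home usually does so on a fixed timer, while a person's traffic is bursty, so a per-(source, destination) check of how regular the gaps between connections are separates the two. The flow records, the device addresses and the vendor hostname are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed outbound flow records (timestamp, src_ip, dst_host); not real traffic."""
    t0 = datetime(2013, 1, 14, 0, 0, 0)
    flows = []
    # A thermostat "checking for updates" once an hour, with a few seconds of jitter.
    for hour, jitter in enumerate([0, 3, -2, 5, 1, -4, 2, 0, 3, -1]):
        flows.append((t0 + timedelta(hours=hour, seconds=jitter),
                      "10.20.5.41", "update.thermostat-vendor.example"))
    # A person browsing from a laptop: bursts and long idle stretches.
    for secs in [10, 12, 15, 90, 91, 400, 1800, 1805, 7000, 7002, 7010]:
        flows.append((t0 + timedelta(seconds=secs), "10.20.7.12", "www.nytimes.com"))
    return sorted(flows)


def beacon_candidates(flows, min_hits=6, max_cv=0.05):
    """Group flows by (src, dst); report pairs whose inter-connection gaps are
    nearly constant (coefficient of variation <= max_cv) over at least min_hits."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "hits": len(times),
                          "period_s": round(avg), "cv": round(cv, 4)})
    return found
```

On a real network the input is NetFlow or proxy logs rather than a constructed list, and a careful implant adds random sleep to spoil the timing, so the destination itself (a hostname nobody else in the building talks to, a bare IP, an unexpected country) deserves as much weight as the period.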


how much information can be gleaned from this?

Many organizations have a crunchy-outside-chewy-center kind of security setup. The printer or thermostat is inside the firewall, so you can use it to attack or probe other systems that are inside the firewall. Bob Secretary's computer isn't kept up-to-date because it can't communicate with the outside world, but it can communicate with the printer. Bob Secretary has access to Joe Boss's email. There you go.
posted by hattifattener at 2:41 PM on February 1, 2013 [2 favorites]


Sorry gemmy, I've turned this into an AskMe..
posted by obscurator at 2:46 PM on February 1, 2013


a thermostat... connected to the internet.

Previously.
posted by kmz at 2:48 PM on February 1, 2013 [2 favorites]


"Slate asks if this could have a chilling effect on journalists writing about China." - lulwut?

It is not like there is an abundance of serious reporters writing embarrassing stories about China at the moment. The biggest problem the Chinese govt has with the western press atm is the persistent "hard landing" story - which they are handling pretty well anyway.

If you are going to talk about China, the minimum in today's society is that you need to separate your hard facts from your conspiracy theory from your rational inference from your speculation - which none of these stories seem to manage.
posted by Another Fine Product From The Nonsense Factory at 2:50 PM on February 1, 2013 [2 favorites]


You can glean a lot more information than you'd think from a network attached thermostat; any member of a network segment (basically everything talking to the same switch or router, wired or not) receives every frame (piece of information) sent across the network-- so if you compromise a thermostat on a network, you could use it to ship all the traffic from the thermostat's local network to a repository in China for analysis and re-education.
posted by elsp at 2:52 PM on February 1, 2013 [5 favorites]


"Johnson always turns the thermometer down to 42 degrees before leaving for the night when he's working alone. Send the assassins when it happens."

Or maybe the thermostat has a dormant Bluetooth chip built into the wifi hardware and now you can rip Johnson's phone contacts.

The idea that X technology doesn't have to be secure because we're not imaginative enough to think of a threat is one of the reasons we're in this mess. Think of how many people have weak webmail passwords because "I don't use it for anything important."
posted by Skwirl at 2:53 PM on February 1, 2013 [2 favorites]


Considering the US Congress and its, in theory, infinite budget can't prevent being infiltrated at least 2 times - how are you, the mere plebe, to defend your machines?
posted by rough ashlar at 2:58 PM on February 1, 2013


It's too bad there isn't an easy way to use good encryption to communicate with each other.
posted by mecran01 at 2:59 PM on February 1, 2013 [1 favorite]


Enable multi-factor authentication on your email accounts, people.

If your employer-provided email has multi-factor authentication as an option, well, I'm impressed.
posted by Holy Zarquon's Singing Fish at 3:01 PM on February 1, 2013 [4 favorites]


It is not like there is an abundance of serious reporters writing embarrassing stories about China at the moment.
Another Fine Product From The Nonsense Factory

The attacks were apparently in retaliation for two stories investigating possible corruption by two of the major leaders of China.

The idea that X technology doesn't have to be secure because we're not imaginative enough to think of a threat is one of the reasons we're in this mess. Think of how many people have weak webmail passwords because "I don't use it for anything important."
Skwirl

Yeah, but there's a balance between security and usability/living a normal life. There are always extra security measures I could take to prepare for eventualities, but at some point securing everything for every conceivable attack makes life unbearable.
posted by Sangermaine at 3:03 PM on February 1, 2013


The New York Times and Hacking's Layer Cake -- "The infiltration of the American newspaper by hackers reckoned to be working for the Chinese government is a demonstration of the layered model of hacking: from noisy to silent, amateur to professional."
posted by ericb at 3:05 PM on February 1, 2013 [1 favorite]


Man I remember when I read that bit about the Chinese Party chief's kid living in London like a billionaire my first thought was "if I was the New York Times team doing this story I don't think I would be doing this."
posted by bukvich at 3:07 PM on February 1, 2013


Cyber attacks on press reveal gap in US diplomacy -- "There is a void in U.S. leadership in countering cybercrime. A good starting point would be to hold countries accountable for cyber attacks emanating from their shores."

US weighs tougher action over China cyberattacks -- "High-level talks with the Chinese government to address persistent cyberattacks against U.S. companies and government agencies haven't worked, so officials say the Obama administration is now considering a range of actions."
posted by ericb at 3:08 PM on February 1, 2013 [2 favorites]


email has multi-factor authentication

How? Where there is a cheap unit such as a USB stick that acts as a HID keyboard, so you can just plug it in and press a button, AND you, the end user, are able to know what the HID will output.

Once the crap is bought or built - no 3rd party needed.
posted by rough ashlar at 3:09 PM on February 1, 2013


"There is a void in U.S. leadership in countering cybercrime. A good starting point would be to hold countries accountable for cyber attacks emanating from their shores."

*cough*stuxnet*/cough*
posted by titus-g at 3:13 PM on February 1, 2013 [12 favorites]


Enable multi-factor authentication on your email accounts, people.

Multi-factor authentication doesn't prevent spear-phishing, does it? That stuff comes in through the front door, right?
posted by The Bellman at 3:15 PM on February 1, 2013


Multi-factor authentication doesn't prevent spear-phishing, does it?

appealing to idiots is how "public relations" works. ("Public Relations" used to be called Propaganda BTW)
posted by rough ashlar at 3:19 PM on February 1, 2013


Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

A Symantec spokesman said that, as a matter of policy, the company does not comment on its customers.
Ouch.
posted by not_the_water at 3:22 PM on February 1, 2013


Multi-factor authentication doesn't prevent spear-phishing, does it? That stuff comes in through the front door, right?

Maybe, maybe not. The article is a bit vague on exactly what mechanism "spear-phishing" uses. If it's a rootkit or some kind of keylogger, then the whole machine is compromised. But the good news is that that doesn't give unlimited access to email, just to what the person does on that one machine. I will be the first to say that there's no single security tool for end-users. Multi-factor is good, audit trails are also very good. If you can see someone's logged into your email from China, well, that's probably not a good sign. (Forging a different point of origin isn't hard, but that's no reason not to audit logins)
posted by GuyZero at 3:23 PM on February 1, 2013
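GuyZero's audit-trail point, as an added example that is not from the thread or any of its posters: two checks over constructed login records, a successful login from a location the account has never used, and two successes from different countries closer together than travel allows. The prefix-to-location table stands in for a real GeoIP lookup and is an assumption of the example, as are the usernames, addresses and the per-account baseline.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed prefix -> location table standing in for a GeoIP database (assumption).
GEO = [
    (ipaddress.ip_network("10.0.0.0/8"), "corp-lan"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
]

# Constructed mail-server auth events (not real logs).
SAMPLE_LOG = """\
2013-01-14T09:02:11 user=reporter1 result=success src=10.4.2.19
2013-01-14T12:40:05 user=reporter1 result=success src=203.0.113.7
2013-01-14T13:05:42 user=reporter1 result=success src=198.51.100.23
2013-01-14T18:00:00 user=editor2 result=success src=10.4.2.30
2013-01-14T18:00:30 user=editor2 result=failure src=198.51.100.23
2013-01-15T03:12:09 user=editor2 result=success src=198.51.100.23
"""

# Where each account has legitimately logged in from before (assumed baseline).
KNOWN_LOCATIONS = {"reporter1": {"corp-lan", "US"}, "editor2": {"corp-lan"}}


def locate(ip):
    """Longest-prefix is overkill for a three-row table; first match is fine here."""
    addr = ipaddress.ip_address(ip)
    for net, label in GEO:
        if addr in net:
            return label
    return "unknown"


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), **kv})
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events, known=KNOWN_LOCATIONS, window=timedelta(hours=2)):
    """Flag successes from a never-seen location, and two successes from
    different countries within `window`. The corporate LAN is not a place,
    so it never counts as one leg of a travel pair."""
    alerts = []
    last = {}
    for e in events:
        if e["result"] != "success":
            continue
        user, loc = e["user"], locate(e["src"])
        stamp = e["ts"].isoformat()
        if loc not in known.get(user, set()):
            alerts.append((user, stamp, "new-location", loc))
        prev = last.get(user)
        if (prev and prev[1] != loc and "corp-lan" not in (prev[1], loc)
                and e["ts"] - prev[0] <= window):
            alerts.append((user, stamp, "impossible-travel", f"{prev[1]}->{loc}"))
        last[user] = (e["ts"], loc)
    return alerts
```

As GuyZero says, the source address can be forged or proxied, so the new-location alert is a prompt for a phone call to the account owner, not proof of compromise; the impossible-travel pair is harder to explain away.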


>It is not like there is an abundance of serious reporters writing embarrassing stories about China at the moment.
Another Fine Product From The Nonsense Factory


Could you please provide some examples of what you would call "serious" reporting on China, and why you think it is serious?
posted by KokuRyu at 3:25 PM on February 1, 2013


If you are going to talk about China, the minimum in todays society is that you need to separate your hard facts from your conspiracy theory from your rational inference from your speculation - which none of these stories seem to manage.

Agreed. The shit that gets passed off for "serious" foreign reporting is laughable.
posted by KokuRyu at 3:26 PM on February 1, 2013


I'm not sure your comment is even in English, rough ashlar, but are you thinking of things like Yubikey?
posted by hattifattener at 3:26 PM on February 1, 2013


The wording of this post is slightly off. The linked articles discuss "Chinese hackers" and hacking activity coming from China. To call this a "4-month hacking campaign by China" seems a bit off. I mean, sure there's an implication that the state might be involved, but there's no proof. And to refer to activities originating in China as being "by China"? It's like, about half the world's population for god's sake!
posted by iotic at 3:28 PM on February 1, 2013


"Johnson always turns the thermometer down to 42 degrees before leaving for the night when he's working alone. Send the assassins when it happens."

Or maybe the thermostat has a dormant Bluetooth chip built into the wifi hardware and now you can rip Johnson's phone contacts.


Or not even that; it sits on the internal network in the building, and contains a processor core and some firmware and microcode, including a networking stack. Having something that punches a hole in the outgoing firewall and acts as a proxy server for attackers in the know wanting to get at internal systems shouldn't be all that difficult. Or even something which can surreptitiously sniff traffic/scan systems and send data back to a dropbox somewhere. Perhaps it could even include a GPS chip and list of coordinates which if it finds itself in, it should go into spy mode. They could manufacture these by the millions, or even embed the functionality in systems on a chip to be embedded in random internet-connected devices (thermostats, printers, NASes, game consoles, smart TVs, &c.) and wait for one to find itself in the offices of a press organisation or Tibetan charity or something.

The amounts of surreptitious things one can do with modern electronics is alarming; a few years ago, a gang of fraudsters got credit card terminals manufactured with added GSM modules which would send the credit card details to a server, and installed them in supermarkets in Britain. They were only found when a shop staff member noticed mobile phone interference when near the cash registers.
posted by acb at 3:39 PM on February 1, 2013 [5 favorites]


As always, The Onion has taken a different approach.
posted by ckape at 3:40 PM on February 1, 2013 [5 favorites]


Pretty accurate representation of most passwords I would guess:

Here are 10 more names and passwords of Onion employees:

Jessica Vaughn: Herbie12

Keith Jackson: 1274beechwood

Samuel Jennings: gul@g@rchipellig0

Deondra Northington: felixx44

Camille Ryan: missTee54

Undine Hurley: april8two08

Ross Bergman: bugsy8908

Ira Heidenrich: 009siam

Joyce Horn: silverstei22@

Brock Campbell: NeviL305

posted by KokuRyu at 3:57 PM on February 1, 2013


any member a network segment (basically everything talking to the same switch or router, wired or not) receives every frame (piece of information) sent across the network

This shouldn't be the case in any serious network using real switches. You will see broadcast traffic but you need physical access and port mirroring to perform old school promiscuous sniffing.
posted by lordaych at 4:07 PM on February 1, 2013 [1 favorite]


And broadcast traffic can tell you a lot but you won't see every interaction between every client and server.
posted by lordaych at 4:08 PM on February 1, 2013 [1 favorite]


The next awesome chapter will be high-end IT security people either winding up dead under completely believable circumstances but at a much higher rate than actuarial tables suggest, or simply disappearing and having clues occasionally turn up testifying in only oblique ways to their continued existence.
posted by seanmpuckett at 4:13 PM on February 1, 2013 [2 favorites]


The Washington Post routinely publishes full page "reports" and multi-page pullout sections like "Russia Today" and various China-themed versions, obviously written and paid for by the governments in question. Why do they have to bother suborning reporters when they can just buy space?
posted by Ella Fynoe at 4:27 PM on February 1, 2013


obscurator: how much information can be gleaned from this?

Well, in the very earliest and simplest of IP-enabled devices, maybe not much. But the problem is that it's getting to the point of being cheaper, for many companies, to use something ridiculously over-complex for the purpose they intend. That is, rather than doing a little micro-controller with a custom TCP/IP stack for their IP-enabled thermometer, they can just toss a tiny ARM chip on it, with 256 megs of RAM, and a Linux kernel. Doing the custom microcontroller and custom development would let them possibly use cheaper hardware, but writing custom software is extremely expensive. So, it ends up being more cost-effective to put an entire Linux machine in your thermostat.

And Linux, sadly, is not known for its security. To be more direct, it's an effing mess. It used to be that you needed two compromises to take control of a Linux box; a hole in a service, and a hole in the kernel. But you can be pretty much guaranteed of a hole in the kernel, somewhere, that hasn't been patched, so modern Linux boxes really only need a single compromise to fall to an attacker.

And, guess what, the companies that find it cheaper to throw a Linux kernel on tiny electronics are often not all that great at defensive programming, and whatever interface they expose has an excellent chance of being exploitable.

Once a hacker has root on a Linux machine, even if it's theoretically a thermostat, he or she has a beachhead in your network, from which can be launched all sorts of different attacks. He or she might just leave it, quiescent, waiting for another major hole in Windows, and then use it to rapidly take over important machines behind the firewall, before the admins even know anything is wrong. With sufficient cleverness, the fact that a machine has been compromised can be extremely, extremely well-hidden.

For instance, I'm pretty good at this stuff, and I have no way to be absolutely certain that my home network is clean; I run a mixed environment of Linux, Windows, and Mac, and I've built out my home network with many of the same protections I'd use in a corporate one, but I'm still not absolutely certain it's clean. It gets very hard to determine if the slightly odd behavior in your network is a hacker making a slight mistake, or if you're simply misunderstanding what behavior you should be seeing, or perhaps are seeing a bug or interaction in all this interlocking software that's subtle and unexpected. This stuff is hard.

Those Chinese hackers are some of the smartest guys in the world, and they're being recruited and paid by their government to conduct offensive operations against "small" targets worldwide. Even when you're a company the size of the New York Times, it is extremely difficult to secure yourself against the resources that can be thrown at you by a major government. I do not envy their network administrators their jobs; I hope their bosses realize that defense against intrusion needs to be a company-wide thing, down to the lowest of the employees, and not just something they tell their administrators to somehow fix.

When you're dealing with this kind of security threat, you need all hands on board, and absolutely committed to security. Just one reporter getting it wrong, just once, can blow the whole network wide open.

This stuff needs to be drummed into the heads of the janitors... and if the NY Times doesn't directly employ their janitorial staff, the Chinese may have actual physical access to their servers already.
posted by Malor at 4:30 PM on February 1, 2013 [10 favorites]


gemmy:...a chilling effect on journalists writing about China...

obscurator: "But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China"

If they have control of the thermostats, they could certainly have a chilling effect on reporters.
posted by double block and bleed at 4:31 PM on February 1, 2013 [16 favorites]


lordaych: You will see broadcast traffic but you need physical access and port mirroring to perform old school promiscuous sniffing.

With reasonably advanced switches, port mirroring can be set up via remote access, no physical presence required. If the attackers can either directly attack the switch, or correctly deduce the passwords, they can map the network, and then watch the specific traffic in which they're interested. They're typically limited to sniffing one port at a time, but if that one port is your primary domain controller, then depending on how much encryption your network uses (often very little), they can get a hell of a lot of sensitive information.
posted by Malor at 4:34 PM on February 1, 2013


not_the_water: "
Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

A Symantec spokesman said that, as a matter of policy, the company does not comment on its customers.
Ouch.
"

Well, other than heuristics, there's not much you can do against custom malware. I ran into a personal case a while back. My security software caught the payload, but not the delivery mechanism. Luckily I tripped over the delivery mechanism when it glitched once. And that was after weeks and weeks and weeks of bogged down cores and barely responsive Windows (yay for multi-booting!).

And, although I am far from a fan of Symantec, their quiet policy isn't bad. Zero day found in a Symantec product? Well, then let's go to Symantec.com and see what customers they have listed...
posted by Samizdata at 4:46 PM on February 1, 2013


The control interfaces of the switch should be on separate vlans, (as should thermostats and printers), so an attack should not be that easy. It's basic CCENT stuff to configure proper passwords and access control lists and so on. If memory serves, you can configure ssh-only access with no password allowed; only a hex key will get you access. Or just turn off remote access completely and require a laptop and a blue cable to access switches and routers.
posted by gjc at 4:48 PM on February 1, 2013
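The controls gjc lists, sketched as a Cisco IOS configuration fragment. This is an added example, not from the thread or any of its posters; the VLAN numbers, addresses, interface, ACL and account names are assumptions. The public-key-only SSH commands vary between IOS releases, so check them against the platform's documentation before relying on them.

```cisco
! Separate VLANs for management, printers and building automation,
! so a thermostat or printer never shares a segment with the switch's control plane.
vlan 50
 name PRINTERS
vlan 60
 name BUILDING-AUTOMATION
vlan 99
 name MGMT
!
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
! Access port for the thermostat: its own VLAN, one MAC allowed, no trunking.
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 60
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
!
! Only hosts on the management network may reach the switch's control plane.
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny any log
!
ip ssh version 2
no ip http server
no ip http secure-server
!
! Public-key-only SSH for the admin account; password login off.
! (Key-chain and per-method authentication commands are release dependent.)
ip ssh pubkey-chain
 username netadmin
  key-string
   <OpenSSH public key, pasted in chunks>
  exit
 exit
ip ssh server authenticate user publickey
no ip ssh server authenticate user password
!
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 login local
```

The `access-class` line is what makes the "attack the switch directly" path in Malor's scenario fail from a compromised thermostat: the device sits in VLAN 60 and is not in MGMT-HOSTS, so its connection to the switch's SSH port is refused before any password guessing starts.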


lordaych: "any member a network segment (basically everything talking to the same switch or router, wired or not) receives every frame (piece of information) sent across the network

This shouldn't be the case in any serious network using real switches. You will see broadcast traffic but you need physical access and port mirroring to perform old school promiscuous sniffing.
"

I was going to state, but figured someone else would, so didn't, that I was pretty damn sure that was the reason you use switches instead of hubs. (Since hubs send all packets to all ports and switches only send data between ports when needed). I mean, barring things like ARP poisoning.
posted by Samizdata at 4:52 PM on February 1, 2013
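The "barring ARP poisoning" caveat, as an added example that is not from the thread or any of its posters: on a switched network the usual way for an attacker without port mirroring to see other hosts' traffic is to answer ARP for the gateway's address with their own MAC, so a detector that parses raw ARP packets and flags an IP address that suddenly claims a second MAC catches the attempt. The packets are built inside the example; all addresses are made up.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(part) for part in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet/IPv4 ARP packet (28 bytes, no Ethernet header)."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return header + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)


def parse_arp(pkt):
    if len(pkt) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sha": mac_str(pkt[8:14]), "spa": ip_str(pkt[14:18]),
            "tha": mac_str(pkt[18:24]), "tpa": ip_str(pkt[24:28])}


def sample_packets():
    """Constructed capture (made-up addresses): a normal exchange, then the
    'thermostat' answering for the gateway's IP with its own MAC, twice."""
    gw_ip, gw_mac = "10.20.5.1", "00:11:22:33:44:01"
    pc_ip, pc_mac = "10.20.5.77", "00:11:22:33:44:77"
    bad_mac = "de:ad:be:ef:00:41"
    return [
        build_arp(ARP_REQUEST, pc_mac, pc_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, pc_mac, pc_ip),
        build_arp(ARP_REPLY, bad_mac, gw_ip, pc_mac, pc_ip),
        build_arp(ARP_REPLY, bad_mac, gw_ip, pc_mac, pc_ip),
    ]


def detect_arp_spoofing(packets):
    """Keep the first MAC seen for each IP; report every reply that contradicts it."""
    bindings = {}
    alerts = []
    for raw in packets:
        arp = parse_arp(raw)
        if arp["op"] != ARP_REPLY:
            continue
        known = bindings.setdefault(arp["spa"], arp["sha"])
        if known != arp["sha"]:
            alerts.append((arp["spa"], known, arp["sha"]))
    return alerts
```

First-seen is a weak baseline (a legitimately replaced gateway would also trip it); in practice seed the table from DHCP leases or a static list of gateway MACs, and on the switch itself Dynamic ARP Inspection does the same check in hardware.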


It boggles my mind, to think that while US, UK, AU and most Western intelligence agencies were fucking around with fake evidence in Iraq and then using shadowy terrorists and wikileaks to make their budgets to explode like pavlova on an IED, China (and no doubt others) was, you know, actually doing shit that had tremendous intelligence value and cost virtually nothing.

This is not to say the West was doing nothing, of course (both in terms of protection and the Iran nuclear worm, drones etc), but man did we ever piss a whole lot of money away with nothing to show for it, and let foreign intelligence get a huge jump on us. Crazy.
posted by smoke at 4:53 PM on February 1, 2013 [2 favorites]


Just start several blogs reporting on the schoolchildren killed by corrupt construction practices in China, and use that as your honeypot.
posted by benzenedream at 4:55 PM on February 1, 2013 [1 favorite]


Malor your comment is a bit over the top. You're conflating a number of things and making some statements that are broad and generally alarmist in nature and incorrect.

While many IP-enabled devices do have the Linux kernel at their core, the risk from them isn't that it's Linux as the operating system; it's that this class of devices broadly is rarely updated and maintained. It's a universal risk, not limited to a singular operating system. Linux kernel security is *not* a mess; the kernel can actually be secured quite easily and lends itself to building secure ecosystems quite readily.

Yes, a compromised machine in an infrastructure is a problem, which is why you should always practice defense in depth. Plan for compromise and develop strategies for mitigation and detection.

It is not challenging for the NY Times to secure itself because it has so many resources at its disposal; it's a challenge because of its size and industry. You've got it backwards.

Relying on your staff to follow secure practices and to be 100% on board with security is a non starter, your staff has neither the time nor the inclination to become experts in secure operating practices. They were hired to do their jobs, the role of IT Security is to strike a reasonable balance between their ability to get work done and the risk of compromise. Again, this goes to defense in depth. Define security zones and profiles for those zones, enforce at zone edge, define practices for operating within zones. Be realistic.

This stuff needs to be drummed into the heads of the janitors... and if the NY Times doesn't directly employ their janitorial staff, the Chinese may have actual physical access to their servers already.

Janitors? I think that maybe you're too wrapped up in this narrative, what you're talking about isn't even realistic.
posted by iamabot at 5:04 PM on February 1, 2013 [3 favorites]


I'm surprised that the New York Times doesn't make its employees use two factor authentication.
posted by gsteff at 5:15 PM on February 1, 2013 [1 favorite]


"I have to use this stupid thing now? What does it even do. I lost my thing. I lost my phone. What even is this. I can't type the numbers fast enough. This is so dumb. You guys are paranoid. Why are you making it hard to read my email. Fucking IT, right? These six numbers you could hack them so easy just use a graphics card LOL. It costs HOW much? Does it support Word 2003? Why do we need... that thing, again? Two Fuzzy Authorization... Yeah that thing. I'm not going to modify my login page you do it. You made me change the thing and it crashed the site FIX IT NOW. IT COSTS HOW MUCH ARE YOU FUCKING KIDDING ME. I lost my thing again."

It's harder than you think.
posted by tracert at 5:34 PM on February 1, 2013 [13 favorites]


The article itself is interesting, but pretty common as far as these things go these days. The story isn't so much about the breakdown of front-line security at the Times as it is a story about the breakdown of the Times' security model and the controls around that security model, and that the Chinese government (apparently) views the Times' reporters and editorial staff as a rich source of intelligence.

It's also hard to tell how much of the security model broke; that the Times didn't suffer a loss of customer data seems to indicate that they had a breach on the enterprise side of the house and that it didn't extend into their production publishing infrastructure. Then again, the stuff they were after was likely the reporters' and editorial staff's comms. Who cares about stealing credit card numbers or changing an article or advertisement/etc when you're a nation state.

Typically enterprise infrastructure is broken into a few security zones, and quite typically the desktop/email part of it sits in a pretty insecure zone due to the hurdles associated with securing that kind of geography while not really impacting the users' ability to get stuff done and consequently generate revenue. The attack surface where enterprise users live is simply huge, and it's really hard to secure that consistently without impacting the jobs you hired all those users to do. So you just weigh the risks and plan with your model to mitigate and remediate. Then you hire people who aren't beholden to anyone to audit/investigate your pants off and report to your board on a regular basis.

There is some commentary upthread about two-factor authentication. The current methodology for most applications of two-factor is to have it at the network perimeter for all users and to enforce two-factor auth for all administrators of a given infrastructure. This is the case (generally speaking) for a couple of reasons:

1) Two-factor can be expensive from a commercial perspective - users historically have a higher rate of incidents needing help with it. The technology is pricey in and of itself. It gets in the way of users. Two-factor integration is often a pain in the ass and IT is a cost center.

2) Administrators offer a higher risk to the business if they are compromised (risk vs. reward); they tend to be more comfortable with the technology and don't generate support cases for themselves that are user error (broadly). It's pretty much industry standard (finally) to support authentication models for interactive infrastructure logins that support two-factor by default.

What you do see to mitigate the risk of all users not using two-factor for everything is a move towards single sign-on. Single sign-on does lots of things - their importance varies, but in this case it lets you control passwords and policy much more cleanly and watch authentications. It also enables your users - users are a notoriously innovative pain in the ass when it comes to getting around security controls that do not enable them to do their jobs. Turns out you actually have to work with them and make their lives easier if you want to improve the security model. Two-factor, for all of its drool-worthy security model enhancement, gets in the way.

Long story short, you apply the biggest hurdle for your broad population at the biggest risk point (your perimeter for users), and then implement controls from there. Then you implement that hurdle again at the perimeter to the next zone and redo a posture assessment aligned with the new zone's profile.
posted by iamabot at 5:35 PM on February 1, 2013 [2 favorites]
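The "six numbers" tracert's hypothetical user complains about, and the two-factor discussion above, rest on one small mechanism: a time-based one-time password (TOTP, RFC 6238) is an HMAC of a shared secret and the current 30-second counter, truncated to six digits. The following is an added example, not code from the thread or from any product it mentions. It implements the derivation with the standard library and adds a server-side attempt limiter, because a six-digit code space is only a million values and the defence against guessing is capping attempts, not the strength of the code itself. The secret used in the demo is the public test secret from RFC 6238; the lockout thresholds are constructed values for illustration.

```python
"""TOTP verification with clock-skew window and per-account attempt limiting.
Added example for this thread; not the NYT's or any vendor's implementation."""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per code, the RFC 6238 default
DIGITS = 6      # the "six numbers"


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it.
    Re-adds '=' padding because provisioning URIs commonly omit it."""
    clean = encoded.strip().upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 4 bytes at an offset taken from the digest."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP where the counter is the number of whole time steps."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock skew.
    compare_digest keeps the comparison constant-time."""
    if len(candidate) != DIGITS or not candidate.isdigit():
        return False
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), candidate)
        for d in range(-window, window + 1)
    )


class AttemptLimiter:
    """Cap guesses per account. With 10**6 possible codes and a 3-step window,
    an attacker who may try freely wins by volume, not by 'cracking' anything.
    Thresholds here are constructed for the example, not a recommendation."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user -> consecutive failures
        self._locked_until = {}  # user -> unix time the lock expires

    def attempt(self, user: str, secret: bytes, candidate: str, now: int) -> str:
        if self._locked_until.get(user, 0) > now:
            return "locked"
        if verify_totp(secret, candidate, now):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
            return "locked"
        return "rejected"


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at T=59:", totp(secret, 59))
    limiter = AttemptLimiter(max_failures=3)
    for guess in ("000000", "111111", "222222", totp(secret, 59)):
        print(guess, "->", limiter.attempt("alice", secret, guess, 59))
```

A reviewer's note on the design: the window of one step either side is what makes a slightly drifted phone still work, and it is also why a used code should be remembered and refused for the rest of that window (replay protection), something the limiter above does not do and a production verifier should.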


It's harder than you think.

Amen.
posted by iamabot at 5:36 PM on February 1, 2013


Apparently there are no rules for Internet espionage. Seriously, this is the part of this story that worries me the most. Folks associated with the Chinese military and universities have been hacking pretty much every kind of American enterprise for 3+ years now. They're regularly caught, and exposed, and everyone sort of shrugs and says "oh well! use better passwords next time!". At what point does this escalate to becoming a diplomatic problem?

(I'm not so naive as to think the US doesn't also hack foreign companies, although we seem to be getting caught less. The efforts we know about like Stuxnet are much more specifically targeted.)
posted by Nelson at 5:37 PM on February 1, 2013


At what point does this escalate to becoming a diplomatic problem?

It doesn't, because there is no diplomatic solution. You can't deal with technology problems with a diplomatic solution because it's not a static trade agreement, arms treaty/etc thing.

This is going to be a problem, from one source or another, for the foreseeable future. If your question is more along the lines of when the US government is going to impose sanctions/etc against nation states involved in this kind of stuff? They probably aren't, outside of some folks in Congress with a poor grasp of technology looking to make a name for themselves and pound their fists on a desk and act tough.

The solutions for this kind of stuff are far more likely to manifest themselves in government initiatives to sponsor public security research or to publish research they've already conducted, or to provide infrastructure security grants or tax incentives/etc.
posted by iamabot at 5:46 PM on February 1, 2013


Retaliation is the wrong word. Their email system had info on Chinese dissidents so the Chinese went after that data. Same reason they tried to hack GMail a few years ago.
posted by w0mbat at 6:06 PM on February 1, 2013 [1 favorite]


Why are these journalists so crap at computers? If you have stuff on your computer that you think the Chinese government wants to get at, don't connect that computer to the internet. Don't enable wifi. And don't open up random PDFs in your inbox on it.

Don't communicate with your sources using gmail, FFS.

Another good idea: use a virtual machine on something like VirtualBox to do your communication, then when you're done revert it to a previous snapshot. That way if any malware does get installed, it'll get erased as soon as you're finished with your session. There is still a slight risk that really sophisticated malware might 'notice' that it's in a VM session and take advantage of a security hole in the virtual machine itself, but that seems pretty unlikely. If you were even worried in that case, you could use a live CD to boot your computer and check your email. That way there's no way to install malware at all (other than overwriting the BIOS, I suppose).

But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China

..how much information can be gleaned from this? Or, is it just the fact that the connection was established? I'm imagining the ubiquitous hacking scene in the movie, with the guy saying "We're in to the ...thermostat...!"

As other people pointed out, it's not just a thermostat, it's probably a computer with a temperature sensor and outputs to control the AC/Heater. So if you have access to it you can use it like any other computer to get in past firewalls, etc.

Yeah, but there's a balance between security and usability/living a normal life. There are always extra security measures I could take to prepare for eventualities, but at some point securing everything for every conceivable attack makes life unbearable.

Um, hello, the level of security you need depends on the level of threat. Most people don't have teams of highly paid hackers trying to break into their thermostats, and some people do. Those people need to take extra steps to keep their stuff secure, or it's going to get hacked. The tradeoff isn't going to be the same for everyone.

Just ask Paula Broadwell how much not encrypting her love letters helped her live a "normal life". Oh wait, her life was totally ruined because of a failure to follow a few simple steps that would have just taken a few extra minutes out of her day.

The thing is - you can have one computer that you use 'normally' for your day to day stuff, and another, separate computer that you use for corresponding with informants in the Chinese government.

Apparently there are no rules for Internet espionage. Seriously, this is the part of this story that worries me the most. Folks associated with the Chinese military and universities have been hacking pretty much every kind of American enterprise for 3+ years now. They're regularly caught, and exposed, and everyone sort of shrugs and says "oh well! use better passwords next time!". At what point does this escalate to becoming a diplomatic problem?

What makes you think we're not doing the same thing to them? The fact that they're not crying about it to local reporters?
posted by delmoi at 6:21 PM on February 1, 2013 [3 favorites]


"It doesn't, because there is no diplomatic solution. You can't deal with technology problems with a diplomatic solution because it's not a static trade agreement, arms treaty/etc thing."

Couldn't they make some kind of diplomatic solution? I guess there's little chance of getting all the nations to sign on at this point, after the benefits of state sponsored hacking have become apparent, but is the problem really impossible to regulate?
posted by Kevin Street at 6:23 PM on February 1, 2013


iamabot: Janitors? I think that maybe you're too wrapped up in this narrative, what you're talking about isn't even realistic.

Do you have any clue at all? I mean, this stuff is junior grade admin material; physical access to the servers trumps all other security measures. Black hats and corporate espionage have both used janitorial services to do this kind of spying for a long time. Any kind of company that plausibly would need access to the target's offices can work; I've seen hackers dress up as telephone repairmen. But almost everyone uses janitors, so they're a primary weakness for most corporate security.

This isn't particularly unusual, but you don't read about it that much, because the targets either don't even know they were penetrated, or are too embarrassed to bring it to the media.

China's got all the money in the world, we have evidence of massive, semi-coordinated break-ins at multiple major media companies, and you're pooh-poohing the idea that they might bribe a janitor?

I really hope you're not in charge of security for anyone. If you are, they're being poorly served.
posted by Malor at 6:40 PM on February 1, 2013 [4 favorites]


Do you have any clue at all? I am questioning your familiarity with the business decisions of a large enterprise and their ability to co-locate servers in a datacenter that passes a routine SAS70 audit. If you're trying to emphasize the need for physical security, make the point, but your janitor illustration is pretty out there in relationship to a modern enterprise. I'm sorry if you don't recognize this. You can go back to your paperback spy novels now.
posted by iamabot at 7:14 PM on February 1, 2013


ITT: infosec people hate each other
posted by 3mendo at 7:18 PM on February 1, 2013 [3 favorites]


Meanwhile, on the twitters:

http://blog.twitter.com/2013/02/keeping-our-users-secure.html
posted by iamabot at 7:21 PM on February 1, 2013


Couldn't they make some kind of diplomatic solution? I guess there's little chance of getting all the nations to sign on at this point, after the benefits of state sponsored hacking have become apparent, but is the problem really impossible to regulate?

So it's not that you couldn't strike an agreement not to compromise or extract data from each others systems, it's just that there are so many avenues to conceal yourself that it's impractical to enforce. From a practical perspective it would be a waste of time, although that hasn't stopped politicians from wasting time or posturing previously.
posted by iamabot at 7:43 PM on February 1, 2013


Define security zones and profiles for those zones, enforce at zone edge, define practices for operating within zones. Be realistic.

Can you get a hell yeah? Because hell yeah!

ITT: infosec people hate each other

Trust the network boundary admins. The guys who look at traffic moving from one network to another. We see shit running across our firewalls that would make your brain bleed... the worst of it is that it happens because some application security guru or other sneers at us when we tell them a janitor with a screwdriver can undo their entire infrastructure.

(Also, never trust a tiger team without someone younger than 25 and older than 55.)
posted by Slap*Happy at 7:51 PM on February 1, 2013 [1 favorite]


Man, you infosec guys. You guys are the reason I have to use ssl or ipsec for every web service call or db connection, have to deal with 4 damn zones so I can't even talk to the SQL server or NAS from our web servers, and have to fill out a request form to whitelist any outside site I need access to. Jokes is on you cuz us application developers will just move stuff to AWS or Azure, where you have no control. Who wants to pay for cooling, generators, and space just so we can run a bunch of VMs we don't even have admin rights to anyway cuz you guys don't trust us.

I actually used to hear our CISO shouting at people about stuff like wall heights, number of man traps in the datacenters, garbage cans etc. It always tickled me that he would shout out detailed security info in a cube farm full of god knows who.
posted by Ad hominem at 8:10 PM on February 1, 2013 [2 favorites]


Jokes on you Ad hominem, who do you think designs that shiny compute you're using ;).
posted by iamabot at 8:15 PM on February 1, 2013


Can't catch a break. One of these days I'm going to join a startup, do everything in rails, set up continuous deployment and never worry about QC, engineering and management reviews or ISO anything ever again.
posted by Ad hominem at 8:26 PM on February 1, 2013 [4 favorites]


Jokes is on you cuz us application developers will just move stuff to AWS or Azure, where you have no control.

My last gig, and that was a firin'... and we got to watch, arms crossed, grinning, from the back of the room. Our audit teams are getting very, very, very good: lots of twitchy guys who get bent out of shape if their paper napkin at lunch isn't perfectly aligned.

Dude, we would send out regular phishing emails to our own guys, and if you got caught more than once, you had to go to remedial training. Get caught three times, and you get a firin', even if you were appointed by Someone Very Important, or did something (Allegedly) Very Unimportant. More, our tiger-teams do APT now, on us. I love it. I admit, I'm the guy on Starcraft who built a zillion siege tanks and missile towers and killed your Zealot/Zergling rush outright and then blitzed your base with spare SCVs. Turtle up.
posted by Slap*Happy at 8:29 PM on February 1, 2013 [1 favorite]
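Slap*Happy's internal phishing programme (repeat clickers go to remedial training, a third strike escalates) is a scoring problem once the simulation tool exports its events. The block below is an added example, not the commenter's tooling: it parses a constructed event log, counts at most one failure per user per campaign, maps the count to an escalation tier, and reports per-campaign click and report rates. The log format, campaign names and thresholds are assumptions made for this example.

```python
"""Score an internal phishing simulation from an event export.
Added example for this thread; the log lines below are constructed."""
import csv
import io
from collections import defaultdict

# Constructed export: one row per event. "delivered" marks who was in scope;
# "clicked"/"submitted" are failures; "reported" is the behaviour to reward.
SAMPLE_LOG = """\
campaign,user,event
2013-01,alice,delivered
2013-01,alice,reported
2013-01,bob,delivered
2013-01,bob,clicked
2013-01,carol,delivered
2013-01,carol,clicked
2013-01,carol,submitted
2013-02,alice,delivered
2013-02,bob,delivered
2013-02,bob,clicked
2013-02,carol,delivered
2013-02,carol,reported
2013-03,bob,delivered
2013-03,bob,clicked
2013-03,carol,delivered
2013-03,carol,clicked
"""

FAIL_EVENTS = {"clicked", "submitted"}


def parse_log(text: str) -> list:
    """Parse the CSV export into dicts with campaign, user and event keys."""
    return list(csv.DictReader(io.StringIO(text)))


def failures_per_user(rows: list) -> dict:
    """One failure per (campaign, user): clicking twice in one campaign, or
    clicking and then submitting credentials, still counts once."""
    failed = {(r["campaign"], r["user"]) for r in rows if r["event"] in FAIL_EVENTS}
    counts = defaultdict(int)
    for _, user in failed:
        counts[user] += 1
    return dict(counts)


def escalation(failures: int) -> str:
    """Tiers mirror the policy described in the thread (assumed names)."""
    if failures >= 3:
        return "escalate"
    if failures == 2:
        return "remedial-training"
    if failures == 1:
        return "reminder"
    return "none"


def campaign_metrics(rows: list) -> dict:
    """Per campaign: share of recipients who failed and share who reported.
    Report rate is the number worth driving up; a reported phish is one the
    security team can act on before the rest of the company clicks it."""
    delivered, failed, reported = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in rows:
        c, u, e = r["campaign"], r["user"], r["event"]
        if e == "delivered":
            delivered[c].add(u)
        elif e in FAIL_EVENTS:
            failed[c].add(u)
        elif e == "reported":
            reported[c].add(u)
    return {
        c: {
            "click_rate": len(failed[c]) / len(delivered[c]),
            "report_rate": len(reported[c]) / len(delivered[c]),
        }
        for c in delivered
    }


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for user, n in sorted(failures_per_user(rows).items()):
        print(f"{user}: {n} failure(s) -> {escalation(n)}")
    for campaign, m in sorted(campaign_metrics(rows).items()):
        print(f"{campaign}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
```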


Yeah, I'm much more security conscious than the average developer, it just rankles when I have to get the same sites whitelisted over and over. I put on my last "professional development" thing I was going to work towards a CISSP but who am I kidding, I do infosec training every six months and still forget all the stuff about the ISO standards by the next time.
posted by Ad hominem at 8:49 PM on February 1, 2013


Jokes is on you cuz us application developers will just move stuff to AWS

Good. Amazon has a decent security team. Competent security teams doing continual monitoring is a very real benefit of The Cloud™.
posted by GuyZero at 8:50 PM on February 1, 2013


Do you have any clue at all? I am questioning your familiarity with the business decisions of a large enterprise and their ability to co-locate servers in a datacenter that passes a routine SAS70 audit.

Yes, I'm sure you have your servers wonderfully well locked up. But not too many places I've seen have been especially careful with the workstations. All they need to do is put a day-0 exploit on a USB stick, bribe a janitor (or get a job as a janitor), stick it into a workstation, and they've got an APT in that network. You never know the bad guy was there, but he's through the firewall, and working on whatever your internal defenses are.

And are your satellite offices as well-defended as your main facility? Maybe you've got some domain servers out there to support those offices? It doesn't matter if your home citadel is fifty meters tall and 12 meters thick, if the French office can just have the drop ceiling tiles popped out to get into the server room.

This is, by the way, almost exactly how the US took down the Iranian uranium enrichment facility. They got a USB key onto the network, and that's all it took. Sneering at this is exceptionally stupid, since we've seen this actual attack method do hundreds of millions of dollars of damage. We don't know if it was a janitor or an inside person, but it doesn't actually matter.

Plus, you're describing Fortune-500 stuff. I'm talking about the New York Times, a newspaper. I doubt very much that their facilities are designed around compliance with security audits, since they're not exactly providing financial services to billion-dollar companies. And they're in pretty desperate financial shape. It strikes me as exceedingly improbable that they've been investing significant amounts into physical and network security.

If your company is huge and rich, you can partially mitigate against stuff like this. But it is not hard for state-level actors to get physical access to your network, possibly much more intimately than you believe. Scorning this just shows ignorance of established facts.
posted by Malor at 8:59 PM on February 1, 2013 [2 favorites]


I'm not trying to defend the Chinese in any way, but I wonder if the CIA hacks foreign news organizations.

If you work for the CIA and can confirm this, cough twice.
posted by mecran01 at 9:05 PM on February 1, 2013


I am questioning your familiarity with the business decisions of a large enterprise and their ability to co-locate servers in a datacenter that passes a routine SAS70 audit. If you're trying to emphasize the need for physical security, make the point but your janitor illustration is pretty out there in relationship to a modern enterprise. I'm sorry if you don't recognize this. You can go back to your paper backs spy novels now.

I didn't get the impression the thermostat was in a data center. Presumably getting into the offices would also help yield a ton of information as well.

Can't catch a break. One of these days I'm going to join a startup, do everything in rails, set up continuous deployment and never worry about QC, engineering and management reviews or ISO anything ever again.

Um, was that sarcastic? I... actually can't tell.
posted by delmoi at 10:26 PM on February 1, 2013


I'm a bit tired and may chime in on this more tomorrow, but a few points regarding the article and comments here...

First, it's kinda weird that the Times just published the "fact" that they use Symantec for AV - not all AV is created equally and I'm sure folks more plugged into that community know how responsive Symantec is to the ever-mutating code-identification challenge that is malware. I can only hope that by publishing that, it is no longer true (that they now have multiple AV engines for redundancy).

Second, there's this focus on calling these things (not just the Times breach) a "state-actor" or "state-sponsored" attack. Like, if Anonymous doesn't issue a communique it must be state-driven? If Chinese hackers are trained by the Chinese military, even a group of trained dissidents or independent non-state Chinese actors are going to have a similar footprint to one which is "sponsored" by the state. Maybe it's because we've all been indoctrinated to think of China in particular as this monolithic entity, but I think it's an assumption that should be challenged more often than it is.
posted by antonymous at 11:00 PM on February 1, 2013 [1 favorite]


Um, was that sarcastic? I... actually can't tell.

Just a little.

I don't really blame Rails for what seems like issues with Psych. The Psych guys have been debating it for the past month.
posted by Ad hominem at 11:58 PM on February 1, 2013


So it's not that you couldn't strike an agreement not to compromise or extract data from each others systems, it's just that there are so many avenues to conceal yourself that it's impractical to enforce. From a practical perspective it would be a waste of time, although that hasn't stopped politicians from wasting time or posturing previously.

If our government takes complaints anywhere past griping by the Department of State, all China has to do is laugh and say they're no longer going to sell computers in the United States. It's not like anyone else is making our gadgets.
posted by Blazecock Pileon at 12:15 AM on February 2, 2013


I wonder if major newspapers will ever develop counterintelligence teams.
posted by gsteff at 7:08 AM on February 2, 2013


I wonder if major newspapers will ever develop counterintelligence teams.

See the thing is, the NYT is part of a 3 billion dollar, 7000 employee, 2+ billion dollar revenue generating company. They already have a mature IT sec group; the reason they brought in an external team is because that's the standard response for this. Part of that post incident analysis will be enhancements to the security model or a rework of the frameworks they use. It will probably not involve insourcing their janitorial staff, however.
posted by iamabot at 8:37 AM on February 2, 2013


As a follow-up, the Washington Post has confirmed a breach as well, but much earlier - taking place in 2008/2009 and discovered in 2011.

Reading the text of the post today, I think "retaliation" probably wasn't a good word to use. "In connection with" would have been more accurate.

Also, I wrestled a bit with sourcing it as an attack by China in the post itself, despite the NYT attributing it to a state-sponsored Chinese attacker. Attribution for these types of attacks is hard in general, and it becomes even more difficult to pin it on a government/state actor. If it did originate in China, perhaps it was what's been called a "patriotic hacker" and nothing to do with the government. This is why I used the more generic term "China," despite it implicating the whole country in one fell swoop.
posted by gemmy at 9:36 AM on February 2, 2013


One of the problems with attacks coming from other countries, like China, is that you can never be sure if the attackers are bored teenagers, private investigators using shady methods, competing companies trying to steal secrets, or the state. And if you don't know who's responsible, diplomatic solutions won't get very far.
posted by ymgve at 10:15 AM on February 2, 2013


Ad hominem: "Can't catch a break. One of these days I'm going to join a startup, do everything in rails, set up continuous deployment and never worry about QC, engineering and management reviews or ISO anything ever again."

Security and sarcasm aside, I went from working for Big Pharma to RoR development for a web startup and I've never been happier. My only problem is that I'll often write a test only to have my boss/co-dev say, "Dude...overkill. You're not making medicine anymore." It's hard to break old habits but it's nice to have fun writing code that has no possibility of killing anyone if it's wrong.
posted by double block and bleed at 2:50 PM on February 2, 2013


Malor: "physical access to the servers trumps all other security measures."

A number 1 rule of computer security - If you can get to the box, you own the box. This I know from experience from helping people unlock boxen they have forgotten the keys for.
posted by Samizdata at 3:42 PM on February 2, 2013


Sangermaine: Yeah, but there's a balance between security and usability/living a normal life. There are always extra security measures I could take to prepare for eventualities, but at some point securing everything for every conceivable attack makes life unbearable.

Just because security by inconvenience is the flavor of the day, that doesn't mean it has to be that way. Good security is as effortless and automated as possible to the end user. Encryption should be automatic across the network. Encryption should be the norm and not the exception. Centralize authorization for all but the most sensitive systems with something like OpenID so the user only has to log in once for all resources. Use CorrectHorseBatteryStaple passwords instead of asinine impossible to remember ones. If it's not important enough to secure, then it's not important enough to put on the network. Train and test users against social engineering hacks. Prioritize contractors who prioritize security, instead of by lowest bidder standards, and hold them accountable to patch holes for the lifetime of the system.
posted by Skwirl at 6:52 PM on February 5, 2013 [1 favorite]
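Skwirl's "CorrectHorseBatteryStaple" point has a concrete mechanism behind it: a passphrase of words drawn uniformly from a list carries log2(list size) bits per word, so a few common words can match or beat a short random string of symbols while being far easier to remember. The block below is an added example, not from the thread or any project it names. It generates diceware-style passphrases with the OS CSPRNG and computes the entropy comparison; the 32-word list is a constructed stand-in (a real deployment would use a published list such as the EFF's 7776-word diceware list, whose size is used in the calculations only as a number).

```python
"""Diceware-style passphrase generation and entropy accounting.
Added example for this thread; WORDLIST is a constructed toy list."""
import math
import secrets

# Constructed 32-word list: 5 bits per word. Real lists are 7776 words
# (~12.9 bits per word); the functions take the list size as a parameter
# so the arithmetic below works for either.
WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bridge", "candle",
    "desert", "engine", "falcon", "garden", "harbor", "island", "jacket",
    "kettle", "lantern", "marble", "needle", "orange", "pepper", "quartz",
    "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zipper", "copper", "meadow", "pillow",
]


def dice_index(n_dice: int = 5) -> int:
    """Classic diceware selection: n_dice rolls of a six-sided die give a
    uniform index in [0, 6**n_dice). secrets.randbelow draws from the OS
    CSPRNG; random.random() would be predictable and must not be used here."""
    idx = 0
    for _ in range(n_dice):
        idx = idx * 6 + secrets.randbelow(6)
    return idx


def passphrase(n_words: int = 4, wordlist=WORDLIST, sep: str = " ") -> str:
    """Draw each word independently and uniformly; repeats are allowed
    because excluding them would reduce entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a passphrase of n_words uniform draws from list_size words."""
    return n_words * math.log2(list_size)


def char_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a truly random character password (the upper bound; human
    chosen 'P@ssw0rd1' style passwords carry far less)."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count reaching target_bits from a list of list_size words."""
    return math.ceil(target_bits / math.log2(list_size))


def guess_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected offline guessing time: half the space at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print("sample passphrase:", passphrase(4))
    print("4 diceware words (7776 list): %.1f bits" % entropy_bits(4, 7776))
    print("8 random printable chars (94):  %.1f bits" % char_password_bits(8, 94))
    print("words for 64 bits from 7776:", words_needed(64, 7776))
```

The comparison the block prints is the whole argument: four words from a 7776-word list (about 51.7 bits) sit right beside eight truly random printable characters (about 52.4 bits), and only one of the two survives a user trying to remember it. The guess-time helper exists to show that the number that matters is bits against the attacker's offline rate, not the presence of symbols.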


The Ultimate Invasion of Privacy: How a Chinese hacker used my private nickname, personal emails, and sensitive documents to try to blackmail me.
posted by homunculus at 3:42 PM on February 10, 2013 [1 favorite]


U.S. said to be target of massive cyber-espionage campaign
posted by homunculus at 2:33 PM on February 11, 2013


It's too bad there isn't an easy way to use good encryption to communicate with each other.

Serendipitously, just came across this article on a new crypto program.

disclaimer: I am not connected to Slate or Phil Zimmerman
posted by mecran01 at 8:28 AM on February 14, 2013


Business Week is apparently doing a series on Chinese Hacking
- Yes, the Chinese Army is Spying on You Business Week cover.
- A Chinese Hacker's Identity Unmasked
- Close, but not quite hacked
posted by gemmy at 10:03 AM on February 14, 2013


Just the tip of the iceberg. CyberSquared blog about the groups active in the media hacking.
posted by gemmy at 6:52 AM on February 15, 2013


A Chinese hacker's identity unmasked -- "Cloaked by malware, aliases, and misspellings, computer spies are usually invisible. This one made a mistake."
posted by ericb at 8:37 AM on February 15, 2013


Apple, Mac computers hit by hackers who targeted Facebook
posted by homunculus at 11:07 AM on February 19, 2013


New thread.
posted by homunculus at 11:10 AM on February 19, 2013

