New York Times Hacked by China

The New York Times hack was big news last week, and I spent a lot of time doing press interviews about it. But while it is an important story -- hacking a newspaper for confidential sources is fundamentally different from hacking a random network for financial gain -- it's not much different than GhostNet in 2009, Google's Chinese hacking stories from 2010 and 2011, or others.

Why all the press, then? Turns out that if you hack a major newspaper, one of the side effects is a 2,400-word newspaper story about the event.

It's a good story, and I recommend that people read it. The newspaper learned of the attack early on, and had a reporter embedded in the team as they spent months watching the hackers and clearing them out. So there's a lot more detail than you usually get. But otherwise, this seems like just another of the many cyberattacks from China. (It seems that the Wall Street Journal was also hacked, but they didn't write about it. This tells me that, with high probability, other high-profile news organizations around the world were hacked as well.)

My favorite bit of the New York Times story is when they ding Symantec for not catching the attacks:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times ­-- which uses antivirus products made by Symantec ­-- found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

Symantec, of course, had to respond:

Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.

It's nice to have them on record as saying that.

EDITED TO ADD (2/6): This blog post on Symantec's response is really good.

Posted on February 6, 2013 at 6:36 AM • 55 Comments

Comments

SimonFebruary 6, 2013 6:57 AM

You would be forgiven for expecting more from Symantec after years of reading their "white papers." Oh, NOW they claim you're on your own.

Summer 2012 I witnessed a Trojan blow right through Symantec everything latest updates and all on a workstation in a heavily fortified enterprise network at a major corporation in the NE. It was fully two months later that an update mentioned the virus and Symantec issued a description of it and why it could not be extricated.

I'm not picking on Symantec. I just can't stand journalists who claim vitamin C cures disease and two years later write how stupid everyone is to believe that vitamin C cures disease.

Atavia JonesFebruary 6, 2013 7:13 AM

Blacklist based signature AV that is designed only to catch previously caught malware has never been adequate. But, it has been a huge money maker for those companies.

They have done a lot over the years to argue against heuristic technology designed to discover new or undiscovered malware. One of my "favorites" was when the AV companies collectively ripped into Consumer Reports for daring to create their own malware to test their systems against.

They were angry not because it showed their software is useless, but because Consumer Reports broke the line and created malware making them virii authors. (Right.... )

Thankfully, there are companies that are coming out with zero day malware detection and prevention, but the signature, black list based big name AV companies are not among them.

No business is too big to become obsolete.

Atavia JonesFebruary 6, 2013 7:37 AM

On Bruce's paper linked to this...

The reason the US Government knows the Chinese is behind a lot of these attacks is from human intelligence.

Yes, you do not hear about that in the news reports. That is always the most important source to protect.

Yes, many in the gov and corporate say it is from China because that is where they track it back to.

But there is a reason our government is so bold at the highest levels to insist on putting pressure on China.

Even journalists have had human sources on these stories in the past.

So, I have to disagree with this, though I appreciate the criticism. The Chinese government has long been recruiting, training, and funding hackers.

There likely are plenty of amateurs in the mix, but many of these are not.

It can seem difficult to fathom that this is CN gov, because "espionage" is supposed to be secret. But, it is working for them, and much of their work is secret. That the strategy works is what matters, not that it offends historical ideas of "what is good tradecraft".


SimonFebruary 6, 2013 7:52 AM

@Atavia Jones - companies are made up of people and if all the know-it-all's get to play it safe and blame everything on users then users get to blame the know-it-all's. Security has become a personality parade. A few days ago a column appeared on Google News from elsewhere and in it the author cast doubt on the NYTimes attacks because 'experts' had not seen the logs, etc. Note the repulsive reference to some kind of brotherhood of experts which doesn't really exist. And the 'experts' he was referring to? A self-serving know-it-all working from a virtual office in Atlanta. What good did that do?

How ironic one writer casts doubt on the attacks because (his friend got his toes stepped on) the NYTimes didn't disclose enough but others laugh at how voluminous the NYTimes reports were.

spiesFebruary 6, 2013 8:41 AM

NYT was writing about corruption in the Chinese gov, naturally the gangsters that run the country wanted to find out who the sources were so they could plug the leak with some very unpleasant interrogation no doubt.

ItWasntMeFebruary 6, 2013 9:09 AM

What Shniener, CSO and the always credible NYT fail to mention is that they are also running an older version of Symantec. Of course they also use several other security vendors for their 'network protection', all of which somehow failed to block the hack or detect the intrusion but the only product called out by the NYT's seems to the old version of AV they are using, because we all know it couldn't be that their security staff could be to blame, it must be a vendors fault. As security experts we all know that old versions of AV on the desktop are the best defense against Chinese hackers. Are you people serious? Who is throwing who under the bus?

AlFebruary 6, 2013 9:22 AM

Best comment on Symantec that day:

Symantec®: If Our Software Didn't Work, It's Because You Didn't Buy Enough of Our Software.™

— Merlin Mann (@hotdogsladies) February 1, 2013

RandyFebruary 6, 2013 10:00 AM

From the NYT hacking expose:
"More evidence of the source, experts said, is that the attacks started from the same university computers used by the Chinese military to attack United States military contractors in the past."

Ummmm...I think someone should protect *these* university computers better.

Randy

SimonFebruary 6, 2013 10:01 AM

OK here we go:

1) It must have been an older version you were running. If you didn't get the 123.45.62756 on 8/11 that must be the reason. You would know it if you did, because it takes an hour and a half to download then install.

2) Are you running any third-party apps?
That must be the reason.

3) Did anyone in your organization send or receive any Emails or get on the Internet even once? That must be the reason.

RandyFebruary 6, 2013 10:12 AM

Re: US Chamber of Commerce break-in...But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China.

How do you stop attacks on these internet connect devices besides updating firmware. And I wonder if that's even an option for a *thermostat*. Is this a new market for AV vendors?

Randy

RandyFebruary 6, 2013 10:19 AM

And finally, why didn't the NYT involve Symantec?

They did consult with another experienced firm, Mandiant, but I wonder if Symantec would have been able to help once the NYT noticed that the Symantec AV wasn't as effective as it should have been.

Randy

timFebruary 6, 2013 10:27 AM

@Randy

Symantec isn't a security company. They are a software and services company which bought security companies and then preceded to poorly integrate them. It goes all the way back to their purchase of Axent and ruining an excellent firewall product.

John SchillingFebruary 6, 2013 10:31 AM

If, per Selby, vaguely-described compliance frameworks are forcing companies to blow their entire security budgets on inadequate signature-based AV, shouldn't at least some of the scorn and opprobrium be directed at the "compliance frameworks"? Or, for that matter, whoever is demanding security but not providing an adequate budget.

If someone makes a rule requring people to buy a mostly-worthless product, I find it hard to see what a responsible supplier is supposed to do beyond offering the mandated worthless crap, also offering the genuinely useful alternative, and saying "If you want real protection, we recommend you buy both".

MxyzptlkFebruary 6, 2013 10:36 AM

it's not much different than GhostNet in 2009, Google's Chinese hacking stories from 2010 and 2011, or others

Do we know this? Aurora led to Google banning Windows from its workplace. And Ambinder advices in the aftermath, "don't use Windows."

But it's difficult to imagine that the NYT offices and staff not being dominated by OS X. Is there any word yet on which OS was undermined by the drive-by spear-phishing. I assume it was a Windows/Internet Explorer vulnerability, but it would be good to know this. What were the vulnerabilities that were exploited as the APT moved through the offices? Which mail server does the NYT use?

wiredogFebruary 6, 2013 10:43 AM

Washington Post, too.

So how long do you figure before the Chinese astroturfers come here to claim that there is no real evidence the attack came from China and this is a smear campaign and its really a US Plot?

Nick PFebruary 6, 2013 10:44 AM

I posted about these attacks on Brian Kreb's Washington Post article. Someone challenged my claim that INFOSEC best practices and my periodic recommendations would have prevented it. My response below.

“They suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install “remote access tools” — or RATs. Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.” (news story)

"I’ll let you take a guess or two. Let’s just say this kind of thing hasn’t caused problems for me or anyone taking advice from me for years. There’s more ways to prevent, detect, and/or contain attacks like that than I can go into in one post. I’m sure you’re using one or more of them. ;) " (me)

FigureitoutFebruary 6, 2013 2:05 PM

I encourage readers to jump on over to krebs w/ link provided by @wiredog, good thread.

From CSO Online RE: Symantec:
reads the innuendo-packed weasel-fest that sounds like it was written by a large, ad-hoc committee of flacks, hacks, lawyers and brand and communications-crisis consultants
--Keep calling out this insincere garbage please so companies will hire more hackers and not PR.

JohnJFebruary 6, 2013 2:52 PM

So a spear phishing attack resulted in malware installation & proliferation ultimately leading to data leakage.

Spam filter - fail.
User awareness training - fail.
User running privileged account (can install software) and/or no app white/black listing - fail.
AV missed the malware - fail.
Network permissions allowed malware to spread - fail.
Data exfiltration ocurred - (DLP) fail.

I don't care to cut Symantec any slack but it seems there are failures, or at least weaknesses, throughout the NYT's infrastructure & InfoSec program.

Eric HackerFebruary 6, 2013 4:29 PM

So the NY Times was ripped apart by velociraptors that their deer fence didn't stop because they didn't have velociraptors as a threat in their risk worldview. The fence vendor, who makes all kinds of fences, says well, yeah those deer fences aren't meant to stop velociraptors, we could have sold you a velociraptor fence if that's what you felt you needed. And the blogosphere goes ballistic?

The biggest mistake being made here is a failure of the blogoshpere to understand risk management.

The NY Times, being in the business of making money, must not spend money on security they don't need. Until this incident, one would probably be hard pressed to sell to management that they needed to worry about velociraptors (Nation State level attacks). A deer fence was good enough. When the NY Times heard that velociraptors might be interested in them, they reacted by keeping a better eye on things and they got to watch the velociraptors shred their deer fences.

It was unfortunate that the NY Times reporter mentioned the deer fence manufacturer in a way that made it seem like folks should expect deer fences would stop a velociraptor and somehow the manufacturer should take some blame. It should not be surprising that the fence manufacturer might want to clear up the facts a bit.

The negative blogoshpere reaction by supposed security experts is just shameful. The Register piece seems balanced, but the CSO piece is embarrassingly naive. It completely ignores risk management and the need to prudently purchase the appropriate level of security to manage the risk at hand. Selby writes as if everyone should have the same level of security implemented and a vendor's product portfolio needs to protect everyone from velociraptors. Many other folks seem to have the same attitude.

Well, I disagree. I will be building some new garden beds this spring. I am planning an array of technologies to help ensure I get the harvest and not my neighborhood critters, including deer fencing. But if a velociraptor happens by...

DougFebruary 6, 2013 8:03 PM

The NYT article was written in the full knowledge that the malware authors would be reading it. So how many of the 'details' can we trust?

Nick PFebruary 6, 2013 9:02 PM

@ Erik Hacker

"The Register piece seems balanced, but the CSO piece is embarrassingly naive. It completely ignores risk management and the need to prudently purchase the appropriate level of security to manage the risk at hand. "

I agree. I rarely look toward publications like CSO because of such issues. Of course, you brought up risk management perspectives without giving one that applies here to judge NYT by.

"So the NY Times was ripped apart by velociraptors that their deer fence didn't stop because they didn't have velociraptors as a threat in their risk worldview. The fence vendor, who makes all kinds of fences, says well, yeah those deer fences aren't meant to stop velociraptors, we could have sold you a velociraptor fence if that's what you felt you needed. And the blogosphere goes ballistic?"

" I am planning an array of technologies to help ensure I get the harvest and not my neighborhood critters, including deer fencing. But if a velociraptor happens by..."

That is a poor metaphor. The newspapers were hit with the same kinds of attacks we've been seeing for years now. These are attacks they themselves have been reporting on. There's quite a few countermeasures available. They were just using AV. Attackers also came in through University connections for at least one news organization. The access they achieved from there seem possible only if basic network segmentation, defense and access control were in poor shape.

Velociraptors weren't even necessary. Most hackers don't have access to a flock of them anyway (or the metaphorical equivalent). They just move on to an easier target.

@ Doug

"The NYT article was written in the full knowledge that the malware authors would be reading it. So how many of the 'details' can we trust?"

They couldn't do basic network defence. Yet, they can fake a network breach account? Well, they are writers. It is definitely possible. The more likely option is that this breach that sounds pretty typical is what it appears to be.

JonasFebruary 7, 2013 1:59 AM

> "The newspaper learned of the attack early on, and had a reporter embedded in the team as they spent months watching the hackers and clearing them out."

I hope no one believes this kind of ass covering! There is no benefit in "watching" hackers in your system; it will only get worse. I would say it took them months to fight back and all they could do is watch. "Reporters embedded" - ah so the whole office watched over the shoulder of the overwhelmed sysadmins...

And I agree with @Eric Hacker!

How comes, everyone accepts the statement that they were Chinese? You can never be sure of that... I bet there are enough people in the US with the same interest in press internals, with equal skill set and the ability to publicly blame other nations. Of course it all makes sense with the Chinese - just keep in mind that nothing is certain.

neillFebruary 7, 2013 5:44 AM

" ... protection against new and unknown threats ... "

does NOT exist. you have to observe and analyze, then you can provide other users with updates to protect them

i do NOT work for symantec et al., however i have seen enough cases where "regular" users were warned or blocked from opening files, installing apps etc

so for the wide majority of users (non-domain-admin-non-computer-science) it is indeed better to have some AV program than none, better have a 10 % detection than 0 %.

especially journalists that work with anonymous, secret sources have to open files from unknown senders in a variety of file formats.

Atavia JonesFebruary 7, 2013 6:38 AM

@Neil: On no protection against new and unknown threats, and comparing a proof of that to buggy software systems which unfairly block users...

The comparison is unfair. Heuristics can be done without such ham fisted methodology.

I think anyone in IT can list such products they already own, I would hope so, such as the anti-exploit tech in modern Windows OS, or in their browser... and hopefully, in their IPS solutions...

Good paragraph from Jon Oltsik at Network World :

" If your organization is not evaluating or implementing Advanced Malware Detection/Prevention (AMD/P) solutions from vendors like Damballa, FireEye, Malwarebytes, Sourcefire, or Trend Micro, then you deserved to be hacked. I’m not suggesting that any of these tools is a panacea but all are designed specifically to find, block, and let you know about advanced malware. Some combination of these tools should be a first step for all vulnerable or targeted organizations."

WinterFebruary 7, 2013 6:42 AM

"So the NY Times was ripped apart by velociraptors that their deer fence didn't stop because they didn't have velociraptors as a threat in their risk worldview. The fence vendor, who makes all kinds of fences, says well, yeah those deer fences aren't meant to stop velociraptors, we could have sold you a velociraptor fence if that's what you felt you needed. And the blogosphere goes ballistic?"

Completely wrong metaphor. For one thing, velociraptors are extinct and would most likely not be a match for modern mammals. You should think a "fox&dog fence" versus "tigers, lions, and wolves".

The AV firms sells SECURITY PRODUCTS to secure my hen house. If they sell me a fox fence and tells me it makes my hen house secure in an area where tigers, lions and wolves roam then I have all right to expect that it also secures me against those threats. If not, the firms should make that completely clear.

Symantec are the ones that know how their products work. It is proprietary and they have the expertise.

The NYT is a newspaper, not a security outlet. If Symantec now claims you need high level expertise to apply their products, they should say so in their marketing material.

Atavia JonesFebruary 7, 2013 6:47 AM

@Jonas:"How comes, everyone accepts the statement that they were Chinese? You can never be sure of that... I bet there are enough people in the US with the same interest in press internals, with equal skill set and the ability to publicly blame other nations. Of course it all makes sense with the Chinese - just keep in mind that nothing is certain."


Because the evidence is consistently overwhelming year after year.

China has turned the minds of most skeptics over these past ten years of unrelenting assaults against every quarter of corporate and defense.

Hacking journalists, even all our primary journalist outlets, of course! Go China! That really wins them PR here.

Of course, hacking human rights groups and free speech advocates already got Western journalists against them.

China does not care. While they are by no means any North Korea, in this activity they act like it. Nobody can stop them. They know it. We know it. What can we do, sanction China?

If you are in IT Security in the West, heck, anywhere on the planet, and your organization has not been hacked by China, you know someone's organization who has. They are that prolific.

I am sure the money being poured into breaking into China's many holy sanctums globally, of course, is massive. And I am sure the amount of money going globally to their many moles is massive.

But, most countries have no reason to otherwise hack China back because China steals technology, they rarely innovate (anymore).

Days of inventing kung fu and gunpowder for China, I suppose are dead.

Of course, if they became more free, they would be highly innovative. But pirates never innovate. It is a completely different mindset.

WinterFebruary 7, 2013 6:47 AM

"especially journalists that work with anonymous, secret sources have to open files from unknown senders in a variety of file formats."

I think in such circumstances there are a lot of precautions you should take. not storing names of contacts on the newspaper's network would score very high on that list.

Atavia JonesFebruary 7, 2013 6:54 AM

@JohnJ: "I don't care to cut Symantec any slack but it seems there are failures, or at least weaknesses, throughout the NYT's infrastructure & InfoSec program."

Very true. Signature based, blacklist AV should be one part of a robust security program. Their opinion and blame laying belies the fact that their organization clearly was not paying for security internally as they should have been.

As too many organizations do not do.

Really unless an organization is hacked or has some onerous regulations demanding it... companies do not do security. They can see physical security controls and threats so they can get that. But they can not see cyber security controls and threats. So they tend to not get that... though the unseen dangers far, far outweigh the seen these days.

WinterFebruary 7, 2013 7:02 AM

"China does not care."

I think they do, at least part of "China".

Historically, China has never been one monolithic state. So, the "administration" might care a lot, but the "military" might not care about the PR, nor about what the administration in Beijing think. And there are other power centers.

Atavia JonesFebruary 7, 2013 7:10 AM

@Simon: on biased experts and the like...


Yep, there is enormous bias, all around, and I am not at all surprised to hear of such a biased article.

The majority of the planet, of course, lives under an enormous blanket of delusion -- and there is enormous logical evidence supporting those delusions.

People are forced to operate in an unconscious, instinctual level under such circumstances. They deal with higher truths about their state of being on a level far removed from their conscious.

The kind of biased reaction you speak of reminds me of politically extreme hackers who are on the fringes of the industry. They are basically as anyone in the darkest corners of the abyss, in deep denial of any evidence that comes out regardless of how clear it is that might go against their deeply entrenched world view.

Atavia JonesFebruary 7, 2013 7:33 AM

@Winter: Historically, China has never been one monolithic state. So, the "administration" might care a lot, but the "military" might not care about the PR, nor about what the administration in Beijing think. And there are other power centers.


Yep... I tend to label it as "China" at times just to get at the goats of those there who do care.

Horrible manipulative tactic.

@Jonas: Thinking more on the idea that all of these global attacks not being from China as you suggest...

You could be right.

Only China would really know that.

Of course, believing this would be on the level of believing in ghosts, demons, and angels. Which is patently absurd.

Believing these global attacks are really a cunning program of the US is far more absurd then believing in shinigamis. :-)

Patrick G.February 7, 2013 7:55 AM

A question to some of the knowledgeable people here:
Now how do you protect your private company with thousands employees with high demand for mobility & utility from high-effort, high-sophistication, precision-targeted cyber attacks with proper funding and an able team?

I somehow doubt that any software or degree of ISO-certified employee-training or even the best IT wizards you could buy for the highest budget you could afford would protect your Newspaper without totally crippling your employees' ability to get their work done.


P.S.: As someone mentioned before, I would be careful with the "Blame the Russians" eh "Blame the Chinese" approach, it's hard to pinpoint such attacks.
And some parties may have reasons to make it look like someone else did the job. And if you are able/equipped to pull of such a hack, I would guess you would be able to route your traffic through every country you desire.
Of course we will never know for sure...

WinterFebruary 7, 2013 7:58 AM

"Now how do you protect your private company with thousands employees with high demand for mobility & utility from high-effort, high-sophistication, precision-targeted cyber attacks with proper funding and an able team?"

How do you secure access to the buildings? And how do you secure cash flows?

I would start with hiring employees with experience and know-how. I would most certainly NOT start with buying products.

WinterFebruary 7, 2013 8:43 AM

This I do not understand in the original report:
"Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times’s newsroom."

How were these passwords stored that they could be stolen?

Atavia JonesFebruary 7, 2013 9:23 AM

@PatrickG On the skepticism this is Chinese...


Could be an army of spirits behind all these global attacks these past fifteen years cleverly blaming one state actor or another seamlessly simply for some unknown, higher agenda.

Perhaps a campaign of false flag operations enacted by heaven.

Otherwise, occam's razor is that these countless attacks seamlessly attributed to China over the years really are from China. With maybe a tiny, tiny percentage piggybacking on.

It is dangerous stuff, however, because it is easy these days for an entity to create a false attack and make it appear to be a nation state... such a well performed attack could have severe consequences for the world.

Brandioch ConnerFebruary 7, 2013 9:46 AM

@Patrick G.

A question to some of the knowledgeable people here:
Now how do you protect your private company with thousands employees with high demand for mobility & utility from high-effort, high-sophistication, precision-targeted cyber attacks with proper funding and an able team?

1. Understand that you WILL be cracked. No matter how good you are, you cannot micro-manage every user every time they do something risky.

2. Because of #1, use internal segmentation to prevent successful attacks from gaining additional access.

3. Actively monitor for evidence of successful attacks. Use intrusion detection. Use internal honeypots. Read your logs. Why is Alice's workstation scanning the network for openings on port 23?

4. Limit what software can be run on the systems and who has the rights to install software.

5. Actively monitor the software on your systems. Not just the systems you think might be infected.

I somehow doubt that any software or degree of ISO-certified employee-training or even the best IT wizards you could buy for the highest budget you could afford would protect your Newspaper without totally crippling your employees' ability to get their work done.

In my experience (everyone else's may be different) the only "crippling" is when software/hardware becomes a status issue. The average employee uses the installed software to do their jobs (mostly data entry of some form and content creation with word processing and spreadsheet programs).

Jarrod FratesFebruary 7, 2013 9:58 AM

@Winter: The passwords could have been obtained any number of ways. The most likely way is gaining access to the domain controllers, grabbing all of the password hashes and then cracking them. Most would have fallen, especially if older hashes were also stored (the default in almost every environment).

However, it's also possible that they used a single-sign-on system that stored the passwords encrypted (but not hashed) in a database somewhere. All they had to do was find the encryption key and that database, and they'd have everything, no matter how complex it was.

Lotus MarketingFebruary 7, 2013 10:30 AM

@Doug

I agree, they are showing us what they want them to see. Anyway, the title was pretty brutal, accusing china of attacks against them. Wars are starting to get online instead. It's a good news, less death.

Nick PFebruary 7, 2013 11:11 AM

@ Patrick G.

Brandioch Conner's comments are right on the money about expecting user failure, segmentation, monitoring and application control. Here's a random assortment of other possibilities.

1. For mobile, ensure work and play are on different devices. Recently, groups like OK Labs virtualize phones for same reason. Follow mobile best practices, optionally using industry solutions, to protect the content on the device and secure its access to the network.

2. Use OpenBSD for the firewall/routers or critical services. Run them on a non-x86 platform if possible. Almost all malware targets Intel architectuers. If your non-Intel & you don't advertise that, then all their malware will just mysteriously fail to work if it's below the application level of OSI. Additionally, some SOC's have hardware features that can boost security/availability.

3. Optionally, run critical services on System i, AIX or OpenVMS. These have excellent uptime, manageability and security profile. Very few vulnerabilities in their history. IBM also has PowerVM hypervisor and OpenVMS IntegrityVM, respectively.

4. Use bump in the wire style IDS. Make sure it doesn't advertise its presence. Make sure it's robust. Maybe use separate LAN for management/security than data/apps.

5. Consider a thin client architecture, virtualized Linux desktops, Argus PitBull-style trusted OS's, or Windows Sandboxie for reduction of risk at the user's application level.

6. My network designs add a robust embedded firewall between each user PC and the network. (inspired by Boeing & BLACKER) The firewall is configured by the admin. It does the usual stuff along with monitoring, rate-limiting and implementing end-to-end VPN's for each node. This can restrict the damage a compromised node can do. It also restricts what it can see. The router should have crypto acceleration and plenty of performance. Many inexpensive boards have this now. The EFW can be a dirt cheap board.

7. Devise and train users on a classification scheme. This creates different labels representing the potential damage that a given piece of information can do. For example, Public might mean harmless information that shouldn't be protected. Confidential-HR is a sensitive piece of information with a label indicating only HR people should have it. Solutions like Trusted OS's and document lifecycle management systems may help. Much can be scripted too.

8. Apply updates regularly. Make backups. Make the backups when the main OS isn't running if possible so malware can tamper with it. Backups should go to a dedicated, hardened, highly monitored machine. The backups should also be stored on write-once media so they can't easily be altered. The various nodes on the network should be set up such that they can be quickly shut down, restored to clean state and resume operations. This should be done regularly to both test the backup/restore procedures and remove any invisible malware.

9. Security administrators might periodically do a random sample of machines and run various rootkit checks on them.

10. Use NIST's free publications for advice on mobile, VPN, desktop, etc. security.

11. Use simple data formats and protocols where possible. Some vendors also sell software that checks common file formats (e.g. PDF) for dangerous constructs that shouldn't be there.

12. Use non-standard software for anything risky, although make sure its "quality" non-standard software. ;) Examples are Foxit PDF Reader, nginx over Apache, djbdns over Bind (opt. w/ Phreebird), Postfix over Sendmail, etc. Sandbox the heck out of untrusted software. Example: Sandboxie (or VM) -> Firefox -> NoScript. See Terry Ritter's firefox plugin list and computer security guidelines. He covers all the basics and then some.

13. Disable all unnecessary services. Some go further and remove all unnecessary code from the apps and OS. A friend of mine has a fully functioning WinXP desktop w/ the usual apps that takes up approx 300MB of disk space. Poly2 is doing that for OS's hosting network apps. Presumably, a 0day or common attack strategy might not work b/c the code it needs isn't there.

14. Write internal apps using a managed language. If you can, avoid the most common platforms or runtimes. Don't advertise what you use, even in job ads. Hire smart people & they'll figure out how to code in (censored). Obfuscation goes a long way.

15. Have well-thought out policies for giving out information useful for social engineering. Good authentication of messages can help here. Expect that something in the chain might fail and have a plan for it. Periodically test the users with con men, spear fishing, etc. to keep their awareness up.

16. If possible, replace anything that was stolen or lost for a while. Have standby's ready. Sell the old one. It's just so easy to grab a company phone, put some crap on it and return it.

17. Follow best practices for laptops. Use FDE, TPM, restrict BIOS, and maybe a dongle/card so shoulder-surfing isn't all the attacker needs to get in.

And so on. Many of these suggestions are free or seemless for the user. The others involve cost, usability, etc. tradeoffs. Do what you wish with them.

Clive RobinsonFebruary 7, 2013 1:07 PM

A number of people are Pro-v-Con on if China performed the attack or not, and the comments appear in some cases to be gut reactions.

If you walk the problem backwards you start getting some posabilities (to which I will let people attach their own probabilities).

The analysts saw packets arrive / from a source IP address that (supposadly) matched a University in China.

Now the first question you need to ask is "can anyone spoof this" to which the answer is yes quite easily if they have control of an "up-stream" host from the NYT.

The question then becomes is it possible to step back through the hosts verifing that the traffic has come "through them" rather than "from them"?

They only way to verify this is by being on the up-stream side of the host in question, which becomes impossible to tell beyond a certain point.

But on the assumption that the traffic did indeed originate and returned to the IP address of the University you have to ask "How good is the Universities security?"

And the honest answer as with most Uni's is very likely "woefully inadequate".

This immediatly gives two possabilities,

1, Point of origin is on campus.
2, Point of origin is off campus.

Both of these further break down into other possibilities.

After a little further thought and you will realise you get into a huge list of possibilities.

But as I've mentiond in the past China has been for millennia and effectivly still is feudal politicaly and has all the trapings of patronage and favour.

So yes IF (and it's a big if) the attack did originate in China, then it might have been by the polit bureau or millitary in an official way or by a chancer seaking promotion. It could also have been by one of the many mafia like crime organisations in China attached by largesse to either the polit bureau or military (and this is quite likely).

But it could just as well have been originated from another country. For which I could make a quite reasonable case that iit was directly associated with Vladimir Putin, or any one of a large number of Russian crime syndicates all of which the NYT has done stories on and continue to do stories on.

Likewise how about from the US it's self...

Or how about Australia? they could well be the "upstream" point from which to launch attacks and fake them as coming from china. But to who's advantage...

The real problem is only the Chinese who can directly monitor all routes in and out of the University network could say and for various reasons I'm not holding my breath waiting for answers...

Atavia JonesFebruary 7, 2013 5:39 PM

@Clive R

The evidence is not just that it was from an university computer in China. Mandiant would have to release the full details on this, they are used as a source. There is also evidence that this was a timed campaign targeting multiple major US News Agencies at the same time.

I do not see anyone tying all of this together, but when you have Bloomberg, the Washington Post, the Wall Street Journal, and the NYTimes all agreeing -- I have to admit, that is a pretty good group of sources all agreeing together.

Could the US have been behind such an attack disguising it as China? Sure. Maybe some shadowy group in the US is going out and doing such a thing. If so, they thoroughly fooled some of the largest and most prestigious news agencies in the world.

And they would have fooled all of the external players involved, such as Mandiant. Or had them involved. While Mandiant's speciality seems to be China, it could be argued they were biased. Or bought. Or trained and owned from the beginning.

But, who else was involved in discerning these matters at these other companies? Was it all just Mandiant?

So, sure it could have been the US, as you and others suggest. Or it could have been Australia.

It could be that Australia fooled all of these news agencies, and all of the firms hired to help these agencies route out the hackers.

Could be all the firms were Mandiant and Mandiant could be an US FBI or CIA created cover company.

Could be all of the security firms involved, all of the investigating agencies, and all of the news agencies... were all simply victims of ignorance about the technology and of over zealousness.

Maybe Hoover was behind the Kennedy assassination. And you know, when Hoover said he didn't do undercover operations because it made his agents dirty he was lying. We know now he even had his agents running Mafioso to do dirty deeds for them.

So who knows? Maybe there is some kind of elaborate conspiracy here. As for mob insanity affecting all of our most prestigious US news agencies, security firms, and government agencies... I am not aware of such a case where this has ever happened before.

I feel pretty confident it was China, because I know Jamie Butler, and I have talked to many people both inside China and outside of China on this. I have been there. And I know the government has heard substantial evidence that China really has been running a global hacking program.

They are competent enough to gather human and technical evidence. And they are competent enough not to say, "We have human intelligence telling us these things". They are competent enough not to say "we have technical intelligence telling us these things which we should not report to the media".

But competent enough to run such a vast conspiracy? Or incompetent enough to not understand that a proxy can hide the traffic behind it?

I think the skepticism here is not from dummies, but from people who want to try and get information from those who have been up close and personal. Maybe unconsciously.

And it is from those who feel they should express public doubt on the issue in order to claim, on behalf of the US, that we don't have human intelligence and do not have secret technical intelligence.

RobertTFebruary 7, 2013 5:54 PM

@clive Robinson

As i have said many times before, when hacking ALWAYS lead the administrator / defender back to where they wanted to go in the first place. The Great China Firewall is in and off itself a useful hacking cloaking tool, make a couple of trips through the GFC and visit a few likely locations around Changdu and you'll be absolutely safe.

In this case I'd be inclined to say it is a Chinese attack but not necessarily by a state ran organization, or even at the behest of a state org. There are a lot of other interested parties that would like to map out all the sources of wealth for the China's ruling elite. one obvious reason is blackmail, although you had better be careful because try that and you are absolutely playing with fire (you can expect your head to accidentally get stuck under a trucks wheel...honestly)

Another less nefariousness application of this information, is to simply understand what investment decisions those with the best advice possible are making. Statistically speaking elite politicians make unbelievably good investment decisions (better than any broker), so investing in parallel with them is always a good strategy.

Nick PFebruary 7, 2013 7:30 PM

@ Atavia Jones

"They are competent enough to gather human and technical evidence. And they are competent enough not to say, "We have human intelligence telling us these things". They are competent enough not to say "we have technical intelligence telling us these things which we should not report to the media".

But competent enough to run such a vast conspiracy? Or incompetent enough to not understand that a proxy can hide the traffic behind it?"

If there is a precedent to look for, it was the pre-War intelligence build up to Iraq and the Gulf of Tonken justification for Vietnam. The US government has a long history of inventing justifications for profitable wars. The media and any group that financially/politically benefits from the administration typically repeats their lies without checking them. The US govt also repeatedly exaggerate the "cyber" threat to justify "cyber" commands and huge "cyberwar" budgets. This is both deceptive & a conflict of interest for reporting reasons. Even ignoring specific motives, history shows war and imperialism is in America's DNA.

Our government also admits to doing false flag operations left and right overseas, then add they'd never do that to Americans for political reasons. They probably meant to say "we'd never do a false flag against American public if we couldn't maintain secrecy about where it came from." That's more consistent with history.

Now, what about our current topic? I'm not arguing that this is all a conspiracy, false flag, or massive amount of BS. Not at all. I was showing that the US govt has done that plenty in the past, including recent past, and is capable of doing it again. So, it's a mere possibility. What's probable though?

Honestly, I have no idea. I'm leaning toward Chinese hackers rather than relays. I'm not saying they're government. There's plenty of different groups operating in China that can fund sophisticated hackers. It's even possible that many of the hackers are in an independent organization that works on behalf of many parties. If govt has evidence of specifics, they're withholding much of it or they're lying again.

Motive. Others mentioned economic motive. State-sponsored attacks from China typically target military secrets and intellectual property. The US govt knows they do this. US companies have given specific examples of it. It's a real threat. However, many groups within China might be interested in these news agencies information, so we can't point a finger. This includes non-government groups.

There's also the possibility of relays. Certain attacks "originating from China" didn't. I've even run covert traffic through China years ago. I know I'm not the only one. RobertT recently mentioned how easy it is to trick all but well-funded organizations with people embedded deep in Chinese networks. (TLA's, mainly.) There's only so much you can tell by looking at packets. Expert or not, one can be fooled by sophisticated misdirection.

So, what to do? Secure our networks. Follow best practices. I posted some tricks in this thread and links in the squid thread to help people do this. They might still find a way in but experience shows doing things correctly stops vast majority of attacks, even some so-called "APTs".

Clive RobinsonFebruary 8, 2013 3:48 AM

@ Atavia Jones,

First off I was listing possabilities to consider not throwing my weight behind any of them. As others have noted China is an ideal place to perform attacks through, from or pretend to be from.

The reason I mentioned Australia is not because I happen to think it any more likely that the Australian Gov is upto such things than any other first world nation, but because of where it sits geographically and thus has easy access to sub-sea and other communications links.

Australia is one of the places I'd certainly investigate getting illegal access to if I was activly in the business of doing "through, from, or faux from" for political or criminal activities.

Though I don't rule the Aus Gov out, a look at what the Kiwi's did to somebody and publicaly appologised for lends credence to the theory that all WASP nations spy on their own full time for political rather than National Security reasons.

Australia certainly has sufficient skilled people to pull off this sort of stuff and are still very much active players in the old BRUSA club so could be in on somebodyelses agenda.

The question everybody should consider is "Why China is always in the news and other nations not?" like countries such as Russia, who we certainly know are activly involved with making attacks for power and money not just criminaly but very much politicaly as well (you even have Vladimir Putin and his close allies making comment to the fact they are doining it publicaly).

So I would say that there is a distinct "China is the root of all evil" attitude around at the moment and that it has been building up slowly for some time (around twice the length of time as South Korea's currently outgoing leader).

Now I'm not saying China is not an issue as much as Russia and other naions, but there is a danger in "chicken little" style "over egging the pudding", which is epitomized by the "boy who cried wolf". In that you shout "China is attacking" to many times then people stop listening and one day the wolf realy does turn up and nomatter how loud you shout people won't listen.

Now every time I hear "Mandiant" and "China" in the same article let alone paragraph or sentence I get very cautious. The reason being is Richard Bejtlich it's Chief Sec Officer and founder has considerable history in this area as any long term impartial reader of the TaoSecurity blog will tell you (infact quite a few people called him out for having a fixation in this area on his own blog and some have indicated it as being more a mania).

Richard as an ex soldier tends to have a soldiers view not a policeman's view of the world. And what we currently lack in our "Cyber-briefings" is the policeman's view not the soldier, political or theoretical legal view.

And by policeman's view I mean the actuall investigators view not the politicised view of senior officers or Federal or equivalent organisations.

To a policeman the world is full of grey, no blacks no whites or even reds, just varying shades of grey coloured by experiance and knowing all is not what it appears to be. That you need to find real evidence not surface faux evidence and it's a difficult painstaking and time consuming process with no "quick fix" answers.

There is a reason computer crime used to be called computer fraud, which is originaly it was a very closely allied to financial crime or fraud. Financial fraud is perhaps one of the most difficult crimes to investigate as those involved are smart and rely on the "smoke and mirrors" of misdirection not just to carry out the crime but also to make the money become untracable.

We are currently seeing just a tiny part of years of financial fraud unraveling, in the main because the wanabe bankers at the bottom operating such things as LIBOR fixing whilst being smart were not as smart as those who first started doing it. And were thus not sufficiently cautious and in effect laid down a trail of written words back to their own door due to the contempt people develop to the familiar. So all we see is the small fish getting fingered whilst the big fish pretend to look shocked and negotiate fines that others such as the shareholders and customers will pay whilst they get away with it.

With that level of smarts involved with "white collar crime" it is quite easy to see the same level of smarts in organised computer crime and also in state sponsored cyber-crime/espionage.

Thus you must expect a level of smoke and mirrors that makes such crimes difficult to investigate and thus assume that you need to look for evidence over and above that you get presented with to differentiat between the puppets and puppet masters. However as I and others have indicated actually getting at reliable let alone indicitive evidence is at best difficult even in your own jurisdiction, it's virtually impossible even in friendly cooperating jurisdictions so what of unfriendly uncooperating jurisdictions?

You have to go another way which is often called Humint, however it can go badly wrong, we have seen prime exampls of this historicaly. Look at WWII and the British 20 (or XX in Roman numerals which is also a "double cross") Committee or how the Germans in Holland compleatly fooled SOE, and a whole number of fairly well documented examples of Humint telling you what you want to believe not what is actualy so.

So whilst I am not throwing my weight against any one area I'm saying that the "obvious answer" is probably "politicaly expedient" and thus very suspect.

GeorgeFebruary 8, 2013 11:58 AM

""The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks"

I would love to see these "advanced capabilities" tested against the 44 identified, undetected threats.

I hope NYT sues them.

HughFebruary 8, 2013 12:59 PM

This is a blame game: Instead of putting a solo blame on Symantec for undetected 45 pieces of custom malware, NYT has to share some blame as well. What happen to NYT Incident Response Procedure. Aren’t they supposed to be detecting/monitoring the incidents which may have not been detected by Anti Virus software. If we have sensitive information, aren’t we supposed to be monitoring for malware at every layers not just anti-virus software, so what happens to other layers of detection. Instead of blaming a vendor, NYT should be looking at the weakness in their Information Security management System and learn from this incident and make a resilient information security management system (per Bruce) which work for NYT, especially paying attention to monitoring of the incident at every layers.

TrustMeFebruary 8, 2013 8:56 PM

Anyone has any suggestions or theories on how a malware on an end-user node was leveraged to obtain the table of all the Hashed NYTimes password?

Or, if a proper salt was used, how was the obtained table used for deriving any of the actual passwords (even the weak ones)?

Niha Ma (-:

Nick PFebruary 8, 2013 9:11 PM

@ George

"I would love to see these "advanced capabilities" tested against the 44 identified, undetected threats.
I hope NYT sues them."

I do too. I also hope they win. The AV firms have always overpromised to the point that it should be considered fraud. A few legal precedents will either reduce that or (sigh) just change the way they word their lies.

FigureitoutFebruary 8, 2013 11:57 PM

RE: the topic of hacking for IP
--My dad's company, he believes was the target of such an event. Some sketchy Korean wanted to buy "just 1" of a product and with a straight face asked for "access to the source code". He promised high sales after buying "just 1" of the product. Anyway access denied and we're keeping an eye on the market. So, beware people; they likely won't be as stupid as this individual and this sh*t doesn't just happen to "everyone else".

Wang-LoFebruary 10, 2013 11:50 AM

"The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks"

"reputation-based technology"? Do they label all your protected data with a "Protected by Symantec!" window decal?

-Wang-Lo.

Nick PFebruary 10, 2013 9:12 PM

@ Wang-Lo

""reputation-based technology"? Do they label all your protected data with a "Protected by Symantec!" window decal?"

Nah, they label their honeypots with "Protected by Norman Antivirus." Then, they turn off the important computers when that box acts up.

ShaneFebruary 18, 2013 6:54 AM

I opened up a VBS script attachment in notepad that Symantec failed to QT and one of the processes was named "Malware".

Seriously.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..