Attacks/Breaches
2/1/2013
11:43 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

NYT, WSJ Hacks Scrutinized By Security Community

China is again being blamed, but security experts criticize the lack of evidence, call on the media outlets to release full details of the attacks.

Chinese hackers breached the network of the The Wall Street Journal as part of what's been dubbed a broader "cyberspying" campaign against U.S. media.

The Journal discovered the breach after being notified by the FBI that it had seen data that appeared to have been stolen from the Journal's Beijing bureau. After the Journal hired a firm to conduct a digital forensic investigation, it found that the newspaper's systems had been breached -- first in Beijing, and then globally.

The Journal's self-published account of the attacks failed to specify the length of time that attackers might have had access to the paper's network. Instead, the story made general allusions to an FBI investigation into media hacking incidents, which began more than a year ago, and is being treated as a national security matter. Likewise, the newspaper's account made general reference to the fact that many security experts believe that "a foreign entity" has been attempting to compromise U.S. companies' security.

[ How do you define cyber warfare? Read Uncertain State Of Cyber War. ]

The Journal also noted that investigators hadn't been able to identify all of the Journal information that attackers may have accessed. After discovering the breach and watching what information attackers accessed, however, the investigators hired by the Journal said the targets appeared to be a handful of journalists in its Beijing bureau, including the bureau chief.

"Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China and are not an attempt to gain commercial advantage or to misappropriate customer information," said Paula Keve, a spokeswoman for Journal publisher Dow Jones, which is part of News Corp., in a written statement Thursday.

The Journal's Thursday story that it had been the victim of a sustained hacking effort, seemingly aimed at amassing intelligence about the stories that the paper was writing -- and likely the identity of reporters' Chinese sources, mirrors a Wednesday story published by the The New York Times, which said it, too, had been the victim of a sustained hacking campaign that sought information, rather than business secrets.

Is the Chinese government behind the attacks? Multiple China watchers have hypothesized that the attacks may have been an effort by Chinese officials to try and manage the country's global image.

But Chinese government officials have denied having any part in the hacking. "It is irresponsible to make such an allegation without solid proof and evidence," Chinese Embassy spokesman Geng Shuang said, according to the Journal. "The Chinese government prohibits cyberattacks and has done what it can to combat such activities in accordance with Chinese laws."

But chief research officer at F-Secure Mikko Hypponen thinks China was likely involved. "I believe the attack against New York Times did genuinely come from China as a reaction to their reporting," he told TechWeekEurope. "It might be impossible to prove that, though."

The Times and Journal reporting has provoked skepticism -- and not just about the supposed Chinese tie -- from multiple security experts, with Robert David Graham, CEO of Errata Security, criticizing the Times' account of how the Times was hacked, saying it "contains no content" about the actual hacking. "It may be true that the NYTimes was targeted by the Chinese government, but the story cites no credible evidence supporting that conclusion," he said in a blog post. "What the story does cite is the conclusion from 'security expert.' But it waves hands over which specific expert made which specific claim. It's hard judging who they are, their expertise or the evidence that leads them to make that conclusion."

Noting that the story also contained a number of inaccuracies on the information security front, he called on the Times to come clean and publish everything it knows. "Dump the password hashes the hackers stole, the exact malware samples, the list of proxy IPs and so on. Then, instead of having to take the 'expert's' word, we can look at the raw data ourselves," he said.

One fact that's not been disputed was the apparent malware-blocking success rate -- just 2% -- experienced by the Times against its advanced persistent threat (APT) attackers. That squares with a study recently published by security firm Imperva and the Technion Israeli Institute of Technology, which found that most antivirus software detects about 5% of new malware, though it can take approximately four weeks before in-the-wild malware gets spotted. "Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero," according to the study. "We believe that the majority of antivirus products on the market can't keep up with the rate of virus propagation on the Internet."

The Times hasn't come clean about what security strategies it previously had in place, although a statement released by its antivirus vendor, Symantec, suggested that the Times relied on little more than signature-based antivirus products. On a related note, the Times' account of the hacking published Wednesday said that the paper had recently overhauled its security infrastructure. Meanwhile, the Journal's hacking story said that paper had finished a network security overhaul Thursday.

Based on the breaches, "here's the message for security: rebalance the security portfolio," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "Use free antivirus and spend some money modernizing your security strategy."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
2/5/2013 | 6:11:54 AM
re: NYT, WSJ Hacks Scrutinized By Security Community
Now, hold on, wait a minute...

A breach at a media outlet is a "national security matter" - since when? Does the WSJ have access to state secrets or is this simply an over-dramatization (which one certainly wouldn't expect from the WSJ)?

If China is behind this and possibly looking to prosecute sources, are there any American lives in danger? Why hasn't the State Department and CIA been engaged?

One has to wonder about the push behind the sensationalism... smokescreen for something else? Conspiracy theories anyone?

Andrew Hornback
InformationWeek Contributor
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Apprentice
2/4/2013 | 10:21:22 PM
re: NYT, WSJ Hacks Scrutinized By Security Community
Hmmm. Things might get interesting now that the attackers have gone after a Rupert Murdoch property. He strikes me as the type who likes to punch back.

Drew Conry-Murray
Editor, Network Computing
macker490
50%
50%
macker490,
User Rank: Apprentice
2/4/2013 | 11:58:08 AM
re: NYT, WSJ Hacks Scrutinized By Security Community
yep, we need details. what o/s were they running ? XP ? if they were running XP, oh well. Get over it: the boat sank.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2014-0778
Published: 2014-04-19
The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows remote attackers to obtain potentially sensitive version information via network traffic to TCP port 10651.

CVE-2014-1974
Published: 2014-04-19
Directory traversal vulnerability in LYSESOFT AndExplorer before 20140403 and AndExplorerPro before 20140405 allows attackers to overwrite or create arbitrary files via unspecified vectors.

CVE-2014-1983
Published: 2014-04-19
Unspecified vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to cause a denial of service (CPU consumption) via unknown vectors.

Best of the Web