Attacks/Breaches
2/1/2013
11:43 AM
Connect Directly
RSS
E-Mail
50%
50%

NYT, WSJ Hacks Scrutinized By Security Community

China is again being blamed, but security experts criticize the lack of evidence, call on the media outlets to release full details of the attacks.

Chinese hackers breached the network of the The Wall Street Journal as part of what's been dubbed a broader "cyberspying" campaign against U.S. media.

The Journal discovered the breach after being notified by the FBI that it had seen data that appeared to have been stolen from the Journal's Beijing bureau. After the Journal hired a firm to conduct a digital forensic investigation, it found that the newspaper's systems had been breached -- first in Beijing, and then globally.

The Journal's self-published account of the attacks failed to specify the length of time that attackers might have had access to the paper's network. Instead, the story made general allusions to an FBI investigation into media hacking incidents, which began more than a year ago, and is being treated as a national security matter. Likewise, the newspaper's account made general reference to the fact that many security experts believe that "a foreign entity" has been attempting to compromise U.S. companies' security.

[ How do you define cyber warfare? Read Uncertain State Of Cyber War. ]

The Journal also noted that investigators hadn't been able to identify all of the Journal information that attackers may have accessed. After discovering the breach and watching what information attackers accessed, however, the investigators hired by the Journal said the targets appeared to be a handful of journalists in its Beijing bureau, including the bureau chief.

"Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China and are not an attempt to gain commercial advantage or to misappropriate customer information," said Paula Keve, a spokeswoman for Journal publisher Dow Jones, which is part of News Corp., in a written statement Thursday.

The Journal's Thursday story that it had been the victim of a sustained hacking effort, seemingly aimed at amassing intelligence about the stories that the paper was writing -- and likely the identity of reporters' Chinese sources, mirrors a Wednesday story published by the The New York Times, which said it, too, had been the victim of a sustained hacking campaign that sought information, rather than business secrets.

Is the Chinese government behind the attacks? Multiple China watchers have hypothesized that the attacks may have been an effort by Chinese officials to try and manage the country's global image.

But Chinese government officials have denied having any part in the hacking. "It is irresponsible to make such an allegation without solid proof and evidence," Chinese Embassy spokesman Geng Shuang said, according to the Journal. "The Chinese government prohibits cyberattacks and has done what it can to combat such activities in accordance with Chinese laws."

But chief research officer at F-Secure Mikko Hypponen thinks China was likely involved. "I believe the attack against New York Times did genuinely come from China as a reaction to their reporting," he told TechWeekEurope. "It might be impossible to prove that, though."

The Times and Journal reporting has provoked skepticism -- and not just about the supposed Chinese tie -- from multiple security experts, with Robert David Graham, CEO of Errata Security, criticizing the Times' account of how the Times was hacked, saying it "contains no content" about the actual hacking. "It may be true that the NYTimes was targeted by the Chinese government, but the story cites no credible evidence supporting that conclusion," he said in a blog post. "What the story does cite is the conclusion from 'security expert.' But it waves hands over which specific expert made which specific claim. It's hard judging who they are, their expertise or the evidence that leads them to make that conclusion."

Noting that the story also contained a number of inaccuracies on the information security front, he called on the Times to come clean and publish everything it knows. "Dump the password hashes the hackers stole, the exact malware samples, the list of proxy IPs and so on. Then, instead of having to take the 'expert's' word, we can look at the raw data ourselves," he said.

One fact that's not been disputed was the apparent malware-blocking success rate -- just 2% -- experienced by the Times against its advanced persistent threat (APT) attackers. That squares with a study recently published by security firm Imperva and the Technion Israeli Institute of Technology, which found that most antivirus software detects about 5% of new malware, though it can take approximately four weeks before in-the-wild malware gets spotted. "Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero," according to the study. "We believe that the majority of antivirus products on the market can't keep up with the rate of virus propagation on the Internet."

The Times hasn't come clean about what security strategies it previously had in place, although a statement released by its antivirus vendor, Symantec, suggested that the Times relied on little more than signature-based antivirus products. On a related note, the Times' account of the hacking published Wednesday said that the paper had recently overhauled its security infrastructure. Meanwhile, the Journal's hacking story said that paper had finished a network security overhaul Thursday.

Based on the breaches, "here's the message for security: rebalance the security portfolio," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "Use free antivirus and spend some money modernizing your security strategy."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
2/5/2013 | 6:11:54 AM
re: NYT, WSJ Hacks Scrutinized By Security Community
Now, hold on, wait a minute...

A breach at a media outlet is a "national security matter" - since when? Does the WSJ have access to state secrets or is this simply an over-dramatization (which one certainly wouldn't expect from the WSJ)?

If China is behind this and possibly looking to prosecute sources, are there any American lives in danger? Why hasn't the State Department and CIA been engaged?

One has to wonder about the push behind the sensationalism... smokescreen for something else? Conspiracy theories anyone?

Andrew Hornback
InformationWeek Contributor
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/4/2013 | 10:21:22 PM
re: NYT, WSJ Hacks Scrutinized By Security Community
Hmmm. Things might get interesting now that the attackers have gone after a Rupert Murdoch property. He strikes me as the type who likes to punch back.

Drew Conry-Murray
Editor, Network Computing
macker490
50%
50%
macker490,
User Rank: Ninja
2/4/2013 | 11:58:08 AM
re: NYT, WSJ Hacks Scrutinized By Security Community
yep, we need details. what o/s were they running ? XP ? if they were running XP, oh well. Get over it: the boat sank.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.