2/1/2013
11:43 AM

NYT, WSJ Hacks Scrutinized By Security Community

China is again being blamed, but security experts criticize the lack of evidence, call on the media outlets to release full details of the attacks.

Chinese hackers breached the network of The Wall Street Journal as part of what's been dubbed a broader "cyberspying" campaign against U.S. media.

The Journal discovered the breach after being notified by the FBI that it had seen data that appeared to have been stolen from the Journal's Beijing bureau. After the Journal hired a firm to conduct a digital forensic investigation, it found that the newspaper's systems had been breached -- first in Beijing, and then globally.

The Journal's self-published account of the attacks failed to specify the length of time that attackers might have had access to the paper's network. Instead, the story made general allusions to an FBI investigation into media hacking incidents, which began more than a year ago, and is being treated as a national security matter. Likewise, the newspaper's account made general reference to the fact that many security experts believe that "a foreign entity" has been attempting to compromise U.S. companies' security.


The Journal also noted that investigators hadn't been able to identify all of the Journal information that attackers may have accessed. After discovering the breach and watching what information attackers accessed, however, the investigators hired by the Journal said the targets appeared to be a handful of journalists in its Beijing bureau, including the bureau chief.

"Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China and are not an attempt to gain commercial advantage or to misappropriate customer information," said Paula Keve, a spokeswoman for Journal publisher Dow Jones, which is part of News Corp., in a written statement Thursday.

The Journal's Thursday story that it had been the victim of a sustained hacking effort -- seemingly aimed at amassing intelligence about the stories that the paper was writing, and likely the identity of reporters' Chinese sources -- mirrors a Wednesday story published by The New York Times, which said it, too, had been the victim of a sustained hacking campaign that sought information rather than business secrets.

Is the Chinese government behind the attacks? Multiple China watchers have hypothesized that the attacks may have been an effort by Chinese officials to try to manage the country's global image.

But Chinese government officials have denied having any part in the hacking. "It is irresponsible to make such an allegation without solid proof and evidence," Chinese Embassy spokesman Geng Shuang said, according to the Journal. "The Chinese government prohibits cyberattacks and has done what it can to combat such activities in accordance with Chinese laws."

But Mikko Hypponen, chief research officer at F-Secure, thinks China was likely involved. "I believe the attack against New York Times did genuinely come from China as a reaction to their reporting," he told TechWeekEurope. "It might be impossible to prove that, though."

The Times and Journal reporting has provoked skepticism -- and not just about the supposed Chinese tie -- from multiple security experts. Robert David Graham, CEO of Errata Security, criticized the Times' account of how it was hacked, saying it "contains no content" about the actual hacking. "It may be true that the NYTimes was targeted by the Chinese government, but the story cites no credible evidence supporting that conclusion," he said in a blog post. "What the story does cite is the conclusion from 'security expert.' But it waves hands over which specific expert made which specific claim. It's hard judging who they are, their expertise or the evidence that leads them to make that conclusion."

Noting that the story also contained a number of inaccuracies on the information security front, he called on the Times to come clean and publish everything it knows. "Dump the password hashes the hackers stole, the exact malware samples, the list of proxy IPs and so on. Then, instead of having to take the 'expert's' word, we can look at the raw data ourselves," he said.

One fact that hasn't been disputed is the apparent malware-blocking success rate -- just 2% -- experienced by the Times against its advanced persistent threat (APT) attackers. That squares with a study recently published by security firm Imperva and the Technion Israeli Institute of Technology, which found that most antivirus software detects about 5% of new malware, and that it can take approximately four weeks before in-the-wild malware gets spotted. "Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero," according to the study. "We believe that the majority of antivirus products on the market can't keep up with the rate of virus propagation on the Internet."

The Times hasn't come clean about what security strategies it previously had in place, although a statement released by its antivirus vendor, Symantec, suggested that the Times relied on little more than signature-based antivirus products. On a related note, the Times' account of the hacking published Wednesday said that the paper had recently overhauled its security infrastructure. Meanwhile, the Journal's hacking story said that paper had finished a network security overhaul Thursday.

Based on the breaches, "here's the message for security: rebalance the security portfolio," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "Use free antivirus and spend some money modernizing your security strategy."

Comments
macker490, User Rank: Ninja
2/4/2013 | 11:58:08 AM
re: NYT, WSJ Hacks Scrutinized By Security Community
Yep, we need details. What O/S were they running? XP? If they were running XP, oh well. Get over it: the boat sank.
Drew Conry-Murray, User Rank: Ninja
2/4/2013 | 10:21:22 PM
re: NYT, WSJ Hacks Scrutinized By Security Community
Hmmm. Things might get interesting now that the attackers have gone after a Rupert Murdoch property. He strikes me as the type who likes to punch back.

Drew Conry-Murray
Editor, Network Computing
Andrew Hornback, User Rank: Apprentice
2/5/2013 | 6:11:54 AM
re: NYT, WSJ Hacks Scrutinized By Security Community
Now, hold on, wait a minute...

A breach at a media outlet is a "national security matter" - since when? Does the WSJ have access to state secrets or is this simply an over-dramatization (which one certainly wouldn't expect from the WSJ)?

If China is behind this and possibly looking to prosecute sources, are there any American lives in danger? Why haven't the State Department and CIA been engaged?

One has to wonder about the push behind the sensationalism... smokescreen for something else? Conspiracy theories anyone?

Andrew Hornback
InformationWeek Contributor