01
Feb 13

Source: Washington Post Also Broadly Infiltrated By Chinese Hackers in 2012

facebooktwittergoogle_plusredditpinterestlinkedinmail

The Washington Post was among several major U.S. newspapers that spent much of 2012 trying to untangle its newsroom computer networks from a Web of malicious software thought to have been planted by Chinese cyberspies, according to a former information technology employee at the paper.

twpOn Jan. 30, The New York Times disclosed that Chinese hackers had persistently attacked the Gray Lady, infiltrating its computer systems and getting passwords for its reporters and other employees. The Times said that the timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

The following day, The Wall Street Journal ran a story documenting similar incursions on their network. Now, a former Post employee is coming forward with information suggesting that Chinese hacker groups had broadly compromised computer systems within the Post’s newsroom and other operations throughout 2012.

According to a former Washington Post information technology employee who helped respond to the break-in, attackers compromised at least three servers and a multitude of desktops, installing malicious software that allowed the perpetrators to maintain access to the machines and the network.

“They transmitted all domain information (usernames and passwords),” the former Post employee said on condition of anonymity. ” We spent the better half of 2012 chasing down compromised PCs and servers.  [It] all pointed to being hacked by the Chinese. They had the ability to get around to different servers and hide their tracks. They seemed to have the ability to do anything they wanted on the network.

The Post has declined to comment on the source’s claims, saying through a spokesman that “we have nothing to share at this time.” But according to my source, the paper brought in several computer forensics firms – led by Alexandria, Va. based Mandiant – to help diagnose the extent of the compromises and to evict the intruders from the network. Mandiant declined to comment for this story.

Update, Feb. 2, 7:42 a.m. ET: The Post has published its own story confirming my source’s claims.

The former Post employee also noted that experts from the National Security Agency and Defense Department took one of the Post’s servers for forensic analysis.

“Quickly we had 3-4 different security companies come in and help track down what was compromised and where info was being sent to,” the source said. “Supposedly they found a new trojan and sent the information to Symantec in order to create a signature to find it.”

The Washington Post used Symantec’s antivirus and security software to protect systems from malicious software, but that detection obviously failed here. The New York Times also said it had relied on Symantec’s software, prompting the company to issue a somewhat defensive and terse statement that took  the unusual step of commenting on a story about a customer, according to The Register.

As tweeted yesterday by Mandiant chief security officer Richard Bejtlich, what was rare about the New York Times hack was not that it happened, but that they disclosed so much information about it. I hope The Washington Post is as forthcoming about their experience. As security blogger Gunnar Peterson noted in an email exchange with KrebsOnSecurity, more surprising would be a major newspaper outlet that wasn’t hacked by the Chinese.

Peterson quipped that it may be some kind of “perverse journalistic badge of honor: If no one is hacking you [does it suggest that] your reporting doesn’t matter?”

Indeed, I would be surprised if we didn’t hear similar disclosures from a number of other major news media outlets in the coming days and weeks. Full disclosure: I should note that I got my start writing about technology and security for The Washington Post back in the early part of the last decade after having my home network completely overrun by a computer worm unleashed by one of China’s most celebrated hackers.

Tags: , , , , , , , ,

70 comments

  1. G’day Brian,

    Very much enjoy your work. Perhaps you’ve answered this question before on your blog, but within the areas you feel comfortable answering in public: what programs/methods do you use to maintain your security? Currently I use Avast (free version), Secunia PSI, Google Chrome (hopefully a bit more secure than other browsers), Java disabled in Chrome (I use Opera when I need to use Java), Javascript enabled on a site by site basis, AdBlock, Windows Firewall, and of course I verify with friends links or attachments that they send me, and usually upload them first to VirusTotal as well. Are there other steps that you would recommend?

    • Hello, Thom. As for AV, I use a mix, and eventually I use them all. I often get tired of one AV and because I frequently get free versions of the suites sent to me from the vendors, I have the luxury (or headache as it sometimes is) of trying many different types of AV per year. I really wish Avira didn’t have its constant nag screens, because for my money (or in this case not), it’s among the best of the free ones. But just having something is the only important takeaway, IMHO, for most users.

      You may want to take a look at the primer that I wrote recently, Tools for a Safer PC, which includes some other suggestions.

      http://krebsonsecurity.com/tools-for-a-safer-pc/

      • I’ve had really good luck with lxc: running in a throw-away clone of the O/S that has no real access to the hardware it becomes a lot harder to infect the hard disk. lxc can be used to start up a browser alone (i.e., no need to clone the O/S).

        • On XP – steady state was a real good alternative, that nearly turned the hard drive into a LiveCd type arrangement. But when your dealing with the PRC, even they know how to work around that.

      • As a security professional & researcher, I’ve found that a reasonable compromise is to run your browser from within a virtual machine and monitor that virtual machine’s IO to the host using various available monitoring tools.

        • @Dave: “a reasonable compromise is to run your browser from within a virtual machine and monitor that virtual machine’s IO to the host using various available monitoring tools.”

          That sounds like an interesting way to try to detect a bot (although a hiding bot is not going to do much I/O). I would really like to see about a page of links and details on how to do this.

          I agree that a virtual machine can be helpful to confine normal software problems, but attacks are not normal. Because a VM links deep into the OS, it can be weaker than the normal OS itself.

    • Richard Steven Hack

      Everything you’re doing is pretty good.

      I’d add the free on-demand programs Malwarebytes Antimalware and Superantispyware for when you suspect an infection.

      I’d also add Spybot Search and Destroy for some additional protective services. I used to recommend Threatfire for that, but it’s no longer being maintained.

      • From what I understand Threatfire has been absorbed into other PC-Tools products(Symantec). So it is still being maintained, technically – I supposed you could say.

    • A Chromebook is cheap and extremely secure. No Java, for example (it does do Flash though). Everyone who uses one, seems to like it.

  2. It’s just another example of an intrusion good INFOSEC practices could beat. Relying on COTS and industry “best practices” isn’t good enough. Companies should go old school in protecting their most critical assets by providing full access mediation, ground-up security, and physical isolation of those resources. A better directory server (or existing ones extended) seems to be in order too.

    • @Nick P: “It’s just another example of an intrusion good INFOSEC practices could beat.”

      Is that true? In particular, exactly which practices would have beat this intrusion, and how would they do it?

      • “They suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install “remote access tools” — or RATs. Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.”

        I’ll let you take a guess or two. Let’s just say this kind of thing hasn’t caused problems for me or anyone taking advice from me for years. There’s more ways to prevent, detect, and/or contain attacks like that than I can go into in one post. I’m sure you’re using one or more of them. ;)

  3. Even though most of the intrusions were allegedly routed through universities, are there any spam blocklists availble to filter out Chinese spammers/malware/badpeers?

    • MBAM has a pretty good IP blocker, and it works in the outbound as well. I can’t vouch for whether the IP address is sourced from the PRC, but my IDS reports indicate fewer attacks from the PRC now days. However, I’m not sure if that is because they are more focused in their target range; or if they are already in everyone’s shorts to begin with, so they can strike when ready.

      I would say both are true. ]:)

  4. Richard Steven Hack

    One critical thing companies must do these days is develop a highly sensitive detection and tracking capability. It’s ridiculous to be in a situation where hackers can stay in the network for weeks or months at a time without being detected or found.

    Hackers are going to get in regardless of what you do. You have to be able to detect them once they’re in, prevent them from getting to what they want, and then corral them and evict them. This is not easy but it is required to have any security at all.

    • Quite true RSH!! :)

    • Monitoring is a good defensive layer to have. An alternative in a similar vein is so-called recovery-oriented architectures. At one end of the spectrum, the architecture assumes the entire network is compromised and periodically restores machines from a master copy. At the other end, they combine monitoring and recovery features to protect application services.

      Books like Release IT! argue that we should make our software stacks both adaptable to change and resilient to failure. Recovery-oriented designs might help. I’d like to see firmware, OS’s, etc. in mainstream adopt some of these principles. It would make installing, updating, backups, maintenance and recovery so much easier. In contrast, I just spent three to four hours getting a Windows VM set up with Visual Studio after spending a few hours doing software updates that kept stalling. (rolls eyes)

      • “we should make our software stacks both adaptable to change and resilient to failure.”

        Heh, heh. With the industry as it is, good luck with that.

        As your related experience shows, the industry can’t even do reliable updates – although generally updates on my openSUSE Linux go pretty smoothly – Windows? Not so much.

        It’s very clear that unless the software industry massively changes its practices, software will remain unreliable and insecure.

        My meme remains unchallenged! :-)

      • Oh, and I should add that for some reason Microsoft simply cannot gets its updates for either .NET or Visual Studio to work properly.

        I don’t know how many times I’ve had to uninstall .NET and reinstall the complete stack from the earliest version for a client because some update failed to install. Microsoft’s ONLY resolution for that situation is a complete reinstall – and they even provide a tool for removing .NET completely.

        I’ve had similar problems with Visual Studio for a client – but in that case I said the hell with it and just disabled the updates. He didn’t need them anyway.

        • My experience as well :(

        • I got so tired of .NET’s crap that I run plenty of it in locked-down VM’s with configurations that will work. I recently was trying to learn some C# for an Archer (RSA) project. I had a perfectly working, lightweight, fast development VM. An hour into trying to get VC#2012 to work right I said (expletives deleted) and installed VC#2010. Took 3 hours but works like a charm.

          I have nothing against the C# language itself, but it doesn’t say much for .NET platform that it’s so brittle. And the underfunded COBOL, CICS, 4GL, and VMS based apps just keep running and running. ;)

  5. And of course this isn’t the first time the NYT has been hacked. Well-known hacker Adrian Lamo did it some years ago.

    The line that was funny from that breach was when he said he was hardly trying to breach the system and the NYT proxy servers “practically threw themselves at me”, meaning that a mere two-minute scan found seven misconfigured proxy servers.

    • Haha. Yes, I never wrote about it, but my computer at The Washington Post was actually seized by the Post lawyers and kept in storage for years, after the company got a letter from the US Justice Department telling them to preserve evidence, because I had corresponded extensively with Lamo prior to his intrusion at NYT.

  6. To be honest, I haven’t used any extra protection on my PC other than the standard Windows. [ firewall is even turned off.] Monthly I run Spy Bot search and destroy to catch a few bugs if there.

    The point though is that I always presume my system is infected, I also presume that all web sites, browsers etc are already hacked.

    Working with those those premises has led to a change in how I access the net and how one protects critical assets. [isolation being a key and the use of a separate PC for financial and critical issues]

    I found that using propriety AV products appeared to increase the likelihood of infection and not diminish them and slowed my systems down incredibly.

    Working on the premise of “total loss possible” means a safer strategy can be put in place.
    …Just my personal view….

    • I might add that I would expect “hackers” to look for the type of security systems installed first and then work out which one they are familiar with before launching an attack. A recognized AV product could in fact invite attack as the hackers would be most familiar with them.
      So hiding the AV products installed [it’s signature] could be most advantageous.
      Do the “hackers” perform Robotic surveys to find out what AV products are being used globally I wonder?

      • Attack code is already well known to automatically assess the infrastructure, and pick the best exploits to take over a LAN. There is no doubt in my mind that they gather data constantly from “sleepers” that come in drivers to printers, applications, etc. that surveil not only what is installed on the local machine but assess your network as well.

        I’ve caught such code embedded in CDs from the OEMs, and have complained to them about it over and over again. At least the updates on most of the sites out there are clean.(so far)

      • They do. It’s just like the quality assurance portion of developing legal products. For years, malware developers would run a potential exploit against a test system with the most common types of AV running. They kept tweaking it until most didn’t detect it. Then, they use it on real systems. I’m sure they do something similar today.

  7. Maybe a stupid question, but…

    If a foreign correspondent is filing a story from China, presumably the Chinese government is going to a lot of trouble to monitor his activity. He’s going to use the internet to file his stories, and he’s probably going to want to do it via a secure connection, which would require logging in with a password at some point. Does it become practical for the Chinese government to try to decrypt passwords on high-value targets like reporters? Since the PRC is running its software on millions of citizens’ computers, presumably they’ve got a pretty big botnet available if they choose to use it. Perhaps there should be a general rule to choose a new password before traveling to China, and change it again when you leave.

    As far as antivirus, I like Avira, too, and $25 a year is pretty cheap for the full version. But when you’re providing AV service for someone else, you quickly run into the rule that it’s impossible to make anything foolproof because fools are so ingenious. Avira is very sensitive, but if you don’t have the fund of knowledge to identify the false positives, you’re quickly going to starting clicking “ignore” on everything.

    • When you become a target for the big boys, like the PRC. I doubt there is much you can do about keeping them out once they get past the perimeter (which is no challenge with social engineering).

      All you can do is watch closely and wipe the entire network clean. Recovering from backup would be a real challenge, because detecting any exploits in the data is next to impossible.

      Most of the tools these guys use never show up as a signatures on an AV/AM solution anyway – they are just too far under the radar. I know of only one HIPS that has caught government sponsored spies, and even they are under intense pressure to white list these spybots, or attack vectors, or whatever you want to call it.

      • Actually, you can try to keep your organization secure for your sources. Confidential source information can be treated specially and differently from regular information. Put the info in encrypted files on a dedicated netbook. Move messages using low risk methods. Make sure the draft newspiece has little identifying information before it’s sent to main network. Use data diode + UDP to ensure one-way communication between netbook and main network. And so on.

        They can do much better than they do without causing themselves operational misery. They just aren’t trying. Let’s face it: most news organizations probably think of dead [former] sources as “not their problem.”

    • It’s a decent idea. I’ve told people for years on Schneier’s blog to treat any device you take into China as untrusted. The safest route is to go Cold War style with rice paper (easy burning), microdots and/or hiding ultra-thin digital storage in your clothing.

      If you want to be digital, then don’t use your main PC: buy a throw away PC, use every reasonable security option (esp FDE), access your core services through a stateside VPN with temporary password, do your work, send encrypted data (or key) home, and sell the temp PC when you get home. The reason to constantly send the data or key stateside is so that you can honestly say (under duress) you can’t provide it to the local authorities. Throw away PC is used b/c you must assume an evil maid attack at some point. The FDE should use a randomly generated password and/or keyfile. When finished, the pass/key should be securely deleted so nothing leaks when you sell the PC.

      Oh yeah, the leaked British MOD manual listed China, Russia and Israel as the top espionage threats to their country. Russia particularly had many insidious ways of getting you into bugged rooms and such. So, add them to list of countries to use my scheme in.

      • Didn’t I read somewhere that the “Great Wall of China” was going to start blocking VPN?

        • Yep.

          http://rendezvous.blogs.nytimes.com/2012/12/23/adding-more-bricks-to-the-great-firewall-of-china/

          My main opinion was always never to do business in China. If you do, don’t put your IP over there. If you do, then have trusted American’s managing its security physically and in software. Rigging it to auto-delete critical stuff upon a breakin is an option.

          Far as private communications, the bandwidth of the channel is important. VPN’s go over the Internet which has plenty of bandwidth. They’re shutting them down. Next thought for sending small amounts of data (maybe summary or KPI data) is to use [encrypted] satellite comms. One may also use esoteric methods such as moon-bounce or meteor burst communications. I designed operational protocols around the latter.

          There’s yet another possibility if you’re right at the border. Let’s say you have a trusted relay connected to the Internet in a neighboring country that’s not trying to block you. You can set up a point-to-point wireless link between the source and that relay node using technology such as WiMAX. Use highly directional antennas to constrain the signal.

          • I also ran into a source, quite by accident, of a source that was supposed to be used by victims of the Tibet crackdown. This was something that used a bot net that was taken over by activists, to communicate anonymously. I am not sure how an individual could get this to work, but my imagination can run wild with the idea.

            Just reading Brian’s articles, one could imagine how difficult it would be to run someone down, just for exchanging information using this kind of tool. There would be no banking tracks to back engineer to attempt to catch the dissidents either. I suspect this was something that was capable of taking temporary control of the bot herder’s command and control network. Needless to say, this package was obsolete very quickly, and I don’t know how the dissidents re-acquire the new package. I read about something like this being used in Iran as well.

  8. I posted via mobile, when the screen refreshed the Name, Email, and Website fields were populated with someone else data.

  9. I submit that the Chinese were already in there, and everywhere there is no secured environment. Symantec is NOT a secured environment.

    They have been in everyone’s shorts since at least 2006; it is just that people are finally waking up to this!

  10. @JC . that is why I feel using known AV’S can actually attract them. You are actually telling them, with the AV signature what to do.
    It is only in the power gained through predictable AV response that gives them leverage. remove the predictabilty and their ability to attack with confidence is minimised.

    • That’s not even logical.

      What’s up with everyone focusing on AV? No hacker is going to deploy a trojan that’s already detectable. Ever. Why would they? Would you?

      • I don’t think the AV/AM solution matters as much as who owns the company that is developing it. AdAware used to be a pretty good AM solution, but now it is owned by the enemy camp. How many more of these companies will be bought out, and trashed?

        iObit comes to mind as well.

      • That’s not logical. You’re claim assumes two false premises: that what I’d do equals what an arbitrary hacker would do; that you know what arbitrary hackers will do. Talented hackers will try to use new (or tweaked) malware. Many script kiddies will grab whatever they can off the net and try to throw it at machines. High school hackers are also likely to do that.

        Hence, hackers may use old malware. That AV’s periodically catch old malware supports my assertion.

  11. By what means are many of you supposing that it could be deduced what AV solution a host is running?

    If your AV solution listens on unique ports for updates it would be trivial, but that would require port-forwarding for NAT transversal or opening up your firewall, which wouldn’t be practical for most multi-user networks. AV solutions I’ve seen rather reach out to the AV update server periodically

    It would be easy if an opponent could intercept traffic such as definition updates, but that assumes you’ve been compromised between the AV vendor and your machine. So who has been compromised?

    The AV vendor? If you read some of the white papers the big boys’ employees put out, they seem to be a lot more intelligent than the software they distribute.

    The big ISPs? That’s the nation’s security agency’s territory for snooping and I imagine they guard it

    Of course …

    On the flip side, do a tracert or traceroute (win or *nix) and you might notice your traffic passing through some small (or curiously large) private networks. In addition to their potentially lax security provisions, both these and probably your AV vendor and ISP use commercial forward-facing gear that … well to be cynical is probably made in foreign territories. A look at past uncovered edge-device vulnerabilities, including one recently covered by Brian, suggests that ‘firewalls’ won’t always burn all.

    Speaking/writing about this makes me wonder … if the nation’s security agency can snoop our traffic why aren’t they more effective at filtering out malicious foreign threats? Of course, actors from a foreign nation would most likely use platforms from other states to both cover their tracks and implicate others

    • Looking for effects like you point out is way more effective that the AV/AM solution. They are blind to the enemy anyway. Looking for anomalies like that is way more effective. Using kernel based tools that run in an infected environment and still work, is another.

      • @JCitizen: “Using kernel based tools that run in an infected environment and still work,”

        It seems unreasonable to expect that any tools running on an infected computer could be trusted, no matter how restricted the services they use.

        • I always assume 100% that the working environment is infected with something – what is not important. Until I get information or see evidence these tools have been compromised; I and my clients don’t really have a choice. Life must go on.

  12. Brian et al,
    Tnx for the additional info, adding your piece to this news puzzle explains a lot. Pretty unusual things are happening. A privately held US security firm named Mandiant now _personally_ accused the new General Secretary of the Chinese Communist Party and President Xi Jinping of “condoning cyber espionage” https://www.mandiant.com/blog/chinese-leadership-change-advanced-persistent-threat/
    This is very unusual. Possibly General Michael V. Hayden had dropped a hint or two after his keynote at Mandiants MIRcon 17. October 2012. One week later the NYT discovered the hack. At least they say so in their exclusive report on the hack of their own network. A double exclusive: The NYT being the single source of the story as well. A number of Chinese agencies _but not a single_ US government office is mentioned in the article. When the most eminent, investigative news media group of the western world is being attacked by the Chinese Communist Party there is No Such Agency around to match that threat? There is none in the NYT story because they tell only half of what happened. They might have been too busy while trying to purchase a second antivirus engine…
    For readers of German here is some lengthy analysis on that matter
    http://fm4.orf.at/stories/1711998/

    • Not a single US government office is mentioned, because they are so late to the table, they are not worth mentioning. And I suspect some of them may have members who don’t have our company’s best interests at heart. I probably would go to the US government only as a last resort – and it would be a known FAIL at that time. Might as well declare bankruptcy while you’re at it.

    • I have to laugh at Mandiant accusing the Chinese government of “condoning cyberespionage.”

      First of all, the talking head for this has been Richard Beitjich who is a known China basher. He won’t be happy until the US is at war with China – REAL war, not cyberwar.

      Second, Mandiant is playing this up for PR purposes. The fun part is they’ve admitted they don’t even know if the Chinese hackers are still in the NYT network!

      Third, the US is not in a position to complain about anyone’s “cyberespionage” after collaborating with Israel on Stuxnet and Flame.

      Anyone with a brain KNOWS China is conducting cyberespionage. So is every other country on the planet who can afford to hire a hacker. We’re supposed to be surprised at this?

      Economic espionage has also been going on for decades – again from every country on the planet that can afford to hire a spy.

      Anyone remember Anna Chapman, the Russian spy from a couple years ago? Who by the way has become a celebrity in Russia now. And who happens to be smokin’ hot if you’ve seen recent pics of her. I’d give her any info she wanted! :-)

      Who cares if you’re being spied on by China or Israel or Russia or France? The only reason for touting China now is because they are the current “Big Bad” – after Iran and North Korea – for purposes of ratcheting up the Pentagon budget and thus the military-industrial complex corporate profits.

      Green Greenwald has an important article on that in The Guardian recently:

      Pentagon’s new massive expansion of ‘cyber-security’ unit is about everything except defense
      http://www.guardian.co.uk/commentisfree/2013/jan/28/pentagon-cyber-security-expansion-stuxnet

      Sure, there’s a “threat”. The question people need to ask is: who’s profiting from hyping the “threat?” And do those people have a rational SOLUTION TO the “threat” other than policies that have failed in the past and will produce worse results in the future?

  13. Brian: I have long followed your stories and always found them well researched and very relevant. Kudos and keep up the good work. I am a retired Senior Foreign Service officer and played an instrumental role in the State Department’s Information Assurance program during its developmental stage. This included the time when there were several active infiltrations originating in the far east that have since come to light. This leads up to my conclusion and challenge to you: Every single business, corporation and government entity pays lip service to IT security. They will go through the motions of putting up a facade of due diligence, devoting the absolute minimum in resources towards effective IT security because they view it as a cost center rather than a business enabler. Many look at the risks – if they’re even aware and understand them – and then put a cost to that exposure and consequently “writes the cost off” as just another acceptable risk. What would be really worthwhile for someone of your reputation is a series of deep exposes on what is really at risk, in terms understandable in the C-Suite, and the escalating costs. Just a thought. Terry

    • This is the problem. People don’t understand that cybercrime is a growth industry. It’s where drugs were in the 1920’s or shortly after just being made illegal. Now look where it is. Gangs with billions of dollars using submarines to smuggle the stuff!

      Cybercrime will continue to grow for at least the next decade until it has become ubiquitous and affects every company, large and small. It won’t be controlled until it becomes so massive that it can’t be controlled without major alterations in how the software industry produces products and in how organizations view security in general.

      It’s not even clear that it CAN be controlled any more than crime in general can be “controlled”. Physical crime is significantly different than computer crime. It has limitations that don’t exist in computer crime. Technological solutions to computer crime MAY be developed, but as long as PEBCAC exists it’s not clear that will be sufficient.

      It’s a good time to be computer criminal or cyberspy! Growth industry, high rate of return, minimum risk! Get in on the ground floor now! Secure your future! :-)

      • “It’s a good time to be computer criminal or cyberspy! Growth industry, high rate of return, minimum risk! Get in on the ground floor now! Secure your future! ”

        LOL. Quite true. I think the best time was years ago, however. Things weren’t as complicated technically or legally. I liken it to the identity theft industry. That made huge gains with little risk for years because there weren’t specific laws restricting it. I remember a teenager who bought a house and a bunch of other stuff getting away with it b/c it was mere credit card fraud that victims only had to pay $50 for. Just makes you shiver to think of it, eh? ;)

        So, the criminal market started specializing. They realized they could do division of labor to increase personal profits while reducing risk. They made plenty of money. Now, the double-edged sword that is market forces is stabbing them in the ass. The commoditized black market is driving the value of goods near zero. You have to send so much spam, steal so many cards, etc. to become a multimillionaire. Truly rewarding crime is limited to niche areas like ACH.

        The semi-anonymity still makes it a better risk/reward tradeoff than many crimes. Not being physically there allows many cowards and extra-careful people to get into the crime. The market just isn’t as rewarding as it once was for most of the players. The best way to rob people is still to open a bank. :)

        • But the market hasn’t finished developing. The low-hanging fruit – credit cards and spam – have been mostly, if not entirely, been grabbed.

          The REAL money is in industrial and government espionage, not spam or credit cards. Steal some IP that’s worth a couple hundred million dollars either in development costs or market potential, sell it to someone for a few million. For that, you only have to break into one or two places a year and manage to exfiltrate the goods. One or two deals a year should be child’s play for the better hackers.

          The hard part would be finding the buyers that won’t turn you in. But my guess is there are tons of those in most of the economies of the world.

          Every company has something worth stealing. And eventually hackers will realize it and start going after that stuff rather than just the credit card database or identity theft stuff.

          • Industrial espionage is certainly the most profitable target. It’s why I’ve promoted so much higher assurance stuff over the years: nothing else gets close to stopping it. Not to mention the policies, procedures, user training, monitoring, etc. an organization must do to deal with sophisticated attackers.

            The reason I left that out is that I think it’s a non-issue for the hacker market in general. That sounds stupid at first, yeah? Well, we’ve had years to see it mature and it hasn’t. Likewise, home burglers usually don’t look for valuable pieces of art, etc. and sell it for a good rate to interested buyers. They smash, then grab the obvious stuff for quickest possible sale at whatever rate. I see a correlation in behavior.

            What’s the correlation? Well, both take little talent to get in, do obvious stuff and get out. Add a little sophistication to get something like ACH or ransomware. Even those aren’t nearly as successful as they could be. Look at the whole underground market and tell me how much IP is floating around that’s not Adobe’s products. The main people interested in IP are spies hired by competing companies and state-sponsored groups. This has been steadily true for two decades with no change in actors, just capability.

            I predict that only the smartest crooks or well-established online organized crime syndicates will make any real money on high value IP. The rest will still be chasing commodities related to machines, credentials, ad redirection, etc. And for those worried that you’re right and hackers will be all over their IP? Well, I’ve posted, and continue to post, plenty of solutions for that on another blog. People know where to find me. ;)

            • In my experience, the targets for industrial espionage are very smart people, but they don’t have a clue about INFOSEC unfortunately. They typically have to do a lot of catch-up to just get a usable IT source. They eventually realize they can no longer take advantage of easy IT assets; some of them have gone back to typewriters and locked file cabinets, which are most likely in a vault if need be. You can’t even trust a newer model copy machine if it has any web access or built in hard drive.

              One of them found that by using an old Mac PowerPC, this individual was able to at least function at a certain level, because the attackers apparently aren’t too good at cracking the old code based on that chip architecture.

              The sad thing is, – they get no respect from the FBI or any other agency in the US. We are doomed as an innovative nation, if we don’t get off our duffs and so something to protect our IP.

              • Re: using PowerPC Mac’s. It’s funny that you mention that…

                http://www.binrev.com/forums/index.php/topic/40786-infection-prevention-w-nonstandard-cpus/

                (army_of_one was my binrev hacker name. just read the first post to see my scheme and justifications. the remaining debate you’ve heard before.)

                One thing to take from that debate, though, is security through diversity. When I advocate it, people accuse me of doing security by obscurity. This isn’t the case. I’m simply driving complexity up for the attacker and reducing the damage one weapon can do. This has provable value in dealing with popular threats, script kiddies, turning economics around on attacker, and maybe causing sophisticated attackers to be detected during recon or escalation phase.

                • Yes – I make sure the victims know they shouldn’t give out information that is useful to the attackers – they are just trying to gain some functionality so they can at least get some work done that doesn’t impact them in that way.

                  If you take a small business or innovator’s IT and destroy it; it is hard to function at all without some kind of modern device.

                  It is a very scary situation, not unlike being a victim of a mafia strong arm “protection” racket.

                  • I agree. Even businesses that aren’t heavily dependent on IT often have very important documents on their computers. These might be specific plans, contracts, strategies, intellectual property, dirt, or regulatory information. Loosing any of this can be pretty damaging. Anything that prevents it with reasonable cost is justified.

            • The problem is that what was true over the last few decades is likely to change. In fact, I’d say it is certain to change.

              As you say, the low-hanging hackers grab the low-hanging fruit. But since the opportunity to do the fancy, high-profit stuff is now more prevalent, thus producing a new “monopoly profit market”, we can expect “investors” to enter that market.

              It’s basic economics. You go where the high profit is.

              In the past and even for the most part in the present, industrial espionage was done using shoe leather, not computers.

              I read a book about that industry maybe twenty years ago or more. One spy simply entered the office of his target while confidential papers were on the man’s desk, whipped out a camera. photographed them, then walked over to the window and threw the camera out to his confederate in the street. The target was furious but there was nothing he could do.

              Today that IP is sitting on a computer that can be accessed one way or the other – even if it requires walking in to the building as Jayson Street is fond of doing.

              And the ability to sell that IP anonymously over the Internet once it’s acquired is also easier.

              The market has expanded and hackers sooner or later will enter that market. It really doesn’t take much more skill to access that IP than it does to access the credit card database. Again, being smart enough to find buyers safely is the hard part.

              You may be correct that only the smartest hackers will be successful at this. But that doesn’t mean this isn’t a growth market.

              The problem with the solutions you posit are that companies won’t implement them in sufficient numbers until the situation has reached crisis proportions.

  14. Here’s a quick puzzle… why do some companies get breached and others don’t, when they’re running the same security products and for aurgument’s sake let’s say they hold the same value as targets?
    The answer is simple. The people managing the security of the network and the security processes they have in place. A security suite is essential but it is not a panacea as some seem to think.
    And here’s a quick question… why did the NYT choose to blindside their security vendor as opposed to working with them?

    • I prefer a blended defense with a wide variety of stand alone products. Suites have been nothing but a big FAIL for me.

  15. @Peter Bell… Other companies do get hacked; you simply do not hear about it.

    Biggest causes of the breaches I have worked:

    sql injection
    email phishing

    NYT did not blind side anyone. When a company is breached they work through their lawyers (outside counsel). The lawyers direct everything, even what is or is not disclosed to the public.

    And sometimes what is disclosed is full of half truths. The lawyers will decide if they are legally obligated to disclose. If they are legally obligated, they disclose the bare minimum.

    Notice Twitter only mentioned 250,000 email addresses and passwords?

    I guarantee you those who made their way onto the Twitter network exfiltrated more than just email addresses and passwords.

  16. Another blog put together a nice timeline of attacks on media companies

    http://nakedsecurity.sophos.com/2013/01/31/history-hack-attacks-against-media/

  17. tnx @John, that is to the point. That is what I meant. This kind of situation, when the lawyers of your news company rule what you are allowed to report on the hack of your company network. These circumstances and the matter you are investigating create an at least quadruple “lose” situation for a journalist.

    Before that investigation of your own hordes of security experts had scanned all your news publishing company databases up and down. Humptydumpy gov agencies/consultants lurk around in the network you are publishing and communicating on. Tracking down the Chinese Peoples Army 23th cyber platoon cadets master class No 359. Great, double lose with a single move!

    Then you publish an investigative story about the whole matter signed with your investigative reporter name. Superb. Of course after you censored certain info, even when necessary to understand the whole story. What is missing? The info your lawyers told you being NOT fit to print. Of course after thorough consultations with private and government entities …

    WSJ only _quoted_ Dow Publishing Group dec. They did no “embedded reporting” from their own publishing facilities
    my 2 [euro]cents
    Erich M.

  18. Were the NYT of WP running any IDS? If so, which? How were the breaches actually detected? I’ve heard that most breaches are detected by external (LE) entitities…what that the case this time?

    • “Were the NYT of WP running any IDS? If so, which?”
      ——————-
      Not sure. Some companies I have worked with use Dell SecureWorks. IMHO and in my experience, Dell SecureWorks is a horrible service and I would discourage anyone from using them. But, just my opinion based on what I have seen/experienced.

      “How were the breaches actually detected?”
      ——————-
      Not sure. Perhaps internal security team noticed anomalous activity. Perhaps a third-party monitoring firm (e.g., Dell). All you will ever hear about from a company is watered down half-truths.

      “I’ve heard that most breaches are detected by external (LE) entitities…what that the case this time?”
      ——————-
      Most breaches? Where have you heard this? This has not been the case in my experience.

  19. Back in 2009, Washington Post syndicated the following PC World report by Michael Scalisi on the open source Smoothwall firewall product.

    http://www.washingtonpost.com/wp-dyn/content/article/2009/09/10/AR2009091003938.html

    Although there may be no connection between the internal security at Washington Post and the information security topics reporters write about (there may have been good internal separation), it does raise questions about whether Washington Post may itself have relied on open source products that were compromised. Is there any evidence that any open source products were compromised in the course of this attack?

  20. Although whitelisting (as in Tripwire, Lumension etc) is so much more reliable as an anti-malware approach than blacklisting (as in Anti-Virus products), an excellent addition to the blacklisting toolkit is the secondary anti-malware solution Prev X which specifically targets zero-day exploits.

    This solution which is designed to co-exist with other A/V products focuses on the behavior of newly installed binaries.

    See: http://www.prevx.com

    • I’ve tested Prevx, and recommend it to folks who insist on having more than one AV solution on board. However – Prevx is Rapport aware, and shuts down some of its protections when it detects Rapport on-board. This is to prevent conflict. I must admit, that I like the noisy HIPS of Prevx, but I have to ask myself if Rapport is already the heavy weight that is doing the lifting here.

      I still recommend Prevx, and folks who are FaceBook subscribers are eligible to get the FREE version of Safe-Online. If they don’t do any shopping or banking online, then Prevx is sufficient. I don’t recommend removing any malware with Prevx, as I’ve read too many disasters with that on reviews by users over at CNET. I let Prevx alert me to the malware’s presence, and simply run CCleaner to get rid of the offending package in the temp files. If one is running as a user with limited rights, the virus will not do any damage anyway. Malware is another problem though.

  21. You put together several great ideas throughout ur blog, “Source: Washington Post Also Broadly
    Infiltrated By Chinese Hackers in 2012 – Krebs on Security”.

    I am going to wind up returning to ur website in the near future.
    Many thanks -Gustavo

  22. Interesting … At the location described by Mandiant, street view chinese website city8 .com showing soldiers and a security camera at the entrance of the building.

    http://ditu.city8.com/share_p_x_121.58391_y_31.35282_1021

  23. Please let me know if you’re looking for a article author for your site. You have some really great posts and I believe I would be a good asset. If you ever want to take some of the load off, I’d really like to write some articles for your blog
    in exchange for a link back to mine. Please send me an e-mail if interested.
    Many thanks!


Read previous post:
Pro-Grade Point-of-Sale Skimmer

Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are...

Close