
Chinese Hackers Infiltrate New York Times Computers - michael_nielsen
http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all&_r=0
======
brown9-2
If you want to give credit to a report detailing how much money your political
leaders have piled up for themselves, hacking the media outfit that published
it is a great way to confirm the story.

~~~
OGinparadise
_If you want to give credit to a report detailing how much money your
political leaders have piled up for themselves, hacking the media outfit that
published it is a great way to confirm the story._

Do you think it matters _now_ for the Chinese gov? By doing this and more they
will make it very expensive for NYT and impossible for smaller outfits to mess
with them. Maybe they'll uncover some dirt and release it to embarrass or
discredit its reporters, who knows.

Google thought they'd forced them to back down and we know what happened.

~~~
brown9-2
I don't think the New York Times would need much motivation to investigate
corruption in China in the first place, but I strongly doubt being hacked by a
foreign government would make them less motivated to do so.

------
corford
All this focus on the sophistication of the Chinese hackers irritates me
slightly.

Reading between the lines, it seems the NYT would likely have weathered this
"sophisticated" attack a lot better if they had observed a few simple security
best practices:

- Salt your password hashes (rendering rainbow tables inert)

- Train your staff NOT to open attachments from unknown sources (especially
if you've just written an inflammatory article on a foreign government
official)

- Configure your mail server to automatically strip and quarantine any
attachment (inbound or outbound) that isn't of a type defined in a very strict
white list

- In addition to network firewalls, make use of the software firewall on the
PC's themselves by tightly controlling what processes on the machines are
given egress permission

This stuff isn't rocket science and if the NYT can't get it right (knowing
that they're a natural high profile target), what hope do other firms have?

The focus of the discussion should be on getting to the bottom of why we keep
seeing these basic security oversights being made over and over again, not
panicking about Chinese über hackers and suggesting everyone move to smart
cards, retina scans or paper.
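The first bullet above (and the later observation in this thread that the Windows domain controller could not salt its hashes) can be shown concretely. This is an added example, not code from the article or from any commenter; the word list and the user passwords are constructed, and SHA-256 stands in for the slow password hash (bcrypt, PBKDF2) you would use in practice.

```ruby
require "digest"
require "securerandom"

# Constructed stand-in for the much larger lists behind real rainbow tables.
WORDLIST = %w[password letmein qwerty dragon sunshine welcome1].freeze

# Unsalted scheme: hash(password). The digest of a given password is the same
# on every system, so a table computed once applies to every stored hash.
def unsalted_hash(password)
  Digest::SHA256.hexdigest(password)
end

# Salted scheme: a random per-user salt is stored beside the digest, so the
# same password produces a different record for every user and every site.
def salted_hash(password, salt = SecureRandom.hex(16))
  { salt: salt, digest: Digest::SHA256.hexdigest(salt + password) }
end

# Legitimate login check: recompute with the stored salt and compare.
def verify_salted(password, record)
  salted_hash(password, record[:salt])[:digest] == record[:digest]
end

# Precomputed digest -> password map over the word list: a toy rainbow table.
def build_table(words)
  words.each_with_object({}) { |w, table| table[unsalted_hash(w)] = w }
end

# Lookup against a leaked digest: the password if it is in the table, else nil.
def lookup(table, digest)
  table[digest]
end

# What a defender sees after the credential store leaks, for both schemes.
def demo
  table = build_table(WORDLIST)

  # Two users with the same weak password, stored unsalted.
  a = unsalted_hash("letmein")
  b = unsalted_hash("letmein")

  # The same two users, stored salted.
  s1 = salted_hash("letmein")
  s2 = salted_hash("letmein")

  {
    unsalted_same: a == b,                    # identical digests leak the reuse
    unsalted_recovered: lookup(table, a),     # one table hit recovers both
    salted_same: s1[:digest] == s2[:digest],  # different records
    salted_recovered: lookup(table, s1[:digest]), # precomputed table is useless
    salted_login_ok: verify_salted("letmein", s1) # but real logins still work
  }
end
```

The salt does not slow a targeted guess against one user; it only removes the precomputation and the cross-user reuse, which is exactly the "rainbow tables inert" claim.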

~~~
nikcub
> Salt your password hashes

As brown9-2 mentions in his reply, it was a Windows Domain Controller

> Train your staff NOT to open attachments from unknown sources

Spear phishing attacks are more sophisticated than that. They aren't sending
.EXE files. The two most common attachments are RTF[0] and PDF[1], or a link
in the email body to a website that will attempt a drive-by download.

These emails are composed in a way to make them look innocent (e.g. 'Twitter
Password Reset Request', 'New Amazon.com Order', or an email from a new
source, etc.).

It is also likely that at this level of sophistication there are 0day exploits
involved.

Attackers can send hundreds of spear emails over weeks and months; they just
need a single click from one user to get their foot in the door.

> quarantine any attachment (inbound or outbound) that isn't of a type defined
> in a very strict white list

As mentioned above, the attachment types are RTF, PDF and XLS - and much more
common is a link in an HTML email.

> make use of the software firewall on the PC's

The command and control servers send commands to ordinary looking websites
using HTTPS. If you read the analysis of Flame or Stuxnet you will see the
lengths that the designers went to to obfuscate this traffic.

This analysis[2] describes what the C&C servers looked like for Flame. The
admin panels make no mention of bots or worms, it looks like any other
intranet site.

It is really difficult to defend against these types of attacks. An attacker
only needs 2 or 3 decent exploit writers to come up with a unique attack
vector and a custom trojan tailored for the target. Also, time is on their
side and they only need a single hit while you need to find and shut down all
of the attempts.

[0] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333>

[1] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4363>

[2]
[http://www.securelist.com/en/blog/750/Full_Analysis_of_Flame...](http://www.securelist.com/en/blog/750/Full_Analysis_of_Flame_s_Command_Control_servers)

~~~
corford
Re: Windows Domain Controllers - I wasn't aware they didn't have the ability
to salt hashes (I last used domain controllers and active directory back in
the Win2K days). I could be facetious and say "move to open ldap, samba 4,
zarafa and an open stack" but I realise that isn't being very helpful :)

Re: spear phishing attacks

All it takes is a bit of training and common sense to significantly reduce the
effectiveness of this vector. Examples:

1). Remove Flash and, if possible, Java from all the desktop PCs and work
laptops. [0]

2). Use a non-Adobe product for reading PDFs

3). Standardise on one browser (e.g. Chrome), force all users to use it and
have someone in IT be responsible for tracking all security announcements from
the manufacturer.

4). Ban browser addons

5). Train staff to hover over any link in an email and verify where it's going
to before clicking it (and to be especially vigilant if the url purports to be
from a well known website i.e. amazon, twitter etc)

6). Ban staff from clicking on any link rendered by a URL shortening service.

7). Ban staff from opening any attachment from a new/unrecognised email source
(regardless of file format).

8). Re-work your provisioning, network architecture and file storage setup so
that it becomes quick and painless to regularly (even randomly) format users'
machines and install a clean image.

9). If feasible, configure all users' email programs to render emails in plain
text and encourage staff to avoid checking their private accounts on work
provided machines (especially high profile users).

10). Ban users from connecting non-work appliances to the network. Use MAC
filtering if you have to enforce this.

Re: firewalling

That's why I said block everything going out and only white list a very
limited number of _processes_ not ports. Do it via the native software
firewall or something like TinyWall.

[0] If a user really needs either of these, they can apply for special
dispensation and IT can (after making sure the user is security trained) give
them a locked down virtualbox instance they can launch from the desktop. If
possible this could also be scripted so that it gets deleted every day or week
and re-provisioned from a "gold" vm image.

Some attacks would still make it through despite the above but that's life. At
the very least it raises the bar needed for a successful attack, making vanity
hacks (like in the case of the latest one on the NYT) less common.

------
tetrad
The executive editor of the Times says "Computer security experts found no
evidence that sensitive e-mails or files from the reporting of our articles
about the Wen family were accessed, downloaded or copied"... but referring to
their forensics they say that the attackers "search[ed] for and grab[bed] Mr.
Barboza's and Mr. Yardley's e-mails and documents from a Times e-mail server"
after cracking their password hashes.

So which is it? Did they download gigs and gigs of mail, but _not_ the ones
they were looking for? Or is "found no evidence" doublespeak for "we're pretty
sure they got what they were looking for, but the logs had already rolled over
on that system, so we have no evidence that they did". Based on the rough
timeline presented, this was after they were known, so it may have been their
honey-pot server, but the tone of the article suggests that they were not
honey-potting them and simply monitoring their progress as they slowly stomped
their way through their live network. This begs the question... if they were
really monitoring the attackers for months, including watching them grab
Barboza and Yardley's e-mails, what are we to make of the PR statement that no
relevant or sensitive e-mails were obtained?

------
tedunangst
There are a couple of surreal quotes in here. Like asking the Chinese Ministry
of Defense to comment.

"A Symantec spokesman said that, as a matter of policy, the company does not
comment on its customers."

Uh huh. Even when it's the customer doing the asking? Way to hide behind the
policy.

~~~
btilly
About Symantec's technology, it is worth noting that antivirus scans are based
on identifying malware in one place, then being able to recognize that malware
everywhere. This does not particularly help you recognize malware that was
custom made to only be installed in one location. Particularly not when the
people who were making that malware themselves have access to your anti-virus
scans prior to deployment and can verify on their own computers that you do
not detect them.

Therefore there is no surprise that Symantec failed to provide any meaningful
protection during this attack. They know this. But they hardly want to admit
it in front of all of their customers.

~~~
tedunangst
But see, the thing is, that's not what it says on the box.
<http://us.norton.com/antivirus/>

"It's okay to blink, because we never do – SONAR technology and live 24x7
Threat Monitoring watch over your PC for any suspicious behavior to quickly
identify threats."

"Protection from the future, available today – our exclusive reputation and
behavior antivirus technology are so advanced that they can stop online
threats that bad guys haven't even created yet."

~~~
btilly
Yes. And if you engage in _suspicious behavior_ like connecting to a botnet
and then spewing spam, SONAR likely figures out that something is wrong.

But remote command and control through a covert channel can be done in ways
that do not look particularly suspicious. And a sophisticated attacker should
be assumed to know what behaviors SONAR is looking for.

------
temphn
I think it's important to understand the Chinese perspective on this issue, if
only to see why they do these things. Start with this:

[http://www.nytimes.com/2011/04/15/world/15aid.html?pagewante...](http://www.nytimes.com/2011/04/15/world/15aid.html?pagewanted=all)

    
    
      U.S. Groups Helped Nurture Arab Uprisings
    
      Even as the United States poured billions of dollars into 
      foreign military programs and anti-terrorism campaigns, a 
      small core of American government-financed organizations 
      were promoting democracy in authoritarian Arab states. ...
    
      The United States’ democracy-building campaigns played a 
      bigger role in fomenting protests than was previously 
      known, with key leaders of the movements having been 
      trained by the Americans in campaigning, organizing through 
      new media tools and monitoring elections. ...
    
      Today the work of these groups is among the reasons that 
      governments in turmoil claim that Western meddling was 
      behind the uprisings, with some officials noting that 
      leaders like Ms. Qadhi were trained and financed by the 
      United States. Diplomatic cables report how American 
      officials frequently assured skeptical governments that the 
      training was aimed at reform, not promoting revolutions.
    

and then this:

[http://online.wsj.com/article/SB1000142405274870356040457618...](http://online.wsj.com/article/SB10001424052748703560404576188981829658442.html)

    
    
      Is China Next?
    
      Over the course of three short months, popular uprisings 
      have toppled regimes in Tunisia and Egypt, sparked a civil 
      war in Libya and created unrest in other parts of the 
      Middle East. They also have raised a question in many 
      people's minds: Are all authoritarian regimes now 
      threatened by this new democratic wave? In particular, is 
      China, a rising superpower, vulnerable to these forces?
    

Whether or not you believe the Arab Spring actually resulted in good outcomes,
the salient fact is that US funded groups started the revolutions and
prominent neocons (like Fukuyama in that WSJ article) were/are calling for
similar actions in China.

This is why the Chinese government feels that it is under attack by the United
States, and it does not see a line between NGOs, the NYT/WSJ, and the US
government, which they believe are working in concert to discredit their
leaders and foment violent revolution in the name of democracy, as they did in
the Middle East. Is this paranoid? Well, it's now hard to gainsay the USG/NGO
connection given those articles, and in general even the NYT does tend to side
with the USG against China or Arab regimes (most famously with Judith Miller).

From this worldview, China thinks of this as a conflict between one of their
intelligence agencies and one of ours. It's not obvious that they are wrong in
that assessment.

~~~
babarock
Very good points!

>> it does not see a line between NGOs, the NYT/WSJ, and the US government.

Aren't we all making the same mistake when we refer to them? All we know is
that the attacks came from China, so we safely assume it came from the
Government? Why is it that each time something comes from China (a country
with approximately 5 times more people than the US - source Wikipedia) we
blame their government and treat it as a declaration of war (or, with less
exaggeration, a political move)? Is it possible that this enormous gigantic
human honeycomb has, say, organizations, corporations, competitors, God-knows-
what-which-isn't-their-government?

The western media have created this weird image of China and ... something
doesn't add up. I've never been there and I hope I'll get the chance some day,
but I can't help but feel that "someone" (feel free to replace this word with
the antagonists of your favorite conspiracy theory) is trying to shove down
our throat that China is a menace.

That being said, I agree with your analysis. The Chinese government has seen
what happened in the Arab world and it knows that the US constantly needs an
enemy. It probably does feel threatened.

~~~
toomim
I've been there. I spent 6 months last year.

What you might not understand is that the Chinese government has its hands in
every corporation, organization, competitor, etc.

You might have false assumptions coming from the US system, where corporations
and government are separate entities. They even sue one another at times.

In China, large corporations are overseen by the government. The government
funds them, decides what they can and cannot do, and decides which
corporations will succeed. You cannot build a search engine or social network
right now, unless you pull a political coup, because the government controls
which companies succeed. Baidu and Tencent are the "blessed children" for the
time being.

Within the government, China is run by various clans, continually vying for
power in the Communist Party. It's easiest to build a large company by having
a family member in the upper echelon of the party, to push things through.

Everything is connected to the government in China. It's in your company's
interest to keep the party in power, because the corrupt politicians keep you
in business. It's in your wealthy family's interest to keep the government in
power, because they keep you wealthy. It's a giant corrupt system, keeping
itself in place.

Most likely, these attacks were actually executed by some low-level hackers
somewhere. But most certainly, someone in the government has something to do
with their funding, organization, or guidance.

~~~
RestlessMind
"Government" is not one cohesive entity, certainly not in a country as big as
China. Sure, there might be some rogue actors sympathetic to such attacks. But
that doesn't imply that "Chinese government" in general is supportive of such
acts, just like a few corruption scandals do not imply that entire US
government is corrupt.

~~~
krichman
But for each scandal we need to re-evaluate the prior.

I'm irritated that you post this as if presupposing that the US government is
not corrupt. I know you are factually correct, but the connotation bothers me.

When they failed to stop SOPA of their own accord, I realized that the
majority _are_ either incompetent or corrupt.

~~~
RestlessMind
Well, my main point was about China and mentioned US govt just as an example.
If you don't like that example, how about: "It's wrong to call a corporation
corrupt just because a few mid-level employees go rogue"

------
Volpe
Strange that they would hack NYT when NYT's source for the Wen Jiabao article
seemed to be public financial records and info from wikileaks (state
department cables).

What is the strategic gain from hacking NYT? Identify potential other sources
(within china) perhaps?

~~~
brown9-2
It's not necessarily that the state as a whole found strategic value in this.
Could just be one general hoping to impress the Politburo.

~~~
yzhengyu
TBH, it could be anyone in the chain with sufficient authority to trigger it
and hoping to impress someone who can reward him in a tangible manner.

And the sad thing is, it is not limited to bureaucracies or government
organisations. I have seen bugs that are not fixed, patches that are rejected
because they allow someone somewhere to behave heroically in an attempt to
impress someone.

When I first experienced this, it was a very real WTF moment from the School
of Dilbert Mismanagement.

------
ChuckMcM
It will be interesting if we see the first use of national firewalls to keep a
nation-state boxed in from the outside. I'm not sure what the 21st century
equivalent of a blockade or siege is, but that would come close.

~~~
don_draper
Interesting idea but difficult to implement. The hackers hide behind proxies.
Unless you could cut off proxies everywhere they would still find ways to get
in.

~~~
ChuckMcM
As are sieges and blockades of course.

As virtual as the Internet is, in many ways, it still takes physical form as
fiber optic cables and trunks. And due to a variety of reasons the number of
those that cross national borders is fairly limited. Wireless is great but
hard to push terabits of data through like lasers in glass do.

I've just always thought of the Great Firewall of China as a state device to
keep Chinese citizens from full access to the Internet, but this article made
me wonder if at some point there will be another Firewall outside the Great
Firewall which _isn't controlled_ by the Chinese but also keeps Chinese
packets inside the country, for different reasons.

------
tokenadult
From the article:

"After surreptitiously tracking the intruders to study their movements and
help erect better defenses to block them, The Times and computer security
experts have expelled the attackers and kept them from breaking back in.

"The timing of the attacks coincided with the reporting for a Times
investigation, published online on Oct. 25, that found that the relatives of
Wen Jiabao, China’s prime minister, had accumulated a fortune worth several
billion dollars through business dealings."

As a student of the language, history, culture, current politics, and future
prospects of China since 1975, I had better comment on how significant this
is. The effort by operatives based in China (that much is indisputable from
the computer forensics involved in this case) is deeply hostile to the press
freedom that is a fundamental difference between China and the United States.
Under usual principles of international law, China has the responsibility to
keep actors on its territory from launching harmful attacks on the territory
of another country, unless it is interested in declaring war. Prior restraint
of news media is routine in China, and accounts for a great deal of the public
ignorance in China that keeps the current dictatorial regime in power, but it
is not at all a friendly act toward the United States. The United States
government has everything to gain and essentially nothing to lose by every
other government on the planet being exposed to more press coverage of
national leaders and their possibly corrupt activities. In this regard, the
current regime in China and any government of the United States under the
Constitution have inherently differing interests.

The national interest of the common people of China, on the other hand, would
be best served by freeing the news media there from the prior restraint and
censorship that now exist there. If everyday people in China knew better what
is really going on in the country, and what their leaders are doing, China
could make greater progress in overcoming persistent poverty and enjoy more
peaceful relations with countries all around the globe. Right now, the masses
in China are not given the choice of knowing what's going on through
uncensored mass media, nor are they given the choice of free and fair
elections for choosing national leaders.

My best hope is that this effort to scare off the New York Times from honest
reporting about China will fail as efforts by the Church of Scientology to
frighten away investigative journalists are also increasingly failing.

<http://tonyortega.org/2013/01/29/more-signs-of-scientologys-armageddon-as-the-media-takes-aim/>

A lot of journalists would like nothing better than to write even more tough
stories about what is really going in China, based on unfettered reporting
with Chinese-speaking sources in the country. One journalist from China I met
long ago in a place far away commented well in advance of the Internet age
that if the Communist Party of China ceased censoring mass media that its rule
would be gone "in a week." The time will come when the Party can't shut down
all the channels of information flowing into China and within China, and then
the Party will have to face elections or face a revolution.

AFTER EDIT: The first reply asked a fair question, which is whether or not
there is a basis for thinking that the Communist Party of China losing power
in China would be a good thing. My answer is yes. I lived in Taiwan both under
the KMT dictatorship and under its current democratic regime (which now again
has the KMT as the ruling party, after an election). I have also been to Hong
Kong. Chinese people can adapt well enough to democracy. In general, all
around the world, freedom and democracy have their defects, but they are
generally better for the people who live with them than the alternative.
Precisely because Taiwan is available for an example, I think a transition to
democracy in China could be especially smooth. It is regrettable that although
there are Muslim democracies, the first attempts at specifically Arab
democracies so far are nascent and struggling. The democratic transition in
Arab countries will be harder in the short term for lack of culturally similar
examples, but I think that too will be a long term benefit to the common
people of the Arab lands.

AFTER ONE MORE EDIT: Anyway, it shouldn't be the censorship and armed force of
the Party that restricts the people's right to choose their national leaders.

~~~
Volpe
> One journalist from China I met long ago in a place far away commented well
> in advance of the Internet age that if the Communist Party of China ceased
> censoring mass media that its rule would be gone "in a week."

Is that a good thing?

Would its replacement be better?

Arab spring has kind of taught us that things aren't as simple as: "Break
status quo and things get better".

~~~
untog
_Arab spring has kind of taught us that things aren't as simple as: "Break
status quo and things get better"._

I don't think that anyone needed to be taught that. I doubt that we will be
able to judge whether the Arab Spring was a success for another ten or twenty
years - the immediate aftermath of revolution is always deeply messy.

Not to mention that 'better' is entirely subjective anyway, of course. There
are plenty of older Russians that miss the Soviet days, believe it or not.

~~~
Volpe
That was my point.

If it takes 20 years to see a 'benefit' is it that bad now, that they should
go through that kind of mess?

~~~
untog
When looked at from the very long term position, the removal of dictators is
indeed a good thing that is worth suffering through. I'm not sure that anyone
can judge whether it's worth it, though - that's a personal judgement.

~~~
Volpe
Dictators... Are you saying Wen Jiabao is a dictator?

Given the vast improvement in the way of life for Chinese since Deng Xiaoping,
and their continuous prosperity, are we really sure that's the "best" thing to
do?

------
cloudout
"a thermostat in one of its corporate apartments and a printer in its offices
— were still communicating with computers in China"

This is the dark side of the "internet of everything". Software=inherently
buggy. Software EATS WORLD. World=buggy?

------
est
I like how the whole article is rambling about Chinese hacks yet no strong &
clear evidence suggests it's from China, except perhaps from a Chinese IP
address.

You know what, Chinese computers are also likely to be hacked easily.

~~~
hawkharris
I agree that the Times can't prove absolutely that the Chinese government was
behind the attack. But they do provide a few strong pieces of evidence: (1)
the university computers used in this attack were the same machines used in
past attacks that were linked to China's military; (2) the attacks coincided
directly with policy issues affecting Chinese officials.

The article also had a relatively even-handed tone. It discussed the broader
trend of hacks originating in China without linking the trend to the Chinese
government, and it included an eloquent rebuttal quote from a Chinese
official.

~~~
est
The two pieces of evidence from the NYT made a meme on the Chinese Interwebs:

蓝翔 hacked Google.

------
wavesounds
Seems like putting a password on their printer and thermostat as well as
telling their employees not to click random links or better yet setting up a
security rule on their email router to not allow links and attachments from
outside the network would have prevented this.

In essence these big companies are leaving the door unlocked and keep acting
surprised when people that don't like them open it up and poke around inside.
There needs to be more education and common sense; this sounds like a very
easy attack to prevent.

------
jenandre
This story, and the recent RubyGems debacle should be teaching all of us one
thing -- assume you can and will be hacked. Do you understand the implications
(what data you are going to lose? what credibility?) Do you have a plan to
deal with it?

Ruby Gems was lucky in that their hack was noisy. The Chinese government, as
illustrated above, won't play so nice.

This is why monitoring and incident response matter.

Remember the subtle backdoor that almost slipped into the Linux kernel in
2003[1]? That could be Ruby Gems right now. Hopefully, they are taking the
proper steps to investigate exactly what the hackers did.

[1] <http://kerneltrap.org/node/1584>

~~~
pifflesnort
China appears to be engaging in highly sophisticated attacks of the kind that
major companies need to be aware of.

The RubyGems fiasco is the result of remarkably incompetent decisions by
everyone in the chain of control.

The lessons are completely different. In the first, it's that you have to
expect that you will be compromised if a determined and capable attacker
targets you.

In the second, it's that you will be compromised if you use software written
by people and maintained by a community that seemingly lacks any remote
resemblance of engineering competence.

~~~
jenandre
I don't think the RubyGems people were incompetent. The software serves its
core purpose quite well (as a library delivery mechanism) and is quite
reliable. But clearly they weren't thinking about security in their decisions,
and what would happen if the repos were compromised.

Let's be honest here - no software is 100% secure. As developers and
consumers, the idea that we all review all of the tools in our toolchain for
security soundness is absurd. It's like saying that everyone using C made poor
decisions because of security flaws in popular libraries (even security ones,
like openssl) and therefore all of the C community has no engineering
competence.

The fact is, China already has their eyes on GitHub and it's not beyond the
planning capability to place backdoors in popular software to suit their
future ends.

No matter who the attacker may be, you have to be prepared for the situation
where your computers and data are compromised, period.

~~~
pifflesnort
> _I don't think the RubyGems people were incompetent._

They sat on a publicly disclosed vulnerability in the YAML parser for a week.
The YAML parser itself was ridiculously designed to (essentially) eval() YAML.

Those were the two active decisions of incompetence.

On top of this, they built a massively central system that is widely trusted
with no means of code verification whatsoever. There is no telling what people
could have injected into that repository at any point in its history.

~~~
ceejayoz
> On top of this, they built a massively central system that is widely trusted
> with no means of code verification whatsoever.

<https://github.com/rubygems/rubygems/blob/master/History.txt>

0.8.11 / 2005-07-13: Added Paul Duncan's gem signing patch.

They've had a mechanism for code signing for 8 years. Yes, they could require
signing of all gems on the site, but the ability has been there for a long
time.

~~~
pifflesnort
This doesn't do any good if it's not required/used, which it's not.

As a counter-example, the maven central repository requires signatures, and
caching Maven repositories validate those signatures.

~~~
ceejayoz
I'm simply contesting the "no means of code verification whatsoever"
statement.

~~~
pifflesnort
My point is simply that without signatures, there is no means of verification.
Having the code isn't enough.
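The point of this exchange (a repository that serves bytes without a signature gives the client nothing to check, while a signature lets it reject anything altered after signing) can be shown in a few lines. This is an added example, not RubyGems' own signing code or any commenter's; the package bytes and the keys are constructed here, and in practice the publisher's public key would be distributed out of band and pinned by the client.

```ruby
require "openssl"

# Constructed stand-in for the bytes of a packaged library (example data).
PACKAGE = "name: example\nversion: 1.0.0\nlib/example.rb: def hi; :hi; end\n".freeze

# Publisher side: a signing key (in practice long-lived and kept offline).
def generate_signing_key
  OpenSSL::PKey::RSA.new(2048)
end

# Detached signature over the SHA-256 digest of the package bytes.
def sign_package(key, data)
  key.sign(OpenSSL::Digest.new("SHA256"), data)
end

# Client side: only the publisher's public key is needed. Returns true only if
# the bytes are exactly what the holder of the private key signed.
def verify_package(public_key, data, signature)
  public_key.verify(OpenSSL::Digest.new("SHA256"), signature, data)
rescue OpenSSL::PKey::PKeyError
  false
end

# A client that receives bytes but no signature has nothing to verify against:
# it can only compare the bytes to themselves, which says nothing about origin.
def verify_without_signature(_data)
  false
end

# Three download scenarios a mirror or central repository could produce.
def demo
  key = generate_signing_key
  pub = OpenSSL::PKey::RSA.new(key.public_key.to_der)
  sig = sign_package(key, PACKAGE)

  # The same package after a modification made downstream of the publisher.
  tampered = PACKAGE.sub("def hi; :hi; end", "def hi; :changed; end")

  # A signature from someone who is not the trusted publisher.
  impostor_sig = sign_package(generate_signing_key, PACKAGE)

  {
    genuine: verify_package(pub, PACKAGE, sig),
    tampered: verify_package(pub, tampered, sig),
    impostor: verify_package(pub, PACKAGE, impostor_sig),
    unsigned: verify_without_signature(PACKAGE)
  }
end
```

Verification establishes only that the bytes match what the key holder signed; it says nothing about whether the signed code is safe, and it helps only if the client refuses unsigned or unverifiable downloads rather than treating the signature as optional.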

------
arunabh
So PRC online spin doctors couldn't do the job
<http://en.wikipedia.org/wiki/50_Cent_Party>

------
ChrisArchitect
Didn't expect much out of this story because it has felt for a long time that
hackers targeting politically sensitive media orgs, govt and private sector
out of China is the norm. Too common, widespread (however it's being
organized) and they are too many for us to keep tabs on/hope to stop. All we
can do is be vigilant in security practices and keeping on top of latest
measures.

~~~
re_todd
Keeping on top of the latest measures is great, but I wonder if it's good
enough. Maybe we should go back to writing our most sensitive information on
paper.

------
sc00ter
"It then replaced every compromised computer and set up new defenses in hopes
of keeping hackers out."

I hope that's just poor reporting, or does the Times' IT department really
have that poor an understanding of how computers work? No wonder they got
pwned. And I'm not buying the "we gave them free rein for four months on
purpose" line. It makes no sense.

~~~
beagle3
Someone has poor understanding of how computers work, but it isn't necessarily
the NY Times.

Once a computer is compromised, you can't trust anything about it. You may
believe reinstalling the OS is enough, but it is possible that some remote
control tool is still lurking in a main BIOS reflashed while compromised, or
in the GPU firmware, or tens of other places.

While it should potentially be possible to reflash everything, it is
practically cheaper to replace the computers. Do YOU know how to reflash your
BIOS with a trusted version, your GPU firmware, etc?

I don't mean "I know how to look it up on Google, and I'm sure I can do it if
needed". This thing is hard to automate and do at scale even if you do know
how to do it, especially if not all your computer models are uniform.
Depending on how old and varied the hardware is, it is very likely that the
economical solution, (assuming you suspect an attacker capable of these
feats), is to replace all the computers.

[Though, all the hardware they replaced it with has been, most likely, built
and QA'd in China. Why would you trust _that_? The rabbit hole goes very deep.
Practically too deep for anyone without a billion dollar R&D budget these
days]

~~~
sc00ter
_You may believe reinstalling the OS is enough_

I made no such claim, but verifying bios and firmware signatures (and indeed
detecting changes when they happen), and reinstalling them at scale is not a
major challenge with a well managed IT infrastructure.

I can accept however that the Times may well have been running 10 year old
PCs, with manual IT management processes, and outdated security software, and
that replacement may have been overdue and economically more viable.

~~~
beagle3
> verifying bios and firmware signatures (and indeed detecting changes when
> they happen), and reinstalling them at scale is not a major challenge with a
> well managed IT infrastructure.

Can you back up that claim with reference to a system that does that?

EVERY single management system I can think of trusts the system to report its
status. You can't trust a compromised system to report its status.

Assume you have 5,000 desktop computers. How do you set them up so you can
verify bios and firmware signatures without forcing a good bios reflash in the
first place? (An action that does require soldering or jumper setting on
modern motherboards!)

> I can accept however that the Times may well have been running 10 year old
> PCs

If you're running your business properly, 3-4 years is the oldest any PC
should ever get. If you know a business running 10 year old PCs, tell them to
get a new accountant. Today's $300 ATOM netbook (with your 10 year old screen
and keyboard) will have positive ROI compared to maintaining a 10 year old
machine (The best 2002 Pentium 4 is comparable to a modern ATOM, but needs
5-10 times as much power). You'll be saving money just with energy/cooling
costs.

~~~
j_s
Good point, as in theory both the BIOS and the BIOS flash update routine could
be replaced/virtualized... confirming a successful update even though the
update was ignored.

------
fatjokes
"Security experts found evidence that the hackers stole the corporate
passwords for every Times employee and used those to gain access to the
personal computers of 53 employees"

Does this mean the NYTimes is storing passwords in plaintext?

~~~
Hilyin
I think if they have the ability to steal the passwords, even if they weren't
plain text, they didn't do the proper precautions of encrypting with a salt.
So either way, they failed.

~~~
betterunix
At this point, passwords should be considered obsolete when it comes to
securing things. We should be using smartcards and cryptographic techniques;
humans are just not good enough at generating or remembering random strings
for passwords to be considered a good idea.

~~~
amalag
Yes I personally like the Yubikey idea which integrates with AD. Keeping a
physical token and just pushing a button is nice.

------
d4vlx
So much time and effort by talented people being used for such useless
purposes. So monarchic.

------
chayesfss
Looks like their mail is just protected by username & password too

------
amazedsaint
"Psychic spies from china tries to hack your mind elation"

------
lennydizzy
How come the Anonymous never attacked Chinese government?

~~~
andrewcooke
[http://www.telegraph.co.uk/news/worldnews/asia/china/9189192...](http://www.telegraph.co.uk/news/worldnews/asia/china/9189192/Chinese-government-struggles-to-restore-hacked-websites.html)

google is useful for this kind of thing:
<https://www.google.cl/search?q=anonymous+target+china>

------
beefsack
*Crackers.

------
spitx
Are these state-independent actors capable of orchestrating intrusions of such
sophistication?

Judge for yourself.

    
    
      They operate from a bare apartment on a Chinese island.
      They are intelligent 20-somethings who seem harmless.
      But they are hard-core hackers who claim to have gained
      access to the world's most sensitive sites, including 
      the Pentagon.
    
      In fact, they say they are sometimes paid secretly by the
      Chinese government -- a claim the Beijing government
      denies.
    
      "No Web site is one hundred percent safe. There are Web
      sites with high-level security, but there is always a
      weakness," says Xiao Chen, the leader of this group.
    
      "Xiao Chen" is his online name. Along with his two
      colleagues, he does not want to reveal his true identity.
      The three belong to what some Western experts say is a
      civilian cyber militia in China, launching attacks on
      government and private Web sites around the world.
    
      If there is a profile of a cyber hacker, these three are   
      straight from central casting -- young and thin, with skin
      pale from spending too many long nights in front of a
      computer.
    
      One hacker says he is a former computer operator in the
      People's Liberation Army; another is a marketing graduate;
      and Xiao Chen says he is a self-taught programmer.
    
      "First, you must know about the Web site you want to
      attack. You must know what program it is written with,"
      says Xiao Chen. "There is a saying, 'Know about both
      yourself and the enemy, and you will be invincible.'"
    
      CNN decided to withhold the address of these hackers' Web
      site, but Xiao Chen says it has been operating for more
      than three years, with 10,000 registered users. The site
      offers tools, articles, news and flash tutorials about
      hacking.
    
      Private computer experts in the United States from
      iDefense Security Intelligence, which provides
      cybersecurity advice to governments and Fortune 500
      companies, say the group's site "appears to be an
      important site in the broader Chinese hacking community."
    
      Arranging a meeting with the hackers took weeks of on-
      again, off-again e-mail exchanges. When they finally
      agreed, CNN was told to meet them on the island of
      Zhoushan, just south of Shanghai and a major port for
      China's navy.
    
      The apartment has cement floors and almost no furniture.
      What they do have are three of the latest computers. They 
      are cautious when it comes to naming the Web sites they
      have hacked.
    
      On camera, Xiao Chen denies knowing anyone who has
      targeted U.S. government Web sites. But off-camera, in
      conversations over three days, he claims two of his
      colleagues -- not the ones with him in the room -- hacked
      into the Pentagon and downloaded information, although he
      wouldn't specify what was gleaned. CNN has no way to
      confirm if his claim is true.
    
      "They would not publicize this," he says of someone who
      hacks the U.S. Defense Department. "It is very sensitive."
    
      This week, the Pentagon said computer networks in the
      United States, Germany, Britain and France were hit last
      year by what they call "multiple intrusions," many of them
      originating from China.
    
      At a congressional hearing in Washington last week,
      administration officials testified that the government's 
      cyber initiative has fallen far short of what is required.
      Most alarming, the officials said, there has never been a
      full damage assessment of federal agency networks.
    
      "We are here today because we must do more," said Robert
      Jamison, a top official in the U.S. Department of Homeland
      Security. "Defending the federal system in its current
      configuration is a significant challenge."
    
      U.S. officials have been cautious not to directly accuse
      the Chinese military or its government of hacking into its
      network.
    
      But David Sedney, the deputy assistant secretary of
      defense for East Asia, says, "The way these intrusions are
      conducted are certainly consistent with what you would
      need if you were going to actually carry out cyber
      warfare."
    
      Beijing hit back at that, denying such an allegation and   
      calling on the United States to provide proof. "If they
      have any evidence, I hope they would provide it. Then, we
      can cooperate on this issue," Qin Gang, a spokesman for
      the Chinese Foreign Ministry, said during a regular press
      briefing this week.
    
      But again off-camera, Xiao Chen says after the alleged
      Pentagon attack, his colleagues were paid by the Chinese
      government. CNN has no way to independently confirm if
      that is true.
    
      His allegations brought strenuous denials from Beijing. "I
      am telling you honestly, the Chinese government does not
      do such a thing," Qin said.
    
      But if Xiao Chen is telling the truth, it appears his
      colleagues launched a freelance attack -- not initiated by
      Beijing, but paid for after the fact. "These hacker groups
      in my opinion are not agents of the Chinese state," says
      James Mulvenon from the Center for Intelligence Research
      and Analysis, which works with the U.S. intelligence
      community.
    
      "They are sort of useful idiots for the Beijing regime."
    
      He adds, "These young hackers are tolerated by the regime
      provided that they do not conduct attacks inside of
      China."
    
      One of the biggest problems experts say is trying to prove
      where a cyber attack originates from, and that they say
      allows hackers like Xiao Chen to operate in a virtual
      world of deniability.
    
      And across China, there could be thousands just like him,
      all trying to prove themselves against some of the most
      secure Web sites in the world.
    

Source(s):

<http://www.cnn.com/2008/TECH/03/07/china.hackers/>

<http://www.youtube.com/watch?v=ovNVhk1rVVE>

------
mcclosdl
Jeez, NYT. 2FA much?

~~~
tmsh
Most valuable point in this otherwise very interesting discussion.

MFA neutralizes most hacker threats. Organizations like the NYT that are
sensitive should implement them. I know we do for banking, per industry
standards (FFIEC). Fraudsters aren't about to defeat RSA tokens or multiple
channels of authentication in the near future, as far as I know. It's just too
logistically difficult and an order of magnitude harder to then compromise the
MFA servers (via MITM or otherwise), etc. If implemented correctly, they make
access to individual personal data significantly more distributed and
difficult to breach.

Is MFA for e-mail each time extremely annoying? Probably. But logging into a
system with just a username and password for a new IP address should not be
the standard for authentication. This has got to be the solution eventually,
and one which will essentially de-emphasize nation states or any large
organizations from surveilling lists of accounts.

~~~
rawrly
MFA and authentication have a much larger scope than what you've brought up
here. I should start by saying I think passwords have atrophied and should be
replaced, and MFA is the best option we have to replace passwords at this
time. However, MFA has flaws many people are unaware of.

I apologize for starting with a contradiction to something you state, but MFA
does not neutralize most hacker threats. It only addresses authentication,
it's unable to help against software compromises or user compromises --
Phishing attacks would still be effective, as the user will input a valid
temporary token. What is MFA effective at preventing? Brute force password
attacks, and users choosing bad passwords.

An attacker who compromises an internal system or is successful in egressing a
login database will gain the session tokens for logged in users and be able to
use that to access compromised accounts (subverting the entire logged in
process.)

But, you covered this, so I will digress to mentioning MFA's authentication
concerns:

The "forgot password" or "lost my token" systems are always a weak link.
Frankly, it's improbable (due to overhead costs) that any bulk service
provider (Twitter, Gmail, etc...) enacts a strict verification process beyond
automated email/phone verification (and this has been compromised before;
look up the attack against Cloudflare's Google services.)

Second to the "lost password/token" attacks, there is the simple attack
against the session ID/token. Remember, once you're logged in, your computer
will store a token that it shares with the service to verify you are still
authenticated. While the token will expire, if the token is active then the
system will accept the session ID or token to verify you are logged in. The
egress of data from the Twitter login database included these session IDs. Of
course, this requires a compromise of the system and not a MFA login
compromise.

Finally, on your discussion of using an MFA token for every login, every time.
This is actually not true in all cases. A reasonable approach most
implementations use is to require MFA for logins from unknown computers/IPs;
once a system is verified via MFA, a user would likely have a grace period when
they would have to enter only their password until that grace period expires,
and then they would have to verify via MFA again. This could be 1 week, 1
month or 1 year+.

Of course these statements I've made are really up to the environment's
configuration, ideally in a very strict environment it's expected you verify
via MFA each and every time, session IDs are updated automatically with every
action and users are aware of security risks. But we don't live in this
security/paranoia utopia (and perhaps that's all for the better.)

Hope I've helped spark some discussions on MFA here. Bam, I'm out!

~~~
tmsh
Very good points. Good discussion, thanks.

Interesting to think about. And you're right, phishing, breaches of the MFA
database, and session jacking (via breaching the session database) are all big
problems still.

But it's significantly more difficult to compromise certain accounts with
another channel of authentication. Whether it's the initial attack vector
(trying to crack some random employee's password) or secondary attack vectors
(once access is gained, trying to go up a security level or compromise servers
upstream, etc.), if each of those authentications requires (after initial
setup) a secondary device, it's just so much harder to crack.

Anyway, I think there's got to be a way to design a security system that
partitions secure information. MFA secure cookies (or whatever we want to call
long-term session ids associated with authenticated secondary channels), I
would hope could slow down access to individual accounts.

Ideally, secure cookies get more sophisticated in the future and truly lend a
'distributed' quality to the architecture (i.e., are just one-time RSA private
keys, maybe?), thus making it very difficult to log in without actual access to
the device that the user set up MFA with.

