New York Times hacking revelations shed new light on China cybercrime
Experts suggest that Chinese government routinely employs ‘vast army of hackers’ to carry out covert spying campaigns
Despite the vociferous denials…Experts say the contours of a Chinese cyber attack have become familiar. They begin with slightly malfunctioning computer networks, usually at the headquarters of a military contractor, government office or multinational internet company. Sensitive files might go missing; servers may crash.
New York Times claims Chinese hackers hijacked its systems
Stories about wealth of outgoing premier Wen Jiabao appeared to be catalyst for attack, possibly by military, says paper
Jonathan Kaiman in Beijing
guardian.co.uk, Thursday 31 January 2013 01.02 EST
Chinese hackers, possibly from the country’s military, hacked the New York Times’ computers while it was investigating the wealth of Wen Jiabao, the paper has said. Photograph: Corbis/Xinhua
Hackers with possible ties to the Chinese military have repeatedly attacked the New York Times’ computer systems over the past four months, possibly in retaliation for a series of stories that the paper ran exposing vast wealth accumulated by the family of outgoing premier Wen Jiabao, the newspaper has reported.
The hackers gained entry to the newspaper’s internal systems and accessed the personal computers of 53 employees including David Barboza, its Shanghai bureau chief and author of the Wen exposé, and Jim Yardley, a former Beijing bureau chief.
An investigation by Mandiant, a cyber-security company hired by the New York Times, concluded that the hacks were likely part of an elaborate spy campaign with links to the country’s military. The company traced the source of the attacks to university computers that the “Chinese military had used to attack United States Military contractors in the past”, the Times said.
Although the hackers gained passwords for every Times employee, Mandiant found that they only sought information that was related to the Wen story.
The Times said it worked with telecommunications company AT&T and the FBI to trace the hackers after AT&T noticed suspicious activity on the paper’s computer networks on 25 October, one day after the article appeared in print. A later analysis concluded that hackers initially broke into Times computers on 13 September when reporting for the Wen story was in its final pre-publishing stages.
The Times hired Mandiant on 7 November when management realised initial efforts to expel the hackers from the company’s computer systems had been unsuccessful.
“To get rid of the hackers the Times blocked the compromised outside computers, removed every back door into its network, changed every employee password and wrapped additional security around its systems,” said the article.
While Times executives worried that a flurry of hacker activity around the time of the US presidential elections may have indicated that the hackers were intent on shutting down the paper’s publishing systems, “the attackers’ movements suggested that the primary target remained Mr Barboza’s email correspondence”.
The Chinese government had warned the Times that the exposé would “have consequences”, according to the report.
The hackers used a technique called spear-phishing, according to the article, allowing them to install malware on their targets’ computers via seemingly innocuous email messages. The malware allowed them to add remote access tools that gave them access to data from employees’ computers.
“Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your email account and you’re opening it and letting them in,” said Michael Higgins, the Times’ chief security officer.
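The spear-phishing pattern Higgins describes, a malicious attachment that the recipient opens, is one that mail gateways can screen for before the message reaches an inbox. The following is an added example, not tooling from the Times or Mandiant: it parses an inbound message with Python's standard `email` package and flags attachments whose extension, double extension or leading bytes mark them as executable or disguised. The sample messages, the sender address and the filenames are constructed placeholders.

```python
"""Attachment triage for inbound mail: a defender-side check for spear-phishing.

Added example, not code from the Times or Mandiant.  Uses only Python's
standard `email` package.  Sample messages, sender and filenames are constructed.
"""
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions that external senders should never deliver as opaque attachments.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Leading bytes ("magic number") of a Windows PE executable.
PE_MAGIC = b"MZ"


def triage_attachment(part: Message) -> dict:
    """Return the attachment's name plus a list of phishing indicators."""
    name = part.get_filename() or ""
    pieces = name.lower().split(".")
    ext = pieces[-1] if len(pieces) > 1 else ""
    payload = part.get_payload(decode=True) or b""
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
    # "notes.pdf.exe": a document extension followed by an executable one.
    if len(pieces) > 2 and pieces[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append("double extension disguises executable as document")
    # Declared as a document, but the bytes say Windows PE.
    if payload.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        findings.append(f"PE header in a file named .{ext}")
    return {"filename": name, "findings": findings}


def triage_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and decide whether to hold it for review."""
    msg = message_from_string(raw)
    attachments = [triage_attachment(p) for p in msg.walk() if p.get_filename()]
    hold = any(a["findings"] for a in attachments)
    return {"from": msg.get("From", ""), "hold": hold, "attachments": attachments}


def build_sample(filename: str, data: bytes) -> str:
    """Construct a sample inbound message carrying one attachment (test data only)."""
    msg = MIMEMultipart()
    msg["From"] = "colleague@example.invalid"   # placeholder sender
    msg["Subject"] = "Re: draft"
    msg.attach(MIMEText("Please see attached.", "plain"))
    att = MIMEApplication(data, Name=filename)
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_string()


# Constructed samples: a harmless text file, a PE stub disguised as a PDF,
# and the classic double-extension trick.
CLEAN = build_sample("notes.txt", b"plain notes\n")
DISGUISED = build_sample("story_draft.pdf", b"MZ\x90\x00" + b"\x00" * 60)
DOUBLE_EXT = build_sample("story_draft.pdf.exe", b"MZ\x90\x00")

if __name__ == "__main__":
    for raw in (CLEAN, DISGUISED, DOUBLE_EXT):
        print(triage_message(raw))
```

The magic-byte check is the one that matters most: a renamed executable passes any filter that trusts the filename, and the first two bytes give it away regardless of what the sender called it.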
Chinese hackers began targeting western journalists in 2008 as part of a possible campaign to pre-empt stories that could damage the leadership’s reputation at home and abroad, the article said. Bloomberg was also a victim of cyber-attacks after the newswire published a report on the vast wealth of incoming president Xi Jinping’s family last summer.
In response to allegations that the Chinese military was behind the attacks, China’s ministry of national defence told the New York Times that “Chinese laws prohibit any action including hacking that damages internet security” and that “to accuse the Chinese military of launching cyber-attacks without solid proof is unprofessional and baseless”.
The mounting number of attacks that have been traced back to China suggest that hackers there are behind a far-reaching spying campaign aimed at an expanding set of targets including corporations, government agencies, activist groups and media organizations inside the United States. The intelligence-gathering campaign, foreign policy experts and computer security researchers say, is as much about trying to control China’s public image, domestically and abroad, as it is about stealing trade secrets.
Oracle patches Java, but concerns remain
Paul Sakuma/AP – Oracle says it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week.
By Hayley Tsukayama, Published: January 14
Oracle delivered an unusual emergency patch to its ubiquitous Java software Sunday to fix a bug that allowed hackers to gain access to users’ Web browsers. But some security experts continued to warn users Monday to stay away amid lingering concerns about the company’s ability to react quickly to security problems.
The latest security hole came to light last week when the Department of Homeland Security raised an alarm about it. Even after Oracle released the patch, the agency recommended that users disable Java “unless it is absolutely necessary,” citing continuing problems with the program’s overall security.
Oracle confirmed that it had released a new patch, but did not return a call for comment on the lingering concerns.
Security experts estimate that Java is used in 3 billion machines, about 2 billion of which are desktop or laptop computers. The program was a backbone of Web sites in the early days of the Internet.
Nearly all computer programs have security flaws. But Java has a reputation for not quickly responding to potential issues, said Kurt Baumgartner, a senior security researcher at Kaspersky Labs. “They are very slow at handling problems,” he said.
Developers are moving away from Java in favor of other programs such as Adobe’s Flash, but Java remains a standard program for many kinds of business software. If the security concerns discourage developers from using the program, the move away from Java could accelerate, analysts said.
Oracle updates Java every four months, far less frequently than the monthly or even weekly updates other software gets. Researchers who report Java problems to Oracle often wait months for a fix. That was the case with a security problem the company patched in August — one that security researchers said they identified in April.
The long period of time between updates gives hackers time to take advantage of software problems, experts say.
Chester Wisniewski, a senior researcher at the security firm Sophos, said Java exploits accounted for about 90 percent of all Web-based attacks last year, or about 12,000 attacks a day. The problem Oracle addressed Sunday, he said, had already found its way into “exploit kits,” or ready-made code that hackers distribute and use to crack vulnerable sites.
Wisniewski said users should disable Java within their Web browsers for security reasons, and only enable it if they need it for a critical program.
“My recommendation is to remove it,” said Wisniewski, who has removed the program from his own devices. “Most people don’t need it.”
Baumgartner disagrees. He pointed to his company and others who have released antivirus suites and other tools that allow users to keep the benefits of the software while minimizing the risks.
“There are flaws in every software. It’s impractical to tell people you can’t use it,” he said. “It’s not a valid solution, in my opinion.”
Think about it. Java is an old technology that you rarely use in your day-to-day browsing experience. Once in a blue moon, you come upon a site that requires Java and you install it and continue browsing. But now, you have created a huge security hole in your system just because Java is installed on your computer.
January 15, 2013, 7:31 p.m. ET
Banks Seek U.S. Help on Iran Cyberattacks
By SIOBHAN GORMAN and DANNY YADRON
Major U.S. banks are pressing for government action to block or squelch what Washington officials say is an intensifying Iranian campaign of cyberattacks against American financial institutions.
Financial firms have spent millions of dollars responding to the attacks, according to bank officials, who add that they can’t be expected to fend off attacks from a foreign government.
Defense officials have said Iran’s government is behind the assault. Officials from several affected banks, including PNC Financial Services Group Inc., SunTrust Banks Inc. and Bank of America Corp., investigators say. Such attacks aim to knock an organization offline by bombarding its website with electronic requests. Because of the complex execution of these high-end denial-of-service attacks, it was difficult to immediately defend against them, a telecom-industry specialist said.
The hacking network surfaced again over the summer, attacking oil and gas companies in the Persian Gulf.
In September, the group turned back to U.S. banks. The next month, Defense Secretary Leon Panetta warned the perpetrators to cease, but the U.S. government hasn’t acted to put a stop to the attacks.
Initially, the assaults on individual banks were announced by hackers in advance. But lately, they have targeted multiple banks simultaneously without specific warning. The attacks have affected most of the top dozen U.S. banks, investigators and bank officials say.
The group’s most recent Internet announcement boasted its resiliency. “Despite the high cost of U.S. banks to deal with these attacks, the attacks cannot go under control and are unstoppable,” the group wrote on Jan. 8.
The hackers are using a network of tens of thousands of infected computers running corporate websites, investigators say. The attacks are considered more difficult to stop because they are coming from computers that could have legitimate reasons to communicate with the banks, said one bank official. Roughly half of those computers are overseas and out of the reach of U.S. law enforcement.
Bank representatives have discussed the attacks with officials from a range of U.S. agencies, including the White House, National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, and Treasury Department.
Treasury officials held a series of meetings with individual bank representatives in December to ensure that all parties were working from the same set of information about the attacks, an investigator said. The FBI has been providing updates and warnings to banks of impending attacks as it continues an investigation. In some cases, U.S. officials have visited banks to assess their data, the investigator said.
A number of affected banks would like the government to either block the attacks or take down the network of computers mounting them, bank officials said. Other options for government action include complaining through diplomatic channels and counterattacks, said industry officials familiar with the investigation.
The U.S. government also could work with Internet providers to block traffic coming from computers in Iran tied to the network, a former U.S. official said.
Overall the financial services industry is still split over whether Washington should take on a more forceful role.
Last month, financial services executives, regulators and officials from the departments of Treasury and Homeland Security officials gathered at a meeting in the Washington suburbs to discuss the latest round of attacks. Some argued that U.S. government should go after the hackers, while others cautioned that offensive action could lead to retaliation, additional attacks against the banks, or unforeseen consequences, said one security executive who attended the meeting.
Most of the banks declined to comment. PNC, which has acknowledged the attacks, referred to its statement to customers that the bank “has taken steps to block this [attack] traffic and maintain online and mobile banking access for the vast majority of its customers.” A SunTrust spokesman said the company wouldn’t comment “on security-related matters.”
An Obama administration official said the U.S. government has been “a very active partner” in working with the private sector. The Treasury Department, National Security Agency and Federal Bureau of Investigation either declined to comment or referred questions elsewhere.
Time for Congress to offer help against cyber attacks
By Editorial Board, Published: January 23
THESE HAVE NOT been easy days for cybersecurity experts at some of the nation’s leading banks. A barrage of attacks on bank networks has intensified since September, clogging Web sites with traffic, slowing or crashing them. The banks have not lost data, but their online services have been interrupted.
The onslaughts are known as distributed-denial-of-service attacks, and the attackers have apparently reached a new level of skill and destructive power. Radware, a network security firm, reports that they are now harnessing powerful servers into destructive “botnets,” or chains of computers that have been infected by malware and ordered to swarm a target. The botnet technique has been around for a while, but the use of servers to generate the stream of pings gives the attackers unprecedented power.
According to a report by Ellen Nakashima in The Post, the banks have now turned to the National Security Agency (NSA) for help in protecting their systems. The super-secret electronic surveillance agency has been at the forefront of defending U.S. government networks from intrusion; its director, Gen. Keith Alexander, also serves as chief of U.S. Cyber Command. What’s happening now is something that Gen. Alexander and other cyberexperts have warned about for a long time: attacks aimed at the soft underbelly of American society, our wired but vulnerable private sector. Several news reports have identified the assault on U.S. banks as the work of Iran, perhaps in retaliation for Stuxnet, the computer worm designed to wreak havoc on Iran’s nuclear equipment that was apparently developed by the United States as part of a covert intelligence operation.
Out of concern for attacks on U.S. companies, Congress last year wrestled with legislation that would have allowed the NSA to share its sophisticated cybersecurity tools with the corporate sector. Sens. Joseph I. Lieberman (I-Conn.) and Susan Collins (R-Maine) championed a bill that would have eased the way for the government to enter company networks. But the legislation was opposed by the U.S. Chamber of Commerce, which warned of heavy-handed government regulation and bureaucracy, and it died.
Now, just months later, who’s knocking on the government’s door, demanding help? According to news reports, the attacks have stricken Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC and SunTrust. Perhaps they should tell the Chamber of Commerce a little about the experience. The business lobby’s approach to cybersecurity legislation was myopic last year. The chamber should face the reality that corporate America is seriously vulnerable to attack.
Congress would be well advised to focus early on this topic. The private sector remains unprepared for the kind of massive botnet assaults being aimed at the banks. The U.S. government can offer an important line of defense. Congress ought to lay down a foundation for this cooperation in new legislation, and without delay.
To thwart hackers, firms salting their servers with fake data
By Ellen Nakashima, Published: January 2
Brown Printing Co., which prints popular magazines and catalogues, knew that it had valuable assets in its computer systems and that those assets — online editions and subscriber databases — were increasingly at risk with the proliferation of cyber-espionage.
And so, to confront one of the newest and most damaging crimes, it turned to one of the oldest tricks in human history: deception.
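One concrete form of the deception the article refers to is to mix decoy records into a valuable dataset and watch for them: no legitimate workflow ever queries or mails a decoy subscriber, so any appearance of one in an audit log means the data was copied. The following is an added example, not Brown Printing's system or anything the article describes in detail. It derives decoy e-mail addresses with an HMAC over a secret so the watcher can recognise one without storing a list; the subscriber rows, the secret, the decoy domain and the audit-log lines are all constructed placeholders.

```python
"""Salt a subscriber table with decoy records and watch audit logs for their use.

Added example, not Brown Printing's implementation.  A decoy address is
<tag><mac>@DECOY_DOMAIN, where mac = HMAC-SHA256(SECRET, tag)[:8], so the
watcher verifies a candidate by recomputation.  All data below is constructed.
"""
import hashlib
import hmac
import random
import re

DECOY_DOMAIN = "example.invalid"          # placeholder; use a plausible-looking domain in practice
SECRET = b"rotate-me-constructed-secret"  # constructed; keep it out of the data store itself
NAMES = ["Pat Ortega", "Lee Tanaka", "Sam Okafor", "Kim Haddad"]  # constructed decoy names


def plant_decoys(rows, count, rng):
    """Return a copy of `rows` with `count` decoy subscriber rows mixed in at random positions."""
    salted = list(rows)
    for _ in range(count):
        tag = f"{rng.getrandbits(32):08x}"
        mac = hmac.new(SECRET, tag.encode(), hashlib.sha256).hexdigest()[:8]
        row = {"name": rng.choice(NAMES), "email": f"{tag}{mac}@{DECOY_DOMAIN}"}
        salted.insert(rng.randrange(len(salted) + 1), row)
    return salted


def is_decoy(email):
    """True only for addresses whose MAC half was produced with SECRET."""
    local, _, domain = email.partition("@")
    if domain != DECOY_DOMAIN or len(local) != 16:
        return False
    expected = hmac.new(SECRET, local[:8].encode(), hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(expected, local[8:])


# Anything shaped like a decoy address; is_decoy() then checks the MAC.
CANDIDATE_RE = re.compile(r"[0-9a-f]{16}@" + re.escape(DECOY_DOMAIN))


def scan_audit_log(lines):
    """Return (line_number, address) for every log line that touches a decoy."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CANDIDATE_RE.finditer(line):
            if is_decoy(m.group(0)):
                hits.append((n, m.group(0)))
    return hits


# Constructed data: three real-looking rows, two decoys planted among them.
REAL_ROWS = [
    {"name": "Ann Example", "email": "ann@example.com"},
    {"name": "Bo Example", "email": "bo@example.com"},
    {"name": "Cy Example", "email": "cy@example.com"},
]
SALTED = plant_decoys(REAL_ROWS, 2, random.Random(7))
DECOYS = [r["email"] for r in SALTED if is_decoy(r["email"])]

# Constructed audit lines: a normal lookup, then an outbound mailing and a query
# naming decoys, the kind of trace a copied table leaves behind.
AUDIT_LOG = [
    "2013-01-02T09:14:03Z app db SELECT name FROM subscribers WHERE email='ann@example.com'",
    f"2013-01-02T23:41:55Z unknown smtp RCPT TO:<{DECOYS[0]}>",
    f"2013-01-03T01:02:07Z unknown db SELECT * FROM subscribers WHERE email='{DECOYS[1]}'",
]

if __name__ == "__main__":
    for line_no, addr in scan_audit_log(AUDIT_LOG):
        print(f"decoy {addr} used on audit line {line_no}")
```

Because the decoys are verified by recomputation rather than by lookup, the same SECRET lets every log collector recognise a planted address, and rotating the secret invalidates an entire generation of decoys at once.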
Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt
Rina Castelnuovo for The New York Times
Amichai Shulman, the chief technology officer at Imperva. The data security firm recently found that antivirus software programs perform poorly against new viruses.
Bank Hacks Were Work of Iranians, Officials Say
By NICOLE PERLROTH and QUENTIN HARDY
Published: January 8, 2013
SAN FRANCISCO — The attackers hit one American bank after the next. As in so many previous attacks, dozens of online banking sites slowed, hiccupped or ground to a halt before recovering several minutes later.
But there was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.
The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.
“There is no doubt within the U.S. government that Iran is behind these attacks,” said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington.
Mr. Lewis said the amount of traffic flooding American banking sites was “multiple times” the amount that Russia directed at Estonia in a monthlong online assault in 2007 that nearly crippled the Baltic nation.
American officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.
“The scale, the scope and the effectiveness of these attacks have been unprecedented,” said Carl Herberger, vice president of security solutions at Radware, a security firm that has been investigating the attacks on behalf of banks and cloud service providers. “There have never been this many financial institutions under this much duress.”
Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.
They employed DDoS attacks, or distributed denial of service attacks, named because hackers deny customers service by directing large volumes of traffic to a site until it collapses. No bank accounts were breached and no customers’ money was taken.
By using data centers, the attackers are simply keeping up with the times. Companies and consumers are increasingly conducting their business over large-scale “clouds” of hundreds, even thousands, of networked computer servers.
These clouds are run by Amazon and Google, but also by many smaller players who commonly rent them to other companies. It appears the hackers remotely hijacked some of these clouds and used the computing power to take down American banking sites.
“There’s a sense now that attackers are crafting their own private clouds,” either by creating networks of individual machines or by stealing resources wholesale from poorly maintained corporate clouds, said John Kindervag, an analyst at Forrester Research.
How, exactly, attackers are hijacking data centers is still a mystery. Making matters more complex, they have simultaneously introduced another weapon: encrypted DDoS attacks.
Banks encrypt customers’ online transactions for security, but the encryption process consumes system resources. By flooding banking sites with encryption requests, attackers can further slow or cripple sites with fewer requests.
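The three properties the preceding paragraphs describe, traffic from many distinct sources, a volume far above normal, and a flood of fresh encryption handshakes rather than ordinary requests, are all visible in a front-end connection log. The following is an added example, not Radware's or any bank's detection logic: it buckets log lines into fixed windows and raises an alert when a window shows at least two of those signals. The log lines are constructed, the addresses come from the RFC 5737 documentation ranges, and the thresholds are assumptions a real deployment would tune against its own baseline.

```python
"""Score connection-log windows for a handshake-heavy (encrypted) DDoS.

Added example, not Radware's or any bank's detection logic.  Each window is
scored on: handshakes versus a quiet baseline, handshakes outnumbering
requests (normal clients reuse one session for many requests; a flood of
fresh handshakes burns server CPU without doing any banking), and distinct
sources.  Log lines, addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 10
HANDSHAKE_MULTIPLIER = 5.0   # assumed: handshakes above 5x baseline is abnormal
MIN_SOURCES = 50             # assumed: this many sources in one window is abnormal


def parse_line(line):
    """'2013-01-08T14:00:01Z 192.0.2.1 handshake' -> (datetime, ip, event)."""
    ts, ip, event = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, event


def bucket(lines):
    """Group events into WINDOW_SECONDS windows keyed by window start, in time order."""
    windows = defaultdict(lambda: {"handshake": 0, "request": 0, "sources": set()})
    for line in lines:
        when, ip, event = parse_line(line)
        start = when.replace(second=when.second - when.second % WINDOW_SECONDS, microsecond=0)
        windows[start][event] += 1
        windows[start]["sources"].add(ip)
    return dict(sorted(windows.items()))


def detect(lines, baseline_windows=3):
    """Return one alert per suspicious window after the first `baseline_windows`."""
    items = list(bucket(lines).items())
    base = items[:baseline_windows]
    baseline = max(1.0, sum(w["handshake"] for _, w in base) / max(1, len(base)))
    alerts = []
    for start, w in items[baseline_windows:]:
        hs, rq, srcs = w["handshake"], w["request"], len(w["sources"])
        reasons = []
        if hs > HANDSHAKE_MULTIPLIER * baseline:
            reasons.append(f"{hs} handshakes vs baseline {baseline:.0f}")
        if hs > rq:
            reasons.append(f"{hs} handshakes but only {rq} requests")
        if srcs >= MIN_SOURCES:
            reasons.append(f"{srcs} distinct sources")
        if len(reasons) >= 2:   # require two signals to limit false positives
            alerts.append({"window": start.isoformat(), "reasons": reasons})
    return alerts


def constructed_log():
    """Three quiet windows, then one window showing the pattern described above."""
    t0 = datetime(2013, 1, 8, 14, 0, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for win in range(3):              # normal: 4 customers, 1 handshake and 5 requests each
        for i in range(4):
            ip = f"192.0.2.{i + 1}"
            lines.append(f"{stamp(win * 10 + i)} {ip} handshake")
            for k in range(5):
                lines.append(f"{stamp(win * 10 + i + k % 3)} {ip} request")
    for i in range(120):              # flood: 120 hosts, 3 fresh handshakes and 1 request each
        ip = f"203.0.113.{i + 1}"
        for _ in range(3):
            lines.append(f"{stamp(30 + i % 10)} {ip} handshake")
        lines.append(f"{stamp(30 + i % 10)} {ip} request")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert["window"], "; ".join(alert["reasons"]))
```

The handshake-to-request ratio is the signal specific to the encrypted variant: per-source rate limits miss a flood spread across thousands of rented servers, but a window in which handshakes outnumber the requests they should precede is abnormal whatever the source count.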
A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks.
The group said it attacked the banks in retaliation for an anti-Islam video that mocked the Prophet Muhammad, and pledged to continue its campaign until the video was scrubbed from the Internet. It called the campaign Operation Ababil, a reference to a story in the Koran in which Allah sends swallows to defeat an army of elephants dispatched by the king of Yemen to attack Mecca in A.D. 571.
But American intelligence officials say the group is actually a cover for Iran. They claim Iran is waging the attacks in retaliation for Western economic sanctions and for a series of cyberattacks on its own systems. In the last three years, three sophisticated computer viruses — called Flame, Duqu and Stuxnet — have hit computers in Iran. In a post last week, the group said it had no intention of halting its campaign. “Officials of American banks must expect our massive attacks,” it wrote. “From now on, none of the U.S. banks will be safe.”
RICK WILKING/Reuters – A network defender works at the Air Force Space Command Network Operations & Security Center in Colorado Springs, Colorado. The Pentagon is expanding efforts to safeguard critical computer systems and conduct cyberattacks against foreign adversaries, officials say.