Topics:

NYT attack offers hints for other CIOs facing threats

January 31, 2013

Tools

By Frank Hayes

The months-long Chinese cyberattack on the New York Times has already been widely reported, but the level of detail in the newspaper's own reporting on the incident should be useful to CIOs at other companies facing potential security threats. That includes the fact that the company initially underestimated the problem, then eventually seemed to overreact to it, according to reporter Nicole Perlroth.

The Times asked AT&T, its network provider, to monitor for suspicious activity starting on Oct. 24, the day before a news story critical of Chinese prime minister Wen Jiabao was scheduled to appear. But a later forensic analysis determined that hackers had already broken in on Sept. 13. "They set up at least three back doors into users' machines that they used as a digital base camp," the newspaper reported. By the time AT&T (NYSE: T) was called in, attackers had already found and decrypted passwords for every Times employee.

But it wasn't until Nov. 7 that the company brought in security specialist Mandiant to investigate. The overreaction? Eventually the company said it "replaced every compromised computer" along with removing the back doors into its network, changing all employee passwords and blocking compromised computers from universities and other outside organizations that had been used in the attacks. Given that the PCs of at least 53 Times employees were accessed, replacement sounds extreme, especially since wiping hard drives and a clean reinstall of software would usually suffice. In practice, though, replacement has advantages.

The Times never determined exactly how attackers got a foothold into its networks, but it suspects spearfishing, in which emails laden with malware are targeted at employees. Once a PC is infected, the malware could collect large amounts of information about the machine, including hardware details such as MAC addresses that might make future attacks and reinfection easier. Such future attacks are likely.

"Once they take a liking to a victim, [attackers] tend to come back," said Richard Bejtlich, Mandiant's chief security officer. "It's not like a digital crime case where the intruders steal stuff and then they're gone. This requires an internal vigilance model."

For more:
- see the NYT article

Related Articles:
Secret backdoors found in security appliances from Barracuda Networks
Getting out in front of the Black Hats
New Java exploit put up for sale

Filed Under

AT&T, Chinese Hackers, hackers, New York Times

Comments

View the discussion thread.

Popular Stories

Most Read
Most Shared

THE LIBRARY: WHITEPAPER

Defense Against the Dark Arts: Finding and Stopping Advanced Threats

| Sponsored by: ProofPoint

Today's most-damaging targeted attacks don't occur by happenstance. They are carefully planned and executed by a new breed of professional adversaries. Read this white paper, Defense Against the Dark Arts: Finding and Stopping Advanced Threats to gain a practical understanding of today's Advanced Threat Landscape and strategies for detecting and stopping Advanced Threats. Download today!

MORE ITEMS

Latest Commentary

1 in 3 IT managers say: The CIO must go!

Don't be the only security fall guy

Job demand is up, and it's going to cost you

Overcoming a crisis of confidence

IT job market: Best of times? Worst of times?