How The New York Times cleaned house after its hack attack

Cleaning house after a hack attack


Image caption: The New York Times had to work hard to kick Chinese hackers off its network


If your house was infested with mice, the chances are that you would call a pest control firm to get rid of them.
Once they had done their work, you might go as far as to replace some of the furniture nibbled by the rodents but you probably wouldn't replace every single item they had touched.
Yet that was the approach taken by the New York Times when it cleaned house after its internal network was infested by a more modern nuisance - computer hackers.
Every device, be it a laptop or chunk of network hardware, known or thought to have been compromised by the Chinese hackers was thrown out and replaced with a shiny, and more importantly, clean machine.
The newspaper wanted to be sure that no trace of the hackers remained.
In addition, the NYT beefed up its defences, blocked access from other compromised machines that had been used to get into its network and found and removed every back door into the newspaper's network.
The decision to replace computers was motivated by the all-encompassing access that the attackers had to the NYT network. In an article detailing the attack, the NYT said the Chinese attackers had access for at least four months.
Graham Cluley, senior technology consultant at security company Sophos, which often helps companies cope with intrusions by hackers, said replacing all those machines was "a bit extreme".
"Normally, the most extreme measure is to reformat drives or completely wipe them but even that would be a bit of a sledgehammer," he said.
Reformatting and wiping drives was sufficient to defeat even those malicious programs that buried themselves deep in the heart of the Windows operating system, he said.
"Usually they would put a clean Windows installation on there rather than chuck out the hardware," he added.
Image caption: The New York Times threw out machines it knew had been compromised
Mr Cluley speculated that the NYT threw out the machines to reassure partners, employees and others that the intrusion had been dealt with.
The lingering problem, he said, was that the NYT was still not sure how its attackers won access to its network.
The NYT suspects a so-called "spear phishing" attack that sent targeted, booby-trapped messages to a few key individuals. After they had won access to one computer, the attackers may have used that as a lever to pry open other parts of the network.
"It can be very difficult to determine when and where the initial entry point was," he said, adding that without firm information about that, throwing out the old hardware might be a reasonable choice.
The attack on the NYT was just one example of a growing number of attacks, seen by Sophos and other security firms, said Mr Cluley.
While some attackers got in and out quickly when they had stolen payment information, others were content to lurk inside a network for months, seeking out useful internal information including intellectual property, design documents or confidential financial plans.
"This was a long-term operation to steal intelligence and information that went under the radar," he said. "These sorts of targeted attacks that use unknown vulnerabilities do seem to be on the rise."
Deep impact

"Security starts with knowing what you have," Stephen Schmidt, chief security officer at Amazon's web services, told the BBC in an earlier interview. Mr Schmidt is a former FBI investigator who specialised in intrusion analysis.
Mr Schmidt said many companies had discovered that one consequence of using cloud-based services was that it forced them to find out everything about their internal network. The very act of shifting from an in-house data centre to an on-demand service can start a powerful discovery process.
"You can see exactly what you have," he said. "There are no more dusty corners that someone can get to."
In addition, because most cloud-based services used standardised hardware and software it was far easier to keep an eye on who was doing what. A similar level of scrutiny was much harder to manage on the infrastructure a company had grown up with, he said.
"In the cloud... by definition you cannot log someone on under the desk," said Mr Schmidt.
Cyber attacks blamed on China



    The New York Times says hackers based in China "persistently" infiltrated its computer network over a period of four months in late 2012 and early 2013.
    Repeated cyber attacks on foreign governments, companies and organisations have been traced to China over the past few years and the Chinese government has often been accused of backing them, either directly or by allowing them to go ahead. Analysts say the attacks often appear to be an attempt to gather information and protect China's image.
    Beijing routinely denies state-backed hacking and says it is more a victim of hacking than the culprit. Many other countries are also believed to use cyber espionage.
    Here are some of the major cyber attacks for which the finger has been pointed at China.

    Operation Shady RAT 


    In 2011, internet security firm McAfee said it had uncovered one of the largest ever series of cyber attacks, targeting 72 different organisations over five years, including the International Olympic Committee, the UN and security firms. It did not name a culprit for the hack, dubbed Operation Shady RAT, but it was widely considered to have been China. Jim Lewis, a cyber expert with the Centre for Strategic and International Studies, said at the time it was "very likely China was behind the campaign because some of the targets had information that would be of particular interest to Beijing".

    Lockheed Martin

    In 2009, suspicion fell on China when hackers broke into the computers of US defence firm Lockheed Martin and took large amounts of data relating to the Joint Strike Fighter, the most advanced warplane in the world. The Wall Street Journal said investigators had traced the attack with a "high level of certainty" to Chinese IP addresses, the unique number that identifies a computer.

    Coca-Cola

    In November 2012, drinks giant Coca-Cola said it had been the victim of a cyber attack for more than a month in 2009, Bloomberg news reported. Code in a malicious email, sent to an executive, allowed hackers to operate undetected, logging commercially sensitive information. The attack happened while the company was attempting to buy the China Huiyuan Juice Group for about $2.4bn (£1.5bn). The takeover collapsed, but had it happened it would have become the largest foreign takeover of a Chinese company.

    Google

    In January 2010, Google said it had been subjected to a "sophisticated cyber attack originating from China". It said the email accounts of human rights activists were among those hacked. The allegations sparked a row between the search engine and the Chinese government over censorship and internet privacy, which prompted Google to move its Chinese-language operations to Hong Kong.
    Information contained in diplomatic cables leaked by Wikileaks showed that the US embassy believed senior Chinese politicians had been behind the attacks. They alleged that a politburo member ordered them after Googling his name and finding critical comments online.
    In June 2011, Google said hackers based in China's Jinan province had compromised the personal email accounts of hundreds of top US officials, military personnel and journalists. China said that to blame it was "unacceptable".

    Ghostnet

    Researchers in Canada announced in 2009 that they had been tracking a vast and sustained cyber attack they called Ghostnet for the past 10 months. Ghostnet was one of the largest hacks uncovered in terms of its geographic reach, infiltrating 1,295 computers in 103 countries, targeting computers belonging to foreign ministries and embassies and those linked with the Tibetan spiritual leader, the Dalai Lama.
    While they traced Ghostnet mainly to computers in China, the researchers at Information Warfare Monitor made no direct link to the government and Beijing denied involvement.

    Nasa

    The space agency was the victim of 47 cyber attacks during 2011. The most serious was traced to IP addresses in China and accessed computers in the Jet Propulsion Laboratory, which controls Nasa's robots in space. Nasa told the US Congress that the hackers had access to sensitive accounts, could create, delete and modify systems and accounts and upload hacking software. "In other words, the attackers had full functional control over these networks," it said.

    South Korea

    The Korean Communications Commission blamed Chinese hackers for stealing data from 35 million accounts on popular social media sites in 2011. The hackers were believed to have stolen phone numbers, email addresses, names and encrypted information about users.

    Pentagon

    In June 2007, an infiltration of computers at the US Defense Department was blamed on Chinese hackers, with officials saying there was a "very high level of confidence... trending towards total certainty" that the military was behind it, the Financial Times reported. The attack forced the Pentagon to take down its network for a week, although the US said most of the data taken were unclassified. China said the allegation was "totally groundless", the phrase it has routinely used in such circumstances.

    Media

    The New York Times said it was hacked for four months, though for most of that time it was tracking the hackers through its systems to try to understand what they were doing and how to get rid of them. The paper said the attacks began while it was preparing a report which alleged that the family of Chinese Premier Wen Jiabao had vast hidden wealth, and intensified afterwards, apparently looking for names of sources.
    The Times said the attacks bore the hallmarks of previous Chinese hacks, including being routed through the same university computers.
    Richard Bejtlich, the chief security officer of the firm hired to investigate, said that if each attack was viewed in isolation it was hard to say with certainty that China's military was to blame.
    "When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction," he said.
    In April 2012, Boxun.com - a website based in the US which had reported extensively on the scandal involving senior Chinese politician Bo Xilai - said it was crippled for several hours by a concerted hacking attack. The origin of the attack was not clear but the site's manager Watson Meng was quoted as saying he believed it was ordered by China's security services.

    Source: http://www.bbc.co.uk/
