"The professional who can't quickly get at your credit card database moves on just as quickly to someone more easily attackable. The elite attacker who wants you, just you, and nobody else but you…is going to keep at it until he gets you." Wendy M Grossman looks at what we can learn from the cyber-attack on the New York Times.
Image: CC BY-NC-SA 2.0 Flickr: Dale
There's no question that the story of the complex and persistent four-month attack by (probably) Chinese hackers on the IT systems at the New York Times is one of the best few stories of its genre since Clifford Stoll invented it with his 1989 book The Cuckoo's Egg. It's not just the fact of the attack, but the detailed and excellent reporting of it (by Nicole Perlroth). Most companies decline to tell the world what happened to them. The Times behaved like a good newspaper should, and acted in the public interest. Later, the Wall Street Journal confirmed that it, too, had seen its systems infiltrated. In both cases, the goal seems to have been to monitor the papers' coverage of China.
The result is that now we know a lot more about the inner workings of modern attacks on computer systems: highly motivated, layered, multi-faceted, stealthy, patient, persistent. As Charles Arthur outlines over at the Guardian, the hacking scene (with apologies to old-timers, using "hacking" to mean breaking into computers rather than inventing things that do what you want) these days is in layers, each with its own characteristics. Arthur calls them amateurs (in which category he includes Anonymous); commercial hackers (those who steal credit card details for financial gain); and government and military hackers. In tennis terms, amateurs are club players, commercial hackers are paid folks - coaches, trainers, racquet stringers, promoters, agents - and government and military hackers are the elite athletes of the top 100. Somewhere there's a Roger Federer of computer cracking that all the other guys wish they were as good as.
It's striking that, as the Times relates, in 2011 the US Chamber of Commerce thought it had shut down a breach, only to find months later that an internet-connected thermostat and printer were still chatting away with computers in China. This prospect was, if you recall, the real point of the escapades that Columbia University's Ang Cui and Sal Stolfo showed off that same year. It was scary and dramatic that they could embed malware in documents to make printers smoke, if not burst into actual flames. But their main point was that any internet-connected device, even one using unique firmware its manufacturer believes is safely obscure, can be turned into a secret surveillance device. Things like printers and routers are especially effective listening posts, since they are necessarily open to everything on their network, and even a thin trickle of data is enough to send out bank account numbers - or user IDs and passwords for later use.
Think of that next time some manufacturer responds to a researcher demonstrating a new attack by saying that it's too far-fetched or something only an obsessive genius would think of. Nothing is too far-fetched if it can be shown to work, and "the other side" can afford to buy plenty of obsessive geniuses.
The story has also done a lot to highlight the limits of our ability to defend ourselves. It's no surprise, for example, that Symantec's anti-malware offerings failed to spot the attackers, and not just because the attacks used zero-day exploits that by definition have yet to appear in the wild. F-Secure's outspoken Mikko Hypponen was quite clear about this last June, when he wrote bluntly in an opinion piece for Wired: "Consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets". The occasion was the discovery of the Flame malware and his admission that his company (and its competitors) had held samples dating to 2010 (and even earlier); their automated reporting systems had simply never flagged them as something to investigate. The key points are that no system is 100 percent perfect (at least, if you also want to be able to do actual work on that computer), and that well-funded attackers of course test their malware, before deployment, against all of the leading anti-malware software to ensure it will get through. "We were out of our league," Hypponen concludes.
It is of course a cue for another round of stories asking yet again whether anti-virus software is over. I wrote one of these myself, in 2007. The answer is obviously no, and not just because, as vendors will tell you, anti-virus software has been evolving right alongside the malware it's intended to detect. Even if it hadn't, you'd still need it to block all the same old stupid stuff that's been circulating for years.
The Times story also shows us how many more kinds of motivated attackers you may have than you think. The paper has simultaneously to protect its systems from defacement or disruption by amateurs; its database of customer credit cards and personal details from professional commercial hackers; and its reporters and their systems from targeted attacks by the elites employed by states and (perhaps soon) other very large organisations that seek to control what it says about them. Each of those groups has a different MO and also - and this is key - a different amount of patience. The amateur who wants to embarrass you will give up when his skills run out. The professional who can't quickly get at your credit card database moves on just as quickly to someone more easily attackable. The elite attacker who wants you, just you, and nobody else but you…is going to keep at it until he gets you.
ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views