NYT Hack Shows Gaping Holes in Traditional Security Systems

After The New York Times and The Wall Street Journal revealed last week that their computer systems had been compromised by Chinese hackers, the Journal reported that the FBI has been probing attacks on U.S. media outlets for more than a year.

The newspaper said the attacks are part of a long-running pattern by a “foreign entity” to compromise security at major U.S. companies.

The Times attack, particularly, set the security community buzzing because the newspaper noted in its reporting on the hack that its antivirus software made by Symantec failed to identify 45 of the 46 strains of malware planted on the media outlet’s computers.

“One of the biggest dangers we have now is that most enterprises think that their enterprise-class antivirus protection is going to protect them from this type of attack,” George Tubin, a senior security strategist with cyber security companyTrusteer, told TechNewsWorld. “It simply doesn’t.”

Symantec agrees. In a statement issued to the media following publication of the Times account of the attack, the company said, “Turning on only the signature-based antivirus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats.”

Aside from the failure of the Times antivirus software to shield it from hackers, the incident has another disturbing element to it, according to Harry Sverdlove, CTO ofBit9, a maker of trust-based security solutions.

This attack seems to be more personal than past hacks. “This is atypical for Chinese espionage attacks,” Sverdlove told TechNewsWorld. “The more personal an attack gets, the more targeted it becomes and the less effective traditional security will be in that situation.”

Java Stumbles Again

Not long after the Department of Homeland Security was advising users to disable Java, another flaw has been discovered in Oracle’s programming language.

Last week a bug was found that undermined Java’s “maximum security setting.” That setting, which Oracle activated by default in the last hasty update of the software, requires a user to give their OK to run unsigned Java applets. Because of the flaw, unsigned Java apps can run on a Windows system regardless of the Java security settings.

Instead of fixing security issues found in the previous version of Java, the most recent release of the program merely sidesteps them, said Bogdan Botezatu, a senior e-threat analyst with cyber security software makerBitdefender.

“They just tried to prevent the user from triggering the issue,” Botezatu told TechNewsWorld.

Leaving the resolution of security issues to the user is not a good idea. “One of the worse things a developer can do is let the user make security decisions,” he said. If a pop-up message appears when a user is in the middle of doing something they want done, they’ll click OK regardless of what the message says.

Beefing Up the U.S. Cybersecurity Army

The Pentagon’s master plan to expand its cadre of cyberwarriors hasn’t officially made it to Congress yet, but it managed to make headlines last week as The New York Times and The Washington Post published details.

Over the next several years, military chiefs want to increase the size of the nation’s lead cyberwarfare agency, the DOD’s Cyber Command, by more than 500 percent to 4900 troops and civilians from its current level of 900.

Cyber Command has largely been a defensive organization. That won’t be the case if Congress approves the Pentagon’s expansion plan, which calls for three types of forces: a National Mission Forces to protect computer systems that operate the nation’s infrastructure, such as electrical grids, power plants, and water treatment facilities; Combat Mission Forces to help commanders overseas plan and execute cyberattacks and other offensive operations;and Cyber Protection Forces to protect and fortify the DOD’s computer networks.

A big obstacle to the Pentagon’s plan, apart from a fiscally conservative Congress, will be finding qualified people to fill the new cyberwarrior slots.

“There are not enough highly skilled cybersecurity professionals in the ecosystem,” Greg Schaffer, former head of the Office of Cybersecurity in the Department of Homeland Security, said in an interview last year.

A month after Schaffer gave those comments, he left the agency for the private sector.

Data Breach Diary

• Jan. 28. Attorneys representing some 5000 drivers estimate a data breach, in which a former employee of the Minnesota Department of Natural Resources illegally accessed personal drivers license information, could cost the state more than US$12 million. The estimate is based on a penalty of $2500 for each violation of the federal Drivers Privacy Protection Act.
• Jan. 29. FTC announces settlement with CBR Systems in data breach case involving 298,000 health care clients. The breach happened when a laptop computer, unencrypted backup tapes, an external hard drive and a USB drive were stolen from a CBR employee’s car. As part of the settlement, CBR agreed to establish an information security system, submit to biannual security audits for 20 years and not misrepresent its privacy and security practices.
• Jan. 30. The New York Times reports that its computer systems have been under attack from Chinese hackers for four months. Passwords were stolen for every Times employee and used to seek information related to a report published online about the relatives of China’s prime minister accumulating billions of dollars through business dealings. The Times and security experts were eventually able to oust the intruders from the newspaper’s systems.
• Jan. 31. Works Bakery Cafe, a Northern New England bakery chain, reveals that it discovered a possible data breach in which customers’ credit and debit card numbers were compromised. The number of customers affected by the breach was not revealed by the bakery. The matter has been turned over to law enforcement authorities for investigation.
• Jan. 31. The Wall Street Journal reports its computer systems had been infiltrated by Chinese hackers in order to spy on Journal reporters covering China.

Upcoming Security Events

• Feb. 7. Closed to Risk, Open for Business: Keeping Retail Networks PCI Compliant. 1 p.m.-2 p.m. ET. Webinar sponsored by Watchguard. Free.
• Feb. 7. Three Ways to Insure Data Loss Does Not “Deep Six” Your Business. 2 p.m. ET. Webinar sponsored by WatchGuard. Free.
• Feb. 8-9. Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: $595.
• Feb. 12. Transforming Intelligence Operations Through IT. Sponsored by INSA and Nextgov. Ronald Reagan Building, 1300 Pennsylvania Ave., NW, Washington, D.C. Free.
• Feb. 14. Optimizing and Safeguarding Your Data Network. 1:30 p.m. ET. Webinar sponsored by Bank Info Security. Free.
• Feb. 24-25. BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco.
• Feb. 25-March 1. RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: To Jan. 25, $1,895. After Jan. 25, $2,295.
• Feb. 26. Optimizing and Safeguarding Your Data Network. 11:30 p.m. ET. Webinar sponsored by Bank Info Security. Free.
• March 12-15. Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10, 1,095 euros (US$1447); through Feb. 28, 1,295 euros (US$1,711); March 1-15, 1,495 euros (US$1,975).
• April 23-24. Black Hat Embedded Security Summit. McEnery Convention Center in San Jose, Calif. Registration: Before Feb. 9, $999; Feb. 9-Apr. 18, $1,099; April 19-25, $1,199.
• April 23-25. Infosecurity Europe. Earls Court, London, UK. Registration: By April 19, free; After Apr. 19, Pounds 20.
• June 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. ET. Newseum, Washington, D.C. Registration for Non-government attendees: Before March 3, $395; March 3-June 10, $495; On site, $595.