Not every media company is as tempting a target for hackers as The New York Times, The Washington Post, or The Wall Street Journal. Not every company can afford high-priced computer security consultants, either. Is there anything that everyday reporters and their editors can learn about protecting themselves, based on the revelatory details the Times and other targets made public last week?
As we wrote at the time, the cyber-attacks on the Times, the Post, and the Journal came as no surprise to foreign reporters working in China or elsewhere who repeatedly face fake emails, custom malware, and hacking attacks on their webmail. But the level of access that the hackers obtained at the Times‘ main offices, and the publication of details by their technical advisers, can be instructive.
The Times revealed that it had been persistently attacked by hackers for four months. The attackers specifically aimed for access to emails and contacts kept by reporters covering the financial affairs of China’s premier, Wen Jiabao, and his relatives. There was no smoking gun indicating that this was the work of state-sponsored hackers, but the Times‘ security experts, Mandiant, said the target, the techniques, and the timing of the attacks strongly suggest it was planned by Chinese hackers working under the guidance of the Chinese military.
The Post was later reported to be using the same company to fight off an attack that began in 2011. The Journal said the FBI had warned them of a breach in their security in mid-2012. On Tuesday, Rupert Murdoch, chairman of the paper’s owner, News Corp., tweeted that “[the] Chinese [are] still hacking us, or were over [the] weekend.”
The first lesson: Even if your employer has a dedicated computer security detail (most do not), you should still make the security of your own computer a personal matter. Hackers target the weakest leak in order to enter a system, and do not differentiate between personal or professional systems. The New York Times indicated in its report that the first breach was a personal “spear-phishing” mail sent to a Times employee on his or her own computer. The most convincing of these attacks use personal details gleaned from public sources or private intelligence. Be careful what email attachments you open. Don’t use the same password on different services, even if one is professional and the other private. With the cracking of passwords used by Times employees on an internal system, other accounts used by those employees elsewhere became vulnerable, the Times implied. Follow our advice and others on developing your own computer security regime.
Second, you should understand that hackers can gain access to a great deal of incidental material, even when their attacks fail at their goals. It is reassuring that even when the Times hackers were attempting to target investigators in China, they were unable to penetrate the additional security those reporters used. But, this same group now presumably has a large amount of other information–including names, passwords, and personal information on other reporters. Such information can be used in future attacks, or may be traded to other groups with other targets. Twitter lost control of the (obfuscated) database holding the passwords and email addresses of its earliest users this week. That information could be used as tradable knowledge for more targeted attacks on reporters who re-used their Twitter passwords on other services.
For now, these professional, advanced, and persistent attacks are being conducted in cases of well-financed industrial espionage or sophisticated state-level spying. But given the impunity with which these hackers operate, it’s only a matter of time before the data they collect and the tactics they use will trickle down to common crooks or petty dictators.
Which brings us to a third point. Both China and the United States are now suspected of using malware and the illegal entry of computer systems as tactics in their foreign policy. China spies on American news media; the U.S. is assumed to have been behind StuxNet, a customized piece of malware targeting the Iranian nuclear program.
There are no clearly defined international norms that govern these practices. As China’s Ministry of Defense told The New York Times, “Chinese laws prohibit any action including hacking that damages Internet security,” and similar laws apply in Iran and the U.S. But if nations believe that they can conduct these operations abroad against any target without consequence, in an environment where all countries see hacking as legitimate statecraft, then journalists will inevitably be among the many unprotected groups that will suffer for it.
In the end, the only weapon journalists have to defend themselves against such attacks is vigilance, and their most well-worn weapon: transparency. The New York Times, Washington Post, and The Wall Street Journal all took an important step when they began publicizing the attacks they have faced. They can continue to help smaller media companies and individual reporters by publishing more details, and pressuring governments to outlaw cyber-attacks as a tool of international affairs.