Thursday, January 31, 2013

The NYTimes article was content free

Even though Jeffrey Carr beat me to it, I'm going to write a post on this. That New York Times article describing how it got hacked actually contains no content.

Attackers and victims see things differently. Victims invariably put together complex conspiracy theories about what happened. That's what's wrong with the NYTimes story about its hack: the evidence of a Chinese conspiracy is so poor that even a UFOologist wouldn't find it credible. It may be true that the NYTimes was targeted by the Chinese government, but the story cites no adequate evidence supporting that conclusion.

What the story does cite is "security experts". But it waves hands over which specific expert made which specific claim. It's hard judging who they are, their expertise, or the evidence that leads them to make that conclusion.

The problem with our industry is that it's full of self-styled "experts" who are adept at slinging buzzwords and cliches. These people are skilled at tricking the masses, but they have actually zero expertise in cybersecurity.

Take, for example, the NYTimes description of "rainbow tables". This is a common buzzword repeated by non-experts, but the concept doesn't have value among real experts, as I explain here. This is strong evidence that some of the unnamed "experts" cited in the NYTime story are of the "pseudo-expert" kind.

The story describes how hackers hid their attacks by going through proxies. It goes into great detail about these proxies, but then says that that according to experts that the source must've been China. It doesn't describe how the experts know that for sure. For all we know, the expert is only guessing. Every hacker hides through proxies. We use the "open proxy" lists and "The Onion Router" to hide our attacks, it's not remarkable.

The NYTimes writing preys upon the ignorance of the masses. For example, it describes how Symantec's anti-virus detected only one of the 45 pieces of malicious software the hackers installed on machines. This is perfectly normal and means nothing. The unwashed masses have the impression that anti-virus is nearly 100% effective (it's not) and that it must take some sort of genius to bypass anti-virus (it doesn't). Every hacker puts anti-virus evading malware on machines, it's not remarkable.

The story mentions "custom software" that harvests emails. This implies some great feat of coding. But every hacker knows how to write code. We'll often whip together a script in JavaScript or VisualBasic or something to accomplish a task. Every hacker attack contains many such scripts, it's not remarkable.

Chinese made tools and techniques, such as the malware used in the attacks against the NYTimes, is used by hackers around the world. You'll find Chinese malware used by Russian hackers, for example. Assuming Chinese-made tools means the Chinese attacked is like assuming U.S. made products means a hacker attack  came from the U.S.

Like Jeffrey Carr, I distrust Mandiant. Sure, these guys are the experts, and if you have a major data breach you want investigated, these guys are the first that you should call. But, I distrust their motivations. Every time I see Mandiant quoted linking an attack to a Chinese conspiracy, the story is full of holes and non-information, just like this NYTimes article.

Because it's a hack against themselves, the NYTimes has no excuse for creating such a craptastic story. Instead of citing experts evaluation and guesses about the data, the NYTimes can disclose the raw data itself. They can dump the password hashes the hackers stole, the exact malware samples, the list of proxy IPs, and so on. Then, instead of having to take the "expert's" word, we can look at the raw data ourselves.


Anonymous said...

NYTimes craptastic reporting for the unwashed masses - how is this story any different from any other mainstream media piece on hacking?

Robert Graham said...

What's different is that NYTimes has a willing victim that can expose all the details. Most of the time reporting is hampered by the fact that the victim won't tell the reporter all the details. Since the victim is NYTimes itself, it can reveal all the technical details.

Will said...

Hi, just found your blog and I think it is great. I'm glad someone in the know wrote about this. I felt the NYT used this as a marketing technique rather than a 'warning to the masses' about data breaches.

Anonymous said...

You work in security and you're unaware of the overwhelming mass of evidence that Chinese actors are behind most APT intrusions? You're not unaware of this, right? You're just arguing that the NYT article provides no conclusive evidence of this, I hope?

decius said...

The indicators of attribution in a computer crime aren't just based on "who had the technical capability to achieve this." Technical capability sets a bar, perhaps, for who might have been responsible, but there are other variables that also have to be considered.

You have to consider the timing and objectives of the attacker, and ask yourself, who is interested in the information that was targeted here. What was the consequence of the outcome achieved by the attack and who desires that consequence?

You can also cross correlate specific markers, such as the use of particular malware, particular command and control protocols, or other behavioral indicators, with other incidents, and ask questions about the technical bar as well as the motive and objective behind those incidents. Presumably Mandiant is able to relate the specific techniques used here to techniques used in other incidents they have investigated to develop a profile of the attacker.

Some of the stories that are being told are stories. Others are real.

Anonymous said...

Could you please continue addressing this topic with some more detailed posts. More and more voices are saying its the Chinese, or at least the reverb machine is going on the Mandiant report.

What do you think is going on as more time has passed and any new information has been released?