Rupert Murdoch, the media mogul whose newspaper empire includes the Wall Street Journal, posted on Twitter earlier today that his newspaper was still suffering at the hands of hackers.
Murdoch has waded into the developing news story about the high profile hacks, which were revealed to the world by the New York Times when it admitted that its servers had been infiltrated by hackers for four months, stealing employee passwords.
Murdoch’s seven word tweet claims that the hacks against his own companies are still going on.
In a column published on Sunday, entitled “Barbarians at the Digital Gate”, the Wall Street Journal shared some details of the attack against its systems, and didn’t beat around the bush regarding what it felt about the hackers:
"Specifically, the email accounts of under two dozen Journal editors, reporters and editorial writers have been hacked for months and maybe longer by the Chinese government. The hackers entered our systems and sought to monitor our China coverage. We identified the hacking last year and have taken steps to prevent it. The attack parallels similar Chinese infiltration of the New York Times, which believes the cyber-espionage originated with a Chinese military unit, as well as a hacking attempt last year against Bloomberg News."
"Whatever else the Chinese thought they were doing by hacking us, they didn't stop the publication of a single article. Now they have only magnified their embarrassment, as their intrusion was eventually bound to be detected and publicized. Perhaps they will now try to deny us travel visas, harass our journalists or otherwise interfere with our business in China."
"Meantime, we read that the FBI is investigating China's media hacking and treating it as a national security issue. It's also a plain-old crime, undertaken by a government that fancies itself the world's next superpower but acts like a giant thievery corporation."
Hard hitting stuff, I’m sure you’ll agree.
Quite what Chinese hackers might have done to upset Rupert Murdoch over the weekend isn’t made clear, and – frustratingly – he doesn’t share any details as to how the Wall Street Journal has positively identified that the hackers are Chinese.
I think it’s very hard for anyone to prove that China was behind these hacks (although let’s not be naïve, they probably were).
China has, of course, denied involvement. That’s easy for them to do, as the origin of a particular hack is very difficult to prove. Hackers can bounce their attacks from computer to computer, leapfrogging around the world, hiding their origin.
Even if an attack is tracked back to a Chinese computer – who is to say that it’s not been hijacked by a hacker in, say, El Salvador?
These are important considerations to take into account before pointing the finger of blame at particular countries for a hacking attack.
The complexities of attribution don’t make for easy media headlines, but are important for the general public to understand – especially when some countries appear to be gearing up for pre-emptive internet attacks against perceived aggressors.
Further reading: A short history of hacking attacks against the media.
Currently, I think one thing is for sure. Security experts hired by the NY Times still cannot trace the hacker back to a Chinese computer. If they did, attribution would be easy. Attribution only becomes difficult when they could not connect the event with China.
Let's not be naive. China is an easy target. If I, as a so-called security expert, cannot uncover the hacker, claiming that China is the suspect is my easy way out. Who really hacked the NY Times is not important. Let's sum up the "golden rule of digital forensics":
1. If a security event can be traced to IPs within China, then it is done by Chinese hackers.
2. If that event is traced back to a computer outside China, then it is a jumpboard or proxy abused by Chinese hackers.
Those who aspire to be a security expert should never forget the two rules above.
Let's practice the golden rule now. According to McAfee, the US hosts more botnet servers than any other country currently. In this case, we cannot trace back to a Chinese computer, so by applying rule #2, we should say that these botnet servers are controlled by Chinese hackers. The US is merely the victim. If McAfee reports that China hosts most botnet servers, then we should apply rule #1, and all the bad things are done by Chinese hackers. The US is, again, the victim.
All of the above, I am just kidding. What I really want to say is, attribution of security events is indeed difficult. Sometimes we will never know the answer, just like we may never know who developed Stuxnet. But that doesn't mean we have the right to attribute it to someone we dislike the most.
Isn't that an eight word tweet?
One effective way to stop or at least reduce the Chinese hacking: stop or severely restrict doing business with one Chinese company (like they did with Huawei) each time a hack is traced to China. Then, if it's not governmental but originates from China, it will force the Chinese government to start cleaning up in their own country. If not, soon China will have no companies left that the West wants to do business with. A nice fairy tale perhaps, but hard payback is probably the only medicine which will have an effect on the Chinese thieves. We all know from countless examples that they steal any industrial secret they can get their hands on, so why not start hitting back hard? Sometimes I wonder how stupidly tolerant we in the West are, since we continue to tolerate this while the Chinese are laughing all the way to the bank.
How do we know that someone isn't using China's computers as a jumping point? We can only track a hacker back to the last proxy that is willing to give us their logs and then we have to trust that their logs are legit.