This Week in Cybercrime: Hackers Break Into News Outlets’ Computers

Hackers Break Into News Outlets’ Computers to Peek at Reporters’ Notes

On 30 January, the New York Times reported on its site that it was the victim of a sophisticated campaign of cyberattacks aimed, it suspects, at uncovering the names of sources who provided information about the business dealings of Chinese Prime Minister Wen Jiabao and his family. (In fact, we’re learning that the Times was only the latest publication to have its systems raided, but more on that later.) According to the NYT article, Chinese hackers—who tried to cover their tracks by infecting and remotely controlling computers at U.S. colleges then using those compromised machines to send the malicious code—started snooping around the Times’ internal networks as early as 13 September. This after word got out that journalists at the daily’s Shanghai bureau were conducting research into how Wen had amassed a fortune worth billions. According to a researcher at Mandiant, the computer security company the paper hired to exorcise the malicious code:

“[The hackers] set up at least three back doors into users’ machines that they used as a digital base camp. From there they snooped around The Times’s systems for at least two weeks before they identified the domain controller that contains user names and hashed, or scrambled, passwords for every Times employee.”

Mandiant discovered that the hackers used the passwords to access the computers of 53 Times employees. But Times Executive Editor Jill Abramson, who was quoted for the story, says, “Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied.” The Times was also quick to offer reassurance that no customer data was stolen. But what the hackers did in fact take is still an open question.

Even after the article about Wen was published on 25 October, the hackers continued snooping. The Times article references a December intelligence report prepared by Mandiant. The security firm had uncovered evidence that the “Chinese hackers had [from as far back as 2008] stolen e-mails, contacts and files from more than 30 journalists and executives at Western news organizations, and had maintained a ‘short list’ of journalists whose accounts they repeatedly attack.”

That assessment was confirmed on 31 January, when the Wall Street Journal admitted that hackers trying to monitor the newspaper's coverage of China had broken into its systems. Bloomberg says it was targeted after publishing an article last June about Xi Jinping, China’s then vice president and current general secretary of the country’s Communist Party. But Bloomberg says that although its computer systems came under attack, they were never breached.

Thousands of Networked Gadgets Double as Gaping Security Holes

Computer World is reporting that faulty implementation of the Universal Plug and Play (UPnP) protocol standard has turned millions of network-enabled devices such as routers, printers, media servers, and even smart TVs into gateways through which hackers can get inside firewalls. On 29 January, security researchers from Rapid7 released a research paper in which they noted that more than 20 percent of the 80 million unique IP addresses they pinged exposed the UPnP Simple Object Access Protocol service to the Internet. This allows one networked device to discover another and remotely turn on the other gadget’s data sharing, media streaming, media playback control and other services. The Computer World article explains that:

“In one common scenario a file-sharing application running on a computer can tell a router via UPnP to open a specific port and map it to the computer's local network address in order to open its file-sharing service to Internet users.”

Many of those devices had UPnP implemented through a library called the Portable UPnP SDK. Unfortunately, as the Rapid7 researchers discovered, the Portable UPnP SDK contains eight remotely exploitable vulnerabilities. Two of them can be used to inject code remotely.

The upshot: More than 23 million networked devices exhibited this vulnerability during the test. Rapid7 told Computer World that a patch has been released, but the firm’s chief security officer predicted in a 29 January blog post that “it will take a long time before each of the application and device vendors incorporate this patch into their products.”

The slow-to-update problem, says Rapid7, also affects users of a UPnP library called MiniUPnP, which can be exploited for denial of service and remote code execution attacks. New versions released in 2008 and 2009 don’t contain those security holes. But according to Rapid7, 14 percent of the Internet-exposed UPnP devices it pinged were still using MiniUPnP 1.0 and were thus still vulnerable. Though Rapid7 has released a free tool called ScanNow for Universal Plug and Play, and a module that detects vulnerable UPnP services running inside a network, many vulnerable devices will remain unpatched.

“Many PC users don't even update PC software that they frequently use and are familiar with,” Thomas Kristensen, chief security officer at vulnerability research and management firm Secunia told Computer World. “The task of finding the Web interface of a vulnerable networked device, obtaining the firmware update and going through the whole update process will likely be too intimidating for many users,” he said.
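The two library findings above (an old Portable UPnP SDK build, or MiniUPnP 1.0, answering discovery requests from the Internet) can be checked on a gateway you administer by reading the SERVER banner in its SSDP reply. The following is an added example written for this page, not the article's or Rapid7's ScanNow code; the MiniUPnP 1.0 cutoff comes from the article, while the Portable UPnP SDK fixed version (1.6.18) is an assumption, as are the banner strings in the test data.

```python
# Added example: parse a UPnP device's SSDP discovery reply and flag the
# library versions the article describes as exposed. Version cutoffs below
# are assumptions, not values taken from the article.
import re
import socket

# Unicast M-SEARCH for a host you administer; SSDP listens on UDP 1900.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 1\r\n"
    "ST: ssdp:all\r\n\r\n"
)

def parse_ssdp(response: str) -> dict:
    """Return the header fields of an SSDP (HTTP-over-UDP) reply, keys lower-cased."""
    headers = {}
    for line in response.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers

def _version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))

def classify_server(server: str) -> str:
    """Classify a SERVER banner as 'vulnerable', 'patched' or 'unknown'."""
    m = re.search(r"MiniUPnPd?/(\d+(?:\.\d+)*)", server)
    if m:
        # Article: MiniUPnP 1.0 is exposed; the 2008/2009 releases are not.
        return "vulnerable" if _version(m.group(1)) <= (1, 0) else "patched"
    m = re.search(r"Portable SDK for UPnP devices/(\d+(?:\.\d+)*)", server)
    if m:
        # ASSUMPTION: the Portable UPnP SDK (libupnp) fix shipped in 1.6.18.
        return "vulnerable" if _version(m.group(1)) < (1, 6, 18) else "patched"
    return "unknown"

def probe(host: str, timeout: float = 2.0) -> str:
    """Send one M-SEARCH to `host` and classify its banner ('no-reply' on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(MSEARCH.encode(), (host, 1900))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    banner = parse_ssdp(data.decode(errors="replace")).get("server", "")
    return classify_server(banner)
```

Running `probe()` against the gateway's public address from outside the network shows whether the SOAP/SSDP service is reachable from the Internet at all, which is the exposure the Rapid7 scan measured.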

Want to Use a Plug-in on Firefox? Ask For It

Mozilla announced this week that it would automatically disable all plug-ins in Firefox except the latest version of Adobe's Flash Player. In order for any plug-in to run, the user will have to manually override the block. This feature, which Mozilla calls “click-to-play,” used to bar only plug-ins that the Firefox browser judged to be unsafe or too far out of date. The move comes on the heels of numerous reports of hackers taking advantage of bugs in plug-ins, particularly the Java browser plug-in. The makers of other browsers such as Chrome and Opera include the click-to-play feature. But Mozilla is the first to turn it on by default. The others require the user to enable it.

Yahoo Mail Hijacking Case Solved

Security researchers at Australia-based BitDefender say they have gotten to the bottom of how some Yahoo Mail accounts have been hijacked over the past month. It seems that a link that is supposed to take users to an MSNBC News site instead connects them with a domain registered in the Ukraine. JavaScript that finds the user's contacts and sends spam under his or her name is placed on those pages so that it's almost impossible not to click on it.

Bill Shocker Malware Spreading Like Wildfire in China

It was revealed this week that a new piece of malware dubbed “Bill Shocker” has infected at least 600 000 mobile devices in China. The malicious code, which targets several of the most popular mobile apps in China, including Tencent QQ Messenger and Sohu News, sends spam to the users’ contact lists—often costing mobile device users a lot of money by going beyond the number of messages included in the unsuspecting users’ messaging plans. In a 30 January blog post, Beijing- and Dallas-based NQ Mobile said that the malware can update itself and "automatically expand to other apps, multiplying the potentially disastrous effects.”

Photo: Jleon/Wikipedia

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones