- Details
- Category: Security News
Data Loss, Network & Perimeter, Risk Management
Security Experts Outline Enterprise Defense Essentials
The recent dump of attack tools linked to the Equation Group, which is widely believed to be tied to the U.S. National Security Agency and its Tailored Access Operations team, has triggered despair in technology circles (see NSA Pwned Cisco VPNs for 11 Years).
The thinking goes: If the NSA - and by extension any other top-flight intelligence agency - can develop attack tools to seemingly hack into almost any technology to gain access to networks, decrypt encrypted traffic and monitor targets, what hope do any organizations or individuals have that they can secure their data or systems?
As Jeff Pollard, a principal analyst focused on IT security at Forrester Research, told The Washington Post: "What is a company supposed to do when the very technology that they bought to protect them makes them vulnerable?"
Here are five takeaways from the Equation Group attack tool dump:
1. Intelligence Agencies Crave Exploits
The leak of Equation Group attack tools designed to exploit flaws in widely used software and hardware has once again prompted some information security researchers to demand that intelligence agencies such as the NSA and its sister British intelligence agency, GCHQ, promptly disclose such flaws to affected vendors. That's because the same flaw could have already been discovered by other intelligence agencies or cybercriminals.
"The question it really opens up is, 'Should NSA/GCHQ disclose the vulnerability so that manufacturers can close the hole?'" says Alan Woodward, a computer science professor at the University of Surrey. "In the past, GCHQ has done that. But it shows that these agencies have two roles: one is to gather intelligence via electronic means, and one is to keep us safe - a balance I don't envy them."
Many intelligence agencies, furthermore, actively search out these flaws, with the NSA reportedly sometimes hiring former employees from U.S. technology firms to help it reverse-engineer software and hardware.
That's why government vulnerability-sharing programs are "an exercise in optics," a.k.a. smoke and mirrors, says Michael Tanji, CSO of cybersecurity firm Kyrus - and a former U.S. Army signals intelligence analyst - in a blog post. "'Of course we'll cooperate with your vulnerability release program,' says every inter-agency representative. 'As long as it doesn't interfere with our mission,' they whisper."
But many related exploits aren't necessarily useful outside of intelligence circles. "One thing that is notable about many of these exploits is that they assume you are already inside the enterprise or have had access to the kit somewhere to taint it," says Woodward, who's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol. "That is not the sort of thing a private hacker would do - they tend to attack from outside."
2. Ditch Outdated Devices
Cisco PIX devices are one target of an Equation Group attack tool named BENIGNCERTAIN. But intelligence agencies are not the only ones targeting vulnerable equipment. Botnet-building cybercriminals have also been exploiting known vulnerabilities in PIX devices located in a number of countries, including Russia and Pakistan, according to U.K.-based security researcher Kevin Beaumont.
That's despite Cisco having stopped selling PIX devices in 2009 and ceased supporting PIX devices altogether in 2013.
As of Aug. 19, however, British security researcher Mustafa Al-Bassam counted at least 15,000 PIX devices still being used, including 9,000 in Russia and nearly 3,000 in the United States.
There's actually over 15,000 Cisco PIX firewalls online today vulnerable to BENIGNCERTAIN, most of them in Russia. pic.twitter.com/rmwHBEyGW9
Clearly, organizations are not heeding vendors' advice to discard older, unsupported IT equipment. Culprits include the recent global recession, as well as information security - and IT - still being viewed by many organizations as being a cost center, says Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting. And that leads to an "if it ain't broke, don't fix it" mentality around replacing software and hardware.
"CISOs need to get their senior management to focus on the benefits of a mature cybersecurity program and not on the costs," says Honan, who also advises Europol on cybersecurity matters.
"There are other areas in the business where costs cannot be ignored, such as health and safety and fire prevention, where legally companies have to replace outdated or end of life equipment," he adds. "However, we do not yet have that type of mature environment within cybersecurity that results in CISOs having to make a strong business case for more investment in security."
Security experts say that most products, once they lose support, can no longer be trusted to be secure. "The point when older kit should be jettisoned is simple - when it is no longer supported 'properly,'" University of Surrey's Woodward says. "I would also say that if some fundamental flaw is found in the software or hardware then it should also be binned. It is very easy for people to forget equipment that is performing a vital security task and at that point you are the weakest link."
That doesn't mean vendors should have carte blanche to stop supporting older products just because they're trying to sell customers new ones. "You should expect equipment to last for a decent amount of time, and it is part of due diligence to ask vendors the expected life of the equipment and software," Woodward says.
3. Enterprises Must Defend Themselves
The Equation Group leak is a reminder that intelligence agencies' missions are not to report flaws to technology vendors. As Tanji writes in a blog post, "Intelligence agencies are not here to defend your enterprise."
Tanji says intelligence agencies "exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period."
So don't expect intelligence agencies to take responsibility for vendors selling secure products with bug-free code. For that, enterprises must hold their vendors directly accountable.
It absolutely blows my mind that a handful of people on Twitter had to drive the research on #BENIGNCERTAIN, push for vendor acknowledgement
4. Treat All Vendors With Caution
The Equation Group toolset dump, together with the exploitable flaws in firewall vendors' products, is a reminder that no piece of hardware or software can be treated as 100 percent secure. So organizations should subject all vendors and products to a risk assessment to help them pick the best and most secure tool for the job, Honan says.
"Companies should consider a layered defense approach to their security whereby they use security solutions from different vendors in order to continue to provide some level of security in the event one layer fails or is compromised," he adds.
5. Continuously Monitor Your Networks
Clearly, any component of IT infrastructure - especially firewalls and VPN appliances - is a target for enterprising attackers, be they foreign intelligence agencies, cybercrime gangs or teenagers with too much time on their hands. "If you run a firewall installation at a large organization, now would be a good time to start logging incoming traffic for oddities," British researcher Al-Bassam says via Twitter.
Honan, who founded Ireland's first computer emergency response team, says monitoring is a must. "CISOs must implement continuous monitoring of all systems to know what normal operations look like on their network, so that any unusual usage patterns can be examined further to indicate if there is a compromise," he says.
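Honan's advice to learn what normal looks like and examine deviations can be made concrete. The following is an added example, not code from the article or from any of the people quoted: it parses constructed firewall log lines (the log format, the hosts and the RFC 5737 documentation addresses are all made up for this example), builds a per-source daily baseline, and flags sources whose volume jumps, sources never seen before, and destination ports the baseline never recorded.

```python
import re
import statistics
from collections import Counter

# Constructed log format and sample lines; nothing here comes from a real device.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def make_lines(day, src, dport, n):
    """Generate n constructed 'allow' events for one source on one day."""
    return [f"{day}T09:{i:02d}:00 src={src} dst=198.51.100.10 dport={dport} action=allow"
            for i in range(n)]


# Three "normal" days: a workstation talks HTTPS, an admin host uses SSH.
BASELINE_LINES = []
for day, n_web, n_ssh in (("2016-08-20", 3, 2), ("2016-08-21", 4, 2), ("2016-08-22", 3, 3)):
    BASELINE_LINES += make_lines(day, "10.0.0.5", 443, n_web)
    BASELINE_LINES += make_lines(day, "10.0.0.9", 22, n_ssh)

# The day under review: the workstation's volume jumps, and an outside host
# reaches a port the baseline never saw.
TODAY_LINES = (make_lines("2016-08-23", "10.0.0.5", 443, 12)
               + make_lines("2016-08-23", "10.0.0.9", 22, 2)
               + make_lines("2016-08-23", "203.0.113.7", 4444, 1))


def profile(lines):
    """Per-(day, src) connection counts plus the set of destination ports seen."""
    per_day_src = Counter()
    ports = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as events
        per_day_src[(rec["day"], rec["src"])] += 1
        ports.add(int(rec["dport"]))
    return per_day_src, ports


def baseline_stats(baseline_lines):
    """Mean and population stdev of daily counts per source (missing days count as 0)."""
    per_day_src, ports = profile(baseline_lines)
    days = sorted({d for d, _ in per_day_src})
    stats = {}
    for src in {s for _, s in per_day_src}:
        counts = [per_day_src.get((d, src), 0) for d in days]
        stats[src] = (statistics.mean(counts), statistics.pstdev(counts))
    return stats, ports


def flag_anomalies(baseline_lines, today_lines, k=3.0, floor=1.0):
    """Return findings as (kind, subject, count) tuples.

    A source is flagged when today's count exceeds mean + k * stdev; the
    stdev is floored so a perfectly steady baseline does not flag every +1.
    """
    stats, known_ports = baseline_stats(baseline_lines)
    today_counts, today_ports = profile(today_lines)
    findings = []
    for (_, src), count in sorted(today_counts.items()):
        if src not in stats:
            findings.append(("new_source", src, count))
            continue
        mean, sd = stats[src]
        if count > mean + k * max(sd, floor):
            findings.append(("volume_spike", src, count))
    for port in sorted(today_ports - known_ports):
        findings.append(("new_port", str(port), 0))
    return findings


if __name__ == "__main__":
    for finding in flag_anomalies(BASELINE_LINES, TODAY_LINES):
        print(finding)
```

The three finding kinds map to the three questions an analyst asks first when reviewing perimeter logs: is a known host suddenly much busier, who is new, and which services are being reached that nobody reached before. A real deployment would use weeks of baseline rather than three days and would key on more than source address, but the shape of the check is the same.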
The New York Times says its Moscow bureau has been targeted by suspected Russian cyberattackers, but its internal systems have not been compromised.
The confirmation follows a CNN report on Aug. 23 that the FBI is investigating a series of cyberattacks that affected the Times and other unidentified U.S. news organizations. The report, which cited anonymous U.S. officials, said the attacks had been detected in recent months and implied that some have been successful.
The Times reacted quickly to that report by publishing one of its own. "We are constantly monitoring our systems with the latest available intelligence and tools. We have seen no evidence that any of our internal systems, including our systems in the Moscow bureau, have been breached or compromised," spokeswoman Eileen Murphy says in a news story published by the Times.
An FBI spokesman declined to comment on those reports or any potential investigation being undertaken by the bureau.
U.S. and Russian tensions over cyber activity are at an all-time high. Experts widely suspect Russia is behind a series of cyberattacks against several Democratic Party organizations and Democratic presidential nominee Hillary Clinton's campaign (see DNC Breach More Severe Than First Believed).
"Attribution can be hard, although in the last five years, it has gotten better as the government has concluded that good attribution was necessary if it wanted to have a chance at a viable deterrence policy," says Martin Libicki, a domestic and national security expert at the think tank The Rand Corp. "One thing that makes attribution easier is that hackers persist in doing the same thing over and over again - and they can afford to be repetitive because the downside of a hack being attributed has, so far, been modest."
Russia may have also had a hand in the recent leak of a powerful set of software exploits and spying tools that security experts say were built by the NSA, although clear evidence of Russia's involvement has not emerged (see Confirmed: Leaked Equation Group Hacking Tools Are Real).
Follows Critical Reports
The New York Times's coverage has often deeply antagonized countries such as Russia and China, so it's perhaps no surprise that spies would want to keep tabs on their reporters.
China warned the Times of "consequences" even before the paper published an October 2012 expose describing vast wealth accumulated by family members of former Prime Minister Wen Jiabao.
Three months later, the Times said suspected Chinese hackers had used malware to obtain access to its networks. Corporate passwords for all of its employees were stolen, and the hackers accessed the personal computers of 53 employees. The email accounts of both the Times' Shanghai bureau chief and former Beijing bureau chief were accessed.
"It was presumed that they were looking for sources that helped The New York Times story on corruption associated with Premier Wen," Rand's Libicki says. "The Russians may have similar motivations, although recent Russian behavior suggests they also could have been looking to dox NYT employees or those mentioned in internal Times documents and messages."
This year, in early May, the Times published an extensive report on how Russia ran a sophisticated laboratory at the 2014 Winter Games in Sochi that aimed to conceal Russian athletes' use of banned substances. The story featured the first public comments from laboratory director Grigory Rodchenkov, who fled to Los Angeles after those games, fearing for his safety.
Tough to Defend Reporters
In theory, news organizations would carefully safeguard their reporters, given that the information they collect could be attractive targets for intelligence agencies or organizations conducting corporate espionage.
But reporters stationed overseas are often at a defensive disadvantage. In-country equipment providers could supply routers to reporters and news organizations' bureaus, for example, that have been tampered with to facilitate remote surveillance. Network traffic flows through in-country carriers may also be monitored by intelligence agencies. Physical access to offices is also potentially easier overseas, creating the possibility that sophisticated monitoring equipment has also been surreptitiously installed.
Using a VPN service, which encrypts traffic from a computer to the VPN provider's servers, can offer some security by not exposing browsing traffic to local ISPs. But even those connections could be compromised if users' login credentials get stolen, perhaps through simple phishing attacks, or if the VPN service itself has been compromised. Mobile phone connections and landlines, meanwhile, would have to be treated as completely insecure.
"Reporters are particularly vulnerable because they need a lot of latitude to effectively do their jobs," says Ryan Stolte, CTO for cybersecurity firm Bay Dynamics. "They travel to countries and connect to diverse networks which are more easily exploitable. All of those factors make them more vulnerable to a cyberattack than your average corporate employee."
Journalists Are Valuable Targets
Journalists are prized targets because they have data that sometimes is never published, says James Lewis, a senior vice president and director of strategic technologies programs at the Center for Strategic and International Studies in Washington. They can also talk to people that foreign agents have trouble engaging, he says.
News organizations have traditionally been soft targets. "At least until recently, media network security was terrible," Lewis says.
Lewis believes the recent attacks aren't a warning or a threat but rather an effort to figure out who the Times is speaking with and what it knows. "If there are embarrassing emails that can be leaked - so much the better," he says. "It's a favorite Russian trick."
Executive Editor Eric Chabrow contributed to this report.
Compliance, Data Breach, Privacy
Infidelity Dating Site Agrees to Privacy, Security Overhaul
Ashley Madison, the extramarital online hookup service breached in 2015, has agreed to bolster its security and make key data retention changes after regulators in Australia and Canada ruled that the site had violated local privacy laws (see Ashley Madison Breach: 6 Lessons).
Both the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner found Avid Life Media, the Toronto-based company that runs the website, did not have documented information security policies in place or proper breach detection capabilities. The company violated both Canadian and Australian privacy laws, regulators ruled.
"It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework," the regulators say in a summary of the investigation published Aug. 22.
In one of the more damaging findings, ALM acknowledged fabricating a medal icon and other "trustmarks" that were displayed on Ashley Madison's homepage. The marks implied the website had strong security, which deceived users in order to get their consent, the regulators say.
The Ashley Madison breach, one of the most high-profile incidents of last year, was particularly sensitive given the lurid nature of the service. In mid-July 2015, a group calling itself the Impact Team gave ALM an ultimatum: shut down Ashley Madison and a related site, Established Men, or else the attackers would dump user data.
The Impact Team claimed that Ashley Madison was a fraud and opposed some terms of the website, which included having to pay a fee for the full erasure of an account.
The company resisted, even after the group leaked a small sample of data. The Impact Team then released three dumps, comprising nearly 30GB of data. The files included customer names, email addresses, postal codes, partial credit card numbers, hashed passwords, GPS data and the amount paid for subscription services for some 36 million accounts (see Researchers Crack 11 Million Ashley Madison Passwords).
Also released were embarrassing internal company emails, including those of former CEO Noel Biderman; source code for some of ALM's websites; and financial records and company documents.
In July, ALM officials told Reuters that the U.S. Federal Trade Commission is also investigating the breach. The company also faces a raft of class-action lawsuits tied to the disclosure of personal data and charges that it manipulated male customers by using automated chat bots (see No Surprise: Ashley Madison Breach Triggers Lawsuits).
Security Overhaul
In July, Avid Life Media changed its name to Ruby Corp., announced that it had hired a new CEO and dropped the infamous Ashley Madison tagline - "Life is short. Have an affair." - in favor of "Find your moment." It also now bills Ashley Madison as "the original extramarital affairs site" (see Ashley Madison Seeks Security Reboot).
ALM - now Ruby - has agreed to comply with an extensive set of conditions and deadlines laid out by regulators. The government agencies could take the company to court if it fails to meet those conditions.
For example, by May 31, 2017, the company must implement a policy to delete deactivated or inactive accounts after an "appropriate period," according to the terms, signed by James Millership, president of ALM/Ruby.
Prior to the data breach, ALM had charged users $19 for a "full delete" to scrub their personal data from its systems - an unheard-of fee for a web service. But based on data leaked by the Impact Team, it appeared that the company not only didn't scrub any personal data, but also didn't fully delete users' accounts after they paid $19. The company eventually dropped the fee.
If the company chooses to continue to require users to submit an email address, it will have to take steps to ensure the accuracy of that information, regulators say.
For starters, all staff and contractors with network access to ALM will be required to have security training. The regulators found 75 percent of the company's staff had not received general privacy and security training. Ironically, ALM was in the process of developing written security policies and procedures when the breach occurred.
The company is also required to put in place an information security management framework, along with supporting processes and policies, which will be verified by a third party. A report on the effort is due by July 2017.
Regulators Detail Lackluster Defenses
While ALM had some breach detection and monitoring capabilities in place, those tools were more focused on site performance issues and monitoring employees' access to customer data, regulators say.
"ALM had not implemented an intrusion detection system or prevention system and did not have a security information and event management system in place or data loss prevention monitoring," the agencies say.
The attackers stole account credentials for an employee, then used those credentials to gain access to the corporate network and compromise other accounts. After several months of lurking inside the company's network, the attackers appeared to have mapped ALM's network topology and exfiltrated customer data.
The hackers took some care to mask their activity. The regulators say that the infiltrators used a VPN, allowing them to sport IP addresses that made them appear to be located in Toronto. Once inside the system, the attackers deleted log files, which made it harder to trace the intrusions.
ALM provided regulators with other evidence of its poor security practices. For example, plaintext passwords were found in emails and other text files on the network. Encryption keys were also stored as plaintext. One server had an SSH [secure shell] key that was not password protected, which allowed an attacker to connect to other servers.
ALM employees used a VPN service to log into the network. But a shared secret for the VPN service was stored on Google's Drive service. The regulators noted that "anyone with access to any ALM employee's drive on any computer, anywhere, could have potentially discovered the shared secret."
Site Still Running
Perhaps the most startling aspect of the Ashley Madison incident is that the site is still running. After the breach, researchers combed through the user data and came to the conclusion that most customers were male.
An analysis by Gizmodo - based on source code and internal emails - pointed to ALM propping up activity on the site by using an army of chat bots that presented themselves as female. The bots - referred to as "hosts," "engagers" or "fembots" - would chat up male site visitors, making it appear women were highly active on the site.
Even if Ashley Madison was more fantasy than it let on, the dating site was immensely lucrative. ALM told regulators it brought in $100 million in revenue in 2014. According to Reuters, ALM says its 2015 revenue was $109 million, with a profit margin of 49 percent.
Breach Notification, Breach Response, Data Breach
Vulnerability in vBulletin Forum Software Exploited
Epic Games has temporarily shut down some of its user forums for maintenance after data on about 808,000 accounts was stolen, marking the second data breach of the game maker in 13 months.
The compromise involved several forums maintained by Epic Games, based in Cary, N.C., that center on games and developer tools.
The most affected forums are Infinity Blade, UDK, Gears of War archives and those for previous Unreal Tournament games. Email addresses, hashed and salted passwords and data entered into forums were leaked.
Passwords that are hashed have been run through a one-way algorithm to create mathematical representations of passwords. In theory, the hashed value should not be able to be reversed into the original plaintext password. But it is possible for a password to be recovered if a weak hashing algorithm was used (see We're So Stupid About Passwords: Ashley Madison Edition).
"If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password," Epic Games says in a statement.
Password hashes that have "salt" added are harder to reverse. Salt is other data added to a password hash that's intended to make it more difficult to crack.
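The difference between a bare hash and a salted, deliberately slow one is easy to see in code. The following is an added example and not code from the article, from Epic Games or from vBulletin: it builds a constructed three-account "dump" (emails and passwords are made up), hashes it once with unsalted MD5 and once with salted PBKDF2-HMAC-SHA256 from Python's standard library, and then runs the same small dictionary against both. The dictionary, iteration count and account data are all assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample "leaked" forum accounts; every value is made up for this
# example. Two users chose the same weak password.
LEAKED_USERS = [
    ("alice@example.org", "unreal"),
    ("bob@example.org", "unreal"),
    ("carol@example.org", "7r!Xq-9pLz#2"),
]

# A tiny dictionary standing in for a real cracking wordlist (constructed).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "unreal"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to your hardware


def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: the weak scheme many old forum packages shipped with."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Store a fresh random salt beside the hash, as a site should at signup."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": salted_pbkdf2(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = salted_pbkdf2(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_unsalted(hashes: list) -> dict:
    """Reverse unsalted hashes by lookup: one precomputed table serves every user."""
    table = {unsalted_md5(p): p for p in COMMON_PASSWORDS}
    return {h: table.get(h) for h in hashes}


def crack_salted(records: list) -> dict:
    """With salts there is no shared table: each record costs a full dictionary run."""
    return {i: next((p for p in COMMON_PASSWORDS if verify(p, rec)), None)
            for i, rec in enumerate(records)}


def demo() -> dict:
    """Compare the two schemes over the constructed dump."""
    md5s = [unsalted_md5(pw) for _, pw in LEAKED_USERS]
    records = [make_record(pw) for _, pw in LEAKED_USERS]
    return {
        "md5_identical_for_shared_password": md5s[0] == md5s[1],
        "pbkdf2_identical_for_shared_password": records[0]["hash"] == records[1]["hash"],
        "unsalted_recovered": crack_unsalted(md5s),
        "salted_recovered": crack_salted(records),
        "distinct_salted_hashes": len({r["hash"] for r in records}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the output makes visible: with MD5, alice and bob share a hash, so one table lookup exposes both and every other user with that password at once; with per-user salts, every hash is distinct and each account has to be attacked on its own at the full PBKDF2 cost. Salting does not rescue a password that is in the dictionary, which is why the article's advice to change a reused password still applies even when a site hashed and salted correctly.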
Also affected were the Unreal Engine and Unreal Tournament forums. Email addresses and data entered into forums were leaked, but not password-related data. Those forums remain online, and users do not need to reset passwords.
The Paragon, Fortnite, Shadow Complex and SpyJinx forums are not affected.
"We apologize for the inconvenience this causes everyone and we'll provide updates as we learn more," Epic Games says.
The new breach alert follows the company warning in July 2015 that usernames, email addresses, passwords and dates of birth might have been compromised after a breach, according to the gaming publication Kotaku. That cyberattack affected UDK, Infinity Blade, Gears of War and Bulletstorm as well as prior Unreal Tournament games.
SQL Injection Attack
After the latest breach, the Epic Games data first appeared on LeakedSource, a website that sells subscriptions to a repository of data breaches that are obtained through opaque sourcing. The number of Epic Games accounts affected is about 808,000, LeakedSource tells Information Security Media Group.
When asked how the service obtained the Epic Games data, a LeakedSource representative says that hackers "know that we don't resell or trade data for any reason, and some of them 'just want to watch the world burn,' which means exposure to data sets and people panicking" (see LeakedSource: 'Assume Every Website Has Been Hacked').
The hacker who stole the data exploited a SQL injection vulnerability in the popular vBulletin forum software, the LeakedSource representative said. "SQLi" is a common type of web attack in which a web application passes unfiltered user input into a back-end database query, so that the input changes what the query does and the database returns data it should not.
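The root cause the article describes, input spliced into SQL text, is best understood next to its fix. The following is an added example, not code from vBulletin, Epic Games or LeakedSource: it creates a constructed in-memory SQLite table of forum accounts (all rows are made up), looks a user up once by string concatenation and once with a bound parameter, and shows how the same probing input behaves against each. The table, the lookup functions and the probe string are assumptions for the demonstration.

```python
import sqlite3

# Constructed forum user table; every row is made up for this example.
SAMPLE_USERS = [
    ("alice@example.org", "hash-a"),
    ("bob@example.org", "hash-b"),
    ("carol@example.org", "hash-c"),
]


def setup_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, pw_hash TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (email, pw_hash) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds SQL by concatenation: the input becomes part of the query's grammar."""
    query = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Bound parameter: the driver ships the value separately from the SQL text,
    so whatever it contains is only ever compared as data."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))]


# The textbook tautology probe, used here only against the local in-memory
# table to show the difference between the two query styles.
TAUTOLOGY = "nobody@example.org' OR '1'='1"


def compare(email: str) -> dict:
    """Run both lookups on a fresh database and return what each hands back."""
    conn = setup_db()
    try:
        return {
            "vulnerable": find_user_vulnerable(conn, email),
            "parameterized": find_user_parameterized(conn, email),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice@example.org"))
    print(compare(TAUTOLOGY))
```

For an ordinary address both functions return the same single row. For the probe, the concatenated version returns every account because the quote closed the string literal and the `OR` rewrote the WHERE clause, while the parameterized version returns nothing because it looked for an account literally named `nobody@example.org' OR '1'='1`. That gap is also a useful detection signal: a lookup endpoint that suddenly returns many rows for one input is worth an alert.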
Of the 20 most recent batches of breached data that LeakedSource has acquired, 16 of them have been via a vulnerability in vBulletin, the representative says.
New vulnerabilities get regularly disclosed by vBulletin, says Troy Hunt, a data breach expert who runs the Have I Been Pwned? data breach notification service (see Troy Hunt: The Delicate Balance in Data Breach Reporting).
Web Forums: Endless TLC Required
While vBulletin regularly issues related patches to fix the problems, many administrators choose to host their own vBulletin software and never get around to applying the fixes, Hunt says. And that creates a "perfect storm of software with holes in it that people don't maintain," he says.
The Epic Games forums were breached on Aug. 11. Although it's unclear which vulnerability was exploited in that breach, vBulletin recently issued patches for a problem that could allow an attachment to exploit a system for vBulletin versions 3.8.7 and up.
For better security, an improved approach for vBulletin users would be to pay vBulletin Solutions to host the software, Hunt says, which would ensure the software gets promptly patched.
"Having your own web application running on any platform is like having a child," Hunt says. "You need to give it TLC for the rest of its life. It's worse than having a child. Children grow up and leave home. You've got to continue to look after this [web application]."