New York Times network hacked

Interesting article in Wired Magazine about how the New York Times network was infiltrated by Chinese hackers looking for information about Chinese dissidents that reporters may have interviewed. This ties back into the discussion we had in class about security.

The New York Times has discovered that hackers had access to their network for at least three or four months. Once they had access to the network, they stole the passwords of every employee in an attempt to identify reporters’ sources in a story about corruption in China.
The hackers also installed at least 45 different forms of malware, only one of which was actually identified and quarantined by Symantec, the Times’ antivirus software of choice.
The Times grew suspicious of the breach when a Chinese official warned them about the attack. The Times asked AT&T to monitor their network for suspicious activity, which they did. At that point an independent security firm was called in to investigate how bad the breach was. They found that attackers had installed three separate back doors into the network before they found the employees’ usernames and hashed passwords.

Developing Security Protocol for Bring Your Own Device (BYOD)

I believe that the decision to implement a Bring Your Own Device policy boils down to what kind of organization you are:

On one side of the spectrum, your organization may exist in a corporate environment where network security is a major consideration for management. The Helpdesk would have to fully support every Tom, Dick, and Harry’s iPhone, BlackBerry, iPad, Nexus 7, Lenovo ThinkPad, Android OS, OS X, Windows Vista through Windows 8, etc., and the risks would outweigh any benefits. In this case, BYOD would not be an ideal solution.

At the other end of the spectrum, an organization could exist in an academic environment where users have to register their mobile devices with a Network Access Control solution or they can’t access the internet, Helpdesk policy is that students support their own personal computers or mobile devices, the network is subnetted, and the students use Google Docs instead of a shared drive on a local public server located somewhere on campus. After a Risk Assessment and Cost/Benefit analysis, the Administration may decide that it makes more sense to give students the ability to access the internet from their personal devices than to continue supporting computer labs that need to be maintained and whose computers have to be replaced every three to five years.

In the end, it comes down to whether an organization decides that the risk is acceptable and whether it can maintain an acceptable level of support for its users. BYOD is certainly not an appropriate solution for every organization, but it could work very well in certain environments.

Beware of new and untested social media apps

It’s not just new, untested social media applications that we need to be worried about. People who are otherwise technically savvy use “legacy” sites such as Facebook and LinkedIn without fully understanding the way privacy settings are implemented; they don’t understand who can see their posts and who can’t.

For example, a friend of mine just got married, and proudly put a picture of his wife’s visa online to show off her new married name. For a brief period of time her full legal name, address, visa number, etc., were online and available to everyone on the internet. Fortunately, my wife read his post shortly after he posted it, and he took it down.

I think part of the problem is people tend to be lax about who they think should be able to see their posts. But I also think that sites like Facebook and LinkedIn make security obtuse and difficult to figure out. We need to do a better job of educating users, and we also need to push back against these companies to make configuring security easier.