Lessons from The New York Times hack

The recent cyber-attack on The New York Times should be a timely wake-up call for CIOs managing media companies. With hackers diversifying their list of targets, it would seem that today's newsrooms are fertile ground for electronic intruders.

While these intruders were once satisfied with customer data alone, they now seem just as interested in the off-the-record information gathered by journalists and stored on newsroom servers. Anonymous source names, embargoed information and confidential documents can all end up on a journalist’s computer or in a newsroom database, and all of it is in the firing line.

Indeed, this could be considered the most distinctive point about The New York Times hack: customer data was spared, editorial data was not.

The Times claims that Chinese hackers infiltrated its systems to uncover whatever they could find about its reporting on China. It also alleges that the hacks were a form of cyber espionage conducted by the Chinese government. Needless to say, Chinese authorities have vehemently denied the accusations, and the report also sparked a pointed response from anti-virus vendor Symantec, which is none too pleased with the assertion that its software wasn't able to detect the intrusions.

According to the Times, the intruders installed 45 pieces of custom malware, of which only one was picked up by Symantec's software. It adds that the hackers found a way to install malware on 53 employees’ own computers and used this foothold to gain access to its internal network. The malware was delivered through email, with targeted spear-phishing attacks used to trick specific people within the organisation into visiting a malicious website or opening a malicious attachment.

That is a fair guess: unlike other professions, journalists are in the business of being inundated with press releases and information via email from an array of people they don't know, and they usually don’t question it. Any malware embedded in an authentic-looking press release, even one stolen from another company’s website, would do the trick and could easily slip by undetected.

Perhaps the most concerning point about this incident is that the victim is one of the world’s most respected, and possibly richest, news organisations. The media company is seen as a thought leader in the industry, with global peers looking to it as a trailblazer in digital innovation and media strategy.

The whole episode comes at an interesting juncture for Australia’s media industry, where most major publishers are either overhauling or looking to overhaul their legacy backend systems. With the downturn in the ad market making budgets tighter, the temptation to cut costs at the expense of security could be a path to disaster.

Providing ample cyber-security for newsroom-related data may seem a bit of a frill, given that most of the information held in a newsroom database ends up in the public sphere anyway. But as the New York Times' experience highlights, off-the-shelf consumer-grade antivirus software just isn’t good enough, especially if state-sponsored hackers have you in their sights.

The other interesting highlight is that the New York Times’ primary defence hinged on signature-based endpoint security, which in this case wasn’t robust enough to stop bespoke malware that no signature existed for.

Faced with such a scenario, where firewalls and antivirus software are rendered toothless, one viable defence is continuous monitoring of the network for signs of intrusion, combined with regular perimeter testing.

One important facet of this vigilance is training all relevant staff to be aware of what they can and cannot click on, and to develop a keener instinct for suspect emails. Given the growing sophistication on display by hackers, the latter is easier said than done, and the situation is further complicated by the fact that many newsrooms just don’t have the resources to train their staff adequately.

However, this incident could shift thinking, and journos, still coming to grips with social media, may end up adding encryption lessons to their to-do list as well.

As Sophos points out in a blog post, there is a growing trend of newsroom hacks. Aside from the hacking of Crikey last year, Australian media companies have really only been hit in a bid to obtain customer data, but that could change in the blink of an eye.

If the Chinese government is indeed hacking media outlets, then what’s to say that other organisations won’t follow the same path in the future? It may be indulging in a bit of ‘tin hattery’ to say that other governments, and even companies, may turn to hacking newsrooms to uncover sensitive information, but the claim isn’t completely unrealistic given that newsrooms, by their very nature, are reliant on an open, continuous and free flow of information.

Locking the gates, big and small, isn’t an option, but there is certainly ample cause for stricter vigilance.