[Dailydave] The New York Times Plays with Fire

Dave Aitel dave at immunityinc.com
Fri Feb 1 17:19:57 EST 2013


So one thing I think is interesting is that New York Times story.

Here's how it goes, in bullet points:
1. NYT knows it's ruffling feathers, so it hires AT&T (??) to "watch
their network"
2. AT&T sees something, so NYT calls in Mandiant
3. Mandiant and NYT let the Chinese hack things and watch them while
they penetrate into the domain controller and lots of other machines.
4. Article about this comes out on NYT.com, calling out the Chinese.

So, as far as I can tell from their article, the Chinese have all the
passwords for every NYT employee. This sounds like something that is not
good for NYT employees who may reuse their passwords elsewhere, even if
they're changed now.

Likewise, it seems like at any time the Chinese could have turned off
the domain controller. That would probably have had significant
downsides for NYT, to say the least. Here's why they didn't: Their
policy did not let them. But that doesn't ameliorate all the risk, as
even hackers make typos...

In other words, playing games with hackers on your network for a story
is a fundamentally bad idea. Because at some point, you're going to find
a contractor who screws up and doesn't follow their own policy (or can't
type) and it's going to take down your whole business.

-dave

-- 
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com

