[Dailydave] The New York Times Plays with Fire

al bell ab4250 at gmail.com
Wed Feb 6 16:32:21 EST 2013


There are several interesting tidbits:

NYT asked AT&T to collect egress data: Either they are not collecting it
themselves, or they do not trust their sensors, or they have limited
collection.

There was no clear description of how 'patient zero' got pwned. Was it a
zero day or an unpatched computer?

There is of course far more than meets the eye. For example, the costs of
post-event remediation vs. the cost of improved defenses.

Al


On Tue, Feb 5, 2013 at 6:32 PM, Richard Bejtlich <taosecurity at gmail.com> wrote:

> This is what I can say:
>
> # 3 is not true.
>
> Also, the security staff brought the reporters into the incident at the
> very end. The reporters did not know what was happening until the security
> and IT staff cleared it. Reporters and IT/security collaborated on the
> publication date to balance the need to speak for the good of the
> community, and the need for the paper to protect itself. Both sides acted
> professionally and executed well.
>
> There is no conspiracy. Our press is not run by the government, unlike
> the press where many conspiracy theorists live.
>
> Sincerely,
>
> Richard
>
>
> On Friday, February 1, 2013, Dave Aitel <dave at immunityinc.com> wrote:
> > So one thing I think is interesting is that New York Times story.
> >
> > Here's how it goes, in bullet points:
> > 1. NYT knows it's ruffling feathers, so it hires AT&T (??) to "watch
> > their network"
> > 2. AT&T sees something, so NYT calls in Mandiant
> > 3. Mandiant and NYT let the Chinese hack things and watch them while
> > they penetrate into the domain controller and lots of other machines.
> > 4. Article about this comes out on NYT.com, calling out the Chinese.
> >
> > So, as far as I can tell from their article, the Chinese have all the
> > passwords for every NYT employee. This sounds like something that is not
> > good for NYT employees who may reuse their passwords elsewhere, even if
> > they're changed now.
> >
> > Likewise, it seems like at any time the Chinese could have turned off
> > the domain controller. That would probably have had significant
> > downsides for NYT, to say the least. Here's why they didn't: Their
> > policy did not let them. But that doesn't ameliorate all the risk, as
> > even hackers make typos...
> >
> > In other words, playing games with hackers on your network for a story
> > is a fundamentally bad idea. Because at some point, you're going to find
> > a contractor who screws up and doesn't follow their own policy (or can't
> > type) and it's going to take down your whole business.
> >
> > -dave
> >
> > --
> > INFILTRATE - the world's best offensive information security conference.
> > April 2013 in Miami Beach
> > www.infiltratecon.com
> >
> >
> >
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>