As a technology reporter for The New York Times, Nicole Perlroth says it's hard to convince corporations to go on the record with the details of their cybersecurity breaches. But last October, when The Times learned that Chinese hackers had infiltrated its own computer systems, Nicole got a front-row seat to report on her own company's response to a targeted attack. Perlroth talks to Brooke about the inevitability of security breaches, and the measures that can be taken to minimize damage.
Andrew Pekler - Here Comes the Night
(PODCAST INTRO)(THEME MUSIC)
BOB GARFIELD: From WNYC in New York, this is On the Media. I'm Bob Garfield.
BROOKE GLADSTONE: And I'm Brooke Gladstone. If a dog bites a man it’s not a story but if a dog bites a journalist, as security technologist Bruce Schneier has observed, it’s front page news. Well, in this analogy, consider the dog to be Chinese hackers who hack institutions of all sorts all the time but this week when the New York Times revealed that it had been penetrated by Chinese hackers, and so had Bloomberg News, it was a huge story, swiftly followed by the Wall Street Journal's revelation that it too had been hacked. It seems to be a badge of honor, like being on Nixon’s Enemies List.
Anyway, apparently, the Times hacking was sparked by the paper's coverage of Chinese Premier Wen Jiabao’s wealthy relatives. But Times technology reporter Nicole Perlroth says that despite the hacking, no sources were compromised.
NICOLE PERLROTH: That story was actually sourced through publicly available documents. There was no Deep Throat, there was no sensitive sourcing. It really was what we’re calling a misbegotten search.
BROOKE GLADSTONE: But the Times allowed them to, quote, “spin a digital web,” you wrote, for four months. Was Mandiant, the security company the Times hired, really able to track the hackers?
NICOLE PERLROTH: In the days leading up to the publication of our Wen story, we had gotten warnings that the story may have consequences. So we asked AT&T here to look for unusual activity on our network and, lo and behold, AT&T came back to us and said, at least three of your computers are communicating with command and control servers that we have in the past seen launch attacks on companies in the US defense sector.
We then notified the FBI. We replaced every computer that had been compromised. We tried to block any communication between those known command and control servers. And we thought that had done the trick. A week later, you know, we continued to see activity in our systems, particularly on election night. After that, on November 7th we hired Mandiant. We’ve spent the last three months watching to see where the hackers were installing back doors, what malware they were installing, which computers had been compromised, what they were after, most importantly. Once we had a good grasp, we blocked the malware, shut down communication with the command and control servers, erected defenses and then we went public with it.
BROOKE GLADSTONE: And how long is that gonna protect you?
NICOLE PERLROTH: Well, I think we were clear about this; we’re on alert. This is an ongoing effort. Part of the reason that we went public with this was to educate our own employees about how easy it is for hackers to get into our systems. Hackers don’t charge through your firewall anymore. They send cleverly-written emails from someone who may know, with a link or an attachment that might be relevant to your job description. These emails are extremely targeted.
BROOKE GLADSTONE: Didn’t you note in your piece that one hacker got into a system through a thermostat?
NICOLE PERLROTH: Right. So in 2011, the US Chamber of Commerce had been attacked by Chinese hackers in a month-long cyber campaign. And the Chamber worked with the FBI to seal up its systems, and then months later it recognized that a printer in its office had been acting erratically, printing out documents in Chinese characters.
[LAUGHS] I know. It, it just sounds like something from a thriller. Then they noticed that – this is even better – a thermostat in one of its corporate apartments was acting erratically. And when it sent someone in to check, it noticed that this thermostat was communicating with an IP address in China. It’s just mind boggling.
BROOKE GLADSTONE: Isn’t the moral of this story that if you close a window, they’ll come in through the door, if you close the door, they’ll come in through the roof, if you seal the roof, they’ll come up though the basement? In other words, you can run but you really can't hide?
NICOLE PERLROTH: You’re right. But once they do get in, you want to prevent them from moving around. So they come in through the roof, you want to make sure that the flue is closed. You’re basically expecting that they’re gonna come in, and you set up your defenses in such a way that your most valuable intellectual property is protected.
BROOKE GLADSTONE: What about the criticism that some have that, you know, this is going on everywhere - every human rights organization, every corporation - and you don't really get this kind of coverage until they come up and bite the New York Times?
NICOLE PERLROTH: Well, that’s sort of the challenge of my job. People are very reticent to say that they have been hacked for fear of what it will do to their reputations or to their stock price. In the last couple of years, there's been a little change in the wind.
So in 2010, Google was the first to come forward and when they sort of withdrew their operations from China and said that they had done so because Chinese hackers had penetrated the Gmail accounts of human rights activists. They said, as part of that announcement, that some 30 other companies were hacked in the same campaign. Of those 30, only two came forward, Adobe and Intel, but they didn’t provide any details.
Later RSA came forward. Hackers had gone after their crown jewels, which was the algorithm for these secure ID tokens that are used by Booz Allen and Lockheed Martin. They really were left with no choice but to announce that they had been hacked. Lockheed Martin and Northrop Grumman have now been much more open about the fact that they are targeted on an almost daily basis.
Now, I have been trying to get these companies to let me do a tick-tock of the attacks but none of these corporations want to be the guinea pig. The fact that we were hacked did present an opportunity where we could sort of show the world how this happens and just how easy it is.
BROOKE GLADSTONE: Nicole, thank you very much.
NICOLE PERLROTH: Thanks so much for having me.
BROOKE GLADSTONE:New York Times technology reporter Nicole Perlroth.