Hacking: We Do Not Think It Means What You Think It Means

February 6, 2013

Last week the New York Times found itself in the unique position of reporting a story about itself: “Hackers in China Attacked The Times for Last 4 Months.” Predictable headlines followed:

  • “Chinese Hackers Hit U.S. Media” (The Wall Street Journal)
  • “New York Times, Wall Street Journal say Chinese hackers broke into computers” (CNN)
  • New York Times Hacked Again, This Time Allegedly by Chinese” (Wired).

It’s a familiar story by now, and not just for large companies. In the same span of time we read about the Times breach, one of our team members received an email from a friend with an odd, suspicious subject that looked a lot like spam. Later that same day another email arrived, only saying: “Sorry, I was hacked!”

There are a lot of serious issues surrounding these breaches, from online espionage to the merits of antivirus, but we see a real problem in the coverage. Noticed how everyone responds to a virtual break-in in the passive voice: “We were hacked.” That wording makes it sound like everything was fine, then suddenly out of nowhere, a hacker swooped in and blew up the digital safe. It’s an idea encouraged by headlines like the Times and pop culture stories (like Iron Man hacking into NASA in seconds during The Avengers last year).

Here’s the problem: a lot of this hacking is more like a burglar slipping in an unlocked window than busting in the front door. Why? Inevitably in these articles, usually buried three or four paragraph down, we find out that the hacker used social engineering or phishing to get inside the network. In the case of the Times, we had to click on the second page before we found it:

Investigators still do not know how hackers initially broke into The Times’s systems. They suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install “remote access tools” — or RATs. Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”

Of all the stories that covered the Times, the only one we saw get straight to the heart of the matter was (ironically enough) from the social memechaser BuzzFeed. Boldly headlined “New York Times Hack Started With A Simple Email Scam,” this article correctly identifies the real problem at the heart of the story:

This wasn’t a control room full of masked marauders launching software attacks against a major computer network; it was a group of hackers trying to social-engineer their way into newspaper employees’ inboxes. The Times was hacked only after its employees were tricked — its biggest vulnerability, like any other large organization’s, wasn’t in its software or infrastructure, but in its humans.

Don’t get us wrong: these alleged Chinese hackers are obviously good at what they do, and developed some seriously sophisticated malware to install on the Times computers after getting in. But they didn’t “hack” through the systems with the virtual equivalent of a dynamite. They kept baiting people until someone opened the door. That’s not the fault of the antivirus provider or the IT staff.

That’s the fault of the person who lets the bad guy in.

Aside from finding someone to blame (which isn’t very constructive), why do we care how people perceive hackers? Because misunderstanding a problem gets in the way of a solution. If hack attackers are thought of like killer robots or space aliens, people are apt to become paranoid or jaded, neither of which leads to secure online behavior. We’d like to see less hand wringing and more practical advice on stopping these guys from waltzing into our businesses.

For example, keep software updated. Use security tools like firewalls, VPN, and network monitoring. Above all, avoid phishing schemes that make you part of the problem. Our partner Neustar has a great post up what to look out for in these attacks. Plan for how to deal with the fallout of such an intrusion (the New York Times did a great job there).

We don’t want to downplay the dangers, but we also want people to do more than worry. Acknowledging the shared responsibility you have in keeping your business network safe is a step forward in finding a solution.