On this last episode, we look back on 23 years of joyous, difficult and always informative conversation.
Guest Host: Marc Fisher
Reports of Chinese hackers descending on U.S. companies are raising new questions about cybersecurity and how we hunt the digital bad guys. Tech Tuesday explores how the FBI, Mandiant Corp. and other cyber sleuths track hackers and examines what you should do to protect your data, whether it’s on your home computer or your business’s vast network.
- Richard Bejtlich Chief Security Officer, Mandiant
- Michael Hicks Director, University of Maryland Cybersecurity Center; Professor of Computer Science
- Nicole Perlroth Reporter,The New York Times
Mandiant Exposes APT1, One Of China’s Cyber Espionage Units
This video shows actual attacker sessions and intrusion activities conducted by one specific Advanced Persistent Threat (APT) group, which Mandiant has named APT1. This group has systematically stolen confidential data from at least 141 organizations across multiple industries. A full report, published by Mandiant, details APT1’s multi-year cyber espionage campaign and is available at www.mandiant.com/apt1.
MR. MARC FISHERFrom WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your community with the world. I'm Marc Fisher sitting in for Kojo. Coming up this hour, the evidence points to a white office tower on the outskirts of Shanghai. Inside that tower, hackers known as the Comment Crew and connected to the Chinese military are roaming the computer systems of dozens of American companies, looking for everything from operating manuals to sources behind news stories about Chinese politicians.
MR. MARC FISHERUnlike a virus or a worm that installs malware on a computer, these hackers are real people cruising remotely through the victims' files in real time. As more American companies come clean about the extent to which they've been hacked, there's new debate about who's responsible and what they're after. China steadfastly denies it's sponsoring international hacking, but the Obama administration is trying to figure out how to aggressively respond to state-sponsored hacking without risking a diplomatic debacle.
MR. MARC FISHERTech Tuesday examines today how hackers are breaching American computers, why they're doing it and what can be done to defend against it. And joining me for the program, Michael Hicks is director of the University of Maryland's Cybersecurity Center, and he's a professor of computer science there. And Richard Bejtlich is chief security officer at Mandiant Corp., which has played a key role in unveiling this pervasive hacking.
MR. MARC FISHERAnd, Richard Bejtlich, perhaps you could start out by telling us about there's an amazing video that we've posted on kojoshow.org that folks can look at where you can actually see the individual keystrokes as the guys in the People's Liberation Army Unit 61398 tapped into American computers. Richard, tell us about how you were able to watch them do this stroke by stroke, and do you think they might be watching you as you were watching them?
MR. RICHARD BEJTLICHBoy, that's a good question, Marc. That video does show real intruders on victim computers, and I've noticed some comments on the YouTube channel and some questions have come in via Twitter, why would hackers be using Windows. That looks like an old version of Windows. What you're seeing are intruders on victims' computers. In other words, those are the computers that were in a victim organization that the intruder broke into, and then they're using that computer remotely.
MR. RICHARD BEJTLICHNow, Mandiant has the capability with our services and software to see that sort of network traffic, that communication between the victim computer and the intruder someplace else, in this case in China. And we were able to reconstruct that network traffic and render it in the same way as if the intruder was sitting at the keyboard, so all of that is real intruder activity. None of it is doctored. None of it is edited. It's the actual actions taken by the intruder.
FISHERAnd if you're able to watch them, do you simply assume that they're able to and are watching you?
BEJTLICHWell, I guess it depends what sorts of activity they might try against us. You know, for example, if they were to break into one of our computers, in a sense, they can see us. Many of these intruders have the capability to turn on a webcam or to listen in to a computer's microphone, that sort of thing. But the sorts of activity we were doing is centered around incident response. It's helping a victim recover from an intrusion. The sorts of activities these hackers take isn't like that. They're trying to break into computers, steal information and then get out of dodge.
FISHERIf you'd like to join our conversation, give us a call at 1-800-433-8850 or email us at kojo -- K-O-J-O --@wamu.org or. And, Michael Hicks, when companies -- when you see these sort of different aspects of cybercrime taking place from the emails we all get inviting us to buy Viagra to state-sponsored Chinese hacking, does it -- is it all essentially the same process that's going on?
PROF. MICHAEL HICKSAt the core of all of it is exploitation of some sort. So that email that invites you to download this file to look at the company's new procedures or to go to a website to get free Viagra, one way or the other, it's trying to entice you to download malware onto your machine. That will then take a foothold in your machine and then use it for nefarious purposes or steal information from it.
PROF. MICHAEL HICKSThat same email or other exploitation may involve a vulnerability on your computer system. Maybe your software is not up to date. Maybe there's an unknown vulnerability that has yet to be disclosed. And then those adversaries, those attackers exploit that vulnerability. And whether it's cybercrime or cyberespionage or cyberwar, basically, the way in is the same in all three cases. And it's sort of what happens afterwards that differs.
FISHERWell, if you'd like to join our conversation, have you ever opened an email that placed a virus or worm on your computer, and how did you discovered it? How did you get rid of it? Give us a call at 1-800-433-8850. Let us know if you work at a computer that's been hacked and what happened there. And, Richard Bejtlich, is there -- tell -- walk us through the procedure if a company thinks they've been hacked or if they get a call perhaps from the FBI saying that they have been hacked, they'll then call Mandiant and ask for help. What do you do?
BEJTLICHMandiant will deploy professional services consultants to the victim site. And our first order of business is to scope the intrusion. It's to find out how big is the problem, where is the intruder, what is the intruder doing. We'll respond using a combination of expertise gathered over the last nine years of doing work, plus some special software that we use that will ask questions of individual computers.
BEJTLICHAnd it sort of takes the process that we use to do manually 10 years ago and takes it to a whole new level where instead of looking at just a couple of computers at a time, we can look at tens of thousands or even hundreds of thousands of computers. And by getting all this information back, this forensic data and a combination of network data we also capture, it will tell us where the intruder is. And from that point forward, we'll start working on a remediation plan. In other words, what is it going to take to kick these intruders out of the network?
FISHERAnd now, as a private company, your first allegiance, I would gather, is to the company that hires you, but in the case of the Chinese hackers, there's an additional element there that you're dealing with the FBI. You're dealing with national security. Are there ever conflicts where the company wants to do one thing and the FBI wants to do something else?
BEJTLICHWell, Mandiant doesn't get between those relationships. We -- like you said, we do work for the companies, and we don't provide our reports to the FBI or to other law enforcement or intel community members. If a company decides to work with the FBI, that's their choice, and what they do with our reporting or our findings is really up to them.
FISHERAnd what do you -- you've watched now the Chinese working from this building in Shanghai and getting into everything from newspaper sites to think tanks and other kinds of companies across America. What do you think they're mainly looking for?
BEJTLICHWell, it depends who you're talking about. The group in question, APT1, which is 61398, or it's the -- it's an element of the PLA, the People's Liberation Army. This group has a very broad focus. They take a look at IT, transportation, electronics, finance, navigation. I can give you 15 more industries that they target. They're not that sophisticated. But they're very successful, and they're very prolific.
BEJTLICHOther groups are much more focused. They might spend their time going after more military secrets. Some might spend more time going after dissidents. Some might go after international organizations, like ASEAN or NATO or other groups like that. At the core of the issue, though, is the Chinese want to know what it is that we're developing. They want to take that innovation and put it into their products and services. They want to know what the rest of the world thinks of them, so they can better tailor their diplomatic messages.
BEJTLICHAnd they're also interested with who's interacting with their own dissident community and those who are trying to foster human rights. And that's one of the reasons why we saw the attention paid against The New York Times several weeks ago which incidentally was a different group. That was APT12 as Mandiant calls it, a different group, a different set of objectives, different from this APT1 group that we profiled in our report last week.
FISHERAnd do you assume that we as a nation, as a government, are conducting the same kinds of operations in China?
BEJTLICHThere's a difference between the operations that the United States conducts and those that are done by the Chinese or the Russians or some other country. The United States limits its activity to what the Western world considers normal targets of espionage -- foreign governments, foreign militaries, foreign intelligence community. The Chinese, and to a lesser extent the Russians, and some other countries have a much broader scope.
BEJTLICHIn other words, it is completely within the realm of acceptability for the Chinese in their own minds to break into Western companies, nongovernmental organizations, dissident home computers, the office of the Dalai Lama, just a very, very wide range of activities. And they don't see any problem with that whatsoever. So that's the big disconnect. Everyone tends to point back at the United States and says, "Oh, we do the same sort of thing." It's not true. Our espionage is very focused, whereas the Chinese tend to consider a wide range of targets as being acceptable.
FISHERMichael Hicks, why is it so easy for this kind of hacking to go on? Obviously, it's something that is tremendously bothersome, if not dangerous, to our national security and to the security of companies. Why is the system so vulnerable?
HICKSFundamentally, the difficulty comes with building systems that are secure. As we build more sophisticated programs, if you have an iPad sitting in front of me, the processing power or the amount of software, the sorts of things you can do with computer systems today are really incredible. We're building software systems that are millions and millions of lines of code long, and those sorts of systems are becoming more common. And so it becomes very difficult to stamp out all possible vulnerabilities, all possible flaws in those systems that could be exploited by an adversary.
HICKSAs companies go to try to bring their software systems to market, to try to have better products than their competitors with more features and more dancing frogs and fun things to do, it -- they are pressured to get the software out as soon as possible, which means that there's even less of a chance that they will find all of the flaws in the software. So I think it's very difficult to build systems securely, and it's even worse given the corporate climate of trying to get systems out as quickly as possible.
FISHERLet's hear from Elliott in Yuma, Ariz. Elliott, it's your turn.
ELLIOTTHi. I have a simple question. I've worked -- I'm 80 now. But I spent a number of years working in government communication. I worked for the Navy department, including a trip to Russia, et cetera. Anyway, I have a very simple question. Why is all of this sensitive data online in the first place? And why isn't there a simple access method set up so that -- I mean, this is primitive almost.
ELLIOTTBut you have a secret word for the day in order for somebody from the outside world to attack -- to connect to the computer. They have to go through a human who actually asks for the secret word. You could even use that to -- if you've got a spy in the plant or wherever, by putting different secret words up. And if certain words get out, then you can start to narrow it down and so forth. I mean, this -- it should be obvious. Why is this never mentioned? Don't make it available online unless it goes through a filter.
FISHERThat would certainly change the scope of the use of the Internet, wouldn't it, Michael Hicks?
HICKSSo I think the difficulty is that in a situation that you brought up, the authentication mechanism is more trustworthy that basically nothing is going to happen until you have that secret word. In today's systems, I can send an email to the CFO of some company and masquerade as if I'm that CFO's friend. And how can I do that? Well, I can go look at his LinkedIn account and find out executives that he knows, ones that he seemed to have a lot of activity with. And then I can send him that email that has malware in it. And then he can click the email, the malware, install it on his machine.
ELLIOTTBut you are -- the point -- excuse me for interrupting. But the point is that's the whole idea. Have another method not available online in any form that they have to go through a human interface to screen these people who have access. And that's -- I mean, it's so simple. I write software. Then some of it -- on my system. I have sensitive information. I have a couple of old computers that never go online. I don't have to worry about being hacked. I've had my other system hacked, but it didn't affect my customers' security. It seems so simple. I don't understand why it's not used.
FISHERI imagine that the speed and competitiveness are key issues in that.
HICKSYeah, I would say that that's the case. If you look at the government's secret networks, not the public facing Internet-connected ones but the ones that contain classified information, there's a so-called air gap between those networks and the rest of the Internet. And that does protect that information in the way that you described, certainly a lot more so than if it was connected to the Internet. But it's certainly a disadvantage to companies in terms of productivity to not be connected to the Internet. And I think that's why companies don't go that route.
FISHERRichard Bejtlich at Mandiant Corp., tell us about the steps that a hacker goes through to set himself up inside a victim's computer from spear phishing, what that is, to running a malware program.
BEJTLICHWell, Mandiant sees three main ways that intruders are able to access a network. We talked a little bit about spear phishing earlier. That's probably the most popular. Maybe 75, 80 percent of the time when an intruder gets an initial foothold, that's what they use. Using an email with a malicious link or a malicious attachment, you visit the link or you open the attachment, and your system becomes compromised.
BEJTLICHProbably another 15 to 20 percent of the time, we see direct attacks against publicly facing computers. In other words, your company's Web server, their mail server, some computer that's sitting on the Internet, the intruder will find a way to break into it and move from there. And then the last few percentage points, we do see some physical attacks whether it's rogue insider or the planting of a USB drive with malicious content on it. We do -- we have some cases that involve that as the initial point of entry.
BEJTLICHBut in all of those areas, once you get that first foothold on a network, the intruder's job is to figure out where else they can go in the network, what other computers are available, who has the data that they want to steal. And they start to set themselves up so that if you start to remove them, they maintain persistence. They figure out a way to stay active in the network despite other people trying to kick them out. And that's what makes it very difficult to deal with these sorts of intrusions.
FISHERIf you'd like to join our conversation about hacking and the Chinese hackers that we've learned about in recent weeks, give us a call at 1-800-433-8850, or email us at firstname.lastname@example.org. Let us know if you think the U.S. should respond to reports of state-sponsored Chinese hacking and what the proper kind of response will be. We'll be back after a short break. Stay tuned.
FISHERWelcome back. I'm Marc Fisher, sitting in for Kojo Nnamdi. And we are talking about hacking -- Chinese hacking here on this Tech Tuesday with Richard Bejtlich, chief security officer of Mandiant Corporation, which is the company that has come forward with the report on how Chinese hackers have gotten into major American companies of all sorts, Michael Hicks, director of the University of Maryland's Cybersecurity Center. And joining us now is Nicole Perlroth, who is a reporter for The New York Times who did some of the initial reporting on this spate of hacking incidents.
FISHERAnd, Nicole Perlroth, you've written about hacking now that took place at The New York Times, at The Washington Post, The Wall Street Journal and a slew of other kinds of companies, and this apparently nothing new. This is something that has been going on for some years. Why are we just learning about it now?
MS. NICOLE PERLROTHThat's right. Well, the thing is there's -- Richard can tell you this, but there are now, we think, thousands of companies that have been attacked. And, you know, the favorite phrase among security folks these days are either -- there are two types of companies: companies that know they've been hacked and companies that don't know they've been hacked yet. The reason we don't hear about so many of these attacks is because companies are often extremely reticent to come forward.
MS. NICOLE PERLROTHSo in our case, we knew it was happening, and we made the decision to go public with it, partly for our own education but also because this was a unique opportunity to show just how easy these attacks are. As Richard was saying earlier, all it really takes is one employee at a company to click on a malicious link for attackers to get inside. I do think, in recent weeks, you've seen new companies step forward, which is pretty unusual. Facebook stepped forward and said it had been the victim of an attack, Twitter and then Apple, but these are really just sort of the tip of the iceberg.
FISHERRichard Bejtlich, what's your sense of why this is becoming public at this point? Was it something that your company wanted to bring out? Was there suddenly a shift in strategy among the companies that are affected by this? What the government involved in this decision?
BEJTLICHThere a bunch of different factors. I do find it interesting that the private software companies are coming forward right now. That's not something I had anticipated. I understand in The Times' case that letting the world know this had happened was a courageous decision, and that it could have a real effect. It's one of the odd situations we have here with the Chinese attacking us is from their point of view they tell everyone nothing is happening, that they're not responsible. Everyone is being attacked.
BEJTLICHWe have the government speaking -- the U.S. government speaking in terms of sort of vague Chinese hackers are doing this and that, so Mandiant decided to put a real unit associated with this activity. And it's not all the activity that's occurring. There's plenty of other hacker groups out there. There's other Chinese groups. But we had good attribution, good details on this particular group that we call APT1 or Unit 61398 of the PLA, and we decided let's let the world see what's going on with this particular group.
FISHERAnd before you went ahead with that, did you talk to the folks at the FBI or elsewhere in the government and get their perspective on that or permission, or was this your own effort as a company on your own?
BEJTLICHWell, certainly, our own effort. Everything we do is derived from our own consulting work for private organizations. What I will say is that we acted responsibly as far as releasing this report. We didn't just drop it out there and let the world deal with it.
FISHERAnd, Nicole Perlroth, The New York Times, obviously, led the way in the reporting on this and, in doing so, reported on some of its own problems as being a victim of this Chinese group. Was there any conflict within the company about whether to go public with what had happened to your own newspaper?
PERLROTHWell, just to be clear, the group that Richard was just referring to, 61398, was not the group that hit The New York Times. It was a different group that we believe were also -- a set of Chinese attackers. Internally, we -- there wasn't much question. We waited because we wanted to make sure that we had sealed up our systems before we came public with this. But it was almost clear from the beginning that we wanted to make this public.
PERLROTHLike I said, part of this was for our own education. You know, we're constantly -- we're reporters so we're constantly opening up emails from people we don't know and opening attachments in emails from people we don't know, and that's how the attackers managed to get in. So we wanted to do sort of a tick-tock and give people a clear idea of how this could happen.
PERLROTHBut also, you know, from my perspective, I've been on the cybersecurity beat a year now, and it's been extremely frustrating for me to on the one hand talk to government officials that tell me every day that there are thousands of these attacks happening.
PERLROTHAnd on the other end of things, going to companies and trying to get them to tell me their story has been incredibly frustrating because these companies are so scared what disclosure will do for their stock price or their reputations. They're worried that it will bring in the big scarlet letter on their company logo, so they're scared to come forward. And in this case, it was, like I said, just a very unique opportunity to tell the story and at the same time educate others, educate our own employees.
FISHERMichael Hicks, there's a report in The Washington Post a few days ago that said that essentially if you're at a law firm, a think-tank, a newspaper, any business or group with something of interest, you should assume you've been hacked. Is it really that pervasive?
HICKSIt certainly seems to be. I mean, just as Nicole was saying, a lot of -- and Richard was saying, a lot of companies have come forward recently, big companies that you would think, wow, they have big secrets. They're going to build walls and use all kinds of protection to protect them. And even those companies, even Google, even Apple have managed to get hacked.
HICKSAnd Richard would know. Mandiant is a company that goes in, cleans up, investigates and cleans up data breaches at many, many different companies. And many companies, it turns out have been hacked for quite a long time and don't know it until they see the tip of the iceberg. So sadly, it is a very pervasive situation.
FISHERLet's hear from Jeannie in Silver Spring. Jeannie, you're on the air.
JEANNIEHello. I'd like to know what you think about the idea that Chinese-made computers come with built-in spyware, makes them easy to hack.
HICKSI think that's certainly a possibility. Over time, as more and more of our manufacturing has moved overseas, there has been more of reliance on that manufacturing being both correct and also secure. So I know that DARPA, the Department of Defense's research wing, is very concerned about this. And they are looking at ways that we can depend less on foreign sources of hardware for very critical systems. But I think it's absolutely something that could happen, and we should worry about.
FISHERRichard Bejtlich, have you seen the evidence of that?
BEJTLICHActually, what I -- so Mike has excellent points around. The supply chain is one of the biggest issues confronting DOD and anyone else who cares about the quality of their equipment. But honestly, the biggest problem I see with Chinese-made equipment is the incredibly poor quality of the software. There's been some excellent research done by a German security engineer named FX who showed that the coding quality of Huawei Telecom equipment was basically 10 to 15 years out of date.
BEJTLICHYou don't need to rely on any backdoors to break into the stuff. It's just horribly coded. So I would stay away from that equipment just from that point of view. Never mind any sorts of allegations that they're tied to the PLA or anything like that.
FISHERAnd the idea that one bad actor can put a virus or a worm on our computer is something we've all been told by our cybersecurity folks, whoever we work for years now. But, Richard Bejtlich, these hackers you've been watching are live people, and you watch them work in real time, which seems like it's something very much different from these sort of automated phishing expeditions that we see. What do you see, and what's different about these sort of live intrusions from the sort of automated ones?
BEJTLICHTen years ago, we probably remember stories in the news about these worms that we're running through the Internet and causing trouble for everyone. And they really lodged in the consciousness of lots of people in IT and management and security, but this is completely different. These are not -- this is not mindless software that's running rampant on the network. These are human actors.
BEJTLICHIn other words, once they've established that foothold in your computer, someone logs into that computer, and you can't see it. It's not like it pops up on your screen, and you see that activity. They're working in the background. And the reason you can tell it's a human is that they make mistakes. They run into issues that they can't figure out.
BEJTLICHNow, the videos we posted online shows these people putting in the wrong country when they're trying to sign up for Gmail. Or in other cases, we have other videos we didn't release where it shows them stumbling around for an hour before they can get a command to work. So, on the one hand, we talk about them being very successful. They steal quite a bit of information.
BEJTLICHBut in other cases, some of them have extreme difficulty working through these problems. And that -- at the end of the day, that's what separates some of these different groups from each other. Some of the groups, like the one we released, APT1, they're not the A-team. As I noted in a Forbes interview, there are other teams out there that are fast, accurate, and they get exactly what they want in a minimum amount of time.
FISHERLet's go to Robert in Bethesda. Robert, you're on the air.
ROBERTHi. How are you? I'm finding this a very interesting conversation. More disturbing than it is interesting, however. A question that I -- the questions I have are manifold. I'll stick to two, maybe three very quick ones. One is how do you know if someone has corrupted your computer and is in your computer? That's number one. Number two is, is it possible to discover when someone's in your computer and to get them out?
ROBERTAnd, number three, do we have the same problem with cellphones? There's been tons of talk about how your phone can remotely -- your smartphone can remotely be turned to a listening device and into a camera that watches you through your camera, same as with your laptop, if you have a little camera at the top of your phone for Skyping.
ROBERTI'll take my answer off the air.
FISHERLet's have Mike Hicks.
HICKSSo certainly you can discover that someone is on your computer, but the person who is hacking into your computer is going to try to make that difficult. When ways in which software systems might be used, looking at the process table, looking at strange files that might have appeared on your computer, looking in the registry on your Windows machine to see if things have been changed around, trying to do that manually would be very difficult. There are software packages you can get that will take sort of a known good state of your computer.
HICKSAnd then alert you when that known good state has changed. I think that these packages are often unfortunately not used. And many times, they're not used because people find them frustrating to deal with, that they make it hard to install software that you want to install and these systems prevent it. Nevertheless, I think that if you had a so-called white listing system, a system that would only allow certain listed programs to run rather than blacklisting systems, which is the way currently anti-virus tends to work, it tries to find patterns of malice in programs that you might install...
FISHERSo it's always running behind. It's always...
FISHERIt's always running behind. That's exactly the problem. I think Nicole could confirm this. I believe for The New York Times case, of the 45 different variance of malware, only one of them was actually detected by an AV system and the other 44 evaded it. So the experience of NIST, of the Australian government that came out with a report recently is that white-listing approaches are far more effective at defeating malware and letting you know that it's on your machine compared to blacklisting systems. And they recommend that approach.
FISHERNicole Perlroth, the Chinese government has obviously denied pretty much everything connected with what we've been talking about this hour. But talk about the political dance that's now taking place between the United States and China over hacking. The United States government is not being sort of openly aggressive about confronting China with this. What is behind that reluctance?
PERLROTHIt is a very delicate diplomatic issue. I do think there's a lot going on behind the scenes that we touched on in our article. But I think you're right. They've been reluctant to come out and confront the Chinese government directly. However, you've sort of seen hints of this. You saw -- in Obama's State of the Union speech, you saw him linger on the issue of cybersecurity longer than he did on North Korea or Iran.
PERLROTHThe administration, I think, is still formulating their strategy on how to exactly address the issue with China, but it certainly has reached the tipping point where they know they need to address this. They know that if this doesn't stop, they're going to have to take proper action.
FISHERAnd their reluctance to be more overtly aggressive about it, you know, tit-for-tat kinds of policies is driven by what, the fear that China would dry up as a market or would take -- would take retaliatory action on the trade front?
PERLROTHWell, the U.S. and China have such a co-dependent relationship at this point, at least economically, that it definitely has to be handled with white gloves. I do think we are getting to the point where the amount of activity is getting so egregious and it's so aggressive that I think in coming months we'll see the U.S. take bolder action. I don't know what form that will take, but I do think that, according to the officials I've talked to, they are ready to start confronting this issue head on.
FISHERLet's hear from Bill in Arlington, Va. Bill, you're on the air.
BILLYeah. Hi. I'm an inventor. Not yet a millionaire at it, but I keep -- -- it's sort of -- I see it as writing my own lottery tickets. And when my first patent came out about 10 years ago, you know, the attorneys' names are published along with the patent (unintelligible) when it was published in the Official Gazette. And within a week -- AOL was popular back then -- someone pretended they were on his buddy list and broke into his computer and...
BILL...cloned those files -- yeah -- including all pending applications for me and all his other clients. So ever since then, I just kept a junkie old desktop around. And I bang out a wireless card, and I -- if it has a USB port, I put a proxy in there, and that's what I use. And then I connect it only to one rather old printer that I know doesn't have any fancy chips in there that could be repeating things or doing whatever. And that's what I use for all my, shall we say, sensitive business stuff. I just I can't -- I don't see any way I can compete with hackers and...
FISHERRichard Bejtlich, we've talked primarily about the Chinese efforts against large corporations and large institutions, but here in Bill's story, we have an example of an individual being targeted. How common is that, and how much of a danger is that to the average user?
BEJTLICHSo this is an important point. The Chinese -- or any nation-state hackers for that matter -- are not targeting the entire Western population. They are focusing their activities against the organizations that have the information that they need. You are much more likely, as an Internet user, to encounter some type of criminal activity -- organized crime, some type of a what's called a drive-by download -- when you visit a site that's been compromised.
BEJTLICHAnd in those cases, the criminal is trying to steal personally identifiable information such as your Social Security number or your log-on to your bank account, that sort of thing, and maybe commit some type of fraud. So I don't -- in other words, I don't -- I'm not worried about my parents and my family members around this sort of thing. If you -- I don't know how many of your listeners have had credit cards stolen, but I've had several over the years. And it's something that you handle through your bank, and you take care of it. And it's not that big a deal.
BEJTLICHIt's certainly worrying, but it's not something that I think everyone should panic about. The Chinese activity is not going to target an individual unless you are a dissident, you're associated with an NGO, or something like that. For the most part, they're limiting their activity to organizations that do business in China, have information that they're interested in. So I want to make sure that the audience doesn't get too worried that the Chinese are coming and they're all going to grab all your stuff. It really is more of a targeted attack.
FISHERRichard Bejtlich is chief security officer for Mandiant Corporation. He's joining us from studio in San Francisco, as is Nicole Perlroth, a reporter for The New York Times. And here in our studio in Washington, Michael Hicks, director of the University of Maryland's Cybersecurity Center. When we come back after a short break, more of your calls, and we'll talk about what you can do to protect against hackers. That's after this short break.
FISHERWelcome back. I'm Marc Fisher of The Washington Post, sitting in for Kojo Nnamdi, and we are talking about Chinese hackers with our guests: Michael Hicks, Richard Bejtlich and Nicole Perlroth. You can join our conversation at 1-800-433-8850. And, Mike Hicks from the University of Maryland, we have an email from Andrew, who asks about building a national firewall. "Aside from the censorship implications and concerns," he says, "what's preventing us from having a national firewall filtering traffic that originates in China, Russia and Iran?"
HICKSWell, first of all, I think it wouldn't work. That would be the biggest problem. Firewalls and these sorts of filtering technologies have been around for quite a while. They've gotten bigger and bigger. Today, your antivirus system, your so-called host-based intrusion detection system, is about 10 million lines of code, and it is now a source of vulnerabilities on its own.
HICKSSo I think a better approach to take is to look at how to build systems better, to reduce the attack service of the systems that we build by, like I said before, running only programs that we trust, that we know about, rather than by default allowing any program to run and hoping it's the right one. But I think, unfortunately, though the analogy is appealing, a gigantic wall is probably not going to cut it.
FISHERAnd, Richard Bejtlich, another email from a listener says, "I do not know who was behind a phishing scam I fell for this past week, but my question is, what should I do now to protect my computer and prevent intrusions?" This was a case where the listener was -- fell for a phishing scam that used the official UPS symbol and name. He opened the link, and the email asked him to re-register with UPS, which he quickly responded to with his email address and was downhill from there.
BEJTLICHWell, in situations like that, I would first change passwords. First of all, I would not use that computer. That computer, unless you get the help of a professional, I would consider it to not be trustworthy anymore. Next, I would move to a new computer and reset your passwords on any accounts that you have used with the previous computer.
BEJTLICHAnd then, third, I would keep a close watch on your bank accounts and your credit card statements and be alert to anyone making charges. That sort of scam that you talked about generally is targeted towards someone's credit cards or personally identifiable information. So if you pay attention from that perspective, you should be OK.
FISHERHere's Bobby in Arlington, Va. Bobby, you're on the air.
BOBBYHi. My question -- well, I guess I have a few questions. The first question was what do -- is the speculation that the Chinese want from all these attacks, whether it's on media outlets or, you know, you guys mentioned Facebook, Twitter? Are they attacking financial institutions? Or, in general, what's the sense we get that -- what are they trying to get at? That's the first question.
BOBBYAnd then a separate -- and the second question is I have a laptop, and I was thinking about buying a new laptop. If I want to store secure files on a laptop, is there a way to disengage a wireless card or anything like that where it couldn't be accessed by hackers?
FISHERNicole Perlroth, you want to take that first question about what do the Chinese really want?
PERLROTHSure. There was a -- there's a project called -- Chinese project called Project 863, and this was named after a letter that I believe was sent by three Chinese scientists in 1986 that said, we can no longer be dependent on Western technology. And as part of that, that letter set off a program within China, and because of that, they spent billions trying to build up their universities. And a lot of people think that sort of a lesser-known part of this project has also been using cyber espionage to steal intellectual property from Western organizations.
PERLROTHIn the story that we wrote, we traced some of the victims of this group that Mandiant identified as 61398, and we traced several talks to several victims. One was Coca-Cola. Another was Telvent, a Canadian company. The Coca-Cola case appeared as if -- it was around the time that Coca-Cola was trying to acquire a Chinese company.
PERLROTHIt would have been the largest foreign takeover of a Chinese company, and they were attacked in the middle of the -- those negotiations, and it appeared that the attackers were after their negotiation strategies and pricing information. In the Telvent case, this was a Canadian arm of a company that builds technology, software that meshes with older systems that are on things like oil pipelines and water projects and wind turbines so that IT staff, et cetera, can monitor those systems remotely without sending out a guy every time there's a problem at the pipeline.
PERLROTHAnd that attack was particularly scary when you look at it on its face. Why would the Chinese be infiltrating a company that had access to over half the oil pipelines in North America? What were they after? Are they -- were they looking for some -- to do some damage to some of these critical systems? I think, actually, in talking to sources, what was more likely is that the Chinese are extremely interested in clean technology and smart grid technology.
PERLROTHAnd they were after the intellectual property and the blueprints and the technologies used to remotely access these systems, not do any kind of damage. But, you know, in each case it's different. It's negotiation strategies in the Coca-Cola case. It's IP in the Taliban case. It changes, but the majority of attacks I would say are after intellectual property.
FISHERAnd, Mike Hicks, do you want to take Bobby's second question about his laptop?
HICKSI think that disengaging your wireless card might not be necessary. Most of the time attackers, as Richard was saying, they're not trying to remotely log in to your computers or attack your computer per se, rather they are going -- you're going to unwittingly do that for them by going to a site that's been infected or something like that. So you can certainly just shut off your wireless or just not browse the Internet on the machine that you store your files. One step that I take is to use an encrypted partition on my drive.
HICKSI have a Mac laptop. And you can make encrypted partitions, and you just give that a really big hard-to-guess password. And you don't leave it mounted most of the time so that if someone does manage to get access to your machine, they won't be able to look at those files because they'll be encrypted and the drive is not mounted.
FISHERAnd speaking of Macs, Mike Hicks, we have an email from Robin in Arlington saying, "Why can't I find any anti-malware packages that run on a Mac?"
HICKSWell, I think that Macs are targeted less often because at least the personal computers, the laptops, desktops and so on are very small portion of the overall market. And so when you're a malware writer, you tend to target the market that's going to give you the most bang for your buck. And so fortunately, for Mac users, it seems that Windows is the main target there. And, therefore, there is just less need to build these anti-malware systems.
FISHERRalph in the District, you're on the air. Ralph.
RALPHI haven't been working on computer science for a while, but I do have a master's degree in the field. I'll say this: I've, you know, I've worked on computers and I have my computer hacked.
RALPHAnd if I was a manager and I have an IT guy who gave -- who put source selection and sensitive information, corporate secrets or something like that that had access to the Internet, especially anything dealing with national security, you know, I would fire that man immediately because there is no way that I have seen that they've been able to put up a firewall or any kind of security software or anything that's able to block it.
RALPHMaybe you could drive home the point to the IT manager that if you think the systems were secure, then if we get hacked, you get immediately fired and you could lose all of your benefits. That would wake him up to the severity of the issue. I mean, it's just insane to put this kind of information and have an access to Internet. Thank you.
FISHERRichard Bejtlich, is Ralph right? Are American companies simply too cavalier about what they put on their systems?
BEJTLICHI think it's important to recognize that we should not blame the victim here. People are trying to get their jobs done. They're trying to develop innovative products and services. And then the focus of the activity -- or the focus of our anger should be directed at the intruders. So now there are practices that you can take, and you can adopt a culture that says, yes, we will be compromised.
BEJTLICHWhen we get compromised, we need to have a way to quickly detect what happened and to contain the intruder before he can steal our information. But to sort of blame the victim for this, I think, is a wrong approach.
FISHERAnd here's Michael in Alexandria. Michael, you're on the air.
MICHAELYes. I'm an attorney, and I just have a feedback on this, answering the question earlier, which is why the U.S. government has seemed relatively silent about the attacks from China. Having been an attorney for many years, I've attended many conferences where Department of Justice attorneys would come out and speak about the cases that they are investigating and so forth.
MICHAELAnd quite often, you know, they are violating and data mining other country's networks without any problem. They have done that quite regularly, from my understanding, so I think the U.S. not saying anything about it is because U.S. is doing the same thing around the globe, not only to China. But, of course, we don't condone China doing it to America, but that might answer some of it.
FISHERNicole Perlroth, any truth to that concept?
PERLROTHWell, certainly the U.S.'s hands are not clean. We have now attributed several sophisticated attacks in Iran to the U.S. and Israel. But in terms of data mining and particularly intellectual property theft, it's very -- what we would describe as a very asymmetrical war with China. In China, you know, technically when you think about it, the Chinese government or Chinese military decided to attack a company and steal their intellectual property, they could pass that along to China's state-owned enterprises.
PERLROTHIn the U.S., if you imagined a scenario where the NSA hacked into a Chinese company, which company in the U.S. would they pass that intellectual property off to? We live in a free-market company, and that's just not our M.O. So in terms of the intellectual property theft, this is something that the U.S. is really way behind China when you think about the amount of activity that China is doing and what they're doing with it. We would not do that.
PERLROTHBut in terms of things like cyber sabotage, certainly we believe the U.S. was behind Stuxnet, which was the attack that took out several centrifuges in an Iranian nuclear facility and was part of a larger program called Olympic Games the U.S. has been working on for some time.
FISHERLet's hear from Cheryl in the District. Cheryl, you're on the air.
CHERYLYes. Good afternoon. I've been listening to all of the comments and questions, and I would just like to know what international regulatory type of safeguards are being put in place to prevent this type of cyber espionage.
BEJTLICHThe problem with that approach is that when you talk about computer security or Internet security globally, the West considers it one of stopping the theft of information and preventing cyber crime. And the more repressive regimes around the world, led primarily by China and Russia, talk about control of information and suppression of the opposition.
BEJTLICHSo we saw this come together within the last few months at the WTU or the ITU, I should say, where the world are divided into two blocks. One block considered security to be a way to preserve Internet freedom, and the other block considered security to be a way to control their population. So I don't see a way to resolve that yet, and that's why we're not seeing any action at the global level.
FISHERMike Hicks, in this war over cybersecurity, it seems like the advantage always lies with the hacker rather than the person or business trying to defend themselves. Is there just something systemic about that that gives the hacker the advantage?
HICKSI think there probably is. As I was mentioning before, when you build a software system, it's very difficult to get all of the pieces of that system correct. We are all familiar with bugs, our programs crash, they don't quite do what we want them to do. And then over time, those bugs get fixed and the systems get better.
HICKSNow, if you're a regular user of a system and you notice that when you typed in this weird key sequence into this field, your program crashes, you'll stop doing that because you want your program to do something useful. However, if you're an adversary, you're going to try to find all the crazy code sequences you can possibly think of to type into that field in the hopes that you can manipulate that program into doing something that you wanted to do that it was not intended to do.
HICKSAnd so the testing process, the customer usage process of regular software systems tends to focus on usability, on features, on things that people who will buy product will want to have. And there is just -- it would cost a lot more resources to then spend more time to try to find all of the misfeatures that that software system might have and to tamp those down.
HICKSIf you look at industries like the aerospace industry or the power -- nuclear power plants and things like this, where they have to build very highly assured, has-to-work-no-matter-what kind of software, it cost a whole lot more. And so in this space we're talking about, it's very difficult to get systems exactly right.
FISHERWhich I guess means that they'll be a secure future for Richard Bejtlich, the chief security officer of Mandiant Corp. Thank you for joining us. Michael Hicks is director of the University of Maryland's Cybersecurity Center where he's a professor of computer science. And Nicole Perlroth is a reporter for New York Times, who broke some of the stories on Chinese hacking that we've been talking about through this hour. I'm Marc Fisher, sitting in for Kojo Nnamdi. Thanks so much for joining us.
Most Recent Shows
Kojo talks with author Briana Thomas about her book “Black Broadway In Washington D.C.,” and the District’s rich Black history.
Poet, essayist and editor Kevin Young is the second director of the Smithsonian's National Museum of African American History and Culture. He joins Kojo to talk about his vision for the museum and how it can help us make sense of this moment in history.
Ms. Woodruff joins us to talk about her successful career in broadcasting, how the field of journalism has changed over the decades and why she chose to make D.C. home.