Weekend Argus (Saturday Edition)

Chinese hackers put US on alert

E-mail-based security attacks worry experts

- MELISSA CHAN

STANFORD: The New York Times’s announcement in January that Chinese hackers had compromised its computers, stolen employee passwords and wormed around its network for four months made for a chilling read to those of us concerned about media safety and digital security. But the paper’s latest instalment, based on a report by computer security firm Mandiant, lays out even more spectacular and serious possibilities that China’s military has stolen information from companies “involved in the critical infrastructure of the United States – its electrical power grid, gas lines and waterworks”.

An alarmed American public may wonder whether it’s time to push the panic button, but in many respects, this is old news to those in the digital security industry. Chinese hackers have been tracked and traced before. Experts with a dismal view assume everything’s hacked, until proven otherwise.

“There’s a saying in the security industry,” says Eva Galperin of the Electronic Frontier Foundation, an internet advocacy group. “Everybody is ‘owned’ all the time. These attacks are constant.”

Mandiant’s report is the result of years spent tracking a Shanghai-based hacking team dubbed the “Comment Crew”, also known as APT1. The company’s investigators even managed to pinpoint the hackers’ work space: a Shanghai building owned by Unit 61398 of the People’s Liberation Army. Mandiant says it has observed about 140 attacks by Comment Crew since 2006.

While the corporate and governmental attacks described by Mandiant and the attacks against New York Times reporters are separate cases executed by different hacking groups, the digital trail leads back to the same location: China.

Galperin has the solution. “If organisations are concerned about security, and they want to know what the one thing is that they can do – they can teach their users not to click on these links or open these attachments,” she says.

The problem is, Chinese hackers are getting dangerously good at tricking users into clicking on what are known as “phishing e-mails” – messages with links or attachments that seem innocuous, but actually dump spyware on recipients’ computers. One of the secrets? Language skills. Over the course of my five years in China, hackers targeting foreign correspondents became more advanced, upgrading from early phishing attempts using haphazard “Chinglish” to more convincing and polished English.

Mandiant’s report observes the same developing sophistication: “They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China – before beginning the cycle again. They employ good English – with acceptable slang – in their socially engineered e-mails.”

Some phishing e-mails were bespoke. To my knowledge, I was the only recipient in August 2011 of an e-mail that took advantage of the CVE-2010-3333 vulnerability, a flaw in Microsoft Word’s codebase. The message, in Chinese, concerned a July 2011 high-speed rail crash in the city of Wenzhou, a story I had covered and complemented with prolific live-tweeting. The message discussed comments from press freedom organisation Reporters Without Borders concerning media access to the crash site. The hackers would have had to know I understood Chinese and would have put in some time to research recent stories I’d worked on. A few other journalists received custom phishing attempts during this period, each e-mail message different, but all taking advantage of the same exploit.

Mandiant’s report underscores how difficult it is these days to spot a hacker. “The subject line and the text in the e-mail body are usually relevant to the recipient. APT1 also creates webmail accounts using real people’s names – names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel – and uses these accounts to send the e-mails.”

The irony in this brave new world of the digital frontier is that we need to return to old technologies. If you want to check an attachment’s safety, pick up the phone and call the sender. Even writing back with e-mail might not work. Mandiant describes how in one instance, the hacker responded to a query by confirming the attachment (“It’s legit,” the e-mail read). E-mail back… and you may well start chatting with the very person who is trying to deceive you.

Keeping an eye out for suspicious file extensions no longer works, either. The primitive days of mysterious and suspicious .exe, .rar, and .zip attachments have been replaced by attachments with reassuring but false file formats. The hackers from Unit 61398 “even went to the trouble of turning the executable’s icon to an Adobe symbol to complete the ruse”, Mandiant notes.

Mandiant’s report, titled “APT1”, refers to “advanced persistent threats” – hacker groups of an institutional, well-resourced nature. Those who’ve followed APTs know they’re nothing new.

Even the most advanced technology companies have been hit. In this one month alone, Twitter, Facebook and Apple all announced their systems had been penetrated by hackers. Bloomberg’s latest report says they belong to an Eastern European criminal group. Chinese hackers, while not the sole culprits, pose a bigger geostrategic threat: the same group of hackers targeting a Fortune 500 company may well go after the State Department, or a lone activist, the next day.

That pattern will likely continue because of one compelling fact: it’s affordable. Frank Smyth is founder of Global Journalist Security, an organisation working to equip reporters with complete security training, including a digital component. “No one should be surprised, because it doesn’t take that much infrastructure. If you have a team of people in a room, you can create a lot of havoc,” he says. “That’s much cheaper than building a tank or a jet fighter.”

Chan is a John S Knight journalism fellow at Stanford University and an Al Jazeera correspondent.

TOKYO: Will augmented reality replace fitting rooms?

Augmented reality technology, which overlays digital images on to pictures of real objects or backgrounds, is becoming more widely used in product selection and advertising.

Along with the focus on the technology as a new avenue for sales promotion, market players such as cellphone companies offering augmented reality software hope the market will continue to expand.

Interior retailer Francfranc hopes to release a mobile device application that will let customers simulate furniture arrangements in their homes before purchase as early as next month. To use the app, a user takes a picture of a room with a smartphone or tablet and selects pieces of furniture to sample. An image of the furniture inside the room appears on screen.

Toshiba offers a similar app that allows customers to visualise what television sets and other large appliances will look like in their homes. The firm says the app has boosted sales of products not on display at retail stores.

Similar technology is also being used in clothing retail. Uniqlo, the casual clothing chain run by Fast Retailing, has outfitted its San Francisco outlet with two virtual fitting rooms. Customers have their pictures taken while standing in front of a large monitor. They then select clothing items on a tablet and an image of them wearing the clothes appears on the screen.

“We’re using the feel of video games to get people to try colours they’ve never worn before,” a Fast Retailing official said.

A-net, another clothing retailer, has installed systems at a store in Tokyo and one in Osaka that can adjust virtual clothes to body type and follow body movements.

Augmented reality applications are expanding as hi-tech smartphones become more common and data networks increase in speed. – Washington Post

Motorcyclists ride past ‘Unit 61398’, a secretive Chinese military unit, in the outskirts of Shanghai this week. The unit was believed to be behind a series of hacking attacks, a US computer security company said. PICTURE: REUTERS
