USB is the latest favorite hacking tool


Users are being warned about a new security vulnerability related to USBs. New research reveals the USB standard boasts a security flaw that can give a hacker the ability to take over any device the USB is connected to.

The researchers were able to hack into USB devices, where they accessed the USB controller chip that allows the device to communicate with the computer. The researchers then were able to change the device’s firmware.

All USB devices, from a USB key to an external keyboard connected through a USB, can be hit and compromised, said researchers Karsten Nohl and Jakob Lell. The two said they will present their proof-of-findings at the Black Hat conference next week.

“These problems can’t be patched,” says Nohl. “We’re exploiting the very way that USB is designed.”

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s clean, [but] the cleaning process doesn’t even touch the files we’re talking about.”

Virus protection? It is not going to work here, even if your computer is fully protected against malware.

It is the latest privacy and security issue to hit the tech world, which has been rocked over the past 18 months by privacy and cybersecurity concerns. That applies especially after whistleblower Edward Snowden revealed a massive surveillance project by the National Security Agency against regular citizens.

The issue of cybersecurity has become a main point of interest for users, and Tech Times reported recently that the ability to defend against cyberattacks remains limited and more efforts need to be made to ensure users are safe from outside hackers.

A study published by the Ponemon Institute and Unisys revealed critical infrastructure industries across the planet have major security gaps.

Nearly 70 percent of the surveyed companies are also responsible for water, power and other critical functions, and all of them reported a breach in security at their companies that led to either a disruption in operations or loss of sensitive information in the last 12 months.

Russian Hackers Amass Over a Billion Internet Passwords

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.


“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

Mr. Holden, who is paid to consult on the security of corporate websites, decided to make details of the attack public this week to coincide with discussions at an industry conference and to let the many small sites he will not be able to contact know that they should look into the problem.

There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.

And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.

But the discovery by Hold Security dwarfs those incidents, and the size of the latest discovery has prompted security experts to call for improved identity protection on the web.

“Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at the research firm Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”

Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.

But selling more of the records on the black market would be lucrative.

While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.

Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time.

The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia.

“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.

Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as an SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

“Most of these sites are still vulnerable,” said Mr. Holden, emphasizing that the hackers continue to exploit the vulnerability and collect data.

Mr. Holden said his team had begun alerting victimized companies to the breaches, but had been unable to reach every website. He said his firm was also trying to come up with an online tool that would allow individuals to securely test for their information in the database.

The disclosure comes as hackers and security companies gathered in Las Vegas for the annual Black Hat security conference this week. The event, which began as a small hacker convention in 1997, now attracts thousands of security vendors peddling the latest and greatest in security technologies. At the conference, security firms often release research — to land new business, discuss with colleagues or simply for bragging rights.

U.S. Marshals to auction bitcoin seized in raid on Silk Road market

The U.S. government plans to auction about 30,000 bitcoin, the electronic currency, valued at about $17.4 million, on June 27 the U.S. Marshals Service said.

The bitcoin were seized during an FBI raid in October on the Internet marketplace Silk Road, known as a hub for transactions involving illegal drugs and criminal activities.

The bitcoin up for auction were contained in wallet files on the Silk Road servers and do not include the bitcoins contained on the computer hardware belonging to Silk Road owner Ross William Ulbricht, known online as “Dread Pirate Roberts.”

The virtual currency is transacted independent of central control and is not backed by any government or central bank.

The FBI arrested Ulbricht in October and charged him with one count each of narcotics trafficking conspiracy, computer hacking conspiracy and money laundering conspiracy.

The auction will take place on June 27 on the U.S. Marshals Service website over a 12-hour period and consists of nine blocks of 3,000 bitcoins and one block of 2,657 bitcoins.

The U.S. Marshals Service said it would notify the winning bidders by June 30.

FBI spokeswoman Kelly Langsmesser confirmed that about 144,342 additional seized bitcoins were transferred from the FBI e-wallet to the U.S. Marshals Service e-wallet. The seized bitcoins are part of the civil forfeiture and criminal action brought against Ulbricht and the assets of Silk Road, the U.S. Marshals Service said in a statement. These coins have not been put up for auction.

Bitcoin prices fell about 6.74 percent to $585.56 today, on the news, according to the digital currency exchange


The Most Useful Things You Can Do with ADB and Fastboot on Android


The Easiest Way to Install Android’s ADB and Fastboot Tools on Any OS

These commands are intended to give you an idea of what you can do with ADB and fastboot. They are not direct instructions and not all commands work on all devices. It’s perhaps better to think of this as a glossary. Due to the sheer number and variety of devices and implementations in the Android world, it’s impossible for us to provide step-by-step instructions for every single device. Be sure to research your specific phone or tablet before throwing commands at it.

Manage Your Device with ADB


ADB has a wide variety of functions for managing your device, moving content to and from your phone, installing apps, backing up and restoring your software, and more. You can use ADB while your phone is plugged in to a computer. You can also use ADB with your device wirelessly by following these instructions. You’ll need to briefly connect your device to your computer with a USB cable for this to work, but it should only take a few seconds to execute these commands and then you’re good to use ADB wirelessly if you so choose.

adb devices
Function: Check connection and get basic information about devices connected to the computer.

When using ADB, this is probably the first command you’ll run. It will return a list of all devices that you have connected to your computer. If it returns a device ID like the one seen above, you’re connected and ready to send commands.

adb reboot recovery
Function: Reboot your phone into recovery mode.

A lot of functions like flashing ROMs to your phone require you to boot into recovery mode. Normally, this requires you to hold down a particular set of buttons on your phone for a certain length of time, which is obnoxious. This command allows you to boot directly into recovery mode without performing the complex finger dance of your people.

adb reboot-bootloader
Function: Reboot your phone into bootloader mode.

Along the same lines as the previous command, this one allows you to boot directly to your phone’s bootloader. Once you’re in the bootloader, ADB won’t work anymore. That’s where fastboot comes in (which we’ll get to in a bit). However, much like the recovery command, it’s much easier to boot into your bootloader with a command on your computer than a complex series of buttons on your phone.

adb push [source] [destination]
Function: Copy files from your computer to your phone.

The push command allows you to copy files from your computer to your phone without touching your device. This is particularly handy for copying large files from your computer to your phone like movies or ROMs. In order to use this command, you’ll need to know the full file path for both your source and destination. If the file you want to copy is already in your tools folder (where ADB lives), you can simply enter the name of the file as the source.

adb pull [source] [destination]
Function: Copy files from your phone to your computer.

The yin to push’s yang, the pull command in ADB allows you to copy files from your phone to your computer. When pulling files, you can choose to leave out the destination parameter. In that case, the file will be copied to the folder on your computer where ADB itself lives. You can then move it to wherever you’d prefer like normal.

adb install [path/to/app.apk]
Function: Remotely install APKs on your phone.

You can use this command to install an app on your phone without touching it. While this isn’t a terribly impressive trick for an app that’s on the Play Store (where you can already remotely install, uninstall, and update apps), it’s quite handy if you need to sideload an app.

adb shell [command]
Function: Open or run commands in a terminal on the host Android device.

We love the terminal here at Lifehacker. There are so many great things you can do with it. Most of us don’t tend to bother with the terminal in Android because we don’t want to type long text-based commands on a tiny touchscreen. However, the adb shell command allows you to open up a full terminal on the host device. Alternatively, you can type “adb shell” followed by a valid terminal command to execute just that one command by itself.

adb backup
Function: Create a full backup of your phone and save to the computer.

Backing up your Android phone is already something you can and should be doing automatically. However, if you need to create a complete backup before hacking away at something particularly risky, you can create a full backup with a single command. You don’t even need root access (though this may mean that some protected data can’t be backed up).

adb restore [file]
Function: Restore a backup to your phone.

The corollary to the previous command, adb restore allows you to point to an existing backup file and restore it to your device. So, for example, type “adb restore C:\[restorefile].zip” and your phone will shortly be back to normal.

These commands are just some of the more useful ones you can use with ADB installed on your computer. You may not want to use it all the time for everyday tasks, but when you need them, you’ll be glad you have them.

Unlock and Modify Your Phone’s Firmware with Fastboot


As stated in our previous article, fastboot allows you to send commands to your phone while in the bootloader (the one place ADB doesn’t work). While you can’t do quite as many things here, the things you can do are awesome, including unlocking certain phones—like Nexuses and certain others—as well as flashing custom recoveries and even some ROMs. It should be noted, though, that not all phones support fastboot and if you have a locked bootloader, you’re probably out of luck here. That being said, here are some of the most useful tools in fastboot’s arsenal.

fastboot oem unlock
Function: Grant your phone root access.

When people go on about how “open” Nexus devices are, this is what they’re talking about. Most phones require a root exploit to gain superuser access and the ability to heavily modify your phone’s firmware. Nexus devices come with this ability built in (which is why this method isn’t always referred to as a “root” at all, though it does, technically, provide root user access).

This command will provide you with superuser access on your phone with just this one command. However, it will also completely wipe your phone. This means it’s a great command to run when you get a brand new phone, but if you’ve been using yours for a while, do a backup first.

fastboot devices
Function: Check connection and get basic information about devices connected to the computer.

This is essentially the same command as adb devices from earlier. However, it works in the bootloader, which ADB does not. Handy for ensuring that you have properly established a connection.
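Both `adb devices` and `fastboot devices` print one line per attached device, a serial followed by a tab and a state, and only a device in the right state (“device” for ADB, “fastboot” for fastboot) will accept the push, install and flash commands listed above. The script below is an added example, not code from the original article: it parses that output so a script can stop before sending commands to an offline or unauthorized device, or to the wrong one when several are plugged in. The serials and the sample output are constructed so it runs without adb or fastboot installed; the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not the article's own code): parse `adb devices` / `fastboot devices`
# output and only proceed when exactly one usable device is attached.
# Real use: serial=$(adb devices | single_ready device) && adb -s "$serial" push src dst

# Constructed stand-in for `adb devices` output. Serials are made up.
sample_adb_output() {
    printf 'List of devices attached\n'
    printf '0123456789ABCDEF\tdevice\n'        # authorized, ready for commands
    printf 'emulator-5554\toffline\n'          # attached but not responding
    printf 'FEDCBA9876543210\tunauthorized\n'  # USB-debugging prompt not accepted on the phone
}

# Constructed stand-in for `fastboot devices` output (no header line, state "fastboot").
sample_fastboot_output() {
    printf '0123456789ABCDEF\tfastboot\n'
}

# Print the serial of every device whose state equals $1 ("device" or "fastboot").
# Reads the tool's output on stdin; the header line has more than two fields and is skipped.
ready_serials() {
    awk -v want="$1" 'NF == 2 && $2 == want { print $1 }'
}

# Print attached-but-unusable devices as "serial: state" (offline, unauthorized, ...).
blocked_devices() {
    awk -v want="$1" 'NF == 2 && $2 != want { print $1 ": " $2 }'
}

# Succeed and echo the serial only when exactly one device is in the wanted state.
# Zero devices means nothing to talk to; two or more means adb would need -s to pick one.
single_ready() {
    serials=$(ready_serials "$1")
    count=$(printf '%s\n' "$serials" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        printf 'expected exactly one device in state "%s", found %s\n' "$1" "$count" >&2
        return 1
    fi
    printf '%s\n' "$serials"
}

# Demo against the constructed samples.
echo "adb ready:";      sample_adb_output | ready_serials device
echo "adb blocked:";    sample_adb_output | blocked_devices device
echo "fastboot ready:"; sample_fastboot_output | ready_serials fastboot
```

Pipe the real tool’s output in place of the sample functions; `blocked_devices` is the quickest way to see why a command is being refused (an “unauthorized” entry means the Allow USB debugging prompt on the phone has not been accepted yet).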

fastboot flash recovery [recovery.img]
Function: Flash a custom recovery image to your phone.

Flashing a custom recovery is an essential part of the ROM-swapper lifestyle. As with everything else in this list, you can install a custom recovery on your device without touching it by using this command.

adb sideload [file.zip]
Function: Push and flash custom ROMs and zips from your computer.

This command is a relative newcomer to the ADB field and is only supported by some custom recoveries. However, you can use this single command to flash a .zip that’s on your computer to your phone. Once again, this allows you to flash whole ROMs (or anything else you can flash with a .zip file) without touching your phone.

Microsoft Attacks ‘Army of Zombie Computers’

A major hacking operation involving a worldwide “army of zombie computers” hit a snag yesterday when the FBI, Europol, and Microsoft teamed up to shut it down. A months-long investigation by Microsoft found the ZeroAccess botnet infecting some 2 million computers with malware that generated bogus clicks on ads, netting criminals $2.7 million a month from online advertisers. Microsoft cut connections between infected machines in the US and European-based servers, while Europol seized servers tied to 18 IP addresses in Latvia, Germany, Switzerland, Luxembourg, and the Netherlands, the Wall Street Journal reports. “These aren’t just kids operating in their parent’s basement,” explains an advertising technology exec. “What we have here are organized crime groups in foreign countries targeting the ad world.” Microsoft’s Digital Crimes Unit spent months studying ZeroAccess in a Redmond, Washington, lab, learning that the botnet isn’t controlled by a dedicated server, but can respond to commands issued by any infected computer. But even after Microsoft’s move, which included filing a civil suit against eight “John Doe” defendants, ZeroAccess isn’t necessarily dead for good, notes PC World. Investigators didn’t expect to stop the botnet completely, and a previous attack by Symantec only disrupted the operation. “If we can’t put the bad guys in jail,” says a Microsoft investigator, “at least we can take away some of their money.”

Iran Spies Built Fake News Site to Trick US Targets


Iranian hackers savvy with social media created a fake news site and false Facebook credentials to spy on top-ranking officials in the US and elsewhere, the Wall Street Journal reports. Cybersecurity firm iSight Partners uncovered what it says is the most elaborate such scheme it has ever seen, reports Reuters. According to iSight’s report, hackers created 14 fake but credible-looking profiles on sites such as Facebook and LinkedIn of “defense contractors,” “government officials,” and “journalists,” the latter from a fictional news agency called (The website is still up, but iSight says it’s bogus.) Then the hackers set about befriending their targets, first by becoming online friends with some of the victim’s contacts. Once friends with the victim, they would, for example, send a video requiring a log-in and password. That personal information would go directly back to the hackers, who would use it to try to gather data elsewhere on economic sanctions, nuclear talks, the US-Israel relationship and more. The targets included a four-star Navy admiral, politicians, ambassadors, lobbyists, and senior government and military figures around the world, dating back to 2011. The security firm isn’t providing specifics on who got duped or what information might have leaked, but it is working with the FBI.

Hackers in China Attacked The Times for Last 4 Months

File photo of China's Premier Wen Jiabao standing in front of a Chinese national flag at the Great Hall of the People in Beijing

SAN FRANCISCO — For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.

After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

Security experts hired by The Times to detect and block the computer attacks gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached The Times’s network. They broke into the e-mail accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen’s relatives, and Jim Yardley, The Times’s South Asia bureau chief in India, who previously worked as bureau chief in Beijing.

“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of The Times.

The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.

The attackers first installed malware — malicious software — that enabled them to gain entry to any computer on The Times’s network. The malware was identified by computer security experts as a specific strain associated with computer attacks originating in China. More evidence of the source, experts said, is that the attacks started from the same university computers used by the Chinese military to attack United States military contractors in the past.

Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times’s newsroom. Experts found no evidence that the intruders used the passwords to seek information that was not related to the reporting on the Wen family.

No customer data was stolen from The Times, security experts said.

Asked about evidence that indicated the hacking originated in China, and possibly with the military, China’s Ministry of National Defense said, “Chinese laws prohibit any action including hacking that damages Internet security.” It added that “to accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless.”

The attacks appear to be part of a broader computer espionage campaign against American news media companies that have reported on Chinese leaders and corporations.

Last year, Bloomberg News was targeted by Chinese hackers, and some employees’ computers were infected, according to a person with knowledge of the company’s internal investigation, after Bloomberg published an article on June 29 about the wealth accumulated by relatives of Xi Jinping, China’s vice president at the time. Mr. Xi became general secretary of the Communist Party in November and is expected to become president in March. Ty Trippet, a spokesman for Bloomberg, confirmed that hackers had made attempts but said that “no computer systems or computers were compromised.”

Signs of a Campaign

The mounting number of attacks that have been traced back to China suggest that hackers there are behind a far-reaching spying campaign aimed at an expanding set of targets including corporations, government agencies, activist groups and media organizations inside the United States. The intelligence-gathering campaign, foreign policy experts and computer security researchers say, is as much about trying to control China’s public image, domestically and abroad, as it is about stealing trade secrets.

Security experts said that beginning in 2008, Chinese hackers began targeting Western journalists as part of an effort to identify and intimidate their sources and contacts, and to anticipate stories that might damage the reputations of Chinese leaders.

In a December intelligence report for clients, Mandiant said that over the course of several investigations it found evidence that Chinese hackers had stolen e-mails, contacts and files from more than 30 journalists and executives at Western news organizations, and had maintained a “short list” of journalists whose accounts they repeatedly attack.

While computer security experts say China is most active and persistent, it is not alone in using computer attacks for a variety of national purposes, including corporate espionage. The United States, Israel, Russia and Iran, among others, are suspected of developing and deploying cyberweapons.

The United States and Israel have never publicly acknowledged it, but evidence indicates they released a sophisticated computer worm starting around 2008 that attacked and later caused damage at Iran’s main nuclear enrichment plant. Iran is believed to have responded with computer attacks on targets in the United States, including American banks and foreign oil companies.

Russia is suspected of having used computer attacks during its war with Georgia in 2008.

The following account of the attack on The Times — which is based on interviews with Times executives, reporters and security experts — provides a glimpse into one such spy campaign.

After The Times learned of warnings from Chinese government officials that its investigation of the wealth of Mr. Wen’s relatives would “have consequences,” executives on Oct. 24 asked AT&T, which monitors The Times’s computer network, to watch for unusual activity.

On Oct. 25, the day the article was published online, AT&T informed The Times that it had noticed behavior that was consistent with other attacks believed to have been perpetrated by the Chinese military.

The Times notified and voluntarily briefed the Federal Bureau of Investigation on the attacks and then — not initially recognizing the extent of the infiltration of its computers — worked with AT&T to track the attackers even as it tried to eliminate them from its systems.

But on Nov. 7, when it became clear that attackers were still inside its systems despite efforts to expel them, The Times hired Mandiant, which specializes in responding to security breaches. Since learning of the attacks, The Times — first with AT&T and then with Mandiant — has monitored attackers as they have moved around its systems.

Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.

Investigators still do not know how hackers initially broke into The Times’s systems. They suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install “remote access tools” — or RATs. Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”

Lying in Wait

Once hackers get in, it can be hard to get them out. In the case of a 2011 breach at the United States Chamber of Commerce, for instance, the trade group worked closely with the F.B.I. to seal its systems, according to chamber employees. But months later, the chamber discovered that Internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China.

In part to prevent that from happening, The Times allowed hackers to spin a digital web for four months to identify every digital back door the hackers used. It then replaced every compromised computer and set up new defenses in hopes of keeping hackers out.

“Attackers target companies for a reason — even if you kick them out, they will try to get back in,” said Nick Bennett, the security consultant who has managed Mandiant’s investigation. “We wanted to make sure we had full grasp of the extent of their access so that the next time they try to come in, we can respond quickly.”

Based on a forensic analysis going back months, it appears the hackers broke into The Times computers on Sept. 13, when the reporting for the Wen articles was nearing completion. They set up at least three back doors into users’ machines that they used as a digital base camp. From there they snooped around The Times’s systems for at least two weeks before they identified the domain controller that contains user names and hashed, or scrambled, passwords for every Times employee.

While hashes make hackers’ break-ins more difficult, hashed passwords can easily be cracked using so-called rainbow tables — readily available databases of hash values for nearly every alphanumeric character combination, up to a certain length. Some hacker Web sites publish as many as 50 billion hash values.

Investigators found evidence that the attackers cracked the passwords and used them to gain access to a number of computers. They created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server.

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

A Symantec spokesman said that, as a matter of policy, the company does not comment on its customers.

The attackers were particularly active in the period after the Oct. 25 publication of The Times article about Mr. Wen’s relatives, especially on the evening of the Nov. 6 presidential election. That raised concerns among Times senior editors who had been informed of the attacks that the hackers might try to shut down the newspaper’s electronic or print publishing system. But the attackers’ movements suggested that the primary target remained Mr. Barboza’s e-mail correspondence.

“They could have wreaked havoc on our systems,” said Marc Frons, the Times’s chief information officer. “But that was not what they were after.”

What they appeared to be looking for were the names of people who might have provided information to Mr. Barboza.

Mr. Barboza’s research on the stories, as reported previously in The Times, was based on public records, including thousands of corporate documents through China’s State Administration for Industry and Commerce. Those documents — which are available to lawyers and consulting firms for a nominal fee — were used to trace the business interests of relatives of Mr. Wen.

A Tricky Search

Tracking the source of an attack to one group or country can be difficult because hackers usually try to cloak their identities and whereabouts.

To run their Times spying campaign, the attackers used a number of compromised computer systems registered to universities in North Carolina, Arizona, Wisconsin and New Mexico, as well as smaller companies and Internet service providers across the United States, according to Mandiant’s investigators.

The hackers also continually switched from one I.P. address to another; an I.P. address, for Internet protocol, is a unique number identifying each Internet-connected device from the billions around the globe, so that messages and other information sent by one device are correctly routed to the ones meant to get them.

Using university computers as proxies and switching I.P. addresses were simply efforts to hide the source of the attacks, which investigators say is China. The pattern that Mandiant’s experts detected closely matched the pattern of earlier attacks traced to China. After Google was attacked in 2010 and the Gmail accounts of Chinese human rights activists were opened, for example, investigators were able to trace the source to two educational institutions in China, including one with ties to the Chinese military.

Security experts say that by routing attacks through servers in other countries and outsourcing attacks to skilled hackers, the Chinese military maintains plausible deniability.

“If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security officer.

But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.

“When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” he said.

Mandiant has been tracking about 20 groups that are spying on organizations inside the United States and around the globe. Its investigators said that based on the evidence — the malware used, the command and control centers compromised and the hackers’ techniques — The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as “A.P.T. Number 12.”

A.P.T. stands for Advanced Persistent Threat, a term that computer security experts and government officials use to describe a targeted attack and that many say has become synonymous with attacks done by China. AT&T and the F.B.I. have been tracking the same group, which they have also traced to China, but they use their own internal designations.

Mandiant said the group had been “very active” and had broken into hundreds of other Western organizations, including several American military contractors.

To get rid of the hackers, The Times blocked the compromised outside computers, removed every back door into its network, changed every employee password and wrapped additional security around its systems.

For now, that appears to have worked, but investigators and Times executives say they anticipate more efforts by hackers.

“This is not the end of the story,” said Mr. Bejtlich of Mandiant. “Once they take a liking to a victim, they tend to come back. It’s not like a digital crime case where the intruders steal stuff and then they’re gone. This requires an internal vigilance model.”

Report: Nearly Half of American Adults Have Been Hacked

Up to 432 million. That’s the number of hacked accounts in the United States during the last 12 months. That translates to hackers getting their hands on the personal identifying information of 110 million Americans. And that translates to about half of U.S. adults falling victim to cybercrime.

These data points come from a survey CNN Money commissioned. Ponemon Institute researchers drew those conclusions based on public information about data breaches. Even so, the actual number may be greater because, CNN Money noted, not all companies are forthcoming with details about data security breaches. CNN Money pointed to AOL and eBay as examples of companies that don’t fully disclose breach stats.

Nevertheless, the Identity Theft Resource Center and CNNMoney’s internal review of corporate disclosures are offering what staff reporter Jose Pagliery calls mind-boggling numbers. Those numbers include massive data breaches from Target (70 million) and smaller data breaches from Adobe (33 million), Snapchat (4.6 million), Michaels (3 million) and Neiman Marcus (1.1 million). To Pagliery’s point, we don’t know how many of AOL’s 120 million or how many of eBay’s 148 million account holders were impacted in recent breaches.

Why Is This Happening?

“First, we’re increasingly moving our lives online. Shopping, banking and socializing are now chiefly digital endeavors for many people. Stores rely on the Internet to conduct and process all transactions. As a result, your data is everywhere: on your phone, laptop, work PC, Web site servers and countless retailers’ computer networks,” Pagliery said. “Second, hacks are getting more sophisticated. Offensive hacking weapons are numerous and cheap. And hackers have learned to quietly roam inside corporate networks for years before setting off any alarms.”

The article also pointed out end-of-life issues associated with Windows XP. Microsoft for months urged consumers to upgrade or risk a security breach, but many are still using the outdated operating system. The Heartbleed bug also made headlines for weeks. Heartbleed is going to go down in history as one of the worst bugs ever. It could give hackers access to user passwords and even trick people into using fake versions of popular Web sites.

Getting Back to Basics

We caught up with Jon Rudolph, a senior software engineer at security firm Core Security, to get his take on the report. He told us he’s seeing the effects of trading impermeable security for the convenience of paying bills from our phones in a cafe.

“Another part of this trend is the arrival of two big audiences,” Rudolph said. “On the one hand you have more users and accounts than ever — and on the other you have more hackers using better tools and taking advantage of human mistakes in security.”

Rudolph said the latter can happen when a user selects a weak password or uses it in several places. Security experts are constantly warning users how to create strong passwords and why they should not use the same passwords on multiple sites. The second reason, though, is not the end user’s fault: it is when the company itself is the target of an attack.

“As a result, users and security professionals need to focus not on limiting the risk of a compromise and making it easier for the company and the user to recover from,” he concluded. “By using two-factor authentication or a password manager, users can take action to limit risk in the event that one of their sites are compromised.”

Twitter fixes popular TweetDeck program after hack


Twitter plugged a security vulnerability in its popular TweetDeck application Wednesday, after disabling the system for over an hour earlier in the day to fix it.

People logged into the service during the breach got odd pop-up messages. Their systems also randomly re-tweeted messages containing potentially malicious computer code scripts.


When the site was taken down, TweetDeck tweeted, “We’ve temporarily taken TweetDeck services down to assess today’s earlier security issue. We’ll update when services are back up.”

A Twitter spokesman declined to comment.

The entire episode may have been inadvertently caused by a 19-year-old Austrian programmer. According to multiple sources, the young man, whose first name is Florian, realized that the entity “&hearts;” produces a “♥” symbol in HTML, the markup language used on the Web.

He told CNN that as he was experimenting, he found that the heart symbol created an opening in the site’s software. That in turn made it possible to inject computer program commands via tweets.

The young man alerted Twitter and posted his finding online. Others then used it to hijack the site before Twitter programmers could fix the problem.

Florian’s Twitter account was quickly deluged by journalists and angry Twitter users.

In response to interview requests, he replied “I don’t want any more publicity. Everyone is hating me, because I reported a major security-bug in TweetDeck. Enough said.”

It took Twitter programmers several hours to plug the hole. Earlier in the day, Twitter pushed out a code fix that was supposed to close the security hole. However it didn’t work.

At that point, the company tweeted out, “A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.”

Less than an hour later, the site was taken down. It went up again by mid-afternoon.

TweetDeck is a free download for desktop computers, iPhones, Google’s Android devices and the Google Chrome browser. The software allows users to organize their Twitter streams and offers a more user-friendly view of Twitter feeds.

“Tweetdeck appears to have jumped on this issue and patched it, but we’re still seeing it spread like wildfire through Twitter,” said Trey Ford, a security expert at Rapid7, a security firm based in Boston.

“This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we’re seeing is a “worm” that self-replicates by creating malicious tweets,” he said.
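The two passages above (the “&hearts;” decoding Florian found and Ford’s description of a tweet being rendered as code) as an added, modelled example in JavaScript; this is not TweetDeck’s code and the tweet text is constructed. The vulnerable render decodes entities and hands the result to the markup layer; the hardened render decodes to text and escapes it, so the ♥ still appears but no tag survives.

```javascript
// Added example (modelled, not TweetDeck's code): entity decoding followed by
// rendering the decoded text as markup, beside the hardened form.
const ENTITIES = { hearts: '\u2665', lt: '<', gt: '>', amp: '&', quot: '"' };

// Turn "&hearts;" (plus a few named and all numeric entities) into characters.
// This is the behaviour that makes a heart show up in a tweet.
function decodeEntities(text) {
  return text.replace(/&(#x?[0-9a-f]+|[a-z]+);/gi, (m, name) => {
    if (name[0] === '#') {
      const hex = name[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(name.slice(2), 16) : parseInt(name.slice(1), 10);
      return Number.isNaN(cp) ? m : String.fromCodePoint(cp);
    }
    const key = name.toLowerCase();
    return Object.prototype.hasOwnProperty.call(ENTITIES, key) ? ENTITIES[key] : m;
  });
}

// Escape the five characters that can start or end markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable (modelled): decoded tweet text goes straight into markup, the
// equivalent of element.innerHTML = decoded. "&lt;script&gt;" in a tweet
// decodes to "<script>", which the browser then executes while viewing it.
function renderTweetVulnerable(text) {
  return `<p class="tweet">${decodeEntities(text)}</p>`;
}

// Hardened: decode to *text*, then escape before it becomes markup. The heart
// character survives; any tag is displayed literally instead of executed.
function renderTweetSafe(text) {
  return `<p class="tweet">${escapeHtml(decodeEntities(text))}</p>`;
}

// Detection check over the emitted markup: anything tag-like inside the
// wrapper means tweet content leaked into the markup layer.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<p class="tweet">/, '').replace(/<\/p>$/, '');
  return /<[a-z!\/]/i.test(inner);
}
```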

It was originally reported that the vulnerability only affected the app’s desktop program and only when it was run on Google’s Chrome browser. However, users on other platforms, including Internet Explorer 9, are also reporting getting hacked.

According to the website Verge, users reported getting random pop-up windows containing messages such as “Yo!” or “Please close now TweetDeck [sic], it is not safe.”

Twitter bought TweetDeck in 2011 for about $40 million.

Released in 2008, it was the first third-party Twitter application to catch on with Twitter users.