Java, not China, to blame for Twitter attacks
By Nicole Kobie
Posted on 5 Feb 2013 at 07:00
Forget China when it comes to the recent high-profile hacking attacks - focus on Java instead.
That's the message from security experts following a recent spate of hacks against US newspapers and Twitter.
Twitter didn't specifically say China was at fault for its security woes: it referenced the attack on the New York Times, for which the blame was pinned on Chinese hackers.
Based on the targets - journalists at the New York Times and Wall Street Journal who had been reporting on China - the source of the attacks seems clear, but little hard evidence has been revealed, said Jason Steer, EMEA product manager and architect at security firm FireEye.
It shouldn't make you feel paranoid, maybe it should make you feel more annoyed
"There’s a lot of elements that would certainly indicate that China would be one of the main potential perpetrators of it, but it’s very easy today for vendors to point the finger at China without any data to substantiate it," he told PC Pro. "If we put it into perspective, we see over 190 countries [launching] attacks... without having full data it’s really hard to say."
"There’s a lot of people going after China, but there’s a lot of other nation states equally guilty of playing at this level," he added. "The data speaks, and our data reveals that there’s a lot of other countries playing this game."
Asked who they are, he said: "Everyone... nation state attacks are on the rise, so everyone is after everyone, unfortunately."
Steer said it appears the newspaper attackers had different intentions than those who targeted Twitter, but said the hack was comparable to previous attacks on Gmail - which eventually led the company to pull out of China.
"It’s like the Aurora attacks against Gmail – I suspect Twitter is just the communications channel of choice in 2013," agreed Sean Sullivan, security advisor at F-Secure.
Sullivan suggested the attack against Twitter was targeting specific users, and other users simply got caught up as "collateral damage".
"In the case of Twitter, if they’re going after a few dozen accounts and managed to browse through 250,000, that’s not reassuring that those passwords were exposed," he said. "It shouldn't make you feel paranoid, maybe it should make you feel more annoyed. I guess that’s the world we’re living in."
Sullivan said there's a common theme between the attacks: the recently highlighted Java vulnerabilities. Not only did they feature in the New York Times and Twitter attacks, but Apple and Mozilla have blocked affected versions - and more significantly, the US Department of Homeland Security (DHS) has advised users to disable it.
- Is it worth upgrading a media centre to Windows 8?
- Flickr redesign: is it enough to tempt photographers back?
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?
- Ransomware that's better made than antivirus software