Inside the LA Times Cyber Disaster

January 9, 2019

Originally posted with links on Medium

Why the printing press stopped.

Operations and distribution are returning to normal for the Los Angeles Times after a recent cyber attack. Online editions were not affected. However, newspaper subscribers across multiple U.S. markets were left without physical copies for several days because The Los Angeles Times, along with other newspapers such as The Wall Street Journal, Chicago Tribune and The New York Times, outsources printing to the same printing facility located in California. The Los Angeles Times owns and operates this facility.


This is the latest in a string of high-profile cyber attacks that have disrupted companies and government agencies around the world.


The Hit


It seems it took a while for the Los Angeles Times to realize it was under attack. After a server malfunction was detected on Thursday night (December 27th), a chain of events cascaded to the point where, on Friday, there was a complete breakdown of the printing process. Was this a practice attack on a national supply chain or revenge on certain news outlets?


The Los Angeles Times initially reported that company officials suspected the attack originated from outside the United States. However, the paper did not provide any evidence of the infiltration method or alleged foreign ties. The FBI is now involved, so the company may be withholding some information from the public until a later phase in the investigation. Company officials are on record stating that customer data was never compromised.


The Chatter

There is lively speculation that ransomware infected back office systems. In 2018, ransomware resulted in global economic damages costing more than $8 billion. Ransomware is a practice where cyber criminals discover a vulnerability in a computer network, then infect the systems of the targeted company or user. Afterwards, a demand is issued to pay a ‘ransom’ in order to regain access to those computing resources or data files. Sources at the Los Angeles Times said the interface between content systems (digital files) and the system that controls the plate-making failed. This, of course, is a critical task in the workflow of printing newspapers. However, the same sources also claim there was no ransom demand made.


One thing is for certain: every successful attack requires a vulnerability and a delivery mode — machine or human. There is a history of insider attacks at the Los Angeles Times. In 2016, an employee was convicted for his role in a conspiracy to hack Los Angeles Times and Tribune Publishing (former owner of the Los Angeles Times) servers. The case was tried under the Computer Fraud and Abuse Act that dates back to 1984. The conviction resulted in one count of conspiracy to make changes to the newspaper’s website and damage its computer systems, plus one count of transmitting malicious code and one count of attempting to transmit malicious code. Security research firms have noticed growing activity from online black market dealers trying to recruit company employees to help steal data, commit fraud or plant malware directly onto the company’s network.


In some cases, insiders are driven by malicious intent — financial enrichment through the sale of sensitive data or retaliation for perceived mistreatment. There are also cases where 3rd party service providers or contract workers with network privileges have been responsible for the breach, again either through malice or by accident.

It should be noted that a vast majority of security breaches are created innocently by employees through accidental or inadvertent behavior, without any intention of harming the employer. In fact, 91% of cyber attacks begin with spear phishing emails, which are commonly used to infect organizations with ransomware. “Spear phishing” is the fraudulent practice of sending emails to induce a targeted employee to reveal confidential information. By replying to a request for information, the employee may give away key insights, or by clicking on an embedded web-link, the employee could activate malicious code. This is a stark reminder that the most fundamental threat is deeply human.


Lessons Learned

Whether the attack was from the inside or not, there were apparent flaws in the security framework at the Los Angeles Times that need to be more closely examined if other companies want to prevent similar disruptions. Let’s look at two areas where any company of any size can reduce considerable cyber risk.


Source Code Due Diligence


Buying or using software from a 3rd party carries a unique set of risks. Free and open source software (FOSS) is software developed by informal collaborative networks of programmers. Nearly every software vendor uses FOSS to reduce overhead and increase speed to market. FOSS components are often licensed free of charge, encouraging modifications and improvements.

A source code review will be able to determine if there are any 3rd party FOSS libraries or components that pose a:

  • Security Risk — Vulnerabilities that put data, functionality, users, and intellectual property at risk of exploitation from malicious activity.

  • Code Quality Risk — Outdated components, or components no longer supported by the FOSS community, that can expose your company to security breaches and application failures.

  • Compliance Risk — License-dependent software components that could represent a significant liability risk worthy of litigation.

Companies must identify red flags around source code ownership and vulnerability by evaluating the quality of the software product. There are a few ways to proceed: A) insist on a professional review of the source code, or B) look for the OpenChain™ Certification.
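As an added illustration (not part of the original article), the sketch below triages a component inventory into the three risk categories listed above. The component names, advisory ids, license policy and two-year staleness threshold are all constructed assumptions; a real review would take them from an actual dependency inventory and the company's own policy.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed policy values for this example; a real review sets its own.
REVIEW_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}  # SPDX ids sent to legal review
MAX_AGE_DAYS = 730                                    # no release in two years = stale
REVIEW_DATE = date(2019, 1, 9)                        # assumed date of the review

@dataclass
class Component:
    name: str
    version: str
    license: str              # SPDX identifier, or "" when none is declared
    last_release: date
    advisories: list = field(default_factory=list)

def triage(component, today):
    """Return the article's risk categories that apply to one component."""
    risks = []
    if component.advisories:                          # known vulnerabilities
        risks.append("security")
    if (today - component.last_release).days > MAX_AGE_DAYS:
        risks.append("code_quality")                  # outdated or unsupported
    if not component.license or component.license in REVIEW_LICENSES:
        risks.append("compliance")                    # undeclared or restrictive license
    return risks

def review(inventory, today):
    """Map each flagged component to its risks; clean components are omitted."""
    report = {}
    for c in inventory:
        risks = triage(c, today)
        if risks:
            report[f"{c.name}@{c.version}"] = risks
    return report

# Constructed inventory: hypothetical components, placeholder advisory ids.
INVENTORY = [
    Component("example-imaging", "2.1.0", "MIT", date(2018, 11, 2), ["ADVISORY-PLACEHOLDER-1"]),
    Component("example-xmlkit", "0.9.4", "Apache-2.0", date(2014, 3, 17)),
    Component("example-pdfgen", "5.0.1", "AGPL-3.0-only", date(2018, 12, 1)),
    Component("example-utils", "1.4.2", "", date(2013, 6, 30), ["ADVISORY-PLACEHOLDER-2"]),
    Component("example-http", "3.2.0", "BSD-3-Clause", date(2018, 10, 20)),
]

if __name__ == "__main__":
    for comp, risks in review(INVENTORY, REVIEW_DATE).items():
        print(f"{comp}: {', '.join(risks)}")
```

A component can land in more than one category, which is why the report keeps a list per component rather than a single label.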


Danger of 3rd Party Risk


It’s normal for businesses to rely on a growing number of 3rd party service providers and other vendors to support core business functions. It’s also common for 3rd party entities to have access to sensitive data or share computing systems. This degree of inter-connectivity presents an inherent risk that must be managed.

Organizations should take a risk-based approach to managing their 3rd parties. The process begins with a risk assessment. There are different types of risks that 3rd parties can pose to your organization including:

  • Compliance risk — Violations of laws, rules, or regulations.

  • Strategic risk — Adverse business decisions, or failure to fully implement business decisions.

  • Operational risk — Inadequate or failed internal processes.

  • Transactional risk — Issues with service or product delivery.

  • Reputational risk — Negative public opinion.

When you provide access to your 3rd parties, you may also be opening attack vectors for cyber criminals. This means you need to ensure that each 3rd party has adequate capabilities to protect your assets. Furthermore, 3rd parties must be able to maintain a service level of cyber resiliency if an attack should occur.

There are many options to help manage 3rd party risk, but it often comes down to cost. Who is going to pay for the assessment, the supplier or the vendor? Also, are all the assessments comparable? One option is Cyberfense. It’s completely free to use, saving businesses thousands of dollars per year. Suppliers and vendors are able to exchange relevant information in a secure manner that will help strengthen the business network and ensure industry compliance. In full disclosure, the author is associated with Cyberfense, but that does not detract from the fact that the product is very effective and very free.


Become Cyber Competitive


In any event, the risks that digital technologies bring us are real. Cyber risk is never just a matter for the IT team. An organisation’s culture of risk management needs a thorough understanding of the evolving risk landscape as well as practical tools and practices to address it.


We are at a crossroads. Cyber risk can either continue to be perceived as a negative, another set of costs and legislative demands, or business leaders can use good cyber risk management as a differentiator from their competitors, as a selling point to clients, and as a measure of reassurance to stakeholders. Decide now.
