Category Archives: hacking

FBI’s weak case against North Korea on Sony hacking gets weaker

Reuters reports: U.S. investigators believe that North Korea likely hired hackers from outside the country to help with last month’s massive cyberattack against Sony Pictures, an official close to the investigation said on Monday.

As North Korea lacks the capability to conduct some elements of the sophisticated campaign by itself, the official said, U.S. investigators are looking at the possibility that Pyongyang “contracted out” some of the cyber work. The official was not authorized to speak on the record about the investigation. [Continue reading…]

Facebooktwittermail

Cyber bomb threats and the hacking of geopolitics

The Soufan Group IntelBrief: The capability of nations and advanced criminal groups to engage in sophisticated cyber espionage and theft is nothing new; and the capability of these actors to impact components of critical infrastructure is also nothing new (the 2012 Saudi Aramco attack comes to mind). What is new is their willingness to actually launch attacks not for intelligence or commercial gain but to impact corporate or geopolitical decisions. Whether it’s having its data stolen or even held hostage via malicious encryption, or having its operations and personnel threatened with physical violence and damage, corporations and governments will find the Age of the Cyber Bomb Threat to be as costly and frustrating as the age of counterterrorism and counter-violent extremism.

Much as in terrorism, cyber conflict runs the spectrum of ideology and motivation. And as with terrorism, cyber conflict’s impact goes far beyond the point of attack. The ubiquity of the Internet means that anyone and everyone is a potential target—which is the point of all forms of terrorism. On December 21, 2014, unidentified attackers (assumed, rightly or wrongly, to be associated with North Korea) hacked into the non-operational computer systems of a functioning nuclear power plant in South Korea. The operator of the plant, Korea Hydro and Nuclear Power (KHNP), stated that at no time were plant operations at risk since those are on a closed and independent system, but that sensitive personnel and plant design data were stolen. In what will become the standard modus operandi for cyber bomb threats, the attackers threatened to destroy the plant if it wasn’t shut down. The threat of additional cyber attacks will be paired with threats of physical attacks.

While North Korea could very well be behind the nuclear reactor hack as well as the Sony hack, so could a range of other actors, given that the malware tools are available online to anyone with sufficient expertise and knowledge of where to look. It is the lack of true certainty that makes cyber attacks so difficult to respond to with counter-attacks. IP addresses are misleading and the tools and the capabilities are widespread enough that “the usual suspects” are now too large to count. With the stakes so high and the public and private players so poorly accounted for, the risks of attacks once thought unlikely will increase with cascading repercussions. [Continue reading…]

Facebooktwittermail

The Sony hack, fearless journalism and conflicts of interest

Given that The Intercept is a publication that trumpets its commitment to fearless journalism, you’d think they’d be all over the Sony hack story. National security threats, hacking, corporate power, cyberattacks — aren’t these more than enough ingredients for some hard-hitting investigative journalism?

Apparently not.

Instead we get Jana Winter (who before moving to The Intercept was a reporter at FoxNews.com for six years) recycling an old narrative about governmental negligence: “FBI warned Year Ago of impending Malware Attacks — But Didn’t Share Info with Sony.”

Nearly one year before Sony was hacked, the FBI warned that U.S. companies were facing potentially crippling data destruction malware attacks, and predicted that such a hack could cause irreparable harm to a firm’s reputation, or even spell the end of the company entirely. The FBI also detailed specific guidance for U.S. companies to follow to prepare and plan for such an attack.

But the FBI never sent Sony the report.

The Dec. 13, 2013 FBI Intelligence Assessment, “Potential Impacts of a Data-Destruction Malware Attack on a U.S. Critical Infrastructure Company’s Network,” warned that companies “must become prepared for the increasing possibility they could become victim to a data destruction cyber attack.”

How could Sony have been adequately prepared to meet this threat if the FBI had neglected to send them their report?!

Urrr… maybe Sony’s global chief information security officer Philip Reitinger knew something about the risks of a data destruction cyber attack. After all, directly before moving to Sony in 2011, Reitinger had been Deputy Under Secretary of the National Protection and Programs Directorate (NPPD) and Director of the National Cyber Security Center (NCSC) at the United States Department of Homeland Security. It seems likely that one way or another, Reitinger saw the FBI report.

Winter closes her “report” by quoting a source within the “information security industry” who said: “The question is, who dropped the ball?”

The Intercept in its headline and paragraph two doesn’t hesitate to answer that “question”: The FBI.

This is really a bizarrely irrelevant narrative to be spinning, given that there has already been so much reporting on Sony’s own negligence in handling cyber-security.

Winter makes the dubious assertion that in the eyes of the U.S. government, Sony is part of this nation’s “critical infrastructure” — the implication apparently being that the FBI is responsible for safeguarding the company’s cyber-security standards.

For The Intercept to want to portray the Sony story as a story about the failings of the U.S. government, is perhaps to be expected, given the ideological straightjacket inside which the publication remains trapped.

But maybe I’m just being cynical in thinking that there might be another explanation: that Glenn Greenwald hasn’t abandoned all hope Sony will produce his Snowden movie — even though a leaked November 14 email from Sony executive Doug Belgrad wrote that the Greenwald project “is unlikely to happen” — and so doesn’t want to embarrass his commercial partner.

Even if the Snowden movie has no bearing here, there is a deeper philosophical problem that the Sony hack story presents to The Intercept and everyone with a visceral fear of government.

American companies, fully aware of the government’s data collection capabilities want to see a more proactive partnership between the public and private sectors to improve information security and thwart cyberattacks. At the same time, libertarians and much of the public at large want to see these capabilities reined in, and businesses themselves don’t want to be burdened by overregulation.

Much as free-market economics promotes a myth of a self-balancing system that functions most efficiently by suffering the least governmental interference, the information economy sustains similar myths about its ability to self-organize.

But on the cyber frontier, threats from the likes of North Korea are probably smaller than those posed by agents whose identities remain forever concealed and whose motives may be as difficult to discern.

This year, hackers caused “massive damage” to a steel factory in Germany by gaining access to control systems that would have generally been expected to be physically separated from the internet, yet the emerging Internet of Things in which as many as 30 billion devices are expected to be connected by the end of the decade, suggests that physically destructive cyberattacks are destined to become much more commonplace.

The politics of information security right now favors an approach in which everyone is expected to maintain their own systems of fortification and yet the protection of collective interests may demand that we live in a world where there is much greater data transparency.

As things stand right now on the information highways, none of the vehicles are licensed, no one has insurance, most of the drivers are robots, and most of the robots are employed by crooks.

Facebooktwittermail

Was the FBI wrong on North Korea?

CBS News reports: Cybersecurity experts are questioning the FBI’s claim that North Korea is responsible for the hack that crippled Sony Pictures. Kurt Stammberger, a senior vice president with cybersecurity firm Norse, told CBS News his company has data that doubts some of the FBI’s findings.

While Norse is not involved in the Sony case, it has done its own investigation.

“We are very confident that this was not an attack master-minded by North Korea and that insiders were key to the implementation of one of the most devastating attacks in history,” said Stammberger.

He says Norse data is pointing towards a woman who calls herself “Lena” and claims to be connected with the so-called “Guardians of Peace” hacking group. Norse believes it’s identified this woman as someone who worked at Sony in Los Angeles for ten years until leaving the company this past May. [Continue reading…]

The New York Times adds: A number of private security researchers are increasingly voicing doubts that the hack of Sony’s computer systems was the work of North Korea.

President Obama and the F.B.I. last week accused North Korea of targeting Sony and pledged a “proportional response” just hours before North Korea’s Internet went dark without explanation. But security researchers remain skeptical, with some even likening the government’s claims to those of the Bush administration in the build-up to the Iraq war.

Fueling their suspicions is the fact that the government based its findings, in large part, on evidence that it will not release, citing the “need to protect sensitive sources and methods.” The government has never publicly acknowledged doing so, but the National Security Agency has begun a major effort to penetrate North Korean computer networks.

Because attributing the source of a cyberattack is so difficult, the government has been reluctant to do so except in the rarest of circumstances. So the decision to have President Obama charge that North Korea was behind the Sony hack suggested there is some form of classified evidence that is more conclusive than the indicators that the F.B.I. made public on Friday. “It’s not a move we made lightly,” one senior administration official said after Mr. Obama spoke.

Still, security researchers say they need more proof. “Essentially, we are being left in a position where we are expected to just take agency promises at face value,” Marc Rogers, a security researcher at CloudFlare, the mobile security company, wrote in a post Wednesday. “In the current climate, that is a big ask.”

Mr. Rogers, who doubles as the director of security operations for DefCon, an annual hacker convention, and others like Bruce Schneier, a prominent cryptographer and blogger, have been mining the meager evidence that has been publicly circulated, and argue that it is hardly conclusive. [Continue reading…]

Facebooktwittermail

No, North Korea didn’t hack Sony

Marc Rogers writes: All the evidence leads me to believe that the great Sony Pictures hack of 2014 is far more likely to be the work of one disgruntled employee facing a pink slip.

I may be biased, but, as the director of security operations for DEF CON, the world’s largest hacker conference, and the principal security researcher for the world’s leading mobile security company, Cloudflare, I think I am worth hearing out.

The FBI was very clear in its press release about who it believed was responsible for the attack: “The FBI now has enough information to conclude that the North Korean government is responsible for these actions,” they said in their December 19 statement, before adding, “the need to protect sensitive sources and methods precludes us from sharing all of this information”.

With that disclaimer in mind, let’s look at the evidence that the FBI are able to tell us about. [Continue reading…]

Facebooktwittermail

U.S. puts new focus on fortifying cyber defenses

The Wall Street Journal reports: The Obama administration is increasingly concerned about a wave of digital extortion copycats in the aftermath of the cyberattack on Sony Pictures Entertainment, as the government and companies try to navigate unfamiliar territory to fortify defenses against further breaches.

About 300 theaters on Thursday screened the movie that apparently triggered the hacking attack, a comedy about the assassination of North Korean leader Kim Jong Un, after Sony reversed its initial decision to acquiesce to hacker demands that the film be shelved.

Still, the threat to Sony — allegedly by North Korea—marked “a real crossing of a threshold” in cybersecurity, given its unusually destructive and coercive nature, said Michael Daniel, the cybersecurity coordinator for the White House National Security Council.

“It really is a new thing we’re seeing here in the United States,” Mr. Daniel said. “You could see more of this kind of activity as countries like North Korea and other malicious actors see it in their interest to try and use that cyber tool.” [Continue reading…]

Countries like North Korea is arguably a category of one. “Other malicious actors” is the group to be more concerned about — a category in which governments may still be in the minority. It’s a group that includes disgruntled employees, hackers, hactivists, criminal organizations, and corporate competitors.

Facebooktwittermail

Is Sony’s crackdown a bigger threat to western free speech than North Korea?

Trevor Timm writes: After a pre-Christmas week full of massive backlash for caving to a vague and unsubstantiated threat by hackers supposedly from North Korea, Sony has reversed course and decided it will allow The Interview to be shown after all – thus all but ending what Senator John McCain absurdly called “the greatest blow to free speech that I’ve seen in my lifetime probably”.

Don’t get me wrong: it’s unequivocally good news that North Korea (or whoever hacked Sony) won’t succeed in invoking a ludicrous heckler’s veto over a satirical movie starring Seth Rogen, but there are far greater threats to our freedom of speech here in the United States. For example, Sony itself.

Lost in the will-they-or-won’t-they controversy over Sony’s potential release of The Interview has been the outright viciousness that Sony has unleashed on some of the biggest social-media sites and news outlets in the world. For the past two weeks, the studio has been trying to bully these publishing platforms into stopping the release of newsworthy stories or outright censoring already-public information contained in the hacked emails, despite a clear First Amendment right to the contrary.

On top of Sony’s worrying and legally dubious threats, the most explosive and under-read story inside the hacked trove involves Sony and its close allies at the Motion Picture Association of America (MPAA) attempting to censor the internet on a much larger scale, by reviving a re-tooled version of a highly controversial bill known as Sopa that was scuttled back in 2011 because of widespread fears that it would destroy online free speech as we know it. [Continue reading…]

Facebooktwittermail

Putting North Korea’s ‘widespread’ internet outage in perspective

If a tree falls in a forest and no one is around to hear it, does it make a sound?

When four networks go down in a country where hardly anyone has internet access, does it make any sense to say that North Korea had an internet outage?

Every single day there are outages on a much larger scale all over the world and apart from for the technicians whose task it is to fix them, they largely go unnoticed.

Two weeks ago there was an outage of 148 networks in the U.S. It didn’t merit media coverage — just a tweet.

A 9 hour 31 minute outage that prompted headlines suggesting the U.S. government might have launched a cyberattack in response to the Sony hack, drew this more measured observation from Mashable:

While nobody knows who blocked access for the four networks and 1,024 IP addresses in the country, the consensus is clear: it wouldn’t have taken much. The attack appears to have been a relatively simple distributed denial of service, or DDoS — the kind of thing just about any experienced hacker could launch.

Meanwhile, North Korea, never known to exercise restraint when it comes to launching fusillades of wild rhetoric, on Sunday threatened to destroy America, which is to say, they are ready to “blow up” every city in this country. The Policy Department of the National Defence Commission of the DPRK said:

The army and people of the DPRK who aspire after justice and truth and value conscience have hundreds of millions of supporters and sympathizers, known or unknown, who have turned out in the sacred war against terrorism and the U.S. imperialists, the chieftain of aggression, to accomplish the just cause.

Obama personally declared in public the “symmetric counteraction”, a disgraceful behavior.

There is no need to guess what kind of thing the “symmetric counteraction” is like but the army and people of the DPRK will never be browbeaten by such a thing.

The DPRK has already launched the toughest counteraction. Nothing is more serious miscalculation than guessing that just a single movie production company is the target of this counteraction. Our target is all the citadels of the U.S. imperialists who earned the bitterest grudge of all Koreans.

The army and people of the DPRK are fully ready to stand in confrontation with the U.S. in all war spaces including cyber warfare space to blow up those citadels.

Funny how a nuclear-armed government can threaten to destroy this country and no one takes it seriously and yet when unknown hackers ominously evoke memories of 9/11, Sony executives panic.

Facebooktwittermail

Tor network possible target of raids by law enforcement authorities

CSO Online reports: The Tor Project said on Friday that the online anonymity network may go dark in coming days due to an attempt to incapacitate it.

The project’s leader Roger Dingledine aka “arma” drew attention to the possible outage on the project’s blog, flagging a tip-off that its directory authority servers — a handful of servers that form a consensus on which relays that Tor clients should use — may be the target of an upcoming “seizure”.

“The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities,” Dingledine warned.

The wording of the alert suggests that the attacker is law enforcement rather than hackers. Should an attacker gain control of a majority of those servers, they would be able to vote in a fake Tor network.

As the project explains in its FAQ: “The directory authorities provide a signed list of all the known relays, and in that list are a set of certificates from each relay (self-signed by their identity key) specifying their keys, locations, exit policies, and so on. So unless the adversary can control a majority of the directory authorities (as of 2012 there are 8 directory authorities), he can’t trick the Tor client into using other Tor relays.”

A thread on Hacker News notes there are actually now nine directory authorities located across Europe and the US, so the attackers would need to gain control of five in order point Tor users to a phoney Tor network.

“We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use,” Dingledine noted.

It’s not clear what the motivation is for the possible seizure, nor which authority may be behind it. However, there is speculation it may be related to the Sony Pictures investigation due to the hackers having used Tor in the attack. [Continue reading…]

The Register today reports: As foreshadowed last week, Tor network exit nodes have gone down after what appear to be raids by law enforcement authorities.

Thomas White (@CthulhuSec) warned users to steer clear of his Tor servers after he lost control following what he’s called “unusual activity” that meant “I have now lost control of all servers under the ISP and my account has been suspended,” White wrote in an update on the Tor mailing list.

“Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken.

“From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.”

White said users should treat the servers as hostile until control was regained signified by a PGP signed message from himself.

He also urged them not to jump to conclusions about the identity of any possible agency nor harbour concern for the integrity of the Tor network.

Facebooktwittermail

Did North Korea really attack Sony?

Bruce Schneier writes: I am deeply skeptical of the FBI’s announcement on Friday that North Korea was behind last month’s Sony hack. The agency’s evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the U.S. government would make the accusation this formally if officials didn’t believe it.

Clues in the hackers’ attack code seem to point in all directions at once. The FBI points to reused code from previous attacks associated with North Korea, as well as similarities in the networks used to launch the attacks. Korean language in the code also suggests a Korean origin, though not necessarily a North Korean one since North Koreans use a unique dialect. However you read it, this sort of evidence is circumstantial at best. It’s easy to fake, and it’s even easier to interpret it wrong. In general, it’s a situation that rapidly devolves into storytelling, where analysts pick bits and pieces of the “evidence” to suit the narrative they already have worked out in their heads.

In reality, there are several possibilities to consider: [Continue reading…]

Facebooktwittermail

Why there’s still reason to doubt North Korea was behind the Sony attack

Why would the FBI say it has “enough information to conclude that the North Korean government is responsible for these actions,” if that’s not really true?

Firstly, the FBI and the U.S. government as a whole is always reluctant to present itself as ignorant. Presenting itself as having privileged access to secret information is something every government does in order to bolster its image of power. The FBI can’t tell us exactly how it knows what it claims to know because “the need to protect sensitive sources and methods precludes us from sharing all of this information” — trust us; we know; we’re the FBI.

Secondly, the only way that North Korea can convincingly refute the accusation is to identify the real culprits — and they have no means of doing that.

Given the appalling reputation of the leaders of the hermit kingdom, there is a prevailing assumption of guilt even in the absence of compelling evidence, which makes the FBI’s accusation an easy sell.

Sean Gallagher recently wrote: “Based on the amount of data stolen, and the nature of the malware itself, it’s likely the attackers had physical access to the network and that the attack may have been ongoing for months…”

Are we to imagine that North Korea not only instigated the attack but was also able to recruit inside collaboration?

I can see this as central to the plot that numerous Hollywood screenwriters must currently be working on for a blockbuster thriller about how an evil dictator tries to destroy Hollywood, but I can’t really see it in real life.

Michael Hiltzik writes:

The North Korea/”Interview” narrative is comforting in several ways. It feeds into the tendency to attribute almost God-like capabilities to an adversary, especially a secretive one; that’s very much a scenario favored by Hollywood. (Think of the all-time definitive James Bond movie line, from “Dr. No”: “World domination–same old dream.”) And it helps Sony executives deflect blame — how could anyone expect them to defend against an attack by such a sinister, all-powerful enemy? You can expect to see more coverage, like this piece from CNN, about North Korea’s shadowy “Bureau 121,” purportedly its Cyberattack Central.

There are great dangers in mistaken attribution — it shifts attention from the real perpetrators, for one thing. A counterattack against North Korea could needlessly provoke the regime, wrecking the few diplomatic initiatives taking place.

Here’s a rundown of the counter-narrative.

–“Whitehat” hacker and security expert Marc W. Rogers argues that the pattern of the attack implies that the attackers “had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time … Occam’s razor suggests the simpler explanation of an insider,” perhaps one out for workplace revenge. (N.B. “Occam’s razor” is the principle that the simplest explanation for something is often the best.)

–The assertion that the attack was uniquely sophisticated, which is an element of the accusation against North Korea, is both untrue and incompatible with the North Korea narrative. It presupposes that a nation-state without a native computer infrastructure could launch an unprecedented assault. More to the point, very similar hacking technology has been used in earlier hacks in Saudi Arabia and elsewhere. The consulting firm Risk Based Security has a discussion of these and other aspects of the Sony affair.

It’s worth noting that Risk Based Security’s team isn’t entirely convinced by the FBI statement. In an update to their commentary Friday, they observed that the agency has “not released any evidence to back these claims.” They add: “While the FBI certainly has many skilled investigators, they are not infallible. Remember, this agency represents the same government that firmly stated that Iraq had weapons of mass destruction, leading the U.S. into a more than ten year conflict, which was later disproven.

Finally, Caroline Baylon from Chatham House, in an interview with ITN, laid out the reasons why the North Korean government was probably not behind the hack:

Facebooktwittermail

Feds release new details about malware targeting Sony

Ars Technica reports: The highly destructive malware believed to have hit the networks of Sony Pictures Entertainment contained a cocktail of malicious components designed to wreak havoc on infected networks, according to new technical details released by federal officials who work with private sector security professionals.

An advisory published Friday by the US Computer Emergency Readiness Team said the central malware component was a worm that propagated through the Server Message Block protocol running on Microsoft Windows networks. The worm contained brute-force cracking capabilities designed to infect password-protected storage systems. It acted as a “dropper” that then unleashed five components. The advisory, which also provided “indicators of compromise” that can help other companies detect similar attacks, didn’t mention Sony by name. Instead, it said only that the potent malware cocktail had targeted a “major entertainment company.” The FBI and White House have pinned the attack directly on North Korea, but so far have provided little proof. [Continue reading…]

Facebooktwittermail

FBI offers circumstantial evidence that North Korea is responsible for Sony hack

FBI statement: As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

The emphasis above is mine.

It’s reasonable to assume that the hackers don’t want to get caught and thrown in jail. It’s also reasonable to assume that they would want to evade detection by disguising themselves as North Korean. An abundance of clues that this attack emanated from North Korean sources may just as likely indicate that it came from somewhere else.

Moreover, given that the U.S. government takes a firm position on refusing to pay ransoms for the release of hostages, why would they not have strongly advised Sony to refuse to capitulate in the face of implausible threats?

President Obama now says that Sony “made a mistake” by pulling the release of the film.

Hmmm… Maybe Sony will now reconsider its decision — they can pitch the release of The Interview as an appropriate form of retaliation and also take advantage of the most massive run of free publicity a movie has ever had.

Sony executives may honestly believe that this film is “desperately unfunny,” but at the end of the day, this isn’t about free speech — it’s about making money.

Facebooktwittermail

Lessons from the Sony hack

Peter W. Singer and Allan Friedman write: The hack of Sony has often been lumped in with stories ranging from run of the mill online credit card theft to the Target, Home Depot and JP Morgan breaches to the time that Iranian-linked hackers allegedly “erased data on three-quarters of Aramco’s corporate PCs.” In fact, most of these crimes have little more in common than the fact that they were committed using computers. It’s a lot like lumping together every incident in New York that involves a gun, whether it’s a bank robbery, a murder or a football player accidentally shooting himself.

What made the Sony hack distinct is that it mixed an evidently organized effort, using advanced tools (what is known as an “advanced persistent threat”) that some have linked to the North Korean state, but with the goal of maximizing attention and embarrassment for the target. That is, they weren’t a few hackers phishing after any target, nor were they trying to keep quiet, so that they could continue to secretly exfiltrate data. Rather, they appear to have wanted to cause havoc — and make sure everyone knew.

Differentiating between these kinds of threats is critical, because different risks require different types of responses. The claims some have made that the Sony hack is an act of “cyberterrorism” are a case in point. The FBI definition of cyberterrorism requires “an act that results in violence,” which stealing scripts about James Bond carrying out acts of violence wouldn’t meet. This also applies to the recent threats by the hackers to create 9/11 style events at any movie theater that shows the film. Rapidly becoming an illustration on how not to handle online threats, virtually all the major U.S. theater companies have now said they won’t show the movie. Yet the ability to steal gossipy celebrity emails is clearly not the same as having the capacity to undertake physical attacks at thousands of movie theaters across the country. So, at least based on their actions so far, the “bitter fate” the hackers promised moviegoers is most likely to be the price they pay for popcorn. [Continue reading…]

Facebooktwittermail

Hackers tell Sony ‘The Interview may release now’ — with edits

Ars Technica reports: In a message sent to company executives, someone claiming to represent the hacker group calling itself the Guardians of Peace has given Sony Pictures Entertainment the go-ahead to release the film The Interview — with some minor caveats. First of all, they want any death scene for Kim Jong-un dropped from the film.

“This is GOP. You have suffered through enough threats,” the message, which was also posted to Pastebin, read. “The interview may release now. But be careful. September 11 may happen again if you don’t comply with the rules: Rule #1: no death scene of Kim Jong Un being too happy; Rule #2: do not test us again ; Rule #3: if you make anything else, we will be here ready to fight.”

Sony dropped plans for the release of the film following the cancellation of screenings by major theater chains. [Continue reading…]

Facebooktwittermail

Who hacked Sony? It probably wasn’t North Korea

Regardless of who is responsible, the president views this as a serious national security matter — that is a very close paraphrase of White House Press Secretary Josh Earnest answering questions this afternoon about the Sony hacking.

OK. That’s it. The United States can now be declared certifiably insane!

The hacking may well have nothing to do with North Korea — it may indeed involve disgruntled Sony employees — and yet this is a serious national security matter?!

The only way that claim could marginally make sense would be if one fudged the definition of national security and said that it should include cybercrime committed by Americans targeting Americans — though by that definition, all crime would thence become an issue of national security.

Hollywood, the media, and the public all like stories. Narratives convey meaning in its most easily digestible form: a plot.

Sony Pictures made a movie, The Interview — a political action comedy which ends with the assassination of North Korean leader Kim Jong-un — and the North Koreans didn’t think it was funny. Indeed, they were so outraged they set about trying to make sure the movie would never be released. By yesterday afternoon they seemed to have succeeded.

The problem with this story is it’s probably a work of fiction — and maybe that shouldn’t be any surprise, given its source.

There’s one compelling reason to believe that the real story here has nothing to do with North Korea: in all likelihood the hackers were busy at work before anyone in the Democratic People’s Republic had even heard of Seth Rogen and James Franco.

Sebastian Anthony writes:

The hackers managed to exfiltrate around 100 terabytes of data from Sony’s network — an arduous task that, to avoid detection, probably took months. Given how long it would’ve taken to gain access to Sony Pictures, plus the time to exfiltrate the data, I think the wheels started turning long before North Korea heard about The Interview.

Even if we take the movie out of the equation, the hack just doesn’t feel like something that would be perpetrated by a nation state. The original warnings and demands feel like the attacker has a much more personal axe to grind — a disenfranchized ex employee, perhaps, or some kind of hacktivist group makes more sense, in my eyes.

So far, the sole purpose behind the Sony Pictures hack appears to be destruction — the destruction of privacy for thousands of employees, and the destruction of Sony’s reputation. Much in the same way that murder is a crime of passion, so was the hack on Sony Pictures. Bear in mind that the hackers gained access to almost every single piece of data stored on Sony’s network, including the passwords to bank accounts and other bits of information and intellectual property that could’ve been sold to the highest bidder. The hackers could’ve made an absolute fortune, but instead opted for complete annihilation. This all feels awfully like revenge.

Really, though, the biggest indicator that it was an inside job is that the malware used during the attack used hard-set paths and passwords — the attacker knew the exact layout of the Sony Pictures network, and had already done enough legwork to discover the necessary passwords. This isn’t to say that North Korea (or another nation state) couldn’t have done the legwork, but it would’ve taken a lot of time and effort — perhaps months or even years. A far more likely option is that the attack was carried out by someone who already had access to (or at least knowledge of) the internal network — an employee, a contractor, a friend of an employee, etc.

Before the hacking became public, Sony executives received what looked like a fairly straightforward extortion demand — a demand that made no reference to The Interview.

In the digital variant of a note pasted together from letters cut out of a newspaper, the extortion note came in broken English.

We’ve got great damage by Sony Pictures.
The compensation for it, monetary compensation we want.
Pay the damage, or Sony Pictures will be bombarded as a whole.
You know us very well. We never wait long.
You’d better behave wisely.
From God’sApstls

Maybe there are indeed some telltale signs in the syntax or maybe the author took advantage of Google and Bing’s translation-mangling capabilities by writing in English, translating in Korean (or any other language) and then translating back into English.

If the story here is really about extortion, then to recast it as political probably serves the interests of all parties — including North Korea.

No corporation wants to be publicly exposed as having capitulated to extortion demands — it would much rather hand over the money in secret while portraying itself as a political victim of the hostile foreign government. The North Koreans get the double reward of being credited with a hugely successful act of cyberwar while also getting removed from Hollywood’s list of favorite countries to target. And the Obama administration is able to sidestep a much larger a thornier issue: how to protect the American economy from the relentlessly growing threat of from global cybercrime whose points of origin are notoriously difficult to trace.

Finally, there is another theory about the real identity and motive of the hackers: they are Sony employees begging that no more Adam Sandler movies be made.

Facebooktwittermail

Sony leaks reveal Hollywood is trying to break the internet

The Verge reports: Most anti-piracy tools take one of two paths: they either target the server that’s sharing the files (pulling videos off YouTube or taking down sites like The Pirate Bay) or they make it harder to find (delisting offshore sites that share infringing content). But leaked documents reveal a frightening line of attack that’s currently being considered by the MPAA: What if you simply erased any record that the site was there in the first place?

To do that, the MPAA’s lawyers would target the Domain Name System (DNS) that directs traffic across the internet. The tactic was first proposed as part of the Stop Online Piracy Act (SOPA) in 2011, but three years after the law failed in Congress, the MPAA has been looking for legal justification for the practice in existing law and working with ISPs like Comcast to examine how a system might work technically. If the system works, DNS-blocking could be the key to the MPAA’s long-standing goal of blocking sites from delivering content to the US. At the same time, it represents a bold challenge to the basic engineering of the internet, threatening to break the very backbone of the web and drawing the industry into an increasingly nasty fight with Google. [Continue reading…]

Facebooktwittermail

Malware used to attack Sony was the software equivalent of a crude pipe bomb

Ars Technica reports: According to multiple reports, unnamed government officials have said that the cyber attack on Sony Pictures was linked to the North Korean government. The Wall Street Journal reports that investigators suspect the attack was carried out by Unit 121 of North Korea’s General Bureau of Reconnaissance, the country’s most elite hacking unit.

But if the elite cyber-warriors of the Democratic People’s Republic of Korea were behind the malware that erased data from hard drives at Sony Pictures Entertainment, they must have been in a real hurry to ship it.

Analysis by researchers at Cisco of a malware sample matching the MD5 hash signature of the “Destover” malware that was used in the attack on Sony Pictures revealed that the code was full of bugs and anything but sophisticated. It was the software equivalent of a crude pipe bomb.

Compared to other state-sponsored malware that researchers have analyzed, “It’s a night and day difference in quality,” said Craig Williams, senior technical leader for Cisco’s Talos Security Intelligence and Research Group, in an interview with Ars. “The code is simplistic, not very complex, and not very obfuscated.” [Continue reading…]

Facebooktwittermail