"The Interview", Sony, N Korea, and the Obama admin

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby Hunter » Sat Dec 20, 2014 8:02 pm

NEW DEVELOPMENTS TODAY:

Hackers threatened top level Sony execs Friday saying, "We want everything related to the movie, including its trailers, as well as its full version down from any website hosting them immediately."

The movie studio immediately obliged ... the movie's Twitter page no longer has any tweets, the Facebook page has been deleted and all "Interview" footage has been wiped from its YouTube page.
Hunter
Posts: 1455
Joined: Wed Apr 11, 2012 2:10 pm

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby Belligerent Savant » Sat Dec 20, 2014 9:12 pm

.
http://www.andrewhay.ca/archives/2621


So, was it North Korea that breached Sony Pictures Entertainment (SPE)? The FBI, Whitehouse, and a pile of other people are telling you it is. But if you were to ask me my position on the matter…simple answer, unlikely. 

Some items of note (provided without any tinfoil hat, partisanship, or prejudice):

The wording is carefully and purposefully used:
“the FBI now has enough information to conclude that the North Korean government is responsible for these actions.” – note, this does not clarify whether the Republic of North Korea launched, ordered, encouraged, or simply commented on the action. The use of the word “responsible” is purposefully vague.
Correlation forcing causation:
“there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.” – bad guys share code and are notoriously lazy. They will use whatever it takes to get the job done. As such, code is borrowed from other attackers, purchased in underground markets, etc.
“significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea.” – If you’ve ever seen a movie or television show where ‘hacking’ is depicted, you already know that attackers “hop” from server to server to conduct their nefarious activities. This is as much to hide their tracks as it is to leverage distributed resources.
“the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.” – again, similarities in tools and code are not enough to assign attribution.
The FBI, and other agencies, argue that the totality of the data is what makes them positive of the North Korean involvement.

In my opinion, the above components of the “total data” could be a false flag (http://en.wikipedia.org/wiki/False_flag) meant to push the investigation towards an uninvolved third-party. This would not be the first instance of false flag hacking attribution.
It is my recommendation that organizations make a conscious decision to refer to the breach simply as “The Sony Breach” and make no association to the Republic of North Korea, “cyberwar”, or “state sponsored attacks” when discussing this, and future breaches that may draw similarities.

The evidence provided thus far, or lack thereof, makes parroting and perpetuating this information irresponsible, at best, and potentially dangerous in extreme circumstances.

References:

Attack components:

SMB Worm Tool: 

This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.

Listening Implant: 

During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase “National Football League.” Additionally, this implant listens for connections on TCP port 195 (for “sensvc.exe” and “msensvc.exe”) and TCP port 444 (for “netcfg.dll”). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, “HTTP/1.1 GET /dns?\x00.” The controller then responds with the string “200 www.yahoo.com!\x00” (for “sensvc.exe” and “msensvc.exe”) or with the string “RESPONSE 200 OK!!” (for “netcfg.dll”). The controller sends the byte “!” (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.

Lightweight Backdoor: 

This is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host’s firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware since connections are inbound only on a specified port number.

Proxy Tool: 

Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.

Destructive Hard Drive Tool: 

This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the windows 7 operating system: windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.

Destructive Target Cleaning Tool: 

This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.

Network Propagation Wiper: 

The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files. Checking for existing shares via “\\hostname\admin$\system32” and “\\hostname\shared$\system32” or create a new share “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes the file-time to match that of the built-in file “calc.exe”, and starts the remote process. The remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”. Hostname, username, and password are then obtained from the configuration file. Afterwards, the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.


Belligerent Savant
Posts: 5587
Joined: Mon Oct 05, 2009 11:58 pm
Location: North Atlantic.
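
Added example, not part of the post above or of the advisory text it quotes: a network-side check for the "Listening Implant" handshake described there, run over reassembled TCP sessions. The description does not give the width of the length field, so the matcher looks for the XOR-0x1F-encoded handshake strings within the first 8 bytes of each direction (an assumption); the function names and the sample sessions, framed with a hypothetical 4-byte length, are constructed for illustration.

```python
import struct

XOR_KEY = 0x1F  # single-byte XOR key given in the description

# Handshake strings as quoted in the description. The "." after \x00 in the
# quoted victim string is read as sentence punctuation (an assumption).
VICTIM_HELLO = b"HTTP/1.1 GET /dns?\x00"
CONTROLLER_REPLIES = {
    b"200 www.yahoo.com!\x00": "sensvc.exe / msensvc.exe",
    b"RESPONSE 200 OK!!": "netcfg.dll",
}
IMPLANT_PORTS = {195: "sensvc.exe / msensvc.exe", 444: "netcfg.dll"}

# Each message is "preceded with its length", but the field width is not
# stated, so allow up to this many leading bytes (assumption).
MAX_PREFIX = 8


def xor_encode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; the same call also decodes."""
    return bytes(b ^ key for b in data)


def find_encoded(stream: bytes, plaintext: bytes, max_prefix: int = MAX_PREFIX):
    """Offset of the XOR-encoded plaintext if it starts within max_prefix bytes, else None."""
    needle = xor_encode(plaintext)
    pos = stream.find(needle, 0, max_prefix + len(needle))
    return None if pos == -1 else pos


def inspect_session(listen_port: int, from_listener: bytes, from_peer: bytes) -> dict:
    """Score one reassembled TCP session against the described handshake.

    from_listener: bytes sent by the host that accepted the connection
    from_peer:     bytes sent by the host that connected in (the controller)
    """
    result = {
        "port_hint": IMPLANT_PORTS.get(listen_port),
        "hello_offset": find_encoded(from_listener, VICTIM_HELLO),
        "variant": None,
        # Raw 0x21 as the final byte: weak on its own, so it never decides the verdict.
        "terminator": from_peer.endswith(b"\x21"),
    }
    for reply, variant in CONTROLLER_REPLIES.items():
        if find_encoded(from_peer, reply) is not None:
            result["variant"] = variant
            break
    # Port numbers alone are only a hint; the verdict rests on the encoded strings.
    hits = (result["hello_offset"] is not None) + (result["variant"] is not None)
    result["verdict"] = ("clean", "suspect", "match")[hits]
    return result


def _frame(msg: bytes) -> bytes:
    """Framing used for the constructed samples only: hypothetical 4-byte LE length."""
    return struct.pack("<I", len(msg)) + xor_encode(msg)


# Constructed sample sessions (not captured traffic).
SAMPLE_IMPLANT = {
    "listen_port": 195,
    "from_listener": _frame(VICTIM_HELLO),
    "from_peer": _frame(b"200 www.yahoo.com!\x00") + b"!",
}
SAMPLE_BENIGN = {
    "listen_port": 444,
    "from_listener": b"",
    "from_peer": b"GET /dns? HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, session in (("implant", SAMPLE_IMPLANT), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_session(**session))
```

Because the match is on the encoded strings rather than on the port, the same check still applies if the listener has been moved to another port.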

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby elfismiles » Sun Dec 21, 2014 1:39 pm

This is so bizarre and crazy!

Ya know, years ago Sony "proved" (at least to its own satisfaction and public announcement) that psi phenomena was real ... perhaps they developed the tech further and have seen what happens if they don't comply.

Hunter » 21 Dec 2014 00:02 wrote:NEW DEVELOPMENTS TODAY:

Hackers threatened top level Sony execs Friday saying, "We want everything related to the movie, including its trailers, as well as its full version down from any website hosting them immediately."

The movie studio immediately obliged ... the movie's Twitter page no longer has any tweets, the Facebook page has been deleted and all "Interview" footage has been wiped from its YouTube page.
elfismiles
Posts: 8512
Joined: Fri Aug 11, 2006 6:46 pm

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby elfismiles » Sun Dec 21, 2014 1:41 pm

N. Korea proposes joint probe over Sony hacking
Dec 20, 8:21 AM (ET)
By HYUNG-JIN KIM
http://apnews.myway.com/article/2014122 ... 2bfcf.html

"We have a way to prove that we have nothing to do with the case without resorting to torture, as what the CIA does," he said, adding that the U.S. lacks any specific evidence tying North Korea to the hacking.
elfismiles
Posts: 8512
Joined: Fri Aug 11, 2006 6:46 pm

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby Wombaticus Rex » Sun Dec 21, 2014 3:25 pm

Long but funny / informed rant:
http://krypt3ia.wordpress.com/2014/12/20/fauxtribution/

The conclusion is a zinger. I've reproduced it here, most of the piece is a technical discursion on the true nature of an "IP address" in 2014 which is definitely worth reading for anyone with an interest in parsing the NYT / WSJ fear factory crap.

After a night’s sleep I woke up this morning thinking about all this yet again. I just wanted to add to this article the idea that similar code and tactics also do not an actor make as well. Remember that all of this could lead to a cold war if not a warmer war with actors like DPRK and we are going to hang our hats on “similarities”. This just does not bode well for anyone.

There is a thing in intelligence called “cognitive bias” and I fear that our intelligence agencies fall prey to this a lot as it is. However, where the information and network warfare comes into play it is even worse. This is because it’s such a slippery subject not only on a technical level, but also because it is so easy to obfuscate means, methods, and actions with technology today. Another aphorism in the IC is that of being “lost in the forest of shadows” which means that nothing is clear and it is easy to be confused. Well, this is the same thing.

Like I said on Twitter last night, I can see my way to saying that DPRK was behind this. I can use Occam’s Razor to apply the logic of who had motive, look at their actions on the face of it, and say “most likely” it is them. However, would I want to go to war over that? Look at the people out there like Dave Aitel screaming that we need to go to cyber war and drop logic bombs in their infrastructure over this. Over a hack and destruction of data along with a healthy dose of schadenfreude over what.. Hollywood?

Come on!

It’s time for this community (INFOSEC) to really teach these people about what it is to be BLUE TEAM as well as sell them 0day. I am sorry, but we need to be better and so far we are just a bunch of warring parties looking for attention and the almighty dollar. We are in a perilous time because of people like Aitel and his ilk as well as the people who will blindly follow them because they are cyber warriors or thought leaders and know no better. If this keeps escalating, and it will, then we will see attacks by non state and state actors that will just be for anarchy’s sake.

I wrote earlier this month about the “Laughing Man Effect” with regard to the SONY incident as it was unfolding. This attack mimicked the LulzSec attack on HB Gary. It seems we did not learn from this. They too had some bad practices going on that led to their compromise and utter destruction. In fact Sabu and the LulzSec crew were nicer to HB Gary than the attackers in the Sony case. At least they did not raze their network altogether. Though HB Gary Federal went down in flames due to the attack.

The Chinese say “May you live in interesting times” and that is not meant to be a pleasant thing. I fear that Pandora’s box just opened up a little more with yesterday’s pronouncement on shaky evidence. Unless the IC has more information that is solid to point the finger at DPRK for this I just can’t get behind any kind of response, proportional or otherwise. What really needs to happen is that Sony gets their shit together once they re-constitute their network and really have a working security model. Not the utter crap they had before but something that will actually mandate that personal information and IP be protected at least moderately.

This week I spoke with someone in the IC who does actual information warfare. In talking to him over the week I saw his frustration grow to the point that he put in his papers to separate. He plans on just going into teaching. Why? Because he said that all of this talk, this call to action over Sony was just so ridiculous that it would be hard for him to carry out an order of attack on this “evidence”. His answer was to retire to teaching.

That about sums it up with me too of late. I look at the Twitter and the news feeds and see just marketing, hype, and fauxtribution… And it will be to our collective doom.


"Blue Team" is a reference to penetration testing tradecraft. Your Red Team is attempting to penetrate security, whether it's MP doing a drill on a domestic military base or some ONI hackers poking around Wall Street for DoD. (It's fun work if you can get it! Navy SEALs made their reputation doing raids on army bases and winning.)

"selling 0days" is most of what the "IT Security" field really is: privileged actors with a portfolio of unpublished working exploits/back doors that compromise existing (and damn important!) infrastructure, selling it to Fortune 500 companies for use in private warfare. Shit is completely Wild West right now and with the failure of TPP, it will only get more entertaining from here.
Wombaticus Rex
Posts: 10896
Joined: Wed Nov 08, 2006 6:33 pm
Location: Vermontistan

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby cptmarginal » Sun Dec 21, 2014 8:31 pm

Man, this whole thing is so stupid. Even looking at that gif of him exploding makes me feel repulsed.

Wombaticus Rex wrote:Long but funny / informed rant:
http://krypt3ia.wordpress.com/2014/12/20/fauxtribution/


Thank you for posting this, it's very good.

I wrote earlier this month about the “Laughing Man Effect” with regard to the SONY incident as it was unfolding. This attack mimicked the LulzSec attack on HB Gary. It seems we did not learn from this. They too had some bad practices going on that led to their compromise and utter destruction. In fact Sabu and the LulzSec crew were nicer to HB Gary than the attackers in the Sony case. At least they did not raze their network altogether. Though HB Gary Federal went down in flames due to the attack.

The Chinese say “May you live in interesting times” and that is not meant to be a pleasant thing


Hell yeah; I've been repeatedly pointing out the prescience and relevance of the first Ghost in the Shell TV series for years now, and not just in the areas of cyber-security or future warfare. It has many other really provocative and realistically conceived notions about intelligence agencies and politics in general, too.

This is the juncture where the Ghost In The Shell comes in and a certain arc in the story line from the Standalone Complex. If you are a fan you might remember the series of episodes concerning “The Laughing Man”. In these episodes we are introduced to a hacker who appears from nowhere and begins a campaign of attacks against corporations for their misdeeds. In particular one company that was colluding in surveillance and stock manipulation but I will leave all that to you to watch.

What happens though is that The Laughing Man takes on the corporation and through hacking exposes them for what they had done as well as affects their bottom line greatly financially as well as damaging their reputation. It was the spectacular nature of the hack though, on live TV in this future Japan that got others completely obsessed with the Laughing Man and what he had done. If you have not seen the series there is a box set of just the episodes that concern the Laughing Man you can watch.

The story line though sparked with me because it showed the great asymmetric power of this kind of warfare that could be carried out by one person. One person with the skill sets to do it, could affect the bottom line of a company at a distance as well as anonymously. This is a powerful thought and one that in today’s society is much more of a reality than ever before and it is precisely because of technology. This idea I personally now call “The Laughing Man Effect” and in tandem with memes could spell real trouble for the world today. We have seen this already taking place with Anonymous and their various wars against injustice or just for the lulz as we saw in LulzSec. In fact, I would claim that HB Gary would have been the first instance of the Laughing Man Effect and it just took the Sony incident for it to solidify in my head.


The point is that there are copycats following an inspirational example in hacking or otherwise exacting social justice, but with one caveat: the original act they are copying wasn't genuine. An example of this would be somebody taking the provocative high-profile hacking approach of LulzSec and Sabu (FBI provocateur) yet not actually being compromised informants themselves. They would be "copies without an original" and yet following that fictitious example and exacting that perceived justice anyway. The faux-hero hackers of LulzSec become a self-fulfilling prophecy.

Though of course I'd wager just about anything that this latest hack was done by proxy on behalf of Western state actors. Just my opinion.
cptmarginal
Posts: 2741
Joined: Tue Apr 10, 2007 8:32 pm
Location: Gordita Beach

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby elfismiles » Mon Dec 22, 2014 10:50 am

FBI Steered Itself Toward Blaming North Korea for Sony Hack
by Jason Ditz, December 21, 2014
http://news.antiwar.com/2014/12/21/fbi- ... sony-hack/
elfismiles
Posts: 8512
Joined: Fri Aug 11, 2006 6:46 pm

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby Luther Blissett » Mon Dec 22, 2014 3:56 pm

A Lot of Smart People Think North Korea Didn't Hack Sony

The evidence linking agents of the Democratic People's Republic of Korea to the recent digital implosion of Sony remains vague. And even though the feds are squarely blaming North Korea, many security experts aren't buying it.

Long before the FBI made it official, North Korean blame for the attack against Sony was taken as a given. Even if the best reason to credit Kim Jong-Un's goons was because it just sort of feels right and Hey, that movie is about North Korea, most people following the story—both in and out of the media—ran with the story. It happens to be a very politically convenient story, featuring the world's favorite cartoon henchman at the lead.

But independent, skeptical security experts have been poking holes in this theory for days now. Evidence provided by the FBI last week in an official accusation against the North Korean government was really more of a reference to evidence—all we got were bullet points, most of them rehashing earlier clues. It still doesn't seem like enough to definitively pin the attacks to North Korea.

Security consultant Dan Tentler didn't take long to brush off the FBI's points:

But the weightiest rebuttal of the case against North Korea has come from renowned hacker, DEFCON organizer, and CloudFlare researcher Marc Rogers, who makes a compelling case of his own. Highlights below:
The broken English looks deliberately bad and doesn't exhibit any of the classic comprehension mistakes you actually expect to see in "Konglish". i.e it reads to me like an English speaker pretending to be bad at writing English.

[...]

It's clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony's internal architecture and access to key passwords. While it's plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam's razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.


Furthermore, "The attackers only latched onto "The Interview" after the media did – the film was never mentioned by GOP right at the start of their campaign. It was only after a few people started speculating in the media that this and the communication from DPRK "might be linked" that suddenly it became linked."

Even after the FBI officially named North Korea as orchestrators, Rogers remains entirely unconvinced by their case:

What the FBI is essentially saying here is that some of the IP addresses found while analyzing the malware samples and the logs of the attack have been used in the past by North Korea. To me, this piece of evidence is perhaps the least convincing of all. IP addresses are often quite nebulous things. They are addresses of machines connected to the Internet. They are neither good, nor bad.

The IP address is never what is interesting. It's what's running on the system that has that IP address that is interesting. Furthermore, to imply that some addresses are permanent fixtures used by North Korean hackers implies a fundamental misunderstanding of how the internet works and in particular how hackers operate.

[...]

So where does that leave us? Well essentially it leaves us exactly where we were when we started. We don't have any solid evidence that implicates North Korea, while at the same time we don't have enough evidence to rule North Korea out. However, when you take into consideration the fact that the attackers, GOP, have now released a message saying that Sony can show "the Interview" after all, I find myself returning to my earlier instincts – this is the work of someone or someones with a grudge against Sony and the whole "Interview" angle was just a mixture of opportunity and "lulz".


Rogers recommends a more technical refutation of the FBI's evidence by a peer of his—worth reading if you dig nuts and bolts.

Kim Zetter of Wired also has a fantastic article on North Korean skepticism. She makes a very, very strong case (emphasis is her own):

But in their initial public statement, whoever hacked Sony made no mention of North Korea or the film. And in an email sent to Sony by the hackers, found in documents they leaked, there is also no mention of North Korea or the film. The email was sent to Sony executives on Nov. 21, a few days before the hack went public. Addressed to Sony Pictures CEO Michael Lynton, Chairwoman Amy Pascal and other executives, it appears to be an attempt at extortion, not an expression of political outrage or a threat of war.

"[M]onetary compensation we want," the email read. "Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You'd better behave wisely."


Harvard Law professor and security expert Jack Goldsmith is skeptical of the FBI's case so far:

First, the "evidence" is of the most conclusory nature – it is really just unconfirmed statements by the USG. Second, on its face the evidence shows only that this attack has characteristics of prior attacks attributed to North Korea. We know nothing about the attribution veracity of those prior attacks. Much more importantly, it is at least possible that some other nation is spoofing a North Korean attack. For if the United States knows the characteristics or signatures of prior North Korean attacks, then so too might some third country that could use these characteristics or signatures – "specific lines of code, encryption algorithms, data deletion methods, and compromised networks," and similarities in the "infrastructure" and "tools" of prior attacks – to spoof the North Koreans in the Sony hack.

Third, the most significant line in the FBI statement is this: "While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following." Let us assume that the United States has a lot of other evidence, including human or electronic intelligence from inside Korea, that corroborates its attribution conclusion. This might give the USG confidence in the attribution and might support the legality of a proportionate response. But if protection of "sources and methods" prevents the United States from publicly revealing a lot more evidence, including intelligence beyond mere similar characteristics to past attacks, then there is no reason the rest of the world will or, frankly, should believe that a response on North Korea is justified. (Compare Adlai Stevenson and Colin Powell before the United Nations.)


Reporter Thomas Fox-Brewster tells me he was contacted by lena@spambog.com, one of the hacker email addresses listed in the original leak of Sony files. When he tweeted part of an email he says he received from this account, his followers were dubious:

Thomas Fox-Brewster @iblametom
Charming email from one of Sony's alleged hackers: Dear Sir,

Fuck yourself.

Sincerely,

North Korean Hacking Team

"모든 영광스러운 김정은 우박"

sung ho choi @choisungho

@iblametom looks like a poor machine translation. Looks like google translate of "all hail glorious kim jong-un"

Jeremy Bae @opt9

@iblametom @hackerfantastic "모든 영광스러운 김정은 우박" <- It isn't a natural Korean sentence. Looks like translated English->Korean with Google.


Also, "North Korean Hacking Team"? C'mon.

Another security researcher who goes by the handle "Grugq" is equally unconvinced of North Korean participation:

To handle this sophisticated media / Internet campaign so well would require a handler with strong English skills, deep knowledge of the Internet and western culture. This would be someone quite senior and skilled. That is, I can't see DPRK putting this sort of valuable resource onto what is essentially a petty attack against a company that has no strategic value for DPRK.


At the website of Virginia-based security consultancy Risk Based Security, there's an impressively thorough rundown of the whole Sony saga, from day one. The most recent conclusions are unimpressed by the North Korean attribution, too:

One point that can't be said enough is that "attribution is hard" given the nature of computer intrusions and how hard it is to ultimately trace an attack back to a given individual or group. Past attacks on Sony have not been solved, even years later. The idea that a mere two weeks into the investigation and there is positive attribution, enough to call this an act of war, seems dangerous and questionable.

[...]

At this point, it certainly could be North Korea. Or China. Or a group of people with no political affiliation, laughing at their tricks that have thrown the rest of society for a loop. As we have said before, it would be best if we reserve judgement until there is a documented forensic trail that truly establishes some level of attribution with certainty.


So too is author Peter W. Singer, who provided a splendid, scathing indictment of Sony's buckling (and general stupidity surrounding this story) over at Motherboard:

Reaction to the Sony Hack Is 'Beyond the Realm of Stupid'


So far, the information that's come out has pointed the finger at North Korean proxy groups, but it's been context based. It wouldn't meet the level needed in a court of law. The context combines the fact that they're pissed about this movie, and certain techniques in it are similar to what has been used in other attacks linked not definitively to North Korea. It's enough for most people to talk about [it being from North Korea], at least.


We want to keep talking about a perpetrator, because unlike the film that's been sucked into the center of this, Sony's mess is a deeply interesting story. Stories need endings, and this one is fascinating, mammoth, and unprecedented. But if we're going to also insist on employing turkey jargon ("CYBER TERROR!") and saber rattling, let's at least make sure we're rattling in the right direction first.
The Rich and the Corporate remain in their hundred-year fever visions of Bolsheviks taking their stuff - JackRiddler
Luther Blissett
Posts: 4994
Joined: Fri Jan 02, 2009 1:31 pm
Location: Philadelphia

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby 82_28 » Mon Dec 22, 2014 4:07 pm

I wrote this earlier this morning elsewhere:

Yeah, the NK hacker thing is so stupid. Though I don't totally know, it is basically impossible to whip out a hack of this sort and to totally lay the blame with a (albeit NK) country. Peering through, as it were, from the other end of things as basically an apprentice who is teaching himself this shit as I learn telco whatnots, it seems impossible to spoof the origin of the hack. For my job I have to build a trail that is traceable in all ways -- I get to peek behind the scenes a bit, look at fiber counts and numbers, distances between COs, what the COs are, where they are. Granted it doesn't explain the "word wide web" just how we in nuorth amerigo access it. As we know it all comes down to devices. Devices mounted everywhere, I assume quite advanced. However, it comes down to light -- fiber optics that still must go through COs.
There is no me. There is no you. There is all. There is no you. There is no me. And that is all. A profound acceptance of an enormous pageantry. A haunting certainty that the unifying principle of this universe is love. -- Propagandhi
82_28
Posts: 11194
Joined: Fri Nov 30, 2007 4:34 am
Location: North of Queen Anne

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby Wombaticus Rex » Mon Dec 22, 2014 4:29 pm

Peering through, as it were, from the other end of things as basically an apprentice who is teaching himself this shit as I learn telco whatnots, it seems impossible to spoof the origin of the hack.


"seems impossible" should read "operationally routine," FYI
Wombaticus Rex
Posts: 10896
Joined: Wed Nov 08, 2006 6:33 pm
Location: Vermontistan

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby Pele'sDaughter » Mon Dec 22, 2014 5:03 pm

http://news.yahoo.com/north-korea-exper ... 18060.html


North Korea experiencing severe Internet outages
Severe Internet connectivity problems seen in North Korea in wake of Sony hacking attack

WASHINGTON (AP) -- North Korea experienced sweeping and progressively worse Internet outages extending into Monday, with one computer expert saying the country's online access is "totally down." The White House and the State Department declined to say whether the U.S. government was responsible.

President Barack Obama said Friday the U.S. government expected to respond to the hacking of Sony Pictures Entertainment Inc., which he described as an expensive act of "cyber vandalism" that he blamed on North Korea. Obama did not say how the U.S. might respond, and it was not immediately clear if the Internet connectivity problems represented the retribution. The U.S. government regards its offensive cyber operations as highly classified.

"We aren't going to discuss, you know, publicly operational details about the possible response options or comment on those kind of reports in any way except to say that as we implement our responses, some will be seen, some may not be seen," State Department spokeswoman Marie Harf said.

North Korea has forcefully denied it was responsible for hacking into Sony.

Doug Madory, the director of Internet analysis at Dyn Research, a company that studies Internet connectivity, said the problems were discovered over the weekend and grew progressively worse to the point that "North Korea's totally down."

"They have left the global Internet and they are gone until they come back," he said.

He said one benign explanation for the problem was that a router suffered a software glitch, though a cyber-attack involving North Korea's Internet service was also a possibility.

Routing instabilities are not uncommon, but this particular outage has gone on for hours and was getting worse instead of better, Madory said.

"This doesn't fit that profile," of an ordinary routing problem, he said. "This shows something getting progressively worse over time."
Don't believe anything they say.
And at the same time,
Don't believe that they say anything without a reason.
---Immanuel Kant
Pele'sDaughter
 
Posts: 1917
Joined: Thu Sep 13, 2007 11:45 am
Location: Texas
Blog: View Blog (0)

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby 82_28 » Mon Dec 22, 2014 5:17 pm

Pele'sDaughter » Mon Dec 22, 2014 1:03 pm wrote: http://news.yahoo.com/north-korea-experiencing-severe-internet-200418060.html




This was basically my point, WR. Everything online is ultimately traceable, otherwise it wouldn't work. Exchanges need to know where they are going and where they are coming from. There are dozens, hundreds of exchanges with everything you do online or just garden variety telephony. Unless there is some shadow network I don't know about, the overall network is the network. Encryption is one thing, but the exchanges are another.
There is no me. There is no you. There is all. There is no you. There is no me. And that is all. A profound acceptance of an enormous pageantry. A haunting certainty that the unifying principle of this universe is love. -- Propagandhi
82_28
 
Posts: 11194
Joined: Fri Nov 30, 2007 4:34 am
Location: North of Queen Anne
Blog: View Blog (0)

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby justdrew » Mon Dec 22, 2014 8:59 pm

Wombaticus Rex » 22 Dec 2014 12:29 wrote:
Peering through, as it were, from the other end of things as basically an apprentice who is teaching himself this shit as I learn telco whatnots, it seems impossible to spoof the origin of the hack.


"seems impossible" should read "operationally routine," FYI


It can indeed be done, BUT it's not perfect and will only provide impetus for improved routing and intrusion detection. Soon, when a backbone sees itself routing weird IPs it shouldn't be seeing, that will set off an alert that will back-propagate to the originating network, which will be incentivized to locate the source host or face its entire network losing route-ability. We'll see though; IPv6 may make it far harder or far easier to get at sources, but I would think at least it will make it harder to spoof IPs.
By 1964 there were 1.5 million mobile phone users in the US
justdrew
 
Posts: 11966
Joined: Tue May 24, 2005 7:57 pm
Location: unknown
Blog: View Blog (11)
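
The check described in the post above, a network noticing source addresses that do not belong to the link they arrived on, is source-address validation (ingress filtering, BCP 38). The sketch below is an added example, not part of the original post; the port names, prefixes, flow records and alert threshold are all constructed for illustration.

```python
import ipaddress

# Constructed data: prefixes each customer-facing port may source traffic from
# (documentation address ranges only).
ALLOWED = {
    "port-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "port-b": ["198.51.100.0/25"],
}

# Constructed flow samples: (ingress port, source IP).
FLOWS = [
    ("port-a", "192.0.2.17"),
    ("port-a", "198.51.100.9"),     # prefix assigned to port-b, seen on port-a
    ("port-b", "198.51.100.200"),   # outside port-b's /25
    ("port-b", "198.51.100.42"),
    ("port-a", "2001:db8:a:1::7"),
    ("port-a", "2001:db8:b::1"),    # outside port-a's /48
    ("port-c", "10.1.2.3"),         # port with no table entry
]

def build_table(allowed):
    """Parse prefix strings into network objects, keyed by ingress port."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in allowed.items()}

def source_is_valid(table, port, src):
    """True if src lies inside a prefix assigned to the port it arrived on."""
    addr = ipaddress.ip_address(src)
    # A port with no table entry has no valid sources (fail closed).
    return any(addr.version == net.version and addr in net
               for net in table.get(port, []))

def violations(table, flows):
    """Map each ingress port to the sorted out-of-prefix sources seen on it."""
    report = {}
    for port, src in flows:
        if not source_is_valid(table, port, src):
            report.setdefault(port, set()).add(src)
    return {port: sorted(srcs) for port, srcs in report.items()}

def ports_to_notify(table, flows, threshold=2):
    """Ports whose count of distinct bad sources reaches the alert threshold."""
    return sorted(port for port, srcs in violations(table, flows).items()
                  if len(srcs) >= threshold)

if __name__ == "__main__":
    table = build_table(ALLOWED)
    for port, srcs in violations(table, FLOWS).items():
        print(port, srcs)
    print("notify:", ports_to_notify(table, FLOWS))
```

The check only says that a source address does not match the link it entered on; traffic relayed through a host that uses its own legitimate address passes it.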

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby seemslikeadream » Tue Dec 23, 2014 1:54 pm

Sony is going to release The Interview on Christmas day
Mazars and Deutsche Bank could have ended this nightmare before it started.
They could still get him out of office.
But instead, they want mass death.
Don’t forget that.
seemslikeadream
 
Posts: 32090
Joined: Wed Apr 27, 2005 11:28 pm
Location: into the black
Blog: View Blog (83)

Re: "The Interview", Sony, N Korea, and the Obama admin

Postby Morty » Wed Dec 24, 2014 7:57 am

It won't do any good. Not because it's an utterly shit movie, but because the Korean commie cyber terrorists knobbled it.

Fucking Korean commie cyber terrorists shit me to tears.


seemslikeadream » Tue Dec 23, 2014 10:54 am wrote:Sony is going to release The Interview on Christmas day
Morty
 
Posts: 422
Joined: Sat Jan 04, 2014 10:53 pm
Blog: View Blog (0)
