Category Archives: Hacktivism

The FBI, Sony and the Attribution Problem, Part 1 - Why?

The recent attack on Sony has publicly paraded one of the predominant problems in incident response. While the immediate issue in incident response is of course the remediation of compromised systems and bringing these systems and IT services back online, it is entirely human to look for somewhere to cast blame. Let’s begin by fleshing out the “why” of attribution before engaging with the “how”.

Why Attribution?

For an affected entity, and for the security professionals working within it, attribution of the attacker(s) is only an ancillary concern. Certainly steps taken (or not taken) during the direct remediation of the breach are important and even essential to the later attribution effort, but priority of work must be on restoration of service. After service is restored, and the breach points corrected, the attribution process begins. Here are some reasons to perform attribution:

1. Attacker Centered Defense– If the attacker can be identified or at least have their tactics, techniques and procedures characterized, it may be possible to take steps to make their next intrusion more difficult and time consuming.

2. Legal/Governmental Retribution– Bringing criminal charges or taking other action against the attacker may deter future attackers, or may have deterrence against the current attackers if they are in a jurisdiction where criminal charges cannot be brought, but are vulnerable to intergovernmental or other pressures.

3. “Hacking Back”– This is an operation pregnant with a host of legal and ethical concerns. It may appear advantageous in the midst of an attack to attack back, but the technical reasons for doing so need to be looked at carefully. There are two scenarios where hacking back could reduce the impact of an ongoing hacking attack. One of these is a DDoS attack, where hacking back into the command and control systems of the attributed botnet may be a viable method to stem the attack. In the second scenario, stolen data belonging to the attacked entity has been definitively located (through attribution efforts) on a server, and then the entity performs a hacking operation to delete that data before it can be copied or moved. Both of these operations are patently illegal in the U.S. due to the Computer Fraud and Abuse Act. Both also carry a low probability of success or advantage for the attacked entity. If a DDoS operation is disrupted, other botnets can be easily employed by the attacker at short notice, or they may regain control of the compromised botnet. The command and control servers may also be innocent bystanders who are unknowingly playing host to malware. Taking down the servers of a hospital or local government or foreign military could have extremely serious human and geopolitical downsides. In the second scenario, the attacked entity would have to be extremely proactive to get the toothpaste back into the tube. In fact, it is so difficult it may as well be regarded as functionally impossible, and there is little chance of getting all the data before it is further disseminated.

Looking at the limited reasons for attribution, and given especially the weakness of the third reason, it may be entirely reasonable for an attacked entity to decide not to pursue attribution. In the end, even having your attacker arrested will not undo the damage caused in the attack. The process of attribution is also not cost free. Additionally, any major actions taken on the basis of the attribution performed may only result in more reputation damage for the entity as the original breach and security failure is further publicized.

Why Attribute the Sony Hack? 

Obviously an attack as devastating as Sony’s–which will probably involve hundreds of millions of dollars in damage to Sony Pictures Entertainment, in addition to a substantial erosion of their reputation and personal damage to many of their prominent employees–should be answered. To decide to not attribute the attackers would make their actions seem tacitly permitted, and probably contribute to further devastating attacks against other entities. This Public Order justification is the purview of the FBI, who has taken a lead role in the investigation of the attack. Sony, of course, probably wishes nothing more than for this incident to go away and may be leaning more towards active disinterest in attribution. It isn’t as if any future lawsuit will recover their lost capital, and their threats of legal action against those who published the more tabloid-friendly portions of their internal emails are at serious risk of the Streisand Effect.

Of course, SPE is not the only actor involved. There are cyber security companies and the U.S. Government at work here as well. Attribution is in the interests of cyber security companies for reputation and prestige reasons, as a proof of their aptitude and ability. On the government side attribution can be a marker of aptitude as well; however, retribution is also a significant influence. In the global and domestic political arenas strong attribution can aid in the pursuit of other interests. Attribution has been used by the U.S. Government previously to pressure the Chinese Government in regards to their cyber espionage campaigns, and charges have been filed in the U.S. against a number of their operators. So it comes to this. The primary reasons for attribution are political, as support for past and future actions and as an instrument of geopolitical pressure. The actions supported by attribution may include legislative efforts, international sanctions, and even electronic and physical attacks.

In Part Two of this work, having established the interests of the actors involved in attribution, we will look at the “How” of the SPE hack attribution as far as it is known publicly.


A Hacked DDoS-on-demand Site Offers a Look into Mind of “Booter” Users

A leaked database from a hacked denial-of-service site has provided some insight into what sorts of targets individuals will pay to knock offline for a few dollars or bitcoin. And it’s safe to say that a significant percentage of them are not the brightest stars in the sky. To get an idea of who would use such a service and for what purposes, Ars analyzed the data from a recently hacked DDoS for hire site: LizardSquad’s LizardStresser.

“Booter” or “stresser” sites offer users the ability to pay for distributed denial of service attacks against a target, and these sites promise to try to disguise the nature of the attack with the fig leaf of being legitimate load testing sites. That wasn’t so much the case with LizardStresser, the botnet-for-hire set up by the distributed denial of service crew known as LizardSquad. The group used its Christmas week DDoS attacks on Microsoft’s Xbox Live network and Sony’s Playstation Network as a form of advertising for the new service.

Since then, attacks on gamers have made up a significant percentage of the LizardStresser’s workload. While more than half of the attacks launched by customers of the service have been against Web servers, a significant portion have targeted individuals or small community gaming servers—including Minecraft servers.


Doxing Victim Zoe Quinn Launches Online “Anti-Harassment Task Force”

On Friday, Depression Quest developer and doxing victim Zoe Quinn launched an online “anti-harassment task force” toolset, staffed by volunteers familiar with such attacks, to assist victims of a recent swell of “doxing” and “swatting” attacks.

The Crash Override site, built by Quinn and game developer Alex Lifschitz, offers free services from “experts in information security, white hat hacking, PR, law enforcement, legal, threat monitoring, and counseling” for “victims of online mob harassment.” According to the site, those experts are “mostly former clients” who have faced similar online threats, and their efforts will not include “retaliatory action against abusers.”

In addition to a contact form and a lengthy summary of Crash Override’s pre- and post-harassment services, the site includes links to a guide to help people control how much personally identifiable information appears on the Internet, along with a Twitter feed containing public statements from two users claiming to have used Crash Override’s services to mitigate the effects of online harassment.


Real or Not, Purported Hack on US Military is a Coup for Islamic Extremists

The Twitter and YouTube accounts belonging to the US Central Command were compromised on Monday by people who claimed they hacked sensitive US military PCs and leaked confidential material in support of the Islamic State.

The compromised CENTCOM Twitter account contained graphics and text supporting the Islamic State in Iraq and Syria (ISIS), and it warned the US to expect more hacks. It was carried out by a person or group dubbed the CyberCaliphate. Central Command is one of nine unified commands in the US military. With its area of responsibility covering Afghanistan, Iraq, Syria, and Iran, it leads the US campaign against Islamic State extremists. Monday’s attacks appeared to be carried out by the same group that earlier this month commandeered the Twitter accounts of CBS affiliate WBOC-TV and the Albuquerque Journal.

At the time this post was being prepared, there was conflicting evidence supporting the claim that anything more than CENTCOM’s Twitter and YouTube accounts were compromised. Files linked in a post on Pastebin contained what appeared to be rosters of US military personnel, including contact information for Army commands and retired Army generals. A separate series of documents, contained in a folder titled war-scenarios, showed PowerPoint slides that appeared to be related to war games exercises involving China, North Korea, and regions in Africa, Indonesia, and the Caspian. One slide in a file titled SOCOM_Africa_Scenario.ppt was dated January 12, 2015. It proposed a CIA operation in Congo and Southern Africa dubbed “Operation Cakewalk” to seize yellowcake uranium. CENTCOM officials confirmed the compromise of the social networking accounts but told CNN none of the leaked documents appeared to be classified.


Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity

Twitter and YouTube accounts belonging to the military’s US Central Command were hacked on Monday. Hackers supportive of the terrorist group Islamic State, also known as ISIS, took credit and issued a warning to the U.S. military.

The post Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity appeared first on WIRED.



DDoS Service Targeting PSN and Xbox Powered by Home Internet Routers

The miscreants taking credit for knocking image board site 8chan offline, and earlier for taking down Sony’s and Microsoft’s gaming networks, operate an attack platform powered mostly by thousands of hacked home Internet routers, according to a published report.

The revelation, in an article posted Friday by KrebsOnSecurity, is the latest evidence documenting a big uptick in the hacking of Internet routers. Over the past 18 months, researchers have uncovered several other large-scale attacks on routing devices, including those made by Asus, Linksys, and many other manufacturers. Routers are often ripe targets because users fail to change default passwords, and the devices often contain security vulnerabilities that can easily be exploited by attackers halfway around the globe.

Those compromising routers for financial gain appear to be members of the Lizard Squad, a group that operates an online attack service that promises to take down any site a paying customer has requested. KrebsOnSecurity namesake Brian Krebs cited security researchers assisting law enforcement officials investigating the group. The researchers asked to remain anonymous. According to Krebs, the for-hire denial-of-service service is powered by a network of compromised devices that mostly include home routers from around the world that are protected by little more than default usernames and passwords. Krebs wrote:


Critics Say New Evidence Linking North Korea to the Sony Hack Is Still Flimsy

If the FBI’s revelations on Wednesday about the sloppiness of North Korea’s hackers were meant to silence critics who doubt the government’s attribution for what happened to Sony, they failed. Despite assertions from FBI Director James Comey that he has very high confidence in the attribution to North Korea and a statement by Director of […]

The post Critics Say New Evidence Linking North Korea to the Sony Hack Is Still Flimsy appeared first on WIRED.



The Year’s Worst Hacks, From Sony to Celebrity Nude Pics

With each passing year, data breaches get bigger and more invasive. But 2014 saw a new twist to the breach phenomenon with the Sony hack. The attackers didn’t just steal data, they scorched Sony’s digital earth as they exited its networks, wiping data from servers and leaving administrators to clean up the mess and restore systems.

The post The Year’s Worst Hacks, From Sony to Celebrity Nude Pics appeared first on WIRED.



Craigslist DNS Hijacked, Redirected at Infamous “Prank” Site for Hours

Around 5:00pm PST on November 23, the Domain Name Service records for at least some of the sites hosted by the online classified ad and discussion service Craigslist were hijacked. At least some Craigslist visitors found their Web requests redirected toward an underground Web forum previously associated with selling stolen celebrity photos and other malicious activities.

In a blog post, Craigslist CEO Jim Buckmaster said that the DNS records for Craigslist sites were altered to direct incoming traffic to what he characterized as “various non-craigslist sites.” The account was restored, and while the DNS records have been corrected at the registrar, some DNS servers were still redirecting traffic to other servers as late as this afternoon.

Craigslist’s domain registrar is Network Solutions, which is owned by Web.com. [Update, 5:32 PM EST November 24: John Herbkersman, a spokesperson for Web.com, told Ars, “The issue has been resolved. At this time we are continuing to investigate the incident.”]


Seattle PD Cuts a Deal With Mass-Video Requestor, Institutes “Hack-a-Thon”

A computer programmer whose massive public records request threatened Seattle’s plan to put body cameras on its police officers has made peace with the police department.

Today’s Seattle Times reports that Seattle Police Department COO Mike Wagers has invited the man into police headquarters to meet with him and tech staff to discuss how he could receive video regularly. As a condition of the meeting, he has dropped the public records request.

“I’m hoping he can help us with the larger systemic issue—how can we release as much video as possible and redact what we need to redact so we can be transparent?” Wagers told the newspaper. “What do we have to lose? We have nothing to hide. There are no secrets.”


iPhone, Galaxy S5, Nexus 5, and Fire Phone fall like dominoes at Pwn2Own

An iPhone 5S, Samsung Galaxy S5, LG Nexus 5, and Amazon Fire Phone were all hijacked by whitehats on the first day of an annual hacking contest that pays hefty cash prizes for exploits bypassing security sandbox perimeters.

Day one of the Mobile Pwn2Own competition at the PacSec conference in Tokyo repeated a theme struck over and over at previous Pwn2Own events. If a device runs software, it can be hacked—regardless of claims made by marketers or fans. Organized by the Hewlett-Packard-owned Zero Day Initiative and sponsored this year by Google and Blackberry, Mobile Pwn2Own awards as much as $150,000 for the most advanced hacks, with a total prize pool of $425,000. In exchange, contestants agree to turn over technical details to the organizer and keep them confidential until the underlying vulnerabilities have been patched.

During the first day, according to this HP blog post, the following hacks took place:


Cindy Cohn, Digital Rights Freedom Fighter, Named EFF Executive Director

Cindy Cohn

Cindy Cohn, the Electronic Frontier Foundation’s legal director at the forefront of trying to dismantle the National Security Agency’s domestic spying apparatus long before Edward Snowden became a household name, has been named the digital rights group’s executive director.

Cohn’s elevation, effective in April, is part of a major management overhaul to the San Francisco-based group whose budget has blossomed from $1 million annually in 1999 to about $9 million this year, the group announced Wednesday. Cohn, who has been litigating the constitutionality of the NSA’s electronic eavesdropping since 2007, succeeds Shari Steele, the EFF’s top executive the past 14 years.

“Cindy is one of the smartest lawyers I’ve ever known, and a great strategist,” EFF co-founder John Gilmore said in a statement. “Cindy truly understands what makes EFF successful, and we’re thrilled she will lead the organization.”


Security Scorecard Finds Messaging Apps Need More Development

Only six out of 39 messaging applications have the features needed to guarantee the security of communications sent over the Internet, according to an analysis by the Electronic Frontier Foundation (EFF).

The results of the analysis, published as a scorecard on Tuesday, found that popular messaging apps—such as Facebook Chat, Apple’s FaceTime and iMessage, Microsoft’s Skype, and Yahoo Messenger—failed to meet all seven criteria, such as whether the application implements perfect forward secrecy and whether the source code had been audited for security. The group did the analysis as part of its campaign to promote the development of secure and usable cryptography, which is necessary in a world where government surveillance has become more common, Peter Eckersley, EFF’s technology projects director, told Ars.

The study is intended to help direct companies who are actively developing secure-communication software, he said.
