Category Archives: Incident Response

The FBI, Sony and the Attribution Problem, Part 1- Why?

Leave a reply

The recent attack on Sony has publicly paraded one of the predominant problems in incident response. While the immediate issue in incident response is of course the remediation of compromised systems and bringing these systems and IT services back online, it is entirely human to look for somewhere to cast blame. Let’s begin by fleshing out the “why” of attribution before engaging with the “how”.

Why Attribution?

For an affected entity, and for the security professionals working within it, attribution of the attacker(s) is only an ancillary concern. Certainly steps taken (or not taken) during the direct remediation of the breach are important and even essential to the later attribution effort, but priority of work must be on restoration of service. After service is restored, and the breach points corrected, the attribution process begins. Here are some reasons to perform attribution:

1. Attacker Centered Defense– If the attacker can be identified or at least have their tactics, techniques and procedures characterized, it may be possible to take steps to make their next intrusion more difficult and time consuming.

2. Legal/Governmental Retribution– Bringing criminal charges or taking other action against the attacker may deter future attackers, or may have deterrence against the current attackers if they are in a jurisdiction where criminal charges cannot be brought, but are vulnerable to intergovernmental or other pressures.

3. “Hacking Back”– This is an operation pregnant with a host of legal and ethical concerns. It may appear advantageous in the midst of an attack to attack back, but the technical reasons for doing so need to be looked at carefully. There are two scenarios where hacking back could reduce the impact of an ongoing hacking attack. One of these is a DDOS attack, where hacking back into the command and control systems of the attributed botnet may be a viable method to stem the attack. In the second scenario, stolen data belonging to the attacked entity has been definitively located (through attribution efforts) on a server, and then the entity performs a hacking operation to delete that data before it can be copied or moved. Both of these operations are patently illegal in the U.S.  due to the Computer Fraud and Abuse Act. Both also carry a low probability of success or advantage for the attacked entity. If a DDOS operation is disrupted, other botnets can be easily employed by the attacker at short notice, or they may regain control of the compromised botnet. The command and control servers may also be innocent bystanders who are unknowingly playing host to malware. Taking down the servers of a hospital or local government  or foreign military could have extremely serious human and geopolitical downsides.  In the second scenario, the attacked entity would have to be extremely proactive to get the toothpaste back into the tube. In fact, it is so difficult it may as well be regarded as functionally impossible, and there is little chance of getting all the data before it is further disseminated.

Looking at the limited reasons for attribution  and given especially the weakness of the third reason, it may be entirely reasonable for an attacked entity to decide not to pursue attribution. In the end, even having your attacker arrested will not undo the damage caused in the attack. The process of attribution is also not cost free. Additionally, any major actions taken on the basis of the attribution performed may only result in more reputation damage for the entity as the original breach and security failure is further publicized.

Why Attribute the Sony Hack? 

Obviously an attack as devastating as Sony’s–which will probably involve hundreds of millions of dollars in damage to Sony Pictures Entertainment, in addition to a substantial erosion of their reputation and personal damage to many of their prominent employees–should be answered. To decide to not attribute the attackers would make their actions seem tacitly permitted, and probably contribute to further devastating attacks against other entities. This Public Order justification is the purview of the FBI, who has taken a lead role in the investigation of the attack. Sony, of course, probably wishes nothing more than for this incident to go away and may be leaning more towards active disinterest in attribution. It isn’t as if any future lawsuit will recover their lost capital, and their threats of legal action against those who published the more tabloid-friendly portions of their internal emails are at serious risk of the Streisand Effect.

Of course, SPE is not the only actor involved. There are cyber security companies and the U.S. Government at work here as well. Attribution is in the interests of cyber security companies for reputation and prestige reasons, as a proof of their aptitude and ability. On the government side attribution can be a marker of aptitude as well, however, retribution is also a significant influence. In the global and domestic political arenas strong attribution can aid in the pursuit of other interests. Attribution has been used by the U.S. Government previously to pressure the Chinese Government in regards to their cyber espionage campaigns, and charges have been filed in the U.S. against a number of their operators.  So it comes to this. The primary reasons for attribution are political, as support for past and future actions and as an instrument of geopolitical pressure. The actions supported by attribution may include legislative efforts, international sanctions, and even electronic and physical attacks.

In Part Two of this work, having established the interests of the actors involved in attribution, we will look at the “How” of the SPE hack attribution as far as it is known publicly.

 

 

 

 

 

Obama Talks Cybersecurity, but Federal IT System Breaches Increasing

President Barack Obama has said that his proposed cybersecurity legislation is expected to bolster the private sector’s defenses. Later tonight, he is expected to urge Congress and the American public to embrace the Cyber Intelligence Sharing and Protection Act during his State of the Union address. The measure, known as CISPA, was unveiled a week ago and is controversial because it allows companies to share cyber threat information with the Department of Homeland Security—data that might include their customers’ private information.

White House

The proposal by Obama, who once threatened to veto similar legislation, comes in the wake of the December hack of Sony Pictures Entertainment and breaches of giant retailers including Target.

But new research out Tuesday from George Mason University calls into question how effective Obama’s proposal would be. That’s because the federal government’s IT professionals as a whole have “a poor track record in maintaining good cybersecurity and information-sharing practices.” What’s more, the federal bureaucracy “systematically” fails to meet its own federal cybersecurity standards despite billions of dollars in funding.

Read 7 remaining paragraphs | Comments

US (Sort of) Points to “Smoking Gun” Linking North Korea to Sony Hack

Citing anonymous sources in and close to the US government, The New York Times reports that the fingering of North Korea as responsible for the attack on the network of Sony Pictures Entertainment was through evidence gathered by National Security Agency surveillance. This includes software taps into networks associated with North Korea’s network warfare and espionage unit, Bureau 121, among others. The actual evidence, however, will likely never see the light of day because of the highly classified nature of how it was obtained.

David Sanger and Martin Fackler of the Times report that the NSA started to ramp up efforts to penetrate North Korea’s networks in 2010 to monitor the growth of Bureau 121 and the rest of the country’s “computer network exploitation” capabilities:

A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.

The evidence gathered by the “early warning radar” of software painstakingly hidden to monitor North Korea’s activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack, according to the officials and experts, who spoke on the condition of anonymity about the classified NSA operation.

The NSA’s Tailored Access Office, according to the report, “drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers, and penetrated directly into the North with the help of South Korea and other American allies.” According to NSA documents released by Der Spiegel, some of South Korea’s initial assistance was not voluntary—the NSA secretly exploited South Korea’s existing hacks of North Korea to gain intelligence information. But despite the level of access they gained, according to an unnamed investigator into the Sony Pictures attack, the NSA and other US agencies “couldn’t really understand the severity” of the attack that would be launched against Sony when they began on November 24.

Read on Ars Technica | Comments

Hacker Lexicon: What Is a Breach Notification?

Hacker Lexicon: What Is a Breach Notification?

TL;DR: Breach Notification refers to the notification that businesses, government agencies and other entities are required by law in most states to do when certain personally identifiable information is obtained, or believed to have been obtained by an unauthorized party. Breach Notification refers to the notification that businesses, government agencies and other entities are required […]

The post Hacker Lexicon: What Is a Breach Notification? appeared first on WIRED.



Real or Not, Purported Hack on US Military is a Coup for Islamic Extremists

The Twitter and YouTube accounts belonging to the US Central Command were compromised on Monday by people who claimed they hacked sensitive US military PCs and leaked confidential material in support of the Islamic State.

The compromised CENTCOM Twitter account contained graphics and text supporting the Islamic State in Iraq and Syria (ISIS), and it warned the US to expect more hacks. It was carried out by a person or group dubbed the CyberCaliphate. Central Command is one of nine unified commands in the US military. With its area of responsibility covering Afghanistan, Iraq, Syria, and Iran, it leads the US campaign against Islamic State extremists. Monday’s attacks appeared to be carried out by the same group that earlier this month commandeered the Twitter accounts of CBS affiliate WBOC-TV and the Albuquerque Journal.

At the time this post was being prepared, there was conflicting evidence supporting the claim that anything more than CENTCOM’s Twitter and YouTube accounts were compromised. Files linked in a post on Pastebin contained what appeared to be rosters of US military personnel, including contact information for Army commands and retired Army generals. A separate series of documents, contained in a folder titled war-scenarios, showed PowerPoint slides that appeared to be related to war games exercises involving China, North Korea, and regions in Africa, Indonesia, and the Caspian. One slide in a file titled SOCOM_Africa_Scenario.ppt was dated January 12, 2015. It proposed a CIA operation in Congo and Southern Africa dubbed “Operation Cakewalk” to seize yellowcake uranium. CENTCOM officials confirmed the compromise of the social networking accounts but told CNN none of the leaked documents appeared to be classified.

Read 2 remaining paragraphs | Comments

How Splitting a Computer Into Multiple Realities Can Protect You From Hackers

How Splitting a Computer Into Multiple Realities Can Protect You From Hackers

Jelle Martens Eight years ago, Polish hacker Joanna Rutkowska was experimenting with rootkits—tough-to-detect spyware that infects the deepest level of a computer’s operating system—when she came up with a devious notion: What if, instead of putting spyware inside a victim’s computer, you put the victim’s computer inside the spyware? At the time, a technology known […]

The post How Splitting a Computer Into Multiple Realities Can Protect You From Hackers appeared first on WIRED.



FBI’s Most Wanted Cybercriminal Used His Cat’s Name as a Password

When he was arrested at his Chicago home in 2012 for hacking the website of security think tank Stratfor, the dreadlocked Jeremy Hammond was the FBI’s most wanted cybercriminal. Authorities tracked him down with the help of top LulzSec member Hector Xavier Monsegur. But it has never been known how they managed to shut the lid of him computer, effectively encrypting the contents of Hammond’s hard drive, which the hacker was able to encrypt as agents armed with assault rifles were raiding his home.

An Associated Press profile of the 29-year-old’s life behind bars provides a possible answer. Hammond’s password was “Chewy 123.”

Hashing algorithms protecting encryption keys are by design extremely slow, making cracking attacks harder to carry out. The more guesses the attacker tries the exponentially longer it will take. As demonstrated in previous Ars articles such as Why passwords have never been weaker—and crackers have never been stronger and Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”, “Chewy 123” would be among the earlier candidates any experienced cracker would try. And assuming agents performed any research on their then suspect, “Chewy 123” would almost certainly have been near the top of the list. “Chewy,” it turns out, was the name of Hammond’s cat.

Read 1 remaining paragraphs | Comments

This System Will Self Destruct: Crimeware Gets Powerful New Functions

Researchers have discovered new capabilities in the BlackEnergy crimeware tool that significantly extend its reach. The ability to run on network devices, steal digital certificates, and render infected computers unbootable are just a few of new-found weapons in its arsenal.

BlackEnergy emerged as a tool for launching denial-of-service attacks. It later morphed into crimeware used to funnel banking credentials and most recently was observed as a refitted piece of software for espionage that targeted the North Atlantic Treaty Organization, Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year. In this last incarnation, BlackEnergy in some cases was installed by exploiting a previously unknown vulnerability in Microsoft Windows systems.

According to a report published Monday by security firm Kaspersky Labs, the breadth of BlackEnergy goes even further. A host of extensions customized for both Windows and Linux systems contain commands for carrying out DoS attacks, stealing passwords, scanning ports, logging IP sources, covertly taking screenshots, gaining persistent access to command and control channels, and destroying hard drives. Researchers Kurt Baumgartner and Maria Garnaeva also acquired a version that works on ARM- and MIPS-based systems and uncovered evidence BlackEnergy has infected networking devices manufactured by Cisco Systems. They are unsure precisely what the purpose is for some plugins, including one that gathers device instance IDs and other information on connected USB drives and another that collects details on the BIOS, motherboard, and processor of infected systems.

Read 3 remaining paragraphs | Comments

RemoteIE gives free access to Internet Explorer VMs without the VM

For some time now, Microsoft has offered free Windows virtual machine images to make it easier for Web developers to test their work in a bunch of different Internet Explorer versions. A new beta scheme launched today takes that one step further: with RemoteIE, devs don’t even need to download and run the virtual machine. Microsoft will run the VMs instead, using its Azure RemoteApp service to provide remote access.

Access to the remote Internet Explorer is provided through the RemoteApp client. This is a close relative of the regular Windows Remote Desktop app, and like the Remote Desktop app, it’s available on a number of platforms; not just Windows and OS X, but also iOS, and Android.

With RemoteIE, developers have full access to Internet Explorer and all its features, albeit only with software-mode WebGL. F12 developer tools are available, though there’s no ability to install add-ons or extensions to the remote browser. Sessions are limited to 60 minutes presently and will disconnect after 10 minutes of inactivity.

Read 1 remaining paragraphs | Comments