Hacker News: xnull1guest's comments

The sophistication of the attack is pretty questionable IMO. The malware used can be purchased by anyone on the black market and had been used before by Iranian hackers in 2012. Furthermore, spearphishing emails were used to get inside the network. Furthermore, how would sophistication be evidence against a State actor with (a reported) 7,000 personnel?


When I hear "sophisticated" in the context of a breach, I think "we weren't paying attention"


There are absolutely differing levels of sophistication in cyber attacks. The presence of new exploits, clever persistence mechanisms, evidence of a staged attack involving multiple targets (i.e. attacking a company through a compromised vendor, using a certificate from a prior breach), ability to break out of security boundaries like hypervisors, custom malware, jumping of air gaps, handling of multi-factor authentication, clever use and depth of reconnaissance, ability to change tactics in response to detection, specialization across multiple security contexts, highly scoped and pre-planned operations; these are some things that suggest higher levels of sophistication.

Unfortunately the term is thrown around pretty loosely, limiting the usefulness of the term.


Yep, exactly.

Stuxnet was sophisticated.

The Sony hack likely wasn't. Though it was done by a persistent and patient group of attackers.


Certainly false flag operations are a tactic that has seen reliable and regular use, especially in counterintelligence. But what purpose exactly would a false flag operation against SONY serve? Definitely not as a pretext to take action against North Korea - the US could much more easily justify actions against NK than it has many other nations in its history.


Playing devil's advocate here:

<devil's advocate>

The NSA is arguably having a credibility problem at home in the US. It needs to convince the tech industry that there are enemies abroad who threaten their security, and attacks by nation states (who aren't the US) is something that is real.

North Korea is a great scapegoat. They can deny it all they want, and we don't care about the diplomatic costs, because it can't get any worse. People can't demand sanctions, can't demand recall of ambassadors, the only thing anyone could demand would be going to war with them, but for the most part, we don't care. They're the crazy uncle of the world stage. So basically, the only problem would be if the NSA got caught lying about it.

</devil's advocate>

However, getting caught would probably be the worst possible thing for the NSA (remember, there is likely still a leaker inside); as it would jeopardize the main benefit from doing this in the first place. So I don't think the risk versus reward pans out. That said if North Korea IS behind it, the above motivation for speaking out is still valid.


I similarly don't see the risk (and collateral damage) v. reward pan out. Plus there are so many legitimate cyber attacks against the United States, it would seem like a waste of resources. And it doesn't seem to me like the NSA would so joyously release the Lynton/Bennett/State Department emails. If they wanted to paint NK in a bad light this would seem so counter to that goal.


Schneier said there are three. The 2nd leaking the Merkel and X-KEYSCORE and the third connected to NCTC.

Also one was supposedly raided by the FBI at the end of October but that story was never updated.


It's certainly being used as a pretext to lock down legal control of independent computation. The proposed updates to the CFAA and Obama's siding with Cameron on the intolerability of government-opaque communications have more credibility as a result of it. And it lends credibility to the steady reports from "a government official with knowledge of the matter" that US infrastructure is only an exploit away from being disabled by a hostile nation state, and to possible anti-hacker propaganda like the movie "Blackhat."


Can you link a reference? I haven't yet seen it being used to justify any such legislation.


They could use the North Korea "attack" to justify more local measures, you know, banning encryption, tighter regulations, more penalties... more or less what has been happening in the last weeks.


I absolutely believe that attacks are used as conveniences to justify legislative wishlists, but question whether such things are planned in advance like you are suggesting or are opportunistic responses to actual events.

Regarding encryption bans I've mostly seen justification referencing the Charlie Hebdo attacks (which are assuredly not a false flag).

Personally I believe that North Korean sympathizers were behind the SONY attacks given a number of pieces of evidence, but most heavily the #GOP leaks of emails detailing SONY collaboration with the US State Department and RAND Corporation that point toward The Interview being a strategic diplomacy product.


I think the recent re-introduction of CISPA and calls by world leaders to end encryption hint at the cui bono.


Weren't the calls to ban crypto in response to the Charlie Hebdo attacks? Wouldn't the elimination of strong crypto make cyberattacks much worse?


We know that the NSA tapped into computer systems and the backbone of essentially every country on Earth - I don't see how NK would have somehow been excluded.

What's interesting is what information the New York Times includes that is not covered in the NSA document, presumably from unidentified officials and former officials.

The document on Der Spiegel speaks primarily about taking copies of intelligence from SK hacking efforts against NK and also taking copies of intelligence from NK hacking efforts that had in turn been hacked by SK (and in turn by NSA - "fifth party collection").

The document mentions the NSA's unwillingness to rely on intelligence filtered through so many third parties and that it made efforts to establish its own foothold.

Essentially none of the article is backed by the document as a first source and must have come from the unnamed sources.


I believe the reason this is "a big deal" is due to how the average US citizen reacted over the recent Sony Breach and the US Government's blame of NK (I might add with no supporting evidence, most industry professionals in high doubt, and even some security companies providing evidence to the contrary of statements by the government).

The average US citizen was outraged that some other government would have the audacity to hack anything in the US. This article's goal seems to be to point out that the US Government is hacking all other nations' governments, including NK. (pot calling the kettle black)


To be fair, there were other issues involved in the Sony hack that are not present in NSA spying.

- The North Koreans attempted to impose a heckler's veto on speech by private citizens of the United States.

- The Sony hack had direct and very visible consequences for Americans (economic consequences, release of personal data like salaries and health information, embarrassment of people by releasing private communications).

It's entirely possible to take the position that countries are going to engage in espionage, but that there should be norms about how intelligence services behave. Right now we're all trying to figure out what those norms are.


Thank you for mentioning international cyber operation norms. This is the center of US international cyberpolicy efforts. Ontologies describing categories of cyber operations often place destructive attacks like the one against SONY into a category of its own and these are usually considered fair only in very particular scenarios of provocation.

An addendum here regarding 'free speech'. There is some question about The Interview being a propaganda effort on behalf of the US State Department (which was given a preview as early as July) since #GOP released emails where CEO Lynton discusses the effects of the ending with RAND Corporation strategist and nuclear deterrence specialist Bruce Bennett and Lynton confirmed analysis of its effectiveness with Senior State Department officials. (It also doesn't help that the script writer was asked specifically to consider changing his character from an anonymous leader of NK to Kim Jong-Un).


"To be fair," there are norms about how intelligence services behave. That we, the proletariat, aren't aware of them doesn't make them any less real. That they've either changed or that we've only just discovered what they are doesn't say anything about what they are or used to be.

"Norms" don't necessarily make things objectively or even subjectively better. They just make them standard. Asking for norms will get you absolutely nothing, even if you get what you ask for: They'll just establish what they're already doing as normal, and continue to not tell you about the new things they start doing. Because that's what intelligence is; if they told people what they were doing, for better or worse, people would make it harder for them to do.


The norms in question are those of cyber attacks. This includes but is not limited to intelligence operations. The SONY attack, for example, was not an intelligence operation. The downing of the Syrian air force was not an intelligence operation. Nor was Stuxnet or the Georgia cyberattack.

Norms are important because they are precursors to law (in this case international law). Norms create ground upon which a country can accuse another, a ground upon which you can achieve consensus among many parties, and norms set expectations of behavior that if loosely followed every country can benefit from.


I hold Sony primarily responsible for the release of private data, due to their ignoring basic security practices. Why are health records stored on Sony Pictures servers along with everything else? Why were data silos and graduated access not in place? I never see any of these corporate officers held to account for their decisions to not spend resources for security. The only people I have any measure of sympathy for are the rank-and-file employees caught in the middle of decisions made by well-compensated executives who never have to face the consequences of their disregard for anything other than themselves and their own compensation.

I have to take issue with "norms" for intelligence services as well. These are groups with no morals or ethics, what makes you think they would ever adhere to any sort of "norm." These are criminals and criminals do not adhere to norms imposed from anyone other than themselves.


I seem to be in the minority on Hacker News, but as someone in the professional computer security field I know that any company or state/department/organization can be hacked by a motivated attacker. In the case of SONY, the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent. The malware similarly could not have been detected, as signatures for this specific compilation were not known.

I have a hard time blaming the victim of a cyber attack that would have been practically impossible to prevent. I agree that SONY made bad decisions with regard to its hoarding of unnecessary data, but also recognize that this is hardly unique to SONY and not standard advice given by security professionals (it should be).

Norms are important so that you can accuse 'groups with no morals or ethics' of doing something wrong. Norms may only discourage and not prevent behavior but without norms it's difficult to find common ground for behavior that may otherwise be chalked up to 'culture' or 'tradition' or 'nature'.


> but as someone in the professional computer security field I know that any company or state/department/organization can be hacked by a motivated attacker.

You seem to give Sony too much credit, and also forget that they had a file server with open internal access which had a directory called "Passwords" which contained a plain text file with all the credentials to their internal servers.

That's something I'd expect to see at some small business with no professional IT on staff... certainly not from a multi-billion dollar company with thousands of employees and a full-time professional IT staff.

Sure, the attackers may very well have spearphished their way inside, but once inside, they didn't have to go through any of the normal hassles of island-hopping with more exploits, etc. They just logged in like they belonged.

Motivated attacker or script-kiddy, once inside, Sony made it awfully easy.


> You seem to give Sony too much credit, and also forget that they had a file server with open internal access which had a directory called "Passwords" which contained a plain text file with all the credentials to their internal servers.

FWIW this is my experience with multi-billion dollar companies with thousands of employees and full time professional IT staff.

Perhaps we can get other security professionals to chime in.

Once you get a foothold in a corporate environment, it is the unfortunate truth (I'm sure others will back me up here) that it is very easy to move around without 'island hopping with exploits'. For the most part, pivoting by passing-the-hash will work for 99% of networks.

It is also my understanding that the malware that was purchased for this compromise had the capability to persist across the network, to exfiltrate data, and to sabotage computers.


> the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent

I'd challenge that assertion. Employees are often the first line of defense for any company, be it seeing something suspicious or knowing when to alert the right people. Investing in phishing attack training can be very worthwhile. Or at least adopt a strict company policy that helps ward off the basic forms of this attack.

It's not uncommon to have a company-wide policy that users are not allowed to open attachments in any email from anyone without IT's approval. It's inconvenient, sure, but it protects against multiple email-based attacks (everything from simple viruses to more advanced phishing attacks).

There's even phishing attack training specifically targeted at large enterprise (they send phishing attack emails to your targeted employees and when they fall for it, they get a quick lesson and explanation). [1]

[1] http://threatsim.com/how-it-works/


I have never seen corporate policy with regard to attachments and link following effectively thwart a spearphishing campaign and have been privy to studies done at large corporations before and after phishing-awareness training. The short of these studies is that after approximately a week employees mostly reverted to regular habits and that during the week of high alert many employees fell to the internal audit anyway.

Then again, this is only from two studies done at one large corporation.

I looked around but could not find any studies or data about the long term effectiveness of phishing awareness campaigns (only PR junk), nor could I find evidence that SONY did not engage employees with these sorts of policies and training. Do you know of any such studies?

Do you believe that #GOP would not have gotten in if there were more strict policies and more frequent training?


> In the case of SONY, the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent.

Investment can make spearphishing much harder. Defense is not always absolute, but about raising the cost for the attacker.


I agree that all security is a cost-benefit tradeoff. This is of course folklore wisdom. The importance with regard to the SONY case is that SONY was not the victim of an opportunistic attack but was targeted specifically. In this case, it is highly likely that SONY did invest in training its employees in corporate policy and security awareness (at least as much as any other corporation).

I have trouble thinking of a cost-effective way that SONY could have prevented #GOP from getting in.

IMO SONY had two failures:

1.) The hoarding of data. Again I don't think that this is uncommon. I would expect to see this at pretty much any company of their size.

2.) The lack of an ability to respond to the APT once it was discovered. This is extremely tricky business, but a critical piece of security. It is common now for businesses to assume that they have been compromised and to build out the capability to recover and isolate issues as quickly as possible. Unfortunately for SONY, all of their data had been exfiltrated out of the network by the time they knew there was a problem.


> The importance with regard to the SONY case is that SONY was not the victim of an opportunistic attack but was targeted specifically.

Amazon, Google etc are specifically targeted all the time. What's different?


Nothing is different if they are also targeted specifically.

The context of the discussion is that SONY, even if it 'increased spending on defense' would have been compromised because it was targeted in an attack rather than an attack of opportunity.

Amazon and Google also get hacked. So does Adobe and Microsoft. So does the DoD and White House. So does JPMorgan and Wall Street.


> Amazon and Google also get hacked. So does Adobe and Microsoft. So does the DoD and White House. So does JPMorgan and Wall Street.

The difference between Sony and the other companies you listed is the effort they put into security/technology-defense.

Yes, anyone might be hacked. That doesn't mean you just throw your arms up and let it happen. Sony effectively threw their arms up.


Ditto, keep in mind that so-called "hacking" isn't just digital. Social engineering in many instances is involved in hacks. Boil it down to not only discovering vulnerabilities in code, but people as well.


I agree about lack of basic security, and that's the reason we have security compliance programs. Security Awareness Training, classification of health records as sensitive, and properly segmenting those sensitive health records from the rest of the environment are all appropriate controls that security compliance prescribes. It took me 6 months to decipher PCI and 3 months to implement. To others, compliance may seem like a joke, but I felt very confident that at least I had done 100% my due diligence in protecting our customers and employees. I think that's all they can ask and all we can give, 100% honest due diligence.


Interesting. I had thought it was common knowledge at this point that the US regularly hacks and is hacked by other nations.

I think the biggest splash this article may have is added narrative supporting the truthiness of USG attribution to NK - something that seems to be held in high doubt by a large percentage of the technical crowd (but that I think seems pretty reasonable).


People forget that before Snowden the story was how bad the US's cyber intelligence was compared to China, etc.


It's perfectly fine to be OK with your government hacking other countries while also being mad when those other countries do the same thing (though it's foolish to be shocked when it happens).


> It's perfectly fine to be OK with your government hacking other countries while also being mad when those other countries do the same thing (though it's foolish to be shocked when it happens).

I would disagree that this opinion is fine; this is only fine if one selfishly considers oneself more important than the 7000000000+ other people on the planet.


Do you really not consider yourself and family more important than most of the 7000000000+ other people on the planet? There are plenty of people more important than me, but I wouldn't sacrifice myself for any of them. In the same vein, it would be foolish for me, a US citizen, to say that my government should intentionally weaken itself for the benefit of the citizenry of other countries.


> ...government should intentionally weaken itself for the benefit of the citizenry of other countries.

Considering that the majority of Earth's people and natural resources lie outside the US, the long-term best move for the US is to promote global stability and equality. It's not a matter of weakness vs. strength, but short-term vs. long-term thinking.

> There are plenty of people more important than me, but I wouldn't sacrifice myself for any of them.

Personally, I think humanity as a whole is pretty important. I wouldn't sacrifice myself for one other person without a really good reason, but I'm more than happy to accept a small short term decrease in local living standards in exchange for the long term stability and prosperity that would come from raising global living standards.

Specifically with regards to surveillance, the NSA is weakening the long-term position of US companies by leaving their systems and software vulnerable to known exploits, and by their actions, encouraging other countries to do the same. It's a negative sum game.


  Searching all directions
  with your awareness,
  you find no one dearer
      than yourself.
  In the same way, others
  are thickly dear to themselves.
  So you shouldn't hurt others
      if you love yourself.
http://www.accesstoinsight.org/tipitaka/kn/ud/ud.5.01.than.h...


And another thing from Spiegel's article. NSA routinely attacks targets and then makes it look as if someone else did it:

> But the loot isn't delivered directly to ROC's IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else's servers, making it look as though they were the perpetrators.

So how do we really know it was North Korea, and not just NSA planting that evidence that NK hacked Sony in those two months? I mean other than "trusting NSA"?


We can't really know. There is no way to be perfectly certain.

That said, one can apply an Occam's calculus using whatever information and reasoning you do trust. I personally trust that, whoever the #GOP was, they were motivated by SONY's role in developing "the movie of terrorism". This seems to me to be consistent with what the group published and with their 'Christmas surprise' showing collaboration between the State Department and SONY on the development of the movie related to its diplomatic value - something I don't think the NSA or allies would do. So I think the group had NK sympathies in mind. Granted, this doesn't rule out attribution to other states or hacktivists who hold these sympathies.


This post is another example of a trend in this thread to down vote the on-topic posts. Am I the only one that noticed that the highest voted comment in this thread is about Clapper splitting the bill? Why aren't we discussing the rest of the article?


Thanks. From what I can tell you agree with:

> there is no encryption for there to be escrowed for large or critical parts of the infrastructure

That is to say that TLAs get access to records before encryption is ever applied to them (I would tend to agree with this) thus obviating the need for escrow. Laws requiring key escrow, then, become red herrings to the larger discussion about the legality of access.

I personally would classify 'partnerships' under extralegal pressure. Under this interpretation you do seem to agree with the GP comment - though I would understand if one were to argue that for some important semantic reason I asked the question with the wrong word. I would probably agree that 'partnerships' are only a strict subset and not synonyms for extralegal pressure.

It does appear that there are partnerships with some digital corporations and that PRISM is a program for corporations that resist 'partnered' access to records. Given the history of telecoms and their development of partnerships, current development of partnerships in our industry and known applications of extralegal pressure in our industry, we ought to be especially watchful.


Briefly: There has been plenty of misreporting about PRISM. I tried to correct some of that in 2013 here: http://www.cnet.com/news/no-evidence-of-nsas-direct-access-t... (Note the Washington Post backed away from their initial claims and rewrote its original PRISM story.)


Thank you again for your reply. I am aware of the confusion regarding PRISM and its 'vernacular' use to encompass the activities from other disclosed programs in addition to confusion about its particular details.

In your haste I'm afraid you may have drafted a response that is not on the topic of its parent, though this is okay since it appears the conversation found a natural and agreeable conclusion.


I agree with the author that in the short game not providing your own accounts is attractive. However in the long game it doesn't look so good. Unfortunately there are problems with using federated auth everywhere.

* It's a single place for a compromise to occur - the devastation of a serious identity provider hack completely upends the security of huge swaths of the internet in a single shot

* Breaks in fedauth protocols and implementations, similarly, present a large auth crisis for the entire Web

* It's a single place for legal or extralegal pressure for governments to access services and data on behalf of everyone

* It creates market friction. If federated login had been around in large numbers when Myspace was the big social platform we'd still be using Myspace for the sheer reason we need it to vouch for our identity. It makes the big fedauth players 'too important to fail'

One should consider options carefully and determine whether a good user experience can be offered without further centralizing the Web.


- The malware used by the group had fingerprints and components of known Iranian, Korean and Russian malware and is a package sold on black market forums.

- The malware used was nearly identical to that used by the Iranian group who attacked the Aramco oil company in Saudi Arabia in 2012.

- Linguistic analysis of the communications by #GOP suggest a native Russian author.

- SONY had given the US State Department a preview of The Interview in July 2014 (after the Smith-Mundt anti-propaganda law was immolated) and SONY was contracting with RAND Corporation specialist Bruce Bennett, a specialist on nuclear deterrence (NK is a nuclear state) and North Korea.

- Leaked emails with Bennett have him discussing the effectiveness of the movie to cause instability in North Korea.

Now McAfee is claiming the group had anti-trust motivations?

The SONY hack gets more and more interesting.


Err... what? Maybe I'm dense, but if you want to cause instability in a dictatorship, a blatantly Hollywood-style comedy movie where some American dudes kill the nation's leader in a graphically gruesome fashion is not what I'd expect. If anything, it will help North Korean propaganda. ("See those American Imperialists insult our great country! Death to America!")

Besides, how many North Koreans would ever see this movie, anyway?


If there is anyone in doubt in NK about their glorious leader, seeing this film may just push them over the edge, knowing that the assassination of their leader is something that the world wants. Plus, there's more to the movie than just assassination - it's also a reflection of the condition of the North Korean people, and the constraints placed upon their lives by a repressive regime. Sometimes all that's needed to push the needle into the red-zone of revolution is a reminder that things are not always as they seem; while I personally think it's a stupid movie from a puerile industry, my opinion doesn't matter here. The North Korean people have to decide for themselves if they can do something about their dire circumstances, and what to do... perhaps this movie will plant some hints in someone's mind, and something will get done about it.

(Disclaimer: I'm no fan of Hollywood being used as a tool for propaganda against us by our own imperial, authoritarian masters, either... it's a double-edged sword...)


> Besides, how many North Koreans would ever see this movie, anyway?

The number is not zero. According to a PBS Frontline documentary, there are smugglers that bring video players, USB thumb drives, and DVDs with movies into North Korea.


Well, your analysis differs from the North Korean specialists and the State Department.

From the leaked SONY emails:

“The North has never executed an artillery attack against the balloon launching areas. So it is very hard to tell what is pure bluster from North Korea, since they use the term ‘act of war’ so commonly,” wrote Bennett. “I also thought a bunch more about the ending. I have to admit that the only resolution I can see to the North Korean nuclear and other threats is for the North Korean regime to eventually go away.”

“In fact, when I have briefed my book on ‘preparing for the possibility of a North Korean collapse’ [Sept 2013], I have been clear that the assassination of Kim Jong-Un is the most likely path to a collapse of the North Korean government. Thus while toning down the ending may reduce the North Korean response, I believe that a story that talks about the removal of the Kim family regime and the creation of a new government by the North Korean people (well, at least the elites) will start some real thinking in South Korea and, I believe, in the North once the DVD leaks into the North (which it almost certainly will). So from a personal perspective, I would personally prefer to leave the ending alone.”

http://www.thedailybeast.com/articles/2014/12/17/exclusive-s...

http://nypost.com/2014/12/17/us-officials-approved-kim-jong-...

http://www.huffingtonpost.com/2014/12/17/the-interview-us-go...

http://www.politico.com/story/2014/12/the-interview-state-de...

As far as it leaking into NK, South Korean activists had promised publicly that they would fly some via the balloons Bennett mentions in the quote.

Further leaked conversation with Lynton (CEO) confirm that senior State Department officials agree with Bennett's analysis.

Oh, and executives asked Dan Sterling (the script writer) to change his character from a nondescript anonymous leader of North Korea to Kim Jong-Un and a member of the Kim family specifically.


This is sort of off topic, but it is amusing.

I would guess that it is a combination of:

- A deemphasis of poetry and literary studies in the concept of being educated and cultured

- The rise of writing staff and PR professionals in the practice of engaging with the public

- The relative lack of importance writing has today compared to newer picture and video delivery (media is message, etc)

- Inherited nostalgia for forms associated with 'classic' art styles


It is not about terrorism - it is that technology like this threatens the current level of the capability of the state to enforce its laws. Imagine instead the use of encryption among the financial elite to conspire to defraud speculation markets or manipulate stock prices. Or enemy states using encryption to thwart espionage attempts. Or insurgents and soldiers engaged with US troops around the world to organize efforts to put up resistance.

Remember that Julius Caesar famously sought to make pen and paper illegal because he saw such low barriers to fast potentially secret communication a threat to Rome's security.

I know of no case reasonably called terrorism where encryption played a role in thwarting intelligence efforts.

> I suppose if we make it illegal, the terrorists will just have to make do with weak encryption.

When encryption is outlawed, only outlaws will have encryption.


If it's not about terrorism, somebody should tell Obama; that's his quote I pulled.

Now, regarding:

> the use of encryption among the financial elite to conspire to defraud speculation markets or manipulate stock prices

Is anyone going to attempt to argue that encryption facilitates more fraud than it prevents?

> When encryption is outlawed, only outlaws will have encryption.

Right. I find it hard to believe that Obama and Cameron are going to take away our encryption and somehow convince our adversaries to abide by those rules.


> somebody should tell Obama

Oh he knows. Lip service to the public about terrorism is just that.

> Is anyone going to attempt to argue that encryption facilitates more fraud than it prevents?

No idea.

Keeping things on topic: financial fraud, insider trading, etc. are examples where strong encryption does complicate the state's ability to enforce and investigate illegal activity. The purpose here is to draw from a well of motivation other than the oft-cited but never seen use of encryption in 'terrorism'.

The government's fear is that ubiquitous access to these tools will deprecate the executive branch. All tools from nuclear enrichment to hammers to animal husbandry have noble and malicious potential. Encryption is no different. The executive branch's job is to allow the noble purposes and to discourage, prevent, investigate and indict the malicious.

From the perspective of the executive, encryption presents a serious hurdle to the pursuit of the malicious.

Yet disagreements between the public and the executive about the scope and breadth of executive practices, along with the US incarceration rate, the legal exceptionality of the rich and powerful, and general unease with the current power structure, coupled with traditional mythical US values, mean that the public would like guarantees about their ability to communicate without being searched.

The US public wants its cake and to eat it too. Secure and private communication for the masses that cannot be intercepted. But it wants the executive branch to be able to enforce the law and to investigate broadly.

The executive branch has made many proposals to this middle ground: the clipper chip and key escrow, proliferation of weak cryptography and the use of third party doctrine as a buffer zone mechanism all represent compromises the executive branch has made.

What it comes down to is that the US public does not trust the executive branch not to abuse a middle ground - it points to historical and current examples of extralegal abuse - and in general feels that its government represents their interests but only after compromises with other 'more important' interests (international and domestic elite).

That is to say that the current state of "front door" encryption is a compromise made by the executive but one that the public does not trust.

Yet the public still wants law enforcement to be able to investigate insider trading.

So the government is in a bind. The government is justified to the people by its ability to enforce the laws of the land - if it can't, even for technical reasons - it will have difficulty seeming justified. The government's solution is to invoke the boogieman. 'Terrorists' will get you if we don't compromise. 'Pedophiles' will get your kids if we don't compromise.

But no, it's not about terrorism - it's that the government does not know how it will be able to stand up to proper strong cryptography in the case of true and perceived malicious use.

Freedom is like a dove, yadda yadda.

Encryption is like osteoporosis.

> Right. I find it hard to believe that Obama and Cameron are going to take away our encryption and somehow convince our adversaries to abide by those rules.

Entirely. Historically this has been achieved by subversion of cryptographic methods, consumer products and standards and misinformation about security margins. It has made legitimate strong cryptography hard to come by but not specifically illegal. It is likely to become more and more difficult to perform this sort of influence now that the cat is out of the bag.


This kind of "privacy" (the absence of institutionalized absolute compelled disclosure to law enforcement, along with broadly cast suspicionless search) was once called liberty and freedom by American mythological forefathers.


Most bad drivers I know are convinced they are 'good drivers'...


Right, the problem is self-awareness. You'd want to convince bad drivers that they are bad, hoping this makes them try to improve.

