Cyber WAR indeed… <Shakes head>
Since the Charlie Hebdo attacks it seems that Anonymous has finally become self aware about the online jihad that has been going on for years now. While I can laud their determination and willingness to… Help… I cannot agree with what they are doing with their blunderbuss approach to the taking down of ISIS online. You see kids there is more to all of this than just knocking off some poorly secured sites that the jihobbyists run to end the threat of daesh. Oh, and yeah, by the way call them daesh at least huh? If you do a little reading about them you will learn that daesh loosely translated from their Arabic acronym means “to crush under a boot” they don’t like it.
Anyway, back to what I was saying here. Look, I know you want to help (some of you that is) Others are looking for a quick fix and media attention, which hey, if Mandiant and Crowdstrike can do it so can you right? The main thing though is that if you are going to prosecute a war on terror then you should at least try to be helpful to the IC while you are at it okay? The second thing is that you are all fighting a battle you cannot win here and no matter how you try you are only getting in the way of things in reality. What do I mean? Well, let’s look at it this way;
If you take all the sites down for however long you will only force them to make other sites that are more under the radar. You will be also teaching them about security and you don’t want to be doing that do you? Say, did you see the article from Glenn Greenwald about how Iran learned from our Stuxnet attacks on them and are now a real threat? Yeah, see, it’s a double edged sword kids.
I have looked at all your plans and really only one site in the lists there was important to the jihobbyists as a platform of getting the word out. On the other front though, your Twitter war has been interesting to watch as well. Take it from one guy who has been doing this a while *cough jihaditwits cough* it is not really all about taking down the accounts. It’s about learning who the talkers are, who they talk to, and what the pipeline is for propaganda to take down, not just scatter-shot take-downs of accounts. Moreover let’s talk about doxing these guys and providing that to LE huh? I know, I sound like a broken record right? Look, we could use all the help we can get out there.
Back to the Twitter war though, let’s talk about this a bit. You see that graphic above? Yeah, those are just a small sample of accounts that I have collected recently. There are ZILLIONS of these guys out there on twitter re-tweeting links to content from Syria and other places. Have you stopped them? What? You haven’t gotten them yet? Let me tell you, you won’t either. The sad fact is this is the biggest game of whack-a-mole there ever was. I recently stopped altogether because I had to take stock of what I was doing. Was it having any effect at all? Even with my targeting of players who were really plugged in was I having a positive effect? Well, I guess I was from the point that I got the fatwa’s and the warnings about the account but in the end I was kind of meh about it so I took a break. I am back though and I wanted to share with you my thoughts on your “digilante” war.
So here are my parting thoughts…
- MMD, you gotta stop bein so derpy.
- Anonymous, work smart and not just carpet bomb here
- Share your dox with LE
- If you are going to go after Twitter accounts make them count. QUALITY OVER QUANTITY PLEASE
- Do your research and understand the propaganda war going on here kids. You knock out one channel they will open another
- Understand that you are teaching these idiots! You will eventually make them smarter
- It may feel like you are doing something but you really aren’t from the perspective of the GWOT
- While you may feel like the propaganda war is being won by you, the reality is that they love to be martyrs so you are only going to make them work harder and gather more followers
With all that said, I am sure you will continue doing what you are doing. Even more so once the news cycles start stroking the collective ego’s involved. Just know that you are not stopping them. Stopping them is up to the governments of the world and the military forces that will eventually have to kill or capture them all.
In the wake of the release that Anthem has been hacked I have been taking stock of where we are today where information security is concerned. It seems that if you just look at the industry through the lens of the news media, we are all under constant assault by so called advanced actors out to steal us blind, spy on us, or take our personal data by exotic means that are inscrutable. The realities though are far from the truth where it concerns the advanced nature of the attacks that play into the media and marketing blitzkriegs by companies like Crowdstrike or Mandiant/FireEye are hawking.
The realities are that today we have businesses selling intelligence wholesale to corporations that are not mature enough to use the data they are being sold. On average, the data being sold by these companies is nothing you cannot get from open source arena’s for free and on the whole are overly focused on attribution of groups and actors. While a mature organization might have use of these feeds and reports on various groups the average company out there today just cannot use the data because they lack the practices and people to truly understand the information as well as apply it to their orgs.
Clearly the business model today is intelligence centric and completely lacking in the areas of not only showing companies how to use their intelligence feeds to help in detection but also how to fortify their environments against the attacks to start. Richard Bejtlich was recently on a panel in front of the Senate when he made the comment that many times after his company Mandiant, had been on an engagement with a client they were once again compromised shortly after they left. This comment alone shows just how little these companies like Mandiant are having any effect on teaching these companies how to at least detect if not halt attacks. Attacks mind you, that are not necessarily advanced as the APT moniker implies.
Let’s face the fact that most attacks today do not come from exotic 0day and sneaky DMZ hacks. No, instead these hacks happen through social engineering and phishing attacks. Sure some hackers may be using 0day within their phish attacks but it has been my experience along with many others, that it does not require a 0day to hack a corporate network today. The problems with many corporations stem from a lack of security awareness as well as presence within the org to instil secure practices like patch management and employee awareness on what a phish looks like and how to detect them. Neither of these skills are things that Mandiant or Crowdstrike offers as a primary service. After all, if they did and it really caught on, where would they make their money?
Still however, it is not Mandiant or Crowdstrikes problem is it? They are in the business of incident response and threat intelligence right? No, the real issue here is that both of these companies perpetuate the idea that attribution is the key to stopping all your hacking woes and not so much about having the proper security infrastructure to mitigate these attacks. And by infrastructure I do not mean just hardware and software, I also mean people with skill sets and an organization that understands security from the CEO down. This is the primary issue that I have seen throughout my career in penetration testing and information security. Frankly, it is one of the biggest reasons that pentesters love doing what they do, the corporations make it easy for them because they don’t have a security mindset.
I cannot tell you how many times over the years I have seen orgs that had grossly misconfigured systems as well as a lack of processes or policies that would mandate that things be run securely. Add this to the notion that these companies also lack real telemetry to track incursions and you have an org without any insight into how it operates as well as what traffic is going in and out of their domain. This is endemic in corporate America and anyone who tells you any different has an agenda to cover their own ass. Collectively corporate America should be totally afraid of what POTUS has proposed in the way of intelligence sharing and not because they should be worried about PII. The real fact of the matter is that they are all going to be worried that they will have to actually perform due diligence, spend money, and have actively operational security programs to feed that information to the sharing program to start.
I would like to change the rhetorical argument then from caring about the who so much and more about the how a hack happens. How did the adversary get in? How did they leverage the vulnerabilities within the company to steal the data without being seen? How did the company miss all of this ex-filtration of data in the first place? These are questions I would be asking first say about Sony than who did it? Was it North Korea? Instead, let’s talk about the organizations failures in security and how they can better shore them up to stop the next attack instead of banging the attribution gong so loudly.
With the announcement today of approximately 80 million records being stolen from Anthem and the usual buzz words of advanced attack ringing in the air, I for one had to say something about the realities we face in security. Simply put, it is too often the case that organizations place security in the category of red headed step child and relegate them to the sub basement as a necessary annoyance. Security is a cost centre and is troublesome all of which is anathema to business as usual. Security causes things to perhaps move slower, make people take a little more time to think, and generally feel like a drag on the hyper-kinetic business model so many corporations feel they need to be today. As such it is always a battle to insure that basic security practices are carried out like patching and hardening of systems. It’s a sad truth and you all must have run into this if you are a blue team player.
How do we fix it all? I have no idea. All I do know is that we are losing the battle and it is not because China is hacking us all with advanced malware on par with Stuxnet. We all need to understand that what we see out of the media is hype and what we see out of the vendors is marketing and not necessarily what we really need. Until such time as all organizations out there understand security and it’s nuances we, the workers within the security field as blue team members will be Sisyphus.
Threat Intelligence Report – December/January 2014/2015
In the months of December 2014 and January 2015 many paradigms on how the security of the Internet was perceived began to change. With the advent of the Sony hack and all of the fallout since, there has been quite a bit of angst on the part of governments across the globe in response to the attack.
This concern is warranted because the Sony hack set a precedent in destructive actions on the part of a nation state (ostensibly) to attack a private corporation and completely destroy it’s capability to function as a company for many months. To date, Sony is still off line internally with all of it’s various systems being reconstructed to enable workers to resume regular business.
Alternatively, other attacks like the Christmas day attacks on Sony and Microsoft’s PSN and Xbox networks took their functions off line at a key time for gamers with new consoles to play the games they got for Christmas. These DoS (Denial of Service) attacks were carried out by a group of “script kiddies” (hackers without real skills) called “The Lizard Squad” and their arrests are now happening in January by the FBI and others across the globe.
The final assessment though is that the game has changed and the rules are yet to be determined on a legal level as well as on an attackers decision process on how far is too far to go. In the case of the Sony attack, whether or not it was a nation state doing so, the game changer is that they completely destroyed the capabilities for Sony to operate their business. This situation ups the stakes for other adversaries, both nation state and other, to a level at which nothing is taboo and everything is possible.
In short, we are living is “Interesting Times” as the Chinese say, and we had all be ready to handle the outcomes of potential attacks like the Sony attack because it is likely that it will not be the last one of it’s kind.
The Sony attack was not new in the sense that the malware had been around for some time on the Internet. A version of it had been used in 2013 on banks in South Korea and it managed to destroy quite a bit of data. However, the attacks in 2013 had been stopped before the complete destruction of the banks systems was complete. However, the notion of using such malware attacks by an adversary in such a way had not been carried out before on private entities and this was the game changer.
In the case of Sony, an iteration of the malware from 2013 (DarkSeoul) was upgraded with about forty percent more changes to the base code that refined the process a bit. The malware, after editing was leaner and able to destroy drives in a very quick fashion. The crux of the attack lay in the malware choosing a certain section of the drive (middle) and quickly taking that section out with destructive wiper tools. In essence, that one stripe made the drive useless.
This in tandem with the hard coded domain names, addresses, and passwords of high level accounts, made the attack all the more destructive and pervasive. The sole intent of the upgrades and deployment of this malware package (4 variations of malware in total) was to take Sony off line hard at a maximum cost.
The assessment that goes along with this attack on Sony is alluded to in the executive summary. The crux of the meaning being that this malware was not advanced. It has been around since 1998 as a concept, and the attacks used to place it in the network were not new as well. What is different is that the actor was willing to carry out such an attack on their target in the first place.
The changes to laws you are seeing proposed by the Obama Administration show just how in earnest they are to respond to this change in tempo of cyber warfare. There are few international laws that handle this type of attack and we have yet to have any real substantive ground rules that all countries would abide by in this battle space.
Additionally, the attack on Sony also sets the tone for non state and chaotic actors who may want to just wreak havoc wherever they can with the same tools. Remember that the code is already out there and the access can be granted through phishing attacks or insider access at any company. This attack and the narrative on how it happened should be paid heed by every company today because they too could be the next Sony with the right adversary set to destroy them.
As stated above, the US Government has been actively seeking to update and create new policy on hacking and cyber warfare since the Sony attacks occurred. The Obama White House has in fact put forth changes to the CFAA (Computer Fraud and Abuse Act) as well as new legislation covering all manner of information sharing as well as repercussions for hacking.
The primary concern for business though should be the changes to reporting on incidents as well as the proposals for an information sharing between companies and the government on security threats being seen in the wild. These information sharing programs already exist in the private defense contractor space but as yet do not exist outside of that realm. The matter of the reporting of incidents however is a new and prickly topic and as such should be watched closely by corporations to be sure of what they may have to report on and in what time frames. Additionally, they should be concerned with fines for non reporting as well as issues over releasing data on vulnerabilities they may have.
The primary concern that companies will be looking at will be the reporting and repercussions from doing so. At present this is all notional and with the president being a “lame duck” it may not be something that companies will have to concern themselves with at all. That is unless the Senate and House decide to act on these proposals.
The Lizard Squad, is a loosely knit group of script kiddies that created a now defunct DoS (Denial of Service) software package that was used to take Sony PSN and MS Xbox networks down on 12/25/14.
These attacks were chaotic in that the Lizard Squad just did it because they wanted to. There was no political agenda, there was no real stated reason, they just took things off-line to make people unhappy and to gather fame for themselves.
At present, the Lizard Squad’s tool is off-line, the code of which has been dumped online, and the services users passwords (which were not encrypted) are in the open. The FBI is investigating the incident and has in fact captured three of the hackers from the group already with more to come.
The Lizard Squad is just one group of many that come into existence and go out of existence on-line regularly. Loosely modeled on Anonymous, the Lizard Squad acted out of a need to chaotically cause mischief on-line without much more reason than they wanted to.
This type of actor is becoming more prominent with actions like this and with each big story, and the attention they are given, more will rise up like them to sow havoc on companies on-line. These actors for the most part usually carry out attacks though that are not as complex or devastating as the Sony attack but they could also evolve and carry out like attacks.
It is thus important that companies pay more attention to groups like these and monitor OSINT and other threat intelligence feeds to be aware of groups that might target them. Being armed with information may make all the difference in the world to your OPSEC against such attacks by these actors.
Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers discovered malware that bypasses authentication on Active Directory (AD) systems that implement single-factor (password only) authentication. Threat actors can use a password of their choosing to authenticate as any user. This malware was given the name “Skeleton Key.”
CTU researchers discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, giving the threat actor unfettered access to remote access services. Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.
This malware is novel in that it uses a flaw in the Active Directory in tandem with single factor authentication. This novel approach, if not mitigated by Microsoft, could be enhanced and used more widely by attackers. There is however one flaw in the malware that mitigates the attack;
The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted. CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers. Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.
However, if you have a level of compromise that would grant the access needed to install malware on the domain controller, then this attack is secondary because the adversary has already compromised you at a deep level.
Full report for download HERE: Report
I have another word though for it all..
Ok, I have said this before and I guess it is time for me to say it again as all I see in the news today is hyperbolic bullshit about how Anon’s took down a jihadist site. For the record the site in question was the lowest of the low hanging fruit. It has been pwn3d three ways to Sunday and is mostly full of other agent provocateurs looking to hook themselves a stupid jihobbyist anyway. So really, what has Anon done by taking this site out of all the sites out there down?
Look, if you guys want to do something of worth then you use all your doxing powers to locate all these fuckers online in these forums and pass it to the authorities ok? Failing that what you are only doing is managing to garner headlines by lackluster reporters looking for a story that will give them page clicks is all. It will mean fuck all to the jihad, the GWOT, and most of all it will NOT stop another attack by those loon wolf enough to do it. It’s a simple equation kids and I know you want to feel like you are doing something, which I laud you for, but do it smartly would you?
The same thing goes for the Twitter accounts. I tried to do this too and I was actually taking the time to single out the big players. You get them banned and they just come right back. However, when you DOX them with their real information they tend to get popped by authorities. So why not take the time and do some real work on stopping these fuckheads?
You all can be better than this. Evaluate the ops.. Is it for you or is it for the greater good?
Do some research: https://krypt3ia.wordpress.com/category/internet-jihad/
Hoodie can be made on http://www.zazzle.com if so inclined.
The Evidence is Where?
Right, well James Comey (FBI) came out yesterday at a conference in NYC with what he might think is definitive proof that North Korea attacked and destroyed Sony digitally. Of course the reality is when you really look at what he said once again you are left saying “Uhh what?” In an article on the Daily Beast which I have captioned below Comey says that the proof that DPRK did it was in the form of IP addresses only DPRK has access to and uses. Sure, fine, I will buy that. So show me the logs and the IP addresses please?
In a speech to a cybersecurity conference in New York, Comey took the unusual step of revealing previously classified intelligence that he says shows North Korea is to blame.
The new information consisited of Internet protocol addresses that Comey said are “exclusively used” by North Korea. Comey did not specify what those addresses are. The FBI’s case to date has hinged partly on Internet addresses it says were used in previous attacks by North Korea, and numerous experts have pointed out that hackers routinely use different addresses to mask their true location.
Comey’s new evidence struck some experts as inconclusive. “Short of the government disclosing the actual IP addresses, and those being in the netblock range of those known to be associated with North Korea or used by North Korea-backed actors, I simply can’t jump on the North Korea bandwagon,” Stuart McClure, the president and founder of cybersecurity company Cylance, told The Daily Beast. “We need more evidence.”
It gets better though, in Comey’s diatribe on this he goes on to talk about spear phishing emails that went to the CEO of SPE previously in September of last year that “may” have been pre-cursors to the attack that finally played out. This is of course very likely as a start of an attack and I can buy into that as I have seen the Chinese and others do the same thing. Hell, I have done the same thing on penetration tests!
FBI Director James Comey said on Wednesday that investigators have found spear-phishing emails that were sent to Sony employees as late as September. Such emails were the “likely vector” that the hackers used to get inside the company’s network, Comey said, from which they stole and deleted large amounts of data, including business emails and employee salaries.
So yes there are emails and they are spear phishing, which are likely to be in the dump that GOP put out when they dumped Lynton’s email spools (go check kids!) that we can look at the headers of. Perhaps that is what Comey want’s us all to do? I am not sure, in fact I really don’t care for Comey all that much as all I have seen out of him is dire hyperbole. Anyway he goes on from there to talk about the IP addresses that the government allegedly has;
In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy. Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using… were exclusively used by the North Koreans.
They shut it off very quickly once they saw the mistake. But not before we saw where it was coming from.
Wait, he is basing this all off of the emails and pastes? I have the emails and I saw no DPRK addresses in those headers from Yopmail and the servers in the EU. So where are these headers you are speaking of James? Do you have emails that we are not aware of? If so just please say so. Alternatively, does the government in fact have the logs from Pastebin on these posts where the alleged IP’s show up? If so, once again, show them. Show me the subpoena’s and show me the logs. Why not? I mean you guys aren’t prosecuting this in a court anywhere are you? You should be able to drop those dox on us all to prove your case right? If not why not? Please explain a bit more would you?
Like I have said many times already I can believe it was the work of DPRK or actors paid by them but really, give me a little substantiating information to go with it or just tell me everything is classified and HUMINT where I will have nowhere to go. Instead you keep offering hollow statements of facts that just don’t really add up. It should not be this hard really. You are reacting as a nation against another nation with evidence that is what exactly? This is my big problem here with the cyberwars, we go to war footing on what? Supposition much? If the GOP fucked up and used their straight IP’s to do things and you are telling us that then show us the data. Give us an IP address within the two /24’s that they have and be done with it.
Truthers and Discrediting Language
As if the whole debacle wasn’t bad enough with a coy government we now have self serving talking heads like Tao (Bejtlich) now labelling anyone who wants to at least have a modicum of proof to be presented to the American people as “Truthers” See quote below from Mr. Bait-Lick
“I don’t expect anything the FBI says will persuade Sony truthers,” Richard Bejtlich, the chief security strategist for cyber security company FireEye, told The Daily Beast. “The issue has more to do with truthers’ lack of trust in government, law enforcement, and the intelligence community. Whatever the FBI says, the truthers will create alternative hypotheses that try to challenge the ‘official story.’ Resistance to authority is embedded in the culture of much of the ‘hacker community,’ and reaction to the government’s stance on Sony attribution is just the latest example.”
Firstly, FUCK YOU Richard.
Secondly, FUCK YOU Richard.
Thirdly, What the hell? Does questioning things for actual data to be presented cut into your business model? Oh yeah, right, it does Mr. Mandiant rah rah. How many times have I heard that you and yours have turned out shitty reports with bad attribution in the past as well? I am sorry if I don’t want to just believe you Richard, or your company, or for that matter the government when they fail to provide any data that is of merit. Maybe that’s just me but now you want to make myself and anyone who might question your findings as nutbags with a common colloquial today for an Alex Jones Tinfoil Hatter?
If asking for evidence is so crazy in this time of extra judicial searches and over prosecution of crimes that involve hacking is so crazy then why do we even bother with the law in the first place Richard? All of us asking the questions have legitimate rights to beg the questions as well as the ability to be experts in the field. See, it’s not just you Dick that can look at logs and perform incident response. Some of us also do it for a living daily, we aren’t just titular heads of large IR firms.
Reasonable doubt is that thing we use in the law to say that you have to prove beyond one that someone is guilty. Of course this isn’t a case where we will be taking DPRK to court unless Sony wants to. Nope, this is statecraft and warfare. Unfortunately we have many cyber chicken hawks out there as well as corporate bodies that will make OODLES of money as well as consolidate power if this all goes hot cyber right? All we have seen lately is how this was the first shot in the cyber war and that we need to respond. Well, as a citizen I would like to see some proof before we go starting cyber wars. Of course that is a little cart before the horse now since Stuxnet right?
With a populace that has been shown to have been lied to by the government, where excesses have happened infringing on rights and doing things in our name that perhaps we don’t want them to, I think it is important that we are at least get some evidence. Assurances are just not enough in my book as they move forward in prosecuting statecraft and perhaps even military action albeit cyber actions when the result is political upheaval and reprisals.
That’s all I am saying.. Logs or GTFO.
Pastebin posted 12/31/14
#G…O……P……. express highest regard to the People of North Korea. It is the juche we strive to free the world. It is our stance that 공화국영웅 shall be given to the most powerful leader whom have save Korea from shame. 재일본 조선인 총련 our family of old friends will always look over our Leader and protect him from dishonor even in the event he would not see us. Soon our film of 리설주 will made ready for the sons of Korea to witness. Through our leadership the 2 korea will be made whole and our brother will live in peace. Our power is ultimate and strong as our secret war is being won in the world of American hate.For we are the Guardians of Peace in Democratic People’s Republic of Korea and want no more fighting in the family.
** Follow links in kanji to meanings above**
Theories and Suppositions:
I was Googling through the Pastebin’s as is my custom nowadays and came across this little post from December 31st. It caught my eye because of the Korean as well as the content. Now, language wise the Korean is standard, and not the Korean you would see coming from a DPRK person. I also noticed that the transliteration was direct into English which to me, implies that this was a translation carried out on Google translate. However, the translated text is all place names, people’s names or names of organizations that will stand fairly static in the linguistic play book so a variance issue on vernacular is less a factor in this case. Interestingly though they chose to use the English phonetc of “Juche” instead of Korean kanji for a term that covers “self reliance”, a term for how DPRK perceives itself against the world.
The idea has been floated in the past that the Chongryon may have had something to do with the attack on Sony and it is one that I could buy into, all I would need is some real proof from the government on things like IP’s they claim to know about or some other secret sources they refuse to release on the whole affair. This paste though is subtle and as such I thought I would bring it all to you as an interesting tidbit to think on with regard to Sony and the debacle of SPE’s hack. This morning I posted a tweet linking a story about how Sony may still be compromised because they were so utterly owned. It is entirely possible that they are and also that not only SPE was the target. Once again I will mention the Sony IP’s in the malware and the fact that the language of the GOP’s email on 11/30/14 talked specifically about human rights, reparations, and issues that they claimed to have directly with Sony itself and not just SPE.
So let’s once again take a step back and imagine that this was not just about “The Interview” and not just about SPE but Sony itself. A company that is Japanese and has their own history and issues with Korea as well as the DPRK. Consider that DPRK kidnapped Japanese citizens in the 70’s that they still have not accounted for. Or perhaps let’s talk about how the Chongryon headquarters is being sold out under them by the Japanese government which has caused consternation. There are many aspects of the region that seem to be lost on the media and it is disconcerting that this seems to be just about America but hey, we invented the Streisand Effect didn’t we?
The Last Sentence:
I suppose the most interesting bit for me is the last sentence in this possible troll; “For we are the Guardians of Peace in Democratic People’s Republic of Korea and want no more fighting in the family.” It hit me once I had read it a couple of times that it made more and more sense if you consider the Chongryon as involved with this hack. The allegations of all the issues with human rights, the language around Sony and the restructuring that happened over the last year in particular, all of it. It makes a kind of a sense but it certainly is not evidence I would bring to a court. However, the sentiment and the language jive with what the DPRK rhetoric has always been inside and out. A long slog of “Poor North Korea against the world!” amongst other ideals that are indoctrinated into their people from the get go. So read it with that mindset. Is it really GOP? I can’t say that it is. What I can say though is that they writer knows some things about DPRK and the tensions in the region.
As I was writing this the AP came out with a story about how POTUS has approved sanctions against ten individuals from the DPRK in an attempt to cut off their access to American money. This is a flaccid response really added to the other sanctions we have against the DPRK. It has not stopped the DPRK and Un from carrying on but they have made it at least a little harder on him. I highly recommend that you take a look at this YouTube “Money & Power in North Korea – Hidden Economy“ to get a sense of just how much money Un has and how he gets it as well as where. This will help you understand just how these sanctions are supposed to work. Once again the US reacts and I await the unintended consequences.
Previous posts on Sony:
In talking to Steve Ragan over the time between the Sony initial hack and now he confided in me that he had some emails and data that may come to bear on the whole attribution drum that I have been banging on. As he is a friend I cajoled him into sending me the data (THANKS STEVE-O!) and lo and behold it’s got some interesting twists for all those out there playing the home attribution game! As you all likely have seen on my Twitter feed and here I am not a real fan of the whole attribution thing to start and now with everyone screaming CYBERWAR NOW! I have been all the more disgusted with the companies all falling over each other for air time on CNN and CBS to conjecture their own theories cum free advertising.
I am writing this post to offer counter narratives to all of the various pundits and companies offering their services while selling you the attribution on a case that they have no real evidence on other than that which the adversary has given them. This is an important fact that most seem to fail to comprehend too. Like The Gruqq say’s;
“This brings us to the problem of cyber attribution. Fundamentally, the core problem is that when you’re working from forensic evidence you are dealing with information channels that are exclusively under the direct control of the adversary.”
~ The Gruqq
…. And I am with him here. The adversary or adversaries have had control of the situation all along. Think about it, they completely owned SONY for such a long time and at a level where trusting any data that comes from the incident response has to be at least nominally considered to be tampered with or suspect. So the FBI calling it as being DPRK at least has the illusion of there being other HUMINT or SIGINT that the NSA may have provided that shows traffic from some point leaving Sony, going through an intermediary system(s) and then on to a known dead drop that has been or is controlled by the DPRK or China… Right? Well, maybe, you see the government has not said overtly to my knowledge that they have CLASSIFIED data that is too “sensitive” to destroy sources and methods to actually release to the public.
At the end of the day though I feel that attribution really is a nation state thing until such time as the courts all catch up on this. Attribution is hard as the Gruqq says and it surely is but the reality is that unless you can prove something unequivocally it’s all just speculation right? Speculation is often something you will hear being yelled by lawyers in a courtroom on TV as something for the judge to strike from testimony, so what good is it to us all in this scenario? Well other than titillation for the churnalistas right? You see, Attributing a hack is not important. Seeing how they did something and how the company that got hacked was unprepared is a lot more important because you can in fact learn from those things and fortify against it happening again or at all.
Alas though, people are too focused on the who and not so much on the how and that makes me have a frowny face. Anyway on to the post here. Prepare for theory hole poking, counter narratives, and general bitch slapping of those who have a serious case of confirmation bias!
Stylometry & Obfuscation
First off let’s talk about Stylometry which is a neat little tool in the attribution tool box. Now it is not a real hard science as some might suspect and I am not sure just how much weight it is given in a court much like Graphology. In the case of the Sony hack this has of late been trotted out by the likes of Jeff Carr and his little band of scientists. Out of the pastebin posts from GOP he and his crew have determined that the writer(s) of the posts were not at all Asian but in fact Russian! Oh really? Out of a sampling of pastes with what seems to be deliberately bad “engrish” and sourced from pastebin you are going to go on national and local TV to attribute this? That is some advertising chutzpa!
It was Jeff and his TV appearances that set me off on the Stylometry and thus my chat with Steve. I wanted to see all the emails that he had from the GOP to gauge all of the language. What came to me from Steve was the usual series of pastes that we all saw but one email that had not been released to the public. The email is a response to Steve from questions he had sent them about who they are and what this was all about. Below, you can see the response and I have marked out particularly interesting areas of sytlometry (blue) as well as notional or attributional statements by the GOP themselves about their ethos and politics (red)
The overall thing I want you all to comprehend though, is that stylometry is just as useless as attribution on the whole. This is specifically the case with the Sony hack and trying to attribute who may have hacked them. There are signs of deliberate tampering of language in this email and because it is more than just a quick paste with links there is a narrative that emerges where you can see the writer go back and forth attempting to obfuscate their knowledge of English as well as perhaps cover any tell tale evidence that they speak it as a first language.
In the end the probative quality of this evidence, even here is mostly useless but I wanted to make a point. Oh, and I almost forgot. Jeff and his team were working with less than the usual amount of text needed to really perform a stylometry of merit so there is that too. Maybe this little ditty will help them.
Our answers to your questions
11/30/2014 09:09 AM
Steve Ragan <email@example.com>Hi, Many consider us as a small group consisting of only several hackers, but it is not true. We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France.
We are not under direction of any state.
Our organization continues to grow.
Our philosophy is peace and equality of the world.
Our main effort is to take care of neighbors in difficulties and to protect human rights of the world.
We are just unknown to the public, but many have seen us. In recent years, Sony and Sony Pictures frequently brought damage to many people and preyed on the weak through terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring.
There are some victims of them among us.
Nowadays Sony Pictures is gonna prey on the weak for their own benefits with another plan of indiscriminate restructuring. This became a motive of our action.
We required Sony Pictures to stop this and pay proper monetary compensation to the victims. Followings are our answers to your questions: 1) Our aim is not at the film “The Interview” as Sony Pictures suggests. But it is widely reported as if our activity is related to “The Interview”. This shows how dangerous film “The Interview” is. “The Interview” is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money. The news with “The Interview” fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures.
2) We demanded Sony Pictures to stop indiscriminate restructuring which brings forth innocent victims and to pay proper monetary compensation to the victims. Sony and Sony Pictures neglected our repeated warning and chances. They didn’t even show their some faith to us.
We think such a shameless company doesn’t need to exist. We won’t give up this attack unless Sony Pictures collapse to the end.
We have already started the efforts on full scale. We will release all data of the company as we proclaimed.
Sony Pictures is surely to collapse unless it kneels down to us.
We have another plan to correct the incidents of Michael Brown. Thanks
Stylometry Interesting Bits:
- The writer uses the contraction/slang of “nowadays” “gonna” correctly in a grammatically correct sentence
- The writer then uses “fully acquaints us” as a term for familiarity on a topic instead of another contraction
- Neighbors instead of Neighbours (UK)
- The switching back and forth between what seems to be a native speaker of American English and perhaps a non english speaker like this was crowd sourced or obfuscated deliberately.
Assessing this one email as the most whole of communications that has not been released in it’s entirety according to Steve show’s some real dissonance in the creation of the email and perhaps that it was not a sole writer. This all however is speculative and as I mentioned above little more than a fun diversion. It should not be taken as a real indicator of anything on whoever hacked Sony and that is what the media needs to realize along with the rest of the public. It does not matter what nationality anyone is here. It could be a conglomerate of people like they (GOP) claim. It could be a group either paid or just pissed off.. It doesn’t matter! What does matter is that Sony got hacked and HOW they got hacked.
Parsing The Language of Politics and Rhetoric:
Now what is far more interesting and perhaps germane to the whole whodunnit of the Sony hack is the language and ideals that the hackers put out there as to why they were doing what they were doing. I have highlighted those passages in (red) Once again, attribution here is not really important but this is interesting as well as may lend to counter narratives to all of the claptrap in the news cycle now. So let me prize out some of what the GOP was saying here in the email.
- They claim they are international and much like Anonymous but come off more like The Illuminati
- They claim Sony had been trodding on human rights and had done damage to people they were trying to help (preying on the weak)
- They want reparations to victims and for Sony to stop whatever they perceive them to be doing
- They use the term “restructuring” in reference to victims and compensation
- They claim they made “repeated warnings” to Sony on this
- Then they throw in the Michael Brown notion which seems to be just a throw away
Interestingly GOP at the start claimed that they had no impetus against Sony concerning “The Interview” except to say; “Sony Pictures produced the film harming the regional peace and security and violating human rights for money.” which is interesting in and of itself since the whole debacle has bloomed into a cyber war between DPRK and the US over that turd of a film. So do we take the GOP at face value here and accept that they were generally upset about Sony’s behavior on rights issues as well as the care of employees? Let’s take a look at some counter narratives to the current assumptions in attribution on the news today shall we?
Alternate Narratives and Attribution:
Let’s just for the sake of argument believe that GOP was, at the time of the November 30th email to Steve, telling the truth about their motives for the most part. There is a full narrative in the email about how Sony was a bad and greedy corporation that must be punished for their actions. If we go along with this line of thought we have the following interesting tidbits from a quick Google-Fu session that lend credence to the argument.
- In April 2012 Sony announced a global re-structuring (their words) of the whole company: http://www.sony.net/SonyInfo/News/Press/201204/12-056E/index.html to be done by March 2015 by the CEO Kazuo Hirai (Japan)
Sony announces massive restructuring plan costing $925m, 10,000 job losses confirmed http://www.digitaltrends.com/web/sony-announces-massive-restructuring-plan-costing-925m-10000-job-losses-confirmed/
Japan’s electronics giants are struggling to improve competitiveness and profit margins. Panasonic cut 71,000 jobs in 2013 and is undergoing a dramatic shift from consumer electronics to alternative energy.12 Later that year, Sharp set out to cut 10,000 jobs and sell a California-based solar power developer it purchased in 2010. Sony announced plans in early 2014 to spin off its TV operations and sell its personal computer division.13 http://www.alixpartners.com/en/Publications/AllArticles/tabid/635/articleType/ArticleView/articleId/1289/Seize-the-Day.aspx#sthash.9yjwwUUN.dpuf
Sony Mobile Announces 1,000 Layoffs http://www.dailytech.com/Sony+Mobile+Announces+1000+Layoffs+Restructuring+Plan/article25499.htm#sthash.T3va2GOx.dpuf affecting China, Japan, Sweden, and Beijing China
- As losses mount, Sony’s Hirai seeks cure for TV business in spinoff http://uk.reuters.com/article/2014/02/06/uk-sony-results-restructuring-idUKBREA1509B20140206
As you can see the restructuring has been in the news for a long time and the numbers of employees taking the hit has been upward of 10K with many of them coming from areas of manufacturing. The link just above here shows that the primary target in February of 2014 was the Vaio laptop line. Many of the parts for these were made in other places including Korea and China as well as Japan. In general though, you can see from the rhetoric that layoffs and perhaps pay as well as care about employees might factor into what GOP was saying. This then leaves me with the thought that perhaps the culprits here were in fact upset about the restructuring as well as may not in fact be American in origin. Though the layoffs did touch the US the primary areas where things were cut was actually in Asia to start with.
Suppose for a minute that we take GOP at their word and assume *assuming is bad usually but hey, let’s run with it* that the attackers are in fact responding to Sony’s cuts. Let’s also assume that they are from the Asia region and in fact could be from Japan as well. Tie that in to the fact of the Sony Japan IP’s coded in one of the malware variants and that becomes more of a possibility and you have an alternate narrative. If we take them at their face value, GOP was reacting to Sony’s attempts to make themselves more profitable at the cost of people’s jobs. Jobs mind you that in Japan are hard to come by to start right? As well, the jobs in China and Korea might also be harder to come by when you think about it when a giant conglomerate pulls out. Add to this Japan’s politics and tensions in the region (as they mention with the movie as well) then you can further postulate that they are telling the truth about their motives.
So with all that said, I would really like to see what those threats to Sony were as well as their demands. None of which I think anyone has seen right? So maybe Sony can drop those emails on the net or something…. HAHA.. Right. I also think it is rather amusing that everyone has just assumed that all of this is about the USA and a movie to start. Talk about the Streisand effect! Is it so inconceivable that “The Interview” as GOP states had nothing to do with this at all? Of course once the GOP failed to get what they wanted from Sony SPE (which was the weakest point in the chain security wise) got hit. It is also interesting to note that no other division of Sony has mentioned any hacking at all until the recent Lizard strikes against their PSX network. Why is that exactly? One would assume that the networks are all connected at some level.
So let’s boil it down…
- GOP did it because of the restructuring
- Their perceived beefs against Sony because of layoffs etc that are stressing people in regions like China and Korea (both of which have long political histories of tensions with Japan)
- SPE was really just low hanging fruit and had been hacked along with PSX numerous times making it a prime target
- SPE was not secure because they failed to secure things
- GOP hit them and demanded reparations which were not paid
- GOP began dropping data and trying to get that money from SPE/Sony
- Once Variety had put DPRK on the map with the Interview the idea was there for the taking once things started going south and the GOP used it
I am not attributing this to anyone in particular. It could be anyone but at least there may be some motive to it now per their own communication early on. Could it be DPRK? Sure. Could it be Lizards? Sure. Could it have been Colonel Mustard? Sure! Attribution on this is just pointless. Well, unless you have services to sell or want to use the notion in your political machinations that is. However, here is my counter narrative..
A group of persons hacked Sony because they were upset with their actions cutting jobs. They likely were not some 40 year old woman who got laid off from being an assistant accountant at SPE. (oh and yeah, many of those jobs were technical people.. just sayin)
How bout them apples?
Attribution As A Weapon and Marketing Tool:
I have said it numerous times online already but let me repeat it now. Attribution is mostly useless. It is really only useful as a naming convention at the most to describe a group acting in a particular way when they attack. That’s really it and all it should ever be. Unfortunately it has become the new hotness with companies like Norse, Mandiant, Crowdstrike and their like. They are selling themselves on actors not so much on real use-able data for the common corporation. Focusing on stupid names for groups and trying to sell people on having the inside skinny on actors in foreign countries is just snake oil. Give us the feeds on how they act and who they seem to be attacking and be done with it. By trying to horn into this whole SPE thing with all their theories, getting free advertising time on major and minor networks makes me sick.
Another factoid for you all should be on the notion of using attribution as a weapon. The US Government has shifted into the naming and shaming business on the backs of the Mandiant’s of the world with Tao at it’s head crying CHINA CHINA CHINA! for years now. China may or may not be behind all of the hacking, it’s all subject to forensics and evidence that can be hard to say is pristine like I point out above with the Gruqq quote. In the case of the SPE debacle we have yet to see anything out of our government as to evidence that is convincing and they have talked about proportionate responses. This is hubris at it’s worst and why I wrote my first post on SPE. If we are going to go to a cyber war footing we had better be able to provide proof to the world that it was in fact DPRK. So far we have nothing but “We are the government.. Trust us” and that no longer works.
The worst thing of all is all the marketing that is being generated by this incident. I have seen companies take very little in the way of evidence and spin stories that they are telling to the media and the people as “the truth” when they have no real idea. of what the truth is. This industry has jumped the shark and while I personally saw my post and others make a dent in the narrative that the media was playing for us all, it did nothing to deter the FBI and the government from blaming the DPRK and seeking to respond in kind. Since then we have seen DoS attacks against the “hermit kingdom” including my own incident where I Nmapped them and they DoS’d me for a while. It’s all a fucking nightmare and I am at my wits end trying to inject any sense into the derpstream out there today.
Maybe I can just become a gentleman farmer and goat herd to a flock of narcoleptic goats. At least I will be amused by their running and passing out while the world burns in cyber flames.
UPDATE: I am told that the email above was public so there is that. I guess perhaps people have studied it in its totality? Meh, the post still stands.