US Slaps Sanctions on North Korea After Sony Hack
Posted on January 4, 2015 by Kara Dunlap in Security
The United States imposed new sanctions Friday on North Korea in retaliation for a cyber attack on Hollywood studio Sony Pictures.
In an executive order President Barack Obama authorized the US Treasury to place on its blacklist three top North Korean intelligence and arms operations, as well as 10 government officials, most of them involved in Pyongyang’s arms exports.
Obama said he ordered the sanctions because of “the provocative, destabilizing, and repressive actions and policies of the Government of North Korea, including its destructive, coercive cyber-related actions during November and December 2014.”
The activities “constitute a continuing threat to the national security, foreign policy, and economy of the United States,” he added, in a letter to inform congressional leaders.
“The order is not targeted at the people of North Korea, but rather is aimed at the Government of North Korea and its activities that threaten the United States and others,” Obama added.
The sanctions come after hackers penetrated Sony’s computers in late November, stealing and releasing over the Internet employee information, unreleased films and an embarrassing trove of emails between top company executives.
The hackers — a group calling itself Guardians of Peace — then began to issue threats against the company over the looming Christmas release of the comedy film “The Interview”, which depicts a fictional CIA plot to kill North Korea’s leader.
The threats led first to worried movie theater owners dropping the film and then Sony cancelling the public debut altogether, before releasing it online.
After the hackers invoked the 9/11 attacks in their threats, the White House branded it a national security threat, and an investigation by the FBI said North Korea was behind the Sony intrusion.
Pyongyang repeatedly denied involvement, but has applauded the actions of the shadowy Guardians of Peace group.
‘Proportional’ response
The White House stressed Friday that its response will be “proportional”, but also that the sanction actions were only “the first aspect of our response.”
“We take seriously North Korea’s attack that aimed to create destructive financial effects on a US company and to threaten artists and other individuals with the goal of restricting their right to free expression,” said White House press secretary Josh Earnest.
In parallel with the White House announcement, the Treasury named the first targets of sanctions in the Sony case.
They included the Reconnaissance General Bureau, the government’s main intelligence organization, and two top North Korean arms exporters: Korea Mining Development Trading Corporation (KOMID) and Korea Tangun Trading Corporation.
The individuals named included agents of KOMID in Namibia, Russia, Iran and Syria, and other representatives of the government and the sanctioned organizations.
An administration official, briefing reporters, said that they remain “very confident” in their assessment that Pyongyang is behind the attack on Sony, amid doubts raised by security experts.
The official said the three organizations had “no direct involvement” with the hacking. “They’re being designated to put pressure on the North Korean government,” the official said.
It was the first time the Treasury sanctions mechanism had been invoked due to a threat to a private company, the official acknowledged.
The sanctions forbid US individuals and companies from doing business with those blacklisted, and freeze any assets those blacklisted might have on US territory.
A particular aim of such sanctions is to limit their access to international financial services by locking them out of the US financial system.
All three of the organizations blacklisted in the Sony case are already under US sanctions for the country’s persistence with its nuclear weapons program, its alleged provocations on the Korean peninsula, and other “continued actions that threaten the United States and others,” as Obama said in his letter.
BrowserStack Back Online After Hack
Posted on November 11, 2014 by Kara Dunlap in Security
BrowserStack is back online after temporarily suspending service due to an attack.
The company stated it had been hacked after someone sent an email to customers claiming the company was shutting down and had failed to follow through on promises related to security. Founded in 2011, BrowserStack is a cross-browser testing tool used to test websites and servers.
A copy of the email was posted to Pastebin.
“Not only do all of our administrators have access, but so does the general public,” the hacker claims in the email. “We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password “nakula” on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched (“c0stac0ff33”).”
“Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised,” the email states. “These passwords take no less than 15 minutes to find for anyone who is looking. We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.”
It is not known whether any of the hacker’s claims in the email are true. According to BrowserStack, the hacker’s access was limited solely to a list of email addresses.
“All BrowserStack services are now up and running,” the company tweeted shortly after noon PST. “We are keeping a strong check and will email all users the entire analysis.”
The company said it will post a post-mortem of the attack.
BrowserStack serves some 25,000 customers and more than 520,000 registered developers across the world.
Yahoo! Changes Tune After Saying Servers Were Hacked By Shellshock
Posted on October 7, 2014 by Kara Dunlap in Security
On Monday afternoon, Yahoo confirmed to SecurityWeek that servers associated with Yahoo Games had been hacked as a result of the recently disclosed “Shellshock” vulnerability, but has since said its original conclusion was wrong.
In its original statement issued Monday afternoon, the company said that on Sunday night, a “handful” of its servers were impacted but said there was no evidence of a compromise to user data.
Hours later, Yahoo! contacted SecurityWeek with a change in tune, saying that after all, the servers in question were NOT compromised via the Shellshock vulnerability, but rather by a “minor bug in a parsing script”.
“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by Shellshock. After investigating the situation fully, it turns out that the servers were in fact not affected directly by Shellshock, but by a minor bug in a parsing script,” a Yahoo! spokesperson told SecurityWeek. “Regardless of the cause, our course of action remained the same — to isolate the servers at risk and protect our users’ data.”
The company maintained its position that no evidence has been found suggesting that user information was affected by the incident.
Yahoo! CISO Alex Stamos provided additional details in a post to Y Combinator’s Hacker News.
“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers,” Stamos explained. “These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.”
Stamos, who became VP of Information Security and CISO at Yahoo! in March 2014, continued:
“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!”
The original story with more background on the incident can be found here.
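The root cause Stamos describes, a log-processing script that lets request data reach a shell, does not depend on the Bash bug, which is why patched servers were still affected. The script below is an added illustration, not Yahoo's monitoring script (the article does not show it): the log line, the function names and the `eval` pattern are constructed assumptions, and the injected command is a harmless `echo`.

```shell
#!/usr/bin/env bash
# Constructed access-log line (not from the incident). The User-Agent field
# carries a harmless command substitution standing in for hostile input.
SAMPLE_LINE='203.0.113.7 - - [05/Oct/2014:23:11:02 +0000] "GET /api HTTP/1.1" 200 512 "-" "probe $(echo INJECTED)"'

# Widely published local check for the Bash function-import bug: a patched
# bash treats the variable as plain text and prints nothing.
shellshock_patched() {
  ss_out=$(env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null)
  [ -z "$ss_out" ]
}

# Pull the last double-quoted field (User-Agent in combined log format).
extract_ua() {
  printf '%s\n' "$1" | awk -F'"' '{ print $(NF-1) }'
}

# Unsafe pattern: log data is pasted into a command string and re-parsed by
# the shell, so any substitution inside the field is executed.
summarize_unsafe() {
  ua_unsafe=$(extract_ua "$1")
  eval "echo \"UA: $ua_unsafe\""
}

# Hardened pattern: log data is only ever passed as an argument to printf,
# so the shell never interprets it as code.
summarize_safe() {
  ua_safe=$(extract_ua "$1")
  printf 'UA: %s\n' "$ua_safe"
}

# Demonstration: the host can be patched and the unsafe parser still runs
# the embedded command, while the hardened parser prints it literally.
if shellshock_patched; then
  echo "bash: function-import bug not present"
fi
summarize_unsafe "$SAMPLE_LINE"
summarize_safe "$SAMPLE_LINE"
```

When triaging a similar incident, a clean result from the Bash check narrows the search to code that handles the request data afterwards, such as log parsers and monitoring scripts.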