December 22, 2024

US Police Grapple With Rise of ‘Swatting’ Pranks

Posted on March 23, 2015 by in Security

When Florida police got a call from a man who said he shot four people at rapper Lil Wayne’s house this month, they responded as they are trained to.

Heavily armed, flanked in body armor and accompanied by sniffer dogs, officers surrounded the Miami mansion after the alleged shooter told the 911 dispatch: “I’m killing whoever else I see…”

But police found no shooter at the house, and no victims. Lil Wayne was not there either.

The rapper was the target of a “swatting” prank, a phenomenon gaining popularity in the United States and creating public safety risks and budget strains for law enforcement.

The stunt — a modern-day and much more serious version of a prank call — involves a call to emergency services claiming a crisis.

When police arrive, the alarmed victim is often greeted by angry bangs at the door from screaming officers with cocked guns.

Special weapons and tactics (SWAT) units, from which the term swatting comes, are usually dispatched because they are trained to deal with the serious emergencies swatters typically falsely report, such as hostage taking, mass shootings, bomb threats and domestic violence.

Following the false alarm at Lil Wayne’s mansion, Miami police said on Twitter: “Unfortunately this appears to be a ‘Swatting’ call. No victims /no injuries /no subject at 94 LaGorce.”

Police are obliged to respond to emergency calls, but say such pranks are a waste of resources.

“Fortunately in terms of no one hurt yes. Unfortunate in the waste of resources for a hoax that we have to treat seriously,” Miami Police tweeted.

Lil Wayne is not the only celebrity swatting victim.

Famous Hollywood prankster Ashton Kutcher, host of the hoax show “Punk’d,” has been swatted, along with Justin Bieber, Rihanna, P. Diddy, Justin Timberlake, Tom Cruise and Miley Cyrus.

Swatters have also hit politicians, journalists and schools.

Live-stream swatting

The phenomenon of swatting was first reported to the Federal Bureau of Investigation in 2008, and has steadily gained popularity since.

Officials estimate about 400 swattings occur every year, but many no longer report incidents to prevent copycat acts and to avoid giving swatters publicity.

The hoax is popular in the online gaming community, where swatters target online rivals who are live-streaming a game. When police arrive, the stunt is broadcast in real-time.

Swatting videos show victims at their computers when they are interrupted by loud bangs at the door followed by heavily armed police storming their homes.

Perpetrators target online rivals and access their addresses by hacking their computers.

Police consider the act a dangerous crime, and say swatting is a serious public safety issue.

“The swatting practice is extremely dangerous and places first responders and citizens in harm’s way,” the FBI said in a statement.

“It is a serious crime, and one that has potentially dangerous consequences.”

Beyond being a waste of resources, police say swatting creates major risks.

Some hapless victims were carrying objects that could be mistaken for a weapon. Others grabbed a real gun, mistaking law enforcement for intruders.

Police are at risk too — in one incident an officer was injured in a car accident while responding to a swatting hoax.

“It’s only a matter of time before somebody gets seriously injured as a result of one of these incidents,” the FBI said.

Seeking tough laws

But tracking perpetrators is tough, as callers use software to disguise the call origin or place the calls from untraceable Internet sites.

Though there is no federal swatting legislation in place, punishment can be tough for swatters who are caught.

In 2009, 19-year-old Matthew Weigman was sentenced to 11 years in prison for orchestrating several swattings. The blind phone hacker, who was a member of a swatting ring, had been making the fake calls to police for five years.

Some politicians are pushing for tougher laws to deal with the crime.

California Congressman Ted Lieu introduced legislation in his state that was adopted in 2014, forcing convicted swatters to pay for costs related to fake calls, which can be as much as $10,000.

Lieu, himself a victim of swatting, said the bill protects the public and prevents police resources from being wasted.

Despite moves to strengthen punishments, the phenomenon continues to gain momentum, both on US soil and abroad.

Last week, French television host Enora Malagre was a victim of swatting when a man called police claiming he stabbed her and threatened to shoot at police.

© AFP 2013


Feedback Friday: Reactions to White House Cybersecurity Information Sharing Initiative

Posted on February 14, 2015 by in Security

Obama Signs Executive Order After an Address at Stanford University

During the White House Summit on Cybersecurity and Consumer Protection at Stanford University on Friday, President Barack Obama signed an executive order to promote cybersecurity information sharing between private sector companies and the U.S. Government.

The executive order, signed by the President on stage after addressing a large audience, outlines an information sharing framework that would help companies work together, along with the federal government, to more effectively identify and protect against cyber threats.

“This has to be a shared mission,” Obama said during his speech. “So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone. But the fact is that the private sector can’t do it alone either, because it’s government that often has the latest information on new threats.”

Overall, industry professionals applauded the steps by the White House, but indicated this is just a small step in addressing serious threats. An executive order can only go so far and more is needed than just information sharing to combat sophisticated cyber attacks, experts said.

And the feedback begins…

Phil Smith, SVP of Government Solutions and Special Investigations at Trustwave:

“The President’s remarks at today’s summit are a great beginning, especially when he explained today’s threat landscape as a ‘cyber arms race.’ That statement is significant because it puts organizations and individuals on notice that cybersecurity is a national security and public safety issue. Sharing threat intelligence across government agencies, law enforcement and the private sector is a critical component of strengthening data protection however it will not work without safe harbor protections for companies that participate.

An executive order can only go so far. It takes Congressional action to mandate information sharing on a national level that includes liability protection. Without that protection, we will not see the level of participation required for information sharing to be successful.

When organizations share information they produce actionable threat intelligence that helps them stay ahead of the criminals and build defenses to block their next move.”

Ken Xie, CEO of Fortinet:

“During the White House’s Cybersecurity Summit, there was a lot of great discussion around information sharing. The biggest obstacle is that our industry is extremely shorthanded: it’s estimated we can only fulfill one in every 20 technology positions needed in the cybersecurity space. Who will mitigate the threat? Where and who are the cyber swat teams? Who will train the responders? Answers to these questions remain unanswered, though the conversation is a step in the right direction.”

Nate Fick, CEO of Endgame:

“Much of the talk in the room is about information sharing. In security, the advantage often goes to the team with better, more usable data. So any steps to encourage faster sharing are meaningful progress.”

Tomer Weingarten, CEO of SentinelOne:

“Information sharing is a good start. However, it needs to be handled in a way that preserves the privacy of affected organizations and prevents data from being “leaked”. In the wrong hands, this intelligence would let attackers know that their operation has been compromised, could reveal attack binaries that can be re-used and expose companies that have been breached which may lead to more attacks against them. Also, sharing data and intelligence will do little to mitigate carefully crafted attacks since they often do not demonstrate any previously seen indicators.”

Mike Brown, VP and GM Public Sector for RSA:

“It isn’t just information sharing that is needed. We have some valuable avenues to share information. What we need is liability relief and clarity about the type and format of information that needs to be shared. That is also critical so that information that is shared is actually actionable.”

Tal Klein, CMO for Adallom:

“The fact that the President is addressing the issues of cyber security is a good thing – we definitely need more awareness. That stated, I am less excited about specific directives that may offset the financial incentive for companies to be in the business of cyber security. Information sharing is good, but if a security company makes their money researching threats and then is expected to turn over their research to the public domain as soon as it’s complete, then the value of that research diminishes.

I don’t think the government should be in the business of regulating the information security industry. What I suspect is that we are close to the age of the “cyber lobby” (dare I say “cyber subsidies”) – and I’m not sure that will benefit anyone other than the companies that pay to influence policy. So, I would prefer the President’s agenda would begin and end with “awareness” and avoid tinkering with the economic  dynamics of the information security market.”

Ivan Shefrin, VP of Security Solutions at TaaSera:

“Voluntary sharing of cybersecurity intelligence can be an important step – provided it’s accompanied by appropriate liability and privacy constraints. The benefits are clear: last year’s United Parcel Service breach was in fact discovered as a direct result of threat intelligence sharing between the government and private sector.

Sharing cyber intelligence can have a positive impact if information sharing is made actionable. To accomplish this, security professionals should assume they’re already compromised, and implement policies, tools and budgets to balance breach prevention with pre-breach detection and response.”

Marc Gaffan, CEO & Co-Founder of Incapsula:

“President Obama is taking a bold stance by visiting with tech companies in Silicon Valley this week to talk about his proposed cybersecurity legislation, right on the heels of his cybersecurity agency announcement earlier this week. In the past, the sale and use of botnets, which have the potential to overwhelm a site or network with malicious activity, was surrounded by legal ambiguities and grey areas. Obama’s new legislation removes all ambiguity so for the first time companies can prosecute the so-called “bot-herders” that try to do them harm.”

Ron Gula, CEO, Tenable Network Security:

“It’s important to applaud this administration for its attention to cyber security. It’s been long overdue and at the rapid pace technology is evolving, we are already behind the curve. Executive orders such as this, while not a substitute for good security practices, raise awareness for the need to invest more heavily when it comes to cyber security.

Information sharing won’t solve the bigger problems we face in the industry, but it’s a good place to start. Everyone in IT is realizing the scale and saving from centralizing command and control. Once consolidated, the information shared will provide greater context, allowing for organizations to be more agile in mitigating sophisticated attacks.”

Ryan Shaw, Director of Research and Development at Foreground Security:

“The President’s intention to issue an Executive Order (EO) promoting government and private sector cybersecurity information sharing is an important acknowledgement of the current deficiencies in our country’s current cybersecurity defense capability. Unfortunately, EOs and new agencies will not be able to resolve the sharing challenges that have existed for years.  These challenges include:

· Lack of trust between the parties involved

· COTS cybersecurity tools (e.g. SIEM, NSM, Web Proxies, ID/PS, Next-gen Firewalls) that are ill-equipped to deal with large quantities of multi-source, non-normalized threat indicators

· Shortfall of skilled cyber-threat analysts or source-agnostic platforms to manage the deluge of threat indicators

· Multiple sharing vehicles and taxonomies (these are a portion of the Voluntary Standards for ISAOs that the President will speak of)”

John Dickson, principal at software security firm Denim Group:

“There is no mention of increased liability protection for companies in today’s briefing sheet. Absent of increased protection, or at least clarity, for the corporate liability question will likely result in a lukewarm reception from industry. Couple that with remaining post-Snowden doubts that remain over working with government and law enforcement, then you have a potential non-starter here.

The focus on strong privacy and civil liberty protections misses the point here – that’s not the hurdle in more information sharing, liability protection is. Cooperation with the Congress is an imperative. My contacts in the US Capitol say these initiatives are coming out with little consultation with Congress, which also brings up the question of the measures’ ultimate implementation.”

Jeff Williams, CTO, Contrast Security:

 “I’m encouraged by all the talk about public-private partnerships that bring security to the forefront for government, large businesses, small businesses, and consumers. The panelists were right about the problems of speed and scale that cybersecurity involves.  I was thrilled to see that there is awareness of the complexity and importance of the problem at the highest levels of government and business.

However, the overwhelming theme of the summit was that the way forward is to focus on the threats and that communication will enable us to stop attacks.  I have serious doubts as to whether chasing the threat will have any effect whatsoever – the attribution problem is so significant in cyberattacks that after months we still have no resolution to the Sony attack, much less Anthem or others.

The worst part is that spending all this effort chasing our tails takes away from time we should be focused on building secure code and strong defenses. The fact that we are still producing code with SQL injection after almost two decades is embarrassing. The government can and should play a role in encouraging the software market to produce secure code. But with a confusing patchwork of agencies, agendas, and responsibilities, government has fallen far behind the financial industry in their ability to secure their own house.”

Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:

 “The White House is pushing a lot of recommendations that don’t seem to have gone through a vetting process by experienced technologists. The effort to weaken encryption will ultimately have the opposite of the desired effect. There are new rules that impact security researchers and will lead to less secure systems, because it will be illegal for researchers to test those systems.

The positive results will be the increased visibility and discussion about these issues. For me, if the US government really wanted to improve security they would be at the forefront of data sharing and making it easier for researchers to contribute, not harder.”

Dan Waddell, Director of Government Affairs, (ISC)2:

“It’s important that the American public put this issue into perspective.  As mentioned by Lisa Monaco, the White House’s top aide for counterterrorism and homeland security, the cyber threat is becoming more diverse, sophisticated and dangerous. The actions of cyber attackers, while seldom seen played out online, are potentially as egregious on many different levels including economically, militarily, and in regards to the public’s day-to-day safety.

Overall, I think it’s a positive sign that we’re having these discussions at the highest levels of both the public and private sectors as well as academia.  CEOs, CISOs, government leaders and educators are all saying the same thing – cybersecurity is an absolute necessity to help protect our nation’s interests. It has an impact on every aspect of our lives – from homeland security, to defense, to the economy, to energy and critical infrastructure, to health, etc.  Everyone shares a common interest: We need to secure information of the people, for the people.”

Chris Wysopal, CTO & co-founder at Veracode:

“The challenge for the tech industry is they need to retain the trust of their users or they can’t grow their businesses which require more and more intimate data be stored and processed by them. That is why after many years of security professionals complaining of the lack of SSL usage by major tech companies it wasn’t until the Snowden revelations that it was finally enforced by the big players.

“The federal government has to convince the people using Google, Yahoo, Apple, etc., not the executives from those companies, that their data is safe from wholesale snooping or the information sharing they want is going to be a struggle.” 

Ken Westin, Security Analyst Tripwire:

“This Order and the information sharing initiatives are a step in the right direction, however the challenge will be in the implementation where citizens’ privacy and civil liberties are protected, as well as making any intelligence gathered through these initiatives relevant and actionable for government agencies as well as private industry. In order to make these initiatives effective, secure and manageable, will require strong oversight and properly allocated resources to implement, not just initially, but also over the next few years as the program evolves. There needs to be constant vigilance and review of processes, data collected and effectiveness of the program in order to ensure agencies do not overreach and that the program itself remains useful to industry and agencies alike.

The devil is truly in the details, although I believe the spirit and intentions of the Order is good, it will be critical that there is transparency and oversight regarding its implementation. The government is breaking new ground and it is important to tread carefully, as there is a lot to learn in the process of developing a system of this scale and depth. I sincerely hope that the government will be involving not just law makers and political thinkers, but also technologists and security experts from both private industry and the government to ensure the program is implemented efficiently, securely and meets established requirements for the program.” 

*Additional reporting by Eduard Kovacs

Mike Lennon, Managing Editor, SecurityWeek.


Feedback Friday: Is North Korea Behind the Sony Hack?

Posted on January 9, 2015 by in Security

In late November, Sony Pictures Entertainment was hacked by a group calling itself Guardians of the Galaxy (GOP). What initially appeared to be another hacktivist attack later turned out to be a sophisticated operation possibly orchestrated by a state actor.

The hackers’ activities came to light on November 24, when the computers of Sony employees started displaying an image of a skull accompanied by a warning message. In the following days, the hackers started leaking large amounts of information stolen from the entertainment giant’s networks. The leaked data included unreleased movies, private emails, the personal details of actors, financial and business information, and employee records (including medical information).

North Korea was named a suspect after investigators found similarities between this attack and others believed to be carried out by Pyongyang. Shortly after, the hackers told Sony to erase all traces of The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-Un. Sony initially called off the release of the movie because of the hackers’ threats, but later decided to go ahead with the release on Christmas Day, as planned.

Sony has avoided pointing a finger at North Korea. United States authorities, on the other hand, say they’re certain North Korea is behind the attack, but they haven’t provided any proof to back their claims, except for the fact that the attackers used IP addresses “exclusively used by the North Koreans.”

North Korea has denied being responsible, but officials admitted that it might be the work of supporters furious over The Interview. Last week, the US imposed new sanctions on North Korea in retaliation for the attack on Sony. On Wednesday, Director of National Intelligence James Clapper claimed that he dined with the North Korean general who Clapper says was responsible for overseeing the attack against Sony, during a secret mission to Pyongyang two months ago.

Everyone agrees that attribution is tricky. Some believe US authorities are jumping to conclusions, but others say the FBI surely has other evidence, which they might never share with the public, to back their claims.

This topic will be debated by a panel of experts and moderated by The Wall Street Journal’s Danny Yadron at the Suits and Spooks DC conference on February 4-5 at the Ritz-Carlton, Pentagon City.

And the Feedback Begins…

Jeffrey Carr, President/CEO, Taia Global, Inc:

“The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector. The FBI, the NSA, and the private security companies upon which they rely for information believe that any attack linked to a North Korean IP address must be one that is government sanctioned since North Korea maintains such tight control over its Internet and Intranet. That is the FBI’s single point of failure because while that might have been true prior to 2009, it isn’t true any longer.

Access to those blocks is relatively easy if you go in through China, Thailand, Japan, Germany or other countries where North Korea has strategic connections.

It simply isn’t enough for the FBI director to say “We know who hacked Sony. It was the North Koreans” in a protected environment where no questions were permitted. The necessity of proof always lies with the person who lays the charges. As of today, the U.S. government is in the uniquely embarrassing position of being tricked by a hacker crew into charging another foreign government with a crime it didn’t commit. I predict that these hackers, and others, will escalate their attacks until the U.S. figures out what it’s doing wrong in incident attribution and fixes it.”

Joshua Cannell, malware intelligence analyst at Malwarebytes Labs:

“Many people continue to speculate about who was really behind the cyberattack against Sony Pictures. We know the director of the F.B.I. has made it publicly clear that North Korea was to blame, and the fact that he’s pushing to declassify that information should tell the world that they have solid evidence to back it up. If we weren’t living in a time where the ability to trust a U.S. Intelligence agency hadn’t recently been questioned during the release of incriminating N.S.A. documents, most people would have likely accepted the F.B.I.’s statement as fact long ago. It seems that by releasing more information, the F.B.I. is hoping to regain the confidence placed in U.S. Intelligence.

You have to look at some of the details leading up to the hack in November. North Korean officials called the release of The Interview ‘an act of terrorism,’ and there was a Facebook group sending threats to Sony Pictures months before the movie’s release. When that was shut down, actors continued to use other methods to communicate their threats, like e-mail. Finally, the threats came to fruition, and simply saying ‘it wasn’t us’ at this point doesn’t do much when all of the evidence points at them. There may have been others involved, that’s true, but that doesn’t change the conclusion of a lengthy federal investigation.”

Jay Kaplan, CEO of Synack:

“The security pundits that we’ve seen in the media disagreeing with the government’s assertion of North Korean attribution are ill-informed with conclusions that I believe to be fundamentally flawed. Even with the latest revelation of details tying North Korea to the Sony breach by “slipping up”, there is much more under the covers that the public is not seeing (and will never see as a result of classified sources.) Conclusions made by security firms after reviewing methodology, technical capability, and modus operandi are flawed given their non-complete picture of the situation at hand.

It is especially interesting to see how just a few months ago the world thought the government had too much information — the intelligence community was running rampant, too much data was being siphoned, and the integrity of our privacy was in question. Yet today, post-Sony breach, people are questioning the same government for coming to conclusions due to a lack of knowledge and perspective.”

Ken Westin, senior security analyst, Tripwire:

“It is difficult if not impossible for those of us in the private sector to verify the FBI’s findings without access to the information they have.

However, I think it is important to note that in this latest statement they are tying their attribution case to IP addresses they say were exclusively used by the North Koreans. I think it is important to point out that Comey said they were IP addresses exclusively used by the North Koreans and not IP addresses in North Korea. The IP addresses that were issued to the public in their flash advisories were IP addresses that have been seen before and used for spam and command and control by other criminal actors. This was a key reason many in the security community were skeptical of the findings, as based on the evidence provided there wasn’t exactly a smoking gun and the information was vague and inconclusive.

I would like to give the FBI the benefit of the doubt and assume that they have additional evidence aside from just IP addresses, which I think they must if they have the level of confidence that Comey is claiming. The difficult part of that for the security community is trusting the FBI. Trust does not come easily to this group, as by nature of their profession they are paranoid and skeptical and want to see the evidence for themselves to establish the facts.”

Marc Gaffan, CEO & Co-founder of Incapsula:

“While we may never know the motives behind the Sony Pictures attack, we’ve found that some attackers will publicly deny involvement, but leave breadcrumbs in an attempt to demonstrate prowess without taking the full brunt of public criticism. As for North Korea’s cyber espionage capabilities, despite the fact that their Internet capacity is less than half of the Falkland Islands, it would be foolhardy to equate a small Internet presence with a lack of skilled individuals working with or for their government.

Regardless of origin or motive, companies need to turn their focus to the blind spots in their organizations. Hackers will only continue to create more illusive and inventive ways to take down websites or steal information; our global networks see new methods every day. Sony Pictures learned their lesson, but will other companies? This remains to be seen.”

Michael Sutton, VP of Security Research, Zscaler:

“Attribution is hard. This is always the case when dealing with a cyber attack where IP addresses can be spoofed, proxies can be employed and digital weapons copied. Attribution is impossible when we don’t have all the facts. The FBI was surprisingly quick to finger the DPRK for the Sony attacks. Less than a month after the breach, the FBI confidently proclaimed that they had “enough information to conclude that the North Korean government is responsible for [the attacks]”.

Contrast that with the grand jury indictment of five Chinese Military officials charged last year with cyber espionage, a case which involved years of investigation. Why did the FBI move so quickly this time? Was it truly an open and shut case? Were there other political motivations for fingering North Korea? Without full transparency we’ll likely never know but we can presume that attribution was needed prior to retaliatory measures. Measures that have already publicly emerged in the form of US sanctions, but other more covert responses are no doubt also currently underway and unlikely to show up in the headlines.

Some have claimed that the DPRK did not have the means to conduct such a successful attack, but this is a country that has had an offensive cyber capability for many years and has shown a willingness to leverage it against foreign nations/companies. The Sony breach, while broad in terms of the damage caused, would not have required great sophistication if network admin credentials were indeed stolen and the target had poor internal controls to limit the reach of that individual’s network access. Given Sony’s poor history with previous attacks, including a 23 day DoS attack on the PlayStation Network in 2011, it’s not hard to fathom that internal security controls were lacking.”

Mike Tierney, COO at SpectorSoft:

“As the feeding frenzy around the possibility a nation was behind the Sony hack calms a bit, more and more credible experts are indicating that it is at least as likely that the hack and subsequent data dump were clearly designed to embarrass Sony. The fact that the tie between a pending movie release and the hack was originally made in news reports, and not by the hacker(s), lends some credence to the idea that there may be a more mundane, but all too common, perpetrator.

Very often, data leaks of this type stem from a disgruntled employee. Whether the source of their anger is specific, as in the case of a poor performance review or being passed over for a promotion, or more general, as in the case of rumored layoffs (which seem to be a possibility in the Sony case), disgruntled employees can and do present significant risk to organizations.”

Greg Martin, CTO at ThreatStream:

“The big issue with the Sony hack is that any “Security Expert” outside of the core investigation can claim an “alternate theory.”

This has been highly confusing to the public who have been hungry for more details which the FBI finally came out with. The FBI had clear evidence that they have some ‘smoking gun’ data showing the North Korean hackers were sloppy when setting up their social media accounts.

This is a common mistake made by many hackers – even the very sophisticated ones – and it’s one of the more common ways they get caught. My question to the ‘truthers’ is: why is that so hard to accept?”

Tal Klein, VP of Strategy, Adallom:

“The trouble with breach attribution is that smoking guns are hard to come by. A more concerning issue to those of us watching from the sidelines is that the initial attack vector has still not been discovered, and no breach containment announcement has been made thus far. That means we don’t know whether the attackers still have a foothold in Sony’s infrastructure or if there are more exfiltrated data dumps coming.

It is strange that the U.S. would rush to point fingers at North Korea, especially given that any recourse would doubtlessly punish the hapless DPRK proletariat more than government or military. Further, it seems obvious in hindsight that the FBI’s most recent revelations, as presented, would not quell detractors’ call for solid attributable evidence—so one wonders, ‘Why bother?’”

Lior Div, CEO and Co-founder of Cybereason, a MalOps protection company:

“When a company is attacked, it reduces the liability and blame of the attacked company if the public believes it is a nation state attack. This attack may have very well been done or aided by insiders, or other players, including North Koreans that are not nation state cyber attackers, but…certainly the legal and PR fallout for Sony will be less severe if it was believed the attack was state sponsored terrorism as opposed to a disgruntled insider.

From all that we’ve read so far, we haven’t seen significant hints for attribution to North Korea as a nation-state sponsored attack. The FBI stated that the attackers were negligent, leaving evidence that ties the attack to North Korea, but in my experience hackers with the capacity to exfiltrate the amount of data involved in the Sony attack are very far from being negligent. It is quite possible that any indicators pointing to North Korea were intentional, left or intentionally planted in order to mislead investigators.

So either the FBI knows things that were not shared with the media (possible) that clearly proves it in NK, or – somebody is leveraging it for his own political purposes. That includes the US government, Sony, the hackers…really, we may never know…”

Brendan Spikes, CEO, Spikes Security:

“Given the dangers of using the web today, is it not unreasonable to assume that any network can be breached by web malware trojans? This could surely include servers thought to be used exclusively by North Koreans. I wouldn’t be so quick to assume that someone intending to frame NK for the Sony attack could not intentionally leave breadcrumbs leading back to compromised NK servers.”

TaaSera CTO, Vice President and Founder, Srinivas Kumar:

“Attacker attribution requires reliable information to analyze how the breach was orchestrated internally, identifying the origin of the malicious code (supply chain), and finally tracking down the location of the attackers. The warrant required in a breach investigation to convict the cyber criminals must provide credible evidence as assurance that no evasion techniques were detected, including use of Tor networks, Fast flux DNS, and IP address spoofing. Further, for long duration and high volume data haul, determination of the corpus of actors by geo-location may be an authoritative assertion of the locality or distribution of the attackers.

Most investigations today that typically follow in the wake of high profile breaches rely on static geo-location markers for the network addresses and domain names linked to the security episode. The availability of cloud computing services, elastic IPs, Tor networks coupled with the dynamic domain name services, domain name and IP address fast flux warrant evidence beyond reasonable doubt to determine true actors (perpetrators).”

TK Keanini, CTO at Lancope:

“While attribution can be difficult in the physical world, it is incredibly tricky in the digital world. Not only are there effective tools to remain anonymous but there are equally as many tools to make it look like it is attributed to a certain source when it is actually another.

Conflict in simpler times was very symmetrical in that it was the red team versus the blue team, but these days in the digital realm of the Internet, it is almost never that simple. An orange team can make it look like the red team is to blame for the attack on the blue team and from there it can grow even more complex. This asymmetrical pattern is the new pattern of cyber conflict and the sooner we all recognize it the better.

Ultimately there is an information layer that is adjacent to the physical world, meaning at some point you do get back to a person or set of people who are behind the attacks. The synthesis and analysis that lead up to this is complex and not well understood by everyone. Those that understand the dynamics of information spaces are slow and cautious to point fingers, as we have seen in the controversy around attribution of the Sony Pictures attacks. Even when the culprit stands up, makes themselves known as the Guardian of Peace (GOP), law enforcement still struggles to tie it all back to the physical world where laws can be enforced.”

Ian Amit, Vice President of ZeroFOX:

“Attribution is always a dangerous game. Attackers leave plenty of red herrings to cover their footsteps and make following their trail next to impossible. This is exactly the case with Sony – a few lines of code or IP addresses indicate North Korea, making for a great story, but the actual attack could have come from anywhere.

In short, attribution is not a technology game, and trying to deduce attribution based on technical indicators is inherently flawed. If a hacker has deep access in the system, it is extremely easy to change the evidence in order to throw off the trail. What you find from a forensic perspective can mean a thousand different things all at once, based on little fragments of code here or there or the geographic location where an attack was routed through. All these red herrings mean is that attribution becomes political very quickly: any party can conduct their own analysis and come to a conclusion that suits their purposes, all supported by some pieces of incomplete technical evidence.”

Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:

“Attribution is an extremely complex challenge that requires the support of all forms of intelligence to include network, signals, physical, human, etc. In this case, let’s assume the attacker is highly skilled. A highly skilled attacker would understand that leaving false evidence would confuse investigators and lead them to conclusions that point away from themselves.

I view this scenario based on how I would compromise a target. First, I would be sure to have multiple launch points between my clandestine Internet connection and my target. That means I would chain multiple compromised hosts through a series of VPNs that encrypt all my traffic. If an investigator was able to trace from the target to my last launch point, they would only find evidence of my tunnel termination. All of my traffic would be passing through the host, never leaving a trace of my activity. If I was determined to frame a person or entity for my activity, I would certainly attempt to compromise a host on their network that was used by many other users, a proxy for example. My malicious traffic would be lost in the noise of thousands of other users.

Tracing activity back to me through my tunneled infrastructure may not be impossible, but it would be extremely difficult given that I’m focused on not being caught. If I accessed this network on multiple occasions, I would change the compromised hosts I used for my tunnels and never use the same combination twice. Every comment referencing attribution in the SONY attack introduces more questions.”

Don’t miss the upcoming panel “Sony and the DPRK: A Question of Attribution” at Suits and Spooks DC moderated by The Wall Street Journal’s Danny Yadron.

Until Next Friday…Have a Great Weekend!


Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Indian Police Arrest ‘Jihadi Tweeter’

Posted on December 13, 2014 by in Security

Indian police on Saturday arrested a 24-year-old executive believed to be the handler of an influential Twitter account supporting the Islamic State group, officials said.

Mehdi Masroor Biswas, employed with an Indian food conglomerate in the southern city of Bangalore, is alleged to be the handler of the Twitter account @ShamiWitness.

The account had 17,700 followers, including many foreign fighters, until it was shut down following a report by Britain’s Channel 4 News on Thursday.

Tweets from @ShamiWitness contained jihadist propaganda as well as information for would-be recruits and messages praising fallen fighters as martyrs.

“He has been taken into custody,” police director general L.R. Pachuau told AFP. Police raided his house in an upscale suburb of Bangalore early Saturday and seized “incriminating documents, Islamic literature and many photos”, Pachuau said.

Pachuau added that details of his arrest would be revealed at a news conference later Saturday.

The Channel 4 report quoted Biswas as saying that he had personally not joined IS ranks in Iraq and Syria because his family was financially dependent on him.

“If I had a chance to leave everything and join them I might have,” he was quoted as saying.

However, in an interview with the Indian Express newspaper published Saturday, Biswas said his claims to Channel 4 were meant to get the television reporter off his back.

“When Channel 4 called me first and asked if @ShamiWitness was my Twitter handle, I did not oppose it… my outright rejection would not have convinced them. I therefore decided to admit that I was indeed @ShamiWitness in the hope that they would not air the programme,” Biswas told the daily.

The Press Trust of India news agency said Biswas was likely to be charged with cyber terrorism and sentenced to life imprisonment.

The IS militant group has made extensive use of social media for propaganda and recruitment, as well as for disseminating grisly execution videos.


© AFP 2013



US Spies on Mobile Phones From the Sky: Report

Posted on November 13, 2014 by in Security

SAN FRANCISCO – US justice officials are scooping up mobile phone data from unwitting Americans as part of a sophisticated airborne surveillance program designed to catch criminals, the Wall Street Journal reported Thursday.

Small aircraft deployed by the US Marshals Service from at least five major airports have been taking to the skies with “dirtbox” equipment designed to mimic signals from cell towers, according to the Journal.

That in turn tricks mobile phones into revealing unique identifying numbers and general locations, according to the report.

The name “dirtbox” was said to be derived from an acronym of Digital Recovery Technology Inc., the Boeing subsidiary that makes the device.

The range of aircraft in the program covers most of the US population, the Journal reported, citing unnamed sources familiar with the operation.

Details of flights were not given, but they were said to take place regularly with each outing potentially gathering data from tens of thousands of mobile phones.

The Journal reported that the US Justice Department declined to comment for the story other than to say that its agencies comply with the law when it comes to surveillance.

Mobile phones are programmed to connect with the closest signal tower, but hackers have demonstrated that they trust signals from towers and imposters alike when making that decision.

Boxes in planes could automatically assure mobile phones they are the optimal signal tower, then accept identifying information from handsets seeking connections.

Fake cell towers could then pass connections onto real signal towers, remaining as a conduit with the ability to tune into or block digital transmissions.

Hackers refer to such tactics as “man-in-the-middle attacks.”

The Journal quoted American Civil Liberties Union chief technologist Christopher Soghoian as calling the program “dragnet surveillance” that is “inexcusable.”

The program is reportedly in place to reveal locations of mobile phones associated with criminals or those suspected of crimes, but it also collects data about other handsets that connect, according to the Journal.

After sifting through data collected, investigators could determine the location of a targeted mobile phone to within about three meters, the report indicated.

Similar devices are used by US military and intelligence officials operating in other countries to locate terrorist suspects, according to the Journal.

Trust in US authorities has already been shaken by revelations about a sweeping Internet surveillance program.


© AFP 2013



AT&T Admits Insider Illegally Accessed Customer Data

Posted on October 6, 2014 by in Security

AT&T is advising customers that a rogue employee illegally accessed their personal information.

In a breach notification letter sent to customers and the Vermont attorney general, AT&T explained the breach occurred in August. The employee responsible is no longer with the company.

According to the letter, the employee was able to view and may have accessed customer information ranging from social security numbers to driver’s license numbers. In addition, while accessing user accounts, the employee would have been able to view their Customer Proprietary Network Information (CPNI) without authorization. CPNI data is associated with services customers purchase from AT&T.

It is not clear how many customers were affected by the breach or if consumers in other states may have been involved.

“AT&T’s commitments to customer privacy and data security are top priorities, and we take those commitments seriously,” according to the letter.

“Simply stated, this is not the way we conduct business, and as a result, this individual no longer works here,” the letter notes.

AT&T is offering affected consumers a year of free credit monitoring, and said in the letter that any unauthorized changes that had been made to accounts would be reversed. The company has contacted federal law enforcement as well.

Earlier this year, employees of one of AT&T’s service providers accessed customer information without authorization as well. According to AT&T, the perpetrators in that case were trying to gather information that could be used to request codes to unlock AT&T mobile phones so that they could be used with other telecommunications providers.

“Insiders are worse than hackers because there’s no way to protect against them that’s truly effective,” opined Jonathan Sander, strategy and research officer for STEALTHbits Technologies. “If you need to do business, you need people to access information. If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?”

“This proves, yet again, that humans are the weakest link in any security plan,” he added. “It’s the old IT administrator joke about a system error called PEBKAC – Problem Exists Between Keyboard And Chair.”

Brian Prince is a Contributing Writer for SecurityWeek.


Dropbox Got Up to 249 National Security Requests in First Half of 2014

Posted on September 12, 2014 by in Security

Dropbox released another transparency report on Thursday and announced that moving forward, it will do so every six months in an effort to keep the public informed of its interactions with authorities.

Bart Volkmer, a lawyer with the company, revealed in a blog post that Dropbox had received 268 requests for user information from law enforcement agencies between January and June of this year. In addition, while he did not specify an exact number due to restrictions, the Dropbox representative said there had been 0-249 national security requests.

The company received a total of 120 search warrants and provided content (files stored in users’ accounts) and non-content (subscriber information) in 103 cases. In response to 109 subpoenas, the company hasn’t provided law enforcement with any content, but it has produced subscriber details in 89 cases. While many of the requests came from the United States, the report shows that there have been a total of 37 requests from agencies in other countries.

Volkmer has pointed out that while these numbers are small considering that the company has 300 million customers, Dropbox only complies with such requests if all legal requirements are satisfied. He claims cases in which agencies request too much information or haven’t followed proper procedures are “pushed back.”

The report also shows that the rate of data requests from governments remains steady. An interesting aspect is that agencies keep asking Dropbox not to notify targeted users. However, customers are notified as per the company’s policies, except for cases where there’s a valid court order. A total of 42 users were notified when the file sharing service was presented with search warrants, and 47 individuals were informed in the case of subpoenas.

There haven’t been any requests from governments targeting Dropbox for Business accounts, the company said.

“We’ll push for greater openness, better laws, and more protections for your information. A bill currently in Congress would do just that by reining in bulk data collection by the US government and allowing online services to be more transparent about the government data requests they receive,” Volkmer said. “Another would make it clear that government agencies must get a warrant supported by probable cause before they may demand the contents of user communications. We’ll continue to lend our support for these bills and for real surveillance reform around the world.”

While many companies publish transparency reports to keep the public informed of requests from governments, interesting details can also emerge from court documents. A perfect example is a series of recently unsealed documents showing that US authorities threatened to fine Yahoo $250,000 a day if it failed to comply with PRISM, the notorious surveillance program whose existence was brought to light last year by former NSA contractor Edward Snowden.

Previous Columns by Eduard Kovacs:

