US Police Grapple With Rise of ‘Swatting’ Pranks
Posted on March 23, 2015 by Kara Dunlap in Security
When Florida police got a call from a man who said he shot four people at rapper Lil Wayne’s house this month, they responded as they are trained to.
Heavily armed, flanked in body armor and accompanied by sniffer dogs, officers surrounded the Miami mansion after the alleged shooter told the 911 dispatch: “I’m killing whoever else I see…”
But police found no shooter at the house, and no victims. Lil Wayne was not there either.
The rapper was the target of a “swatting” prank, a phenomenon gaining popularity in the United States and creating public safety risks and budget strains for law enforcement.
The stunt — a modern-day and much more serious version of a prank call — involves a call to emergency services claiming a crisis.
When police arrive, the alarmed victim is often greeted by angry bangs at the door from screaming officers with cocked guns.
Special weapons and tactics (SWAT) units are usually dispatched — which the term swatting comes from — because they are trained to deal with serious emergencies swatters typically falsely report, such as hostage taking, mass shootings, bomb threats and domestic violence.
Following the false alarm at Lil Wayne’s mansion, Miami police said on Twitter: “Unfortunately this appears to be a ‘Swatting’ call. No victims /no injuries /no subject at 94 LaGorce.”
Police are obliged to respond to emergency calls, but say such pranks are a waste of resources.
“Fortunately in terms of no one hurt yes. Unfortunate in the waste of resources for a hoax that we have to treat seriously,” Miami Police tweeted.
Lil Wayne is not the only celebrity swatting victim.
Famous Hollywood prankster, Ashton Kutcher, host of the hoax show “Punk’d,” has been swatted, along with Justin Bieber, Rihanna, P. Diddy, Justin Timberlake, Tom Cruise and Miley Cyrus.
Swatters have also hit politicians, journalists and schools.
Live-stream swatting
The phenomenon of swatting was first reported to the Federal Bureau of Investigation in 2008, and has steadily gained popularity since.
Officials estimate about 400 swattings occur every year, but many no longer report incidents to prevent copycat acts and to avoid giving swatters publicity.
The hoax is popular in the online gaming community, where swatters target online rivals who are live-streaming a game. When police arrive, the stunt is broadcast in real-time.
Swatting videos show victims at their computers when they are interrupted by loud bangs at the door followed by heavily armed police storming their homes.
Perpetrators target online rivals and access their addresses by hacking their computers.
Police consider the act a dangerous crime, and say swatting is a serious public safety issue.
“The swatting practice is extremely dangerous and places first responders and citizens in harm’s way,” the FBI said in a statement.
“It is a serious crime, and one that has potentially dangerous consequences.”
Beyond being a waste of resources, police say swatting creates major risks.
Some hapless victims were carrying objects that could be mistaken for a weapon. Others grabbed a real gun, mistaking law enforcement for intruders
Police are at risk too — in one incident an officer was injured in a car accident while responding to a swatting hoax.
“It’s only a matter of time before somebody gets seriously injured as a result of one of these incidents,” the FBI said.
Seeking tough laws
But tracking perpetrators is tough, as callers use software to disguise the call origin or place the calls from untraceable Internet sites.
Though there is no federal swatting legislation in place, punishment can be tough for swatters who are caught.
In 2009, 19-year-old Matthew Weigman was sentenced to 11 years in prison for orchestrating several swattings. The blind phone hacker who was a member of a swatting ring had been making the fake calls to police for five years.
Some politicians are pushing for tougher laws to deal with the crime.
California Congressman Ted Lieu introduced legislation in his state that was adopted in 2014, forcing convicted swatters to pay for costs related to fake calls, which can be as much as $ 10,000.
Lieu, himself a victim of swatting, said the bill protects the public and prevents police resources from being wasted.
Despite moves to strengthen punishments, the phenomenon continues to gain momentum, both on US soil and abroad.
Last week, French television host Enora Malagre was a victim of swatting when a man called police claiming he stabbed her and threatened to shoot at police.
CIA to Boost Cyber Capability in Sweeping Overhaul
Posted on March 7, 2015 by Kara Dunlap in Security
The CIA plans to radically overhaul operations, ramping up its capability to deal with cyber threats while boosting integration between departments via a network of new units.
Central Intelligence Agency director John Brennan outlined the proposed changes to the agency in a message to staff on Friday described as a “Blueprint for the Future” covering four key areas.
Brennan said the US espionage agency would set up a new “Directorate of Digital Innovation” to reflect the rapidly evolving cyber landscape.
“We must place our activities and operations in the digital domain at the very center of all our mission endeavors,” Brennan wrote.
“To that end, we will establish a senior position to oversee the acceleration of digital and cyber integration across all of our mission areas.”
The changes reflect the increasing emphasis on cybersecurity by the United States after a series of high-profile digital breaches in recent years, such as the Sony Pictures hack blamed on North Korea.
Director of National Intelligence James Clapper last month told lawmakers that foreign cyberattacks represented a bigger threat to national security than terrorism.
US media reports said Brennan’s sweeping changes would affect thousands of employees at the agency.
‘Bold steps’
A centerpiece of the overhaul would be the establishment of 10 new “Mission Centers” aimed at enhancing integration between departments.
“Never has the need for the full and unfettered integration of our capabilities been greater,” Brennan said in his message. “We must take some bold steps toward more integrated, coherent and accountable mission execution.”
Analysts said the introduction of Mission Centers was intended to eliminate divisions between traditional departments covering the Middle East, Africa and other regions.
Several media reports said the new units would be modeled on the CIA’s Counterterrorism Center, which grew exponentially in the years after the September 11, 2001 attacks on US soil.
The new centers will “bring the full range of operational, analytic, support, technical and digital personnel and capabilities to bear on the nation’s most pressing security issues,” Brennan said.
Each new center would be led by an assistant director who would be accountable for overall mission accomplishment in the field or geographic region assigned to their unit.
According to The Wall Street Journal, the overhaul follows an exhaustive review led by senior CIA veterans that identified several “pain points.”
“One of the things we’re trying to do here is to think about the agency operating in a way so that there are less of those… frictions that build up over time, and to have a more streamlined, a more efficient agency so we can, frankly, produce more, do a better job in some of the areas where we need to do better,” Brennan was quoted by the Journal as saying.
U.S. Offers $3 Million Reward for Russian Cybercriminal
Posted on February 24, 2015 by Kara Dunlap in Security
U.S. Offers $ 3 Million Reward for Russian Sought in Bank Hack
Washington – The United States on Tuesday offered a $ 3 million reward for information to apprehend a Russian national sought in a major hacking enterprise that stole some $ 100 million.
The State Department made the announcement of the reward for information on Evgeniy Mikhailovich Bogachev, believed to be the administrator of the group that created the “GameOver Zeus” malware that enabled thieves to break into bank accounts in 12 countries.
Bogachev is already on the FBI “cyber’s most wanted” list and is believed to be living in Russia.
“This reward offer reaffirms the commitment of the US government to bring those who participate in organized crime to justice, whether they hide online or overseas,” a State Department statement said.
Bogachev was charged last year with 14 counts including conspiracy, computer hacking, bank fraud and money laundering, after the FBI said it dismantled the operation with the help of technology companies such as Microsoft and Symantec.
According to investigators, the scheme used emails to infect up to one million computers, which could then be controlled by the hackers to gain bank login credentials to steal funds.
Some security experts said the malware re-emerged shortly after the FBI action.
Related: Gameover Zeus Most Prevalent Banking Trojan of 2013: Dell SecureWorks
Complexity is the Enemy of Security
Posted on February 11, 2015 by Kara Dunlap in Security
We’ve likely all heard the phrase “complexity is the enemy of security” many times. It’s an oft-used sound bite, but what can we learn from this concept to improve our respective security postures? Although there are many angles one could approach this concept from, I’d like to examine it from a security operations and incident response perspective.
Simplicity in Collection and Analysis
Most enterprises instrument their network to collect many different, highly specialized forms of data. For example, an organization may collect netflow data, firewall logs, DNS logs, and a variety of other specialized forms of data. This creates a stream of various different data types and formats that complicates and clouds the operational workflow. Unfortunately, the first question when performing analysis or incident response is often “Where do I go to get the data I need?” rather than “What questions do I need to ask of the data?”
In addition to the variety and complexity of these specialized forms of data, the volume of data they create often overwhelms enterprises. These huge quantities of data result in shorter retention periods and longer query times. This perfect storm of circumstances creates a very real operational challenge.
Fortunately, organizations can address this challenge by seeking out fewer, more generalized collection technologies that provides the required level of visibility with greatly reduced complexity and volume. Continuing with the above example, in lieu of many different highly specialized network data sources, an organization could consider one layer 7 enriched meta-data source.
Simplicity in Detection
Wikipedia defines an Indicator of Compromise (IOC) as “an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.” Associated contextual information is also usually included along with the artifact and helps an organization to properly leverage the IOC. Context most often includes, among other things, information regarding to which attack stage an indicator is relevant. Attack stages can be broken up into three main families, each of which contains one or more attack stages:
• Pre-infection: reconnaissance, exploit, re-direct
• Infection: payload delivery
• Post-infection: command and control, update, drop, staging, exfiltration
It is well known that many organizations struggle with excessive amounts of false positives and low signal-to-noise ratios in their alert queues. There are several different angles from which an organization can approach this problem, and in fact, I have previously written about some of them. Another such approach, which can be used in combination with the others, is to go for the “money shot”.
At some point, when an organization wants to watch for and alert on a given attack, intrusion, or activity of concern, that organization will need to select one or more IOCs for this purpose. Going for the “money shot” involves selecting the highest fidelity, most reliable, least false-positive prone IOC or IOCs for a given attack, intrusion, or activity of concern. For example, if we look at a typical web-based re-direct attack, it may involve the following stages:
• Compromise of a legitimate third party site to re-direct to a malicious exploit site
• Exploitation of the system from the malicious exploit site
• Delivery of the malicious code
• Command and control, along with other post-infection activity
Although it is possible to use IOCs from all four of the above attack stages, using IOCs from the first three stages presents some challenges:
• Compromised legitimate third party sites likely number in the millions, meaning we would need millions of IOCs to identify just this one attack at this stage. Further, there is no guarantee that the attempted re-direct would succeed (e.g., if it were blocked by the proxy). An unsuccessful re-direct means that there was no attempt to exploit. In other words, for our purposes, a false positive.
• Exploits don’t always succeed, and as such, alerting on attempted exploits can often generate thousands upon thousands of false positives.
• If we see a malicious payload being delivered, that is certainly of concern. But what if the malicious payload does not successfully transfer, install, execute, and/or persist? We have little insight into whether a system is infected, unless of course, we see command and control or other post-infection activity.
Command and control (C2) and other post-infection activity, on the other hand, is always post-infection. That means that if we can distill a high fidelity, reliable IOC for this attack stage, we can identify malicious code infections immediately after they happen with a very low false positive rate. Obviously, preventing an attack is always preferable, but as we all know, this is not always possible. The next best option is timely and reliable detection.
Simplicity in O&M
When people began moving from the cities to the suburbs in the post-war United States in the 1950s, new infrastructure was built to serve the shifting population. The infrastructure served its population well for 50 years or so, until the 2000s, when the physical lifetime of water mains, electric power lines, and other infrastructure was reached. What people quickly realized is that although money and resources had been allocated to build and deploy infrastructure, money and resources had not been allocated to operate and maintain the infrastructure for the long term. In other words, O&M would be required to repair or replace the aging infrastructure, but the resources for that O&M would have to be found elsewhere.
Similarly, in the information security realm, as new business needs arise, new security technologies are often deployed to address them. Enterprises often forget to include O&M when calculating total cost. Another way to think of this is that each new security technology requires people to properly deploy, operate, and maintain it. If head count were increased each time a new security technology was deployed, the model would work quite well. However, as those of us in the security world know, head count seldom grows in parallel with new business needs. This presents a big challenge to the enterprise.
O&M cost (including the human resources required to properly deploy, maintain, and operate technology) is an important cost to keep in mind during the technology lifecycle. O&M cost is a large part of the overall cost of technology, but it is one that is often overlooked or underestimated. In an effort to lower total overall O&M costs, and building on the collection and analysis discussion above, it pays to take a moment to think about the purpose of each technology. Is this specific technology a highly specialized technology for a highly specialized purpose? Could I potentially retain the functionality and visibility provided by several specialized technologies through the use of a single, more generalized technology?
If the answer to these two questions is yes, it pays to think about consolidating security technologies through an exercise I like to call “shrinking the rack”. Shrinking the rack can be a great option, provided it doesn’t negatively affect security operations. Fewer specialized security technologies mean fewer resources to properly deploy, maintain, and operate them. That, in turn, means lower overall O&M costs. Lower O&M costs are always a powerful, motivating factor to consider.
The concept of simplicity is one that we can apply directly to security operations and incident response. This piece touches on just some of the variety of lessons we can learn from this topic. Although the phrase “complexity is the enemy of security” is a popular sound bite, if we dig a level deeper, we see that there is a great deal we can learn from the concept.
Tokyo Cyber Security Competition Draws 90 Hackers
Posted on February 8, 2015 by Kara Dunlap in Security
Tokyo – A cyber security competition began Saturday in Tokyo, with organizers aiming to show off the skills of young Japanese hackers by testing them against international rivals.
The final rounds of the Security Contest 2014, or SECCON, brought together 90 participants in 24 teams from seven nations and regions: China, Japan, Poland, Russia, South Korea, Taiwan, and the United States.
The winners of the Tokyo competition will advance to the prestigious Def Con CTF (Capture the Flag) competition, slated for later this year, organisers said. SECCON was designed to allow young Japanese technology engineers to show off their skills on the world stage, while also encouraging more to get into the field of cyber security.
Teams compete for points by hacking six virtual servers to discover particular keywords, and can also intervene to stop their rivals’ cyberattacks.
“There is a need for a forum where fledgling, young… hackers can grow and gain understanding of their families, schools and the outside world,” said Yoshinori Takesako, the head of the SECCON organising committee.
“This is important in order to keep them away from being pulled into the underground world,” he said in a statement to AFP.
The Japan-based event has drawn a total of 4,186 participants from 58 countries through various qualifying rounds.
Takesako said the organizers, supported by government agencies, tech firms, and scholars, also want to change the media image that Japan lags other nations in the cyber security field.
Hackers Announce ‘World War III’ on Twitter
Posted on January 17, 2015 by Kara Dunlap in Security
Washington – Hackers took over the Twitter accounts of the New York Post and United Press International on Friday, writing bogus messages, including about hostilities breaking out between the United States and China.
One tweet posted under the UPI account quoted Pope Francis as saying, “World War III has begun.”
Another message delivered on the Post account said the USS George Washington, an aircraft carrier, was “engaged in active combat” against Chinese warships in the South China Sea.
The tweets were subsequently deleted.
A Post tweet later noted that “Our Twitter account was briefly hacked and we are investigating.”
The fake tweets were not just about war. One posted on UPI said “Just in: Bank of America CEO calls for calm: Savings accounts will not be affected by federal reserve decision.”
The Post is owned by Rupert Murdoch’s News Corp. Several media organizations have had their Twitter feeds hacked over the past two years including Agence France-Presse, the BBC and others.
A Pentagon official said the tweet about hostilities with China was “not true.”
Feedback Friday: Is North Korea Behind the Sony Hack?
Posted on January 9, 2015 by Kara Dunlap in Security
In late November, Sony Pictures Entertainment was hacked by a group calling itself Guardians of the Galaxy (GOP). What initially appeared to be another hacktivist attack, later turned out to be a sophisticated operation possibly orchestrated by a state actor.
The hackers’ activities came to light on November 24, when the computers of Sony employees started displaying an image of a skull accompanied by a warning message. In the following days, the hackers started leaking large amounts of information stolen from the entertainment giant’s networks. The leaked data included unreleased movies, private emails, the personal details of actors, financial and business information, and employee records (including medical information).
North Korea was named a suspect after investigators found similarities between this attack and others believed to be carried out by Pyongyang. Shortly after, the hackers told Sony to erase all traces of The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-Un. Sony initially called off the release of the movie because of the hackers’ threats, but later decided to go ahead with the release on Christmas Day, as planned.
Sony has avoided pointing a finger at North Korea. United States authorities, on the other hand, say they’re certain North Korea is behind the attack, but they haven’t provided any proof to back their claims, except for the fact that the attackers used IP addresses “exclusively used by the North Koreans.”
North Korea has denied being responsible, but officials admitted that it might be the work of supporters furious over The Interview. Last week, the US imposed new sanctions on North Korea in retaliation for the attack on Sony. On Wednesday, Director of National Intelligence James Clapper claimed that he dined with the North Korean general who Clapper says was responsible for overseeing the attack against Sony, during a secret mission to Pyongyang two months ago.
Everyone agrees that attribution is tricky. Some believe US authorities are jumping to conclusions, but others say the FBI surely has other evidence, which they might never share with the public, to back their claims.
This topic will be debated by a panel of experts and moderated by The Wall Street Journal’s Danny Yadron at the Suits and Spooks DC conference on February 4-5 at the Ritz-Carlton, Pentagon City.
And the Feedback Begins…
Jeffrey Carr, President/CEO, Taia Global, Inc:
“The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector. The FBI, the NSA, and the private security companies upon which they rely for information believe that any attack linked to a North Korean IP address must be one that is government sanctioned since North Korea maintains such tight control over its Internet and Intranet. That is the FBI’s single point of failure because while that might have been true prior to 2009, it isn’t true any longer.
Access to those blocks is relatively easy if you go in through China, Thailand, Japan, Germany or other countries where North Korea has strategic connections.
It simply isn’t enough for the FBI director to say “We know who hacked Sony. It was the North Koreans” in a protected environment where no questions were permitted. The necessity of proof always lies with the person who lays the charges. As of today, the U.S. government is in the uniquely embarrassing position of being tricked by a hacker crew into charging another foreign government with a crime it didn’t commit. I predict that these hackers, and others, will escalate their attacks until the U.S. figures out what it’s doing wrong in incident attribution and fixes it.”
Joshua Cannell, malware intelligence analyst at Malwarebytes Labs:
“Many people continue to speculate about who was really behind the cyberattack against Sony Pictures. We know the director of the F.B.I. has made it publicly clear that North Korea was to blame, and the fact that he’s pushing to declassify that information should tell the world that they have solid evidence to back it up. If we weren’t living in a time where the ability to trust a U.S. Intelligence agency hadn’t recently been questioned during the release of incriminating N.S.A. documents, most people would have likely accepted the F.B.I.’s statement as fact long ago. It seems that by releasing more information, the F.B.I. is hoping to regain the confidence placed in U.S. Intelligence.
You have to look at some of the details leading up to the hack in November. North Korean officials called the release of The Interview ‘an act of terrorism,’ and there was a Facebook group sending threats to Sony Pictures months before the movie’s release. When that was shut down, actors continued to use other methods to communicate their threats, like e-mail. Finally, the threats came to fruition, and simply saying ‘it wasn’t us’ at this point doesn’t do much when all of the evidence points at them. There may have been others involved, that’s true, but that doesn’t change the conclusion of a lengthy federal investigation.”
Jay Kaplan, CEO of Synack:
“The security pundits that we’ve seen in the media disagreeing with the government’s assertion of North Korean attribution are ill-informed with conclusions that I believe to be fundamentally flawed. Even with the latest revelation of details tying North Korea to the Sony breach by “slipping up”, there is much more under the covers that the public is not seeing (and will never see as a result of classified sources.) Conclusions made by security firms after reviewing methodology, technical capability, and modus operandi are flawed given their non-complete picture of the situation at hand.
It is especially interesting to see how just a few months ago the world thought the government had too much information — the intelligence community was running rampant, too much data was being siphoned, and the integrity of our privacy was in question. Yet today, post-Sony breach, people are questioning the same government for coming to conclusions due to a lack of knowledge and perspective.”
Ken Westin, senior security analyst, Tripwire:
“It is difficult if not impossible for those of us in the private sector to verify the FBI¹s findings without access to the information they have.
However, I think it is important to note that in this latest statement they are tying their attribution case to IP addresses they say were exclusively used by the North Koreans. I think it is important to point out that Comey said they were IP addresses exclusively used by the North Koreans and not IP addresses in North Korea. The IP addresses that were issued to the public in their flash advisories were IP addresses that have been seen before and used for spam and command and control by other criminal actors. This was a key reason many in the security community were skeptical of the findings, as based on the evidence provided there wasn’t exactly a smoking gun and the information was vague and inconclusive.
I would like to give the FBI the benefit of the doubt and assume that they have additional evidence aside from just IP addresses, which I think they must if they have the level of confidence that Comey is claiming. The difficult part of that for the security community is trusting the FBI. Trust does not come easily to this group, as by nature of their profession they are paranoid and skeptical and want to see the evidence for themselves to establish the facts.”
Suits and Spooks DC: Not Just a Conference, a Collision. Washington DC, Feb 4-5. See the Agenda & Register Today |
Marc Gaffan, CEO & Co-founder of Incapsula:
“While we may never know the the motives behind the Sony Pictures attack, we’ve found that some attackers will publicly deny involvement, but leave breadcrumbs in an attempt to demonstrate prowess without taking the full brunt of public criticism. As for North Korea’s cyber espionage capabilities, despite the fact that their Internet capacity is less than half of the Falkland Islands, it would be foolhardy to equate a small Internet presence with a lack of skilled individuals working with or for their government.
Regardless of origin or motive, companies need to turn their focus to the blind spots in their organizations. Hackers will only continue to create more illusive and inventive ways to take down websites or steal information; our global networks see new methods every day. Sony Pictures learned their lesson, but will other companies? This remains to be seen.”
Michael Sutton, VP of Security Research, Zscaler:
“Attribution is hard. This is always the case when dealing with a cyber attack where IP addresses can be spoofed, proxies can be employed and digital weapons copied. Attribution is impossible when we don’t have all the facts. The FBI was surprisingly quick to finger the DPRK for the Sony attacks. Less than a month after the breach, the FBI confidently proclaimed that they had “enough information to conclude that the North Korean government is responsible for [the attacks]”.
Contrast that with the grand jury indictment of five Chinese Military officials charged last year with cyber espionage, a case which involved years of investigation. Why did the FBI move so quickly this time? Was it truly an open and shut case? Were there other political motivations for fingering North Korea? Without full transparency we’ll likely never know but we can presume that attribution was needed prior to retaliatory measures. Measures that have already publicly emerged in the form of US sanctions, but other more covert responses are no doubt also currently underway and unlikely to show up in the headlines.
Some have claimed that the DPRK did not have the means to conduct such a successful attack, but this is a country that has had an offensive cyber capability for many years and has shown a willingness to leverage it against foreign nations/companies. The Sony breach, while broad in terms of the damage caused, would not have required great sophistication if network admin credentials were indeed stolen and the target had poor internal controls to limit the reach of that individual’s network access. Given Sony’s poor history with previous attacks, including a 23 day DoS attack on the PlayStation Network in 2011, it’s not hard to fathom that internal security controls were lacking.”
Mike Tierney, COO at SpectorSoft:
“As the feeding frenzy around the possibility a nation was behind the Sony hack calms a bit, more and more credible experts are indicating that it is at least as likely that the hack and subsequent data dump were clearly designed to embarrass Sony. The fact that the tie between a pending movie release and the hack was originally made in news reports, and not by the hacker(s), lends some credence to the idea that there may be a more mundane, but all too common, perpetrator.
Very often, data leaks of this type stem from a disgruntled employee. Whether the source of their anger is specific, as in the case of a poor performance review or being passed over for a promotion, or more general, as in the case of rumored layoffs (which seem to be a possibility in the Sony case), disgruntled employees can and do present significant risk to organizations.”
Greg Martin, CTO at ThreatStream:
“The big issue with the Sony hack is that any “Security Expert” outside of the core investigation can claim an “alternate theory.”
This has been highly confusing to the public who have been hungry for more details which the FBI finally came out with. The FBI had clear evidence that they have some ‘smoking gun’ data showing the North Korean hackers were sloppy when setting up their social media accounts.
This is a common mistake made by many hackers – even the very sophisticated ones – and it’s one of the more common ways they get caught. My question to the ‘truthers’ is: why is that so hard to accept?”
Tal Klein, VP of Strategy, Adallom:
“The trouble with breach attribution is that smoking guns are hard to come by. A more concerning issue to those of us watching from the sidelines is that the initial attack vector has still not been discovered, and no breach containment announcement has been made thus far. That means we don’t know whether the attackers still have a foothold in Sony’s infrastructure or if there are more exfiltrated data dumps coming.
It is strange that the U.S. would rush to point fingers at North Korea, especially given that any recourse would doubtlessly punish the hapless DPRK proletariat more than government or military. Further, it seems obvious in hindsight that the FBI’s most recent revelations, as presented, would not quell detractors’ call for solid attributable evidence—so one wonders, ‘Why bother?’”
Lior Div, CEO and Co-founder of Cybereason, a MalOps protection company:
“When a company is attacked, it reduces the liability and blame of the attacked company if the public believes it is a nation state attack. This attack may have very well been done or aided by insiders, or other players, including North Koreans that are not nation state cyber attackers, but…certainly the legal and PR fallout for Sony will be less severe if it was believed the attack was state sponsored terrorism as opposed to a disgruntled insider.
From all that we’ve read so far, we haven’t seen significant hints for attribution to North Korea as a nation-state sponsored attack. The FBI stated that the attackers were negligent, leaving evidence that ties the attack to North Korea, but in my experience hackers with the capacity to exfiltrate the amount of data involved in the Sony attack are very far from being negligent. It is quite possible that any indicators pointing to North Korea were intentional, left or intentionally planted in order to mislead investigators.
So either the FBI knows things that were not shared with the media (possible) that clearly proves it in NK, or – somebody is leveraging it for his own political purposes. That includes the US government, Sony, the hackers…really, we may never know…”
Brendan Spikes, CEO, Spikes Security:
“Given the dangers of using the web today, is it not unreasonable to assume that any network can be breached by web malware trojans? This could surely include servers thought to be used exclusively by North Koreans. I wouldn’t be so quick to assume that someone intending to frame NK for the Sony attack could not intentionally leave breadcrumbs leading back to compromised NK servers.”
TaaSera CTO, Vice President and Founder, Srinivas Kumar:
“Attacker attribution requires reliable information to analyze how the breach was orchestrated internally, identifying the origin of the malicious code (supply chain), and finally tracking down the location of the attackers. The warrant required in a breach investigation to convict the cyber criminals must provide credible evidence as assurance that no evasion techniques were detected, including use of Tor networks, Fast flux DNS, and IP address spoofing. Further, for long duration and high volume data haul, determination of the corpus of actors by geo-location may be an authoritative assertion of the locality or distribution of the attackers.
Most investigations today that typically follow in the wake of high profile breaches rely on static geo-location markers for the network addresses and domain names linked to the security episode. The availability of cloud computing services, elastic IPs, Tor networks coupled with the dynamic domain name services, domain name and IP address fast flux warrant evidence beyond reasonable doubt to determine true actors (perpetrators).”
TK Keanini, CTO at Lancope:
“While attribution can be difficult in the physical world, it is incredibly tricky in the digital world. Not only are there effective tools to remain anonymous but there are equally as many tools to make it look like it is attributed to a certain source when it is actually another.
Conflict in simpler times was very symmetrical in that the red team versus the blue team but these days in the digital realm of the Internet, it is almost never that simple. an orange team can make it look like the red team is to blame for the attack on the blue team and from there it can grow even more complex. This asymmetrical pattern is the new pattern of cyber conflict and the sooner we all recognize it the better.
Ultimately there is an information layer that is adjacent to the physical world meaning at some point you do get back to a person or set of people who are behind the attacks. The synthesis and analysis that lead up to this is complex and not well understood by everyone. Those that understand the dynamics of information spaces are slow and cautious to point fingers as we have seen in the controversy around attribution the Sony Pictures attacks. Even when the culprit stands up, makes themselves known as the Guardian of Peace (GOP), law enforcement still struggles to ties it all back to the physical world where laws can be enforced.”
Ian Amit, Vice President of ZeroFOX:
“Attribution is always a dangerous game. Attackers leave plenty of red herrings to cover their footsteps and make following their trail next to impossible. This is exactly the case with Sony – a few lines of code or IP addresses indicate North Korea, making for a great story, but the actual attack could have come from anywhere.
In short, attribution is not a technology game, and trying to deduce attribution based on technical indicators is inherently flawed. If a hacker has deep access in the system, it is extremely easy to change the evidence in order to throw off the trail. What you find from a forensic perspective can mean a thousand different things all at once, based on little fragments of code here or there or the geographic location where an attack was routed though. All these red herrings mean is that attribution becomes political very quickly: any party can conduct their own analysis and come to a conclusion that suits their purposes, all supported by some pieces of incomplete technical evidence.”
Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:
“Attribution is an extremely complex challenge that requires the support of all forms of intelligence to include network, signals, physical, human, etc. In this case, let’s assume the attacker is highly skilled. A highly skilled attacker would understand that leaving false evidence would confuse investigators and lead them to conclusions that point away from themselves.
I view this scenario based on how I would compromise a target. First, I would be sure to have multiple launch points between my clandestine Internet connection and my target. That means I would chain multiple compromised hosts through a series of VPNs that encrypt all my traffic. If an investigator was able to trace from the target to my last launch point, they would only find evidence of my tunnel termination. All of my traffic would be passing through the host, never leaving a trace of my activity. If I was determined to frame a person or entity for my activity, I would certainly attempt to compromise a host on their network that was used by many other users, a proxy for example. My malicious traffic would be lost in the noise of thousands of other users.
Tracing activity back to me through my tunneled infrastructure may not be impossible, but it would be extremely difficult given that I’m focused on not being caught. If I accessed this network on multiple occasions, I would change the compromised hosts I used for my tunnels and never use the same combination twice. Every comment referencing attribution in the SONY attack introduces more questions.”
Don’t miss the upcoming panel “Sony and the DPRK: A Question of Attribution” at Suits and Spooks DC moderated by The Wall Street Journal’s Danny Yadron.
Until Next Friday…Have a Great Weekend!
US Slaps Sanctions on North Korea After Sony Hack
Posted on January 4, 2015 by Kara Dunlap in Security
The United States imposed new sanctions Friday on North Korea in retaliation for a cyber attack on Hollywood studio Sony Pictures.
In an executive order President Barack Obama authorized the US Treasury to place on its blacklist three top North Korean intelligence and arms operations, as well as 10 government officials, most of them involved in Pyongyang’s arms exports.
Obama said he ordered the sanctions because of “the provocative, destabilizing, and repressive actions and policies of the Government of North Korea, including its destructive, coercive cyber-related actions during November and December 2014.”
The activities “constitute a continuing threat to the national security, foreign policy, and economy of the United States,” he added, in a letter to inform congressional leaders.
“The order is not targeted at the people of North Korea, but rather is aimed at the Government of North Korea and its activities that threaten the United States and others,” Obama added.
The sanctions come after hackers penetrated Sony’s computers in late November, stealing and releasing over the Internet employee information, unreleased films and an embarrassing trove of emails between top company executives.
The hackers — a group calling itself Guardians of Peace — then began to issue threats against the company over the looming Christmas release of the comedy film “The Interview”, which depicts a fictional CIA plot to kill North Korea’s leader.
The threats led first to worried movie theater owners dropping the film and then Sony cancelling the public debut altogether, before releasing it online.
After the hackers invoked the 9/11 attacks in their threats, the White House branded it a national security threat, and an investigation by the FBI said North Korea was behind the Sony intrusion.
Pyongyang repeatedly denied involvement, but has applauded the actions of the shadowy Guardians of Peace group.
‘Proportional’ response
The White House stressed Friday that its response will be “proportional”, but also that the sanction actions were only “the first aspect of our response.”
“We take seriously North Korea’s attack that aimed to create destructive financial effects on a US company and to threaten artists and other individuals with the goal of restricting their right to free expression,” said White House press secretary Josh Earnest.
In parallel with the White House announcement, the Treasury named the first targets of sanctions in the Sony case.
They included the Reconnaissance General Bureau, the government’s main intelligence organization, and two top North Korean arms exporters: Korea Mining Development Trading Corporation (KOMID) and Korea Tangun Trading Corporation.
The individuals named included agents of KOMID in Namibia, Russia, Iran and Syria, and other representatives of the government and the sanctioned organizations.
An administration official, briefing reporters, said that they remain “very confident” in their assessment that Pyongyang is behind the attack on Sony, amid doubts raised by security experts.
The official said the three organizations had “no direct involvement” with the hacking. “They’re being designated to put pressure on the North Korean government,” the official said.
It was the first time the Treasury sanctions mechanism had been invoked due to a threat to a private company, the official acknowledged.
The sanctions forbid US individuals and companies from doing business with those blacklist, and freezes any assets those blacklisted might have on US territory.
A particular aim of such sanctions is to limit their access to international financial services by locking them out of the US financial system.
All three of the organizations blacklisted in the Sony case are already under US sanctions for the country’s persistence with its nuclear weapons program, its alleged provocations on the Korean peninsula, and other “continued actions that threaten the United States and others,” as Obama said in his letter.
MBR Wiper Attacks Hit Korean Power Plant: Trend Micro
Posted on December 24, 2014 by Kara Dunlap in Security
Researchers at Trend Micro revealed details of an attack against a major Korean utility company hit by malware designed to wipe the master boot records (MBR) of compromised computers.
According to Trend Micro, the malware is believed to have infected the targeted systems through a vulnerability in the Hangul Word Processor (HWP), a commonly-used application in South Korea. The attackers used a variety of social engineering lures as well.
“We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper,” according to Trend Micro. “In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.”
“This particular MBR-wiping behavior, while uncommon, has been seen before,” the researchers noted. “We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.”
Trend Micro also found similarities to the previous MBR wiper attacks as well. All three attacks overwrite the MBR with certain repeated strings; this attack uses the repeating “Who Am I?” string, while the Sony attack used a repeating 0xAAAAAAAA pattern.
The attack on Sony has caused a further rift between North Korea and the United States, as U.S. President Barack Obama promised last week that the United States would offer a proportional response to North Korea’s involvement in the attack.
North Korea has denied any involvement in the incident. The country began suffering Internet outages this week, though the cause of those outages remains unclear.
“While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related,” according to Trend Micro. “All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.”
“These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors,” the researchers added. “This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.”
U.S. Leads Way in PoS Malware Infections in Q3: Trend Micro
Posted on December 2, 2014 by Kara Dunlap in Security
The United States is at the top of the list of countries with the most infections of point-of-sale (PoS) malware during the third quarter of the year, according to research from Trend Micro.
In its threat report for Q3, Trend Micro reported that the U.S. accounted for 30 percent of PoS malware infections. The next three places on the list – Taiwan, Philippines and Italy – each accounted for six percent of infections.
“Early this year, one of the largest retail companies in the U.S. disclosed that approximately 40 million consumer credit and debit card information was compromised as a result of a breach in its systems,” according to the report. “Not long afterward, Home Depot topped that record when it disclosed that more than 100 million customer records that included credit card information was stolen as a result of a payment systems breach. The threat actors behind these breaches attacked the retailers’ point-of-sale (PoS) systems. BlackPOS was implicated in the incident reported early this year, while BlackPOS version 2 was used in the Home Depot breach. This further indicates that PoS networks are highly accessible and vulnerable.”
The report identified three new pieces of PoS malware that were spotted during the third quarter: BrutPOS (Tibrun), Backoff (POSLOGR) and BlackPOS Version 2 (MEMLOG).
Recently, researchers at Trend Micro identified a new piece of PoS malware detected by the firm as TSPY_POSLOGR.K that is designed to read the memory associated with specific processes written in the .INI file. It then saves the data to files named “rep.bin” and “rep.tmp.”
“Based on the other PoS malware behaviors we observed, it appears to be designed as multicomponent malware similar to an earlier BlackPOS variant named TSPY_MEMLOG.A, as it might require another component to retrieve the dumped data,” Anthony Joe Melgarejo, threat response engineer at Trend Micro, explained in a blog post. “It is highly possible that this is deployed as a package.”
The report also noted a spike in online banking malware infections between the second and third quarters. As in the case of PoS malware, the United States was the most affected country, accounting for about 13 percent of infections.
“Our findings confirm that we are battling rapidly moving cybercriminals and evolving vulnerabilities simultaneously,” said Raimund Genes, CTO at Trend Micro, in a statement. “With this fluidity, it’s time to embrace the fact that compromises will continue, and we shouldn’t be alarmed or surprised when they occur. Preparation is key and as an industry we must better educate organizations and consumers about heightened risks as attacks grow in volume and in sophistication. Understanding that cybercriminals are finding vulnerabilities and potential loopholes in every device and platform possible will help us confront these challenges so technology can be used in a positive way.”