War. War never changes. (Except when it does)

[Büge]

"I have no problem as long as we achieve our objective. And our objective is to get the guys who did 9/11 and it is to avoid another attack against the United States," former Vice President banana Cheney told NBC's Chuck Todd on "Meet the Press" last Sunday. "I'd do it again in a minute."

In which I come to the horrible realization that banana Cheney may actually have been the stupid one all along.

Mark Evanier had a pretty great comment the other day, to the effect that the real point of all this was so that banana Cheney could feel like a tough guy.

I have a feeling it's so the United States could, really. I mean, 9/11 showed the country to be vulnerable, and one thing America prides itself on is invulnerability.

There was a discussion on Talking Time about the topic of torture, and the idea of suffering came up. There's an argument to be made that U.S. officials wanted their captives to suffer, and any information that was let out, regardless of its veracity, was just a bonus. That, and torture appears effective, at least in the short term.

[Classic]

I feel like I should blame the TV show 24 in addition to FOX in general for this.

[Mongrel]

It's sort of funny but also sad to see news agencies trip over themselves to suddenly try and sell North Korea as some sort of hacking superpower, with thousands of trained men of the highest ability ready to bring down the world's infrastructure.

I guess the allure of the trope of totalitarian states as some sort of wunderkind capable of all the greatness that messy democracies are not hasn't worn off. Instead of, say, correctly recalling that every totalitarian state the world has ever seen has either burned itself out in a big hurry or become thoroughly rotten and hollow inside after only a generation or two.

[Grath]

It's sort of funny but also sad to see news agencies trip over themselves to suddenly try and sell North Korea as some sort of hacking superpower, with thousands of trained men of the highest ability ready to bring down the world's infrastructure.

I guess the allure of the trope of totalitarian states as some sort of wunderkind capable of all the greatness that messy democracies are not hasn't worn off. Instead of, say, correctly recalling that every totalitarian state the world has ever seen has either burned itself out in a big hurry or become thoroughly rotten and hollow inside after only a generation or two.

Well see, we're talking to Cuba again, so we need SOMEBODY to direct all that hate at.

[Büge]

And it's not even someone within missile distance of the US either.

[nosimpleway]

I dunno, we have much nicer missiles these days.

[Mongrel]

I mean, okay, my own idea was that their hacking capability was utterly laughable, and that appears to have been wrong - they do have something and it's a fair size. They have also been receiving training in IT warfare from Russia and China, but does anyone really think that either of those countries are prepared to give North Korea anything but the simplest of basics? Or that anyone in North Korea receives any of the sort of valuable "in the wild" training that the average hacker receives in most of the rest of the world? I seriously doubt their overall effectiveness.

So far the two highest profile attacks were one from 2013 and - MAYBE - the recent Sony job, though obviously no one really knows who the Sony job was. There have also been some other, lesser attacks, mainly directed at South Korean targets. In the most damaging case, the 2013 bank attack, it appears that the fault was more with South Korean banks for being complacent. The attack was described in multiple places as "unsophisticated", though no details were offered other than they used some off-the-shelf commonly available hacking tools. And if the Sony thing did turn out to be of North Korean origin, Sony's security failures were publicly known for a while. Not exactly a resounding case for them there either.

This is no more than NK continuing their attacks against the easiest possible targets of opportunity, just so they can show they can still do something (seriously. If you think about it, North Korea's attacks are basically one step up from insurgency warfare), while the few functioning parts left of their real-world military infrastructure rusts away uselessly. And western news organizations are eating it right up.

I suppose there's an argument that states that defensive measures are substandard throughout most of the world, so arguably just having an organized, salaried attack force of any sort constitutes some sort of valid and effective threat. How valid that sort of argument is, I don't know. Maybe our IT guys have some thoughts on that? Thad?

[Brantly B.]

Even the most sophisticated security system relies on hoping you don't attract the attention of somebody clever and determined enough to break it.

The really sophisticated security systems focus on minimizing the damage once you do.

[Thad]

Ars:

The malware that thoroughly penetrated Sony Pictures Entertainment was so sophisticated it likely would have worked against nine out of 10 security defenses available to companies, a top FBI official told members of Congress.

So...I don't think there's really enough information there to form a conclusion.

"Would have gotten through 90% of defense mechanisms" isn't really a meaningful metric. Suppose that Sturgeon's Law holds and 90% of defense mechanisms are crap?

The last paragraph of the article sounds a lot like what Brent just said:

The comments don't sit well with some security professionals, who say they appear to allow Sony to hide behind a veil of persistent threats posed by determined and well-resourced hackers. While successful hacks happen to just about everyone, careful planning can often contain the damage they inflict and limit the data available to people who gain unauthorized access. So far, Demarest, Mandiant, and Sony have declined to provide any specific details about exactly what makes the malware "unprecedented."

It may be awhile before we know precise technical details. Occam's Razor says Sony Pictures just got caught with its pants down again.

Regardless of how the data was obtained, it does appear that there were several obvious mistakes Sony made:

1. Treating E-Mail like it's private. E-Mail is not private. It is trivial as fuck for someone else to read your E-Mail.

2. It sure sounds like confidential data (like SSN's) was stored in cleartext. Or, if it WAS encrypted, my guess is the people with access to it didn't use strong passwords.

3. It sure doesn't sound like data was separated properly. A single attack appears to have simultaneously compromised E-Mail, employee records, and unreleased movies. Is there a reason why having access to a server that's storing one of those things should give you access to the server(s) storing the other two? How many people are there in the company who need to have access to all three of those things?

I think Brent's on the money when he says even the most secure system can be compromised and it's more a question of minimizing the damage if it is. Sony sure doesn't seem to have done the latter, and the problem with the former is that the logical conclusion of "it can happen to anyone" is to excuse even the poorest of security measures as if there's no reason to try.

[Grath]

The story I'd heard was "physical access to servers" which is pretty much the trump card that gets you past almost all security short of possibly whole-disk encryption.

[Mongrel]

The story I'd heard was "physical access to servers" which is pretty much the trump card that gets you past almost all security short of possibly whole-disk encryption.

Curious as to where you heard this.

I'm not saying that wouldn't make sense though.

[Grath]

The story I'd heard was "physical access to servers" which is pretty much the trump card that gets you past almost all security short of possibly whole-disk encryption.

Curious as to where you heard this.

I'm not saying that wouldn't make sense though.

On my phone at the moment, but there are articles on The Verge and elsewhere with quotes from a Lena claiming to be part of GOP which suggested physical access. I'll update this post with a link when I get up.
Update: Link to article on The Verge

[Mongrel]

Interesting. Certainly gives at least partial credence to the view it's not North Korea.

What a mess though.

[Caithness]

The Obama administration has decided there's enough evidence to conclude that it was North Korea.

[Thad]

This is probably the wrong thread for the NK conversation, and it might be a good idea for some admin or other to combine the three existing threads we have on the subject into one. (Except for any posts by people who have expressed a desire not to have their thoughts out in a public thread. Unless, I suppose, we put the whole thread on the Invisible board.)

The "physical access" story is pretty strongly at odds with the FBI's claim that it's been traced to NK. I guess it's not IMPOSSIBLE that people in North Korea managed to recruit Sony insiders, but...it sure doesn't sound likely.

Obama's speech was good. Here's a YouTube video that might not be there tomorrow.



The highlight's at 6 minutes:

I think it says something interesting about North Korea that they decided to have the state mount an all-out assault on a movie studio because of a satirical movie starring Seth Rogen and James Flacko. I love Seth, and I love James, but the notion that that was a threat to them? I think gives you some sense of the kind of regime we're talking about here.

Completely aside from his not knowing James Franco's name, I love the sheer incredulity in his voice. (Italics are mine but I think accurately reflect the inflection used by the President of the United States.)

NPR had a good interview with Michael Linton, CEO of Sony Pictures, who reiterates that it was theater owners' decision and not Sony's and says that they still hope to release the film through some distributor but haven't found any takers yet.

A video-on-demand release?

"Yes, those are other avenues and we are actively exploring them .... to date, we don't have any takers — neither on the video demand side nor on the e-commerce side. People have been generally fearful about the possibility of their systems being corrupted, and so there have been a lot of conversations about the robustness of various systems to be able to make sure they're not hacked, if and when we put the movie out digitally."

"I shouldn't say if — when. We would very much like that to happen. But we do need partners to make that happen. We ourselves do not have a distribution platform to put the movie out."

How about streaming on Playstation systems?

"That can be explored, I think in general we need to bring together a coalition of platforms to make this operate properly."

[Thad]

NK government continues to deny responsibility; some prominent people still aren't buying the President and FBI's claims.

"I've been very sceptical throughout and now I have no idea," security guru Bruce Schneier told The Register. He added that the evidence the Feds had presented so far was flimsy at best.

"It's WMDs [weapons of mass destruction] all over again; we're being asked to believe this blind," he said.

He's got a good point. On the one hand, North Korea DOES seem like the most obvious possible source; on the other, the only public justification the FBI's given for believing that is that there are North Korean IP addresses hardcoded into the malware. Which is pretty damn circumstantial.

Who's got access to NK IP's? If North Korea's Internet is routed through China, then there are plenty of Chinese IT guys who could grab a few IP's out of the range. Alternately, even assuming the attack IS coming from inside NK, how do we know it was the government? Presumably there's not widespread Internet access in the country, but I'm betting there are, say, university students with Internet access.

And that's assuming the data's actually being sent to NK in the first place. I mean, anybody could write a program with NK IP addresses hardcoded into it. Whoever wrote the malware sure seems to WANT people to believe it originated in North Korea, so why wouldn't they put North Korean IP's in it?

I'm still inclined to think it was probably NK, and it was probably state sponsored. But the evidence the FBI has given isn't exactly convincing, and I'm hoping they share more of what they know.

[Mongrel]

I don't know. I've remained skeptical myself. The wording of the hacks really doesn't seem anything like previous North Korean pronouncements. It also doesn't really fit the pattern of making strikes to show they can - I mean, on the surface it does, but none of the details really line up with their usual modus operandi (This also be the first confirmed major target outside South Korea, FWIW). Also, if a man on the inside was part of this, that REALLY puts me against the possibility of North Korea. While you could stretch credibility to the absolute limit to imagine a North Korean agent somehow gaining access to a Japanese server site (maybe through one of their Chongryon/Yakuza connections), something like that happening to a US location seems pretty wildly improbable.

As for access, if it IS a North Korean hack, it pretty much has to be a state military job because of how restricted internet access is in North Korea. Government hackers are given a lot of privileges and are presumably among those few who are allowed relatively unfiltered internet access (if only by necessity), but I doubt very many people have fully unrestricted, unmonitored internet access in North Korea, if at all.

[Mongrel]

Ars Technica has more:

http://arstechnica.com/security/2014/12 ... es-attack/

Apparently the code also mirrors code used previously by North Korea, but the article itself undermines that claim by pointing out that North Korea obtained its code from common providers on the black market (and that some of those tools may originally have been Iranian in origin).

[Thad]

Well, but the evidence that it was an inside job pretty much consists of "Somebody said it was an inside job" at this point, right?

I'm still more inclined to believe it was NK than to believe the "disgruntled employees" story. But I think Schneier's right to caution skepticism of everybody until we've got real hard evidence.

Krebs has a lot more, and he mentions the Chongryon too.

While the United States government seems convinced by technical analysis and intelligence sources that the North Koreans were behind the attack, skeptics could be forgiven for having doubts about this conclusion. It is interesting to note that the attackers initially made no mention of The Interview, and instead demanded payment from Sony to forestall the release of sensitive corporate data. It wasn’t until well after the news media pounced on the idea that the attack was in apparent retribution for The Interview that we saw the attackers begin to mention the Sony movie.

He also links a breakdown by HP.

[Mongrel]

Annnnd North Korea's entire internet now appears to have "suspiciously" collapsed.

Couldn't happen to a nicer bunch.