Cyber Secret Sources Finally Met a Snowden Leak to Love!

/6 Comments/in /by

The NYT has a story describing the rise of the North Korean 6,000-strong hacking unit, which (the story explains) the NSA has been watching closely since 2010.

Spurred by growing concern about North Korea’s maturing capabilities, the American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.

A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.

It goes on to explain why, in spite of having beacons throughout North Korea’s network, it didn’t warn Sony.

The N.S.A.’s success in getting into North Korea’s systems in recent years should have allowed the agency to see the first “spear phishing” attacks on Sony — the use of emails that put malicious code into a computer system if an unknowing user clicks on a link — when the attacks began in early September, according to two American officials.

But those attacks did not look unusual. Only in retrospect did investigators determine that the North had stolen the “credentials” of a Sony systems administrator, which allowed the hackers to roam freely inside Sony’s systems.

It even suggests that Clapper knew about North Korea’s “capabilities” even as he was having dinner with the guy in charge of it (though it does not say whether he knew about this hack).

“Because of the sensitivities surrounding the effort” to win the Americans’ release, Mr. Hale said, “the D.N.I. was focused on the task and did not want to derail any progress by discussing other matters.” But he said General Clapper was acutely aware of the North’s growing capabilities.

For the moment, I’ll set aside whether this is convincing (parts of the story — such as that North Korea’s hackers trained in China and now target China) don’t add up.

But I did want to point out two things. First, NYT relies on a document liberated by Snowden to bolster its case. It’s not clear how well it actually does bolster the case: it shows the NSA piggybacking on South Korean efforts in 2007, and then setting its own beacons. It provides a different timeline and doesn’t say how extensively the US has infiltrated North Korea. In any case, though, it is a Snowden document the secret cyber sources finally love, one that backs their immediate claims.

Finally, note what else this says: this is another example where we have intelligence but aren’t using it not because of information sharing rules, but because we’re too inattentive to make use of it. This will be useful when Congress tries to pass CISPA because of Sony.

James Clapper’s Dystopian Novel about North Korea’s Hack

/4 Comments/in /by

I noted the other day how centrally James Clapper foregrounded his recent trip to North Korea in his discussion of the alleged North Korean hack of Sony. Now that the transcript is up, I see the trip was even more central in his discussion than reports had indicated. After noting that Jim Comey (whom he called “the senior expert on the investigative side of cybersecurity”) and Admiral Mike Rogers (whom he called “the senior expert on how cybersecurity ops actually happen”) would say more in following speeches, Clapper launched into a description of his trip, as if it were central to the discussion of the hack.

I’m not an expert on cyber. I guess that’s a way of saying I’m going to refer technical questions to the real experts here.

So, I was trying to think through what my contribution to this conference could possibly be. Well, I recently traveled to North Korea (and back, happily). So I thought I’d talk about that. [delayed laughter]

Yes, that’s a joke. [laughter] I learned from Father McShane that this crowd needs cuing. [laughter, applause]

I’ll talk about that and how it applies to this week’s conversation about cyber, given the Sony hack.

The first question I always get about the trip is: “Why you?” As in, “Why on earth would we send the DNI, the director of national intelligence, especially this DNI, on a diplomatic mission to get two American citizens who were imprisoned in North Korea?”

Why would they send me? The truth is, the mission had been in the works for quite a while.

I find it interesting that Clapper described such a lead-up to the meeting. At the time, it was much more closely tied to the October 21 release of Jeffrey Fowle (though that, too, could have been in the works for months).

North Korea wanted an active member of the National Security Council and a cabinet level official to come and to bring a letter from President Obama.

Note Clapper describes North Korea’s goal was that he “bring a letter” from President Obama. I find that notable given the reporting at the time about that letter — and Clapper’s unwillingness to read it during his press blitz about it.

The White House knows I’ve had a long history of working Korean issues, since I served as chief of intelligence for U.S. Forces in Korea in the mid-‘80s. So the White House put my name forward to the DPRK, the Democratic People’s Republic of Korea as they call themselves, government in Pyongyang. And I think we were all surprised, to include me, when they agreed. That’s how and why I was picked to go.

Actually, I thought the New York Times had a better explanation: Clapper is “Gruff, blunt-speaking and seen by many as a throwback to the Cold War.” [laughter]

“An unlikely diplomat, but perfect for the North Koreans.” [laughter]

Clapper is adopting the NYT’s description to pitch this as a Cold War, even though reporting at the time suggested relations with North Korea might be improving.

That’s the nicest thing the New York Times has ever written about me. [laughter, applause]

After that jokey beginning, Clapper took a long diversion to talk about how to prevent hacks and to provide some characterization of our adversaries online. Which brought him back to his discussion of the alleged North Korea hack, presented in contradistinction to what Clapper claimed was China’s objective — to break into networks to steal data that would allow it to surpass the US economically (which I don’t believe fully describes their motives or their actions).

That’s China’s primary motivation: to catch up to and then surpass Western industrial and defense capabilities and to eventually pass by the U.S. economy.

From there, Clapper claims, dubiously, that the Sony hack was the most damaging hack in the US, presenting it as stemming from an “entirely different philosophy” than he ascribes to China.

The Chinese are focused on those goals; whereas the recent cyber attack from North Korea, which by the way is the most serious cyber attack ever made against U.S. interests with potentially hundreds-of-millions of dollars and counting in damages, was driven by an entirely different philosophy.

He then launches into his own representation of North Korea as the quintessential totalitarian society, where people do mundane, labor-intensive jobs (which could be said about many countries) and where people “don’t show any emotion,” where they don’t even converse or laugh.

So, back to the weekend trip I took, which was exactly two months ago today. We flew into Pyongyang, the capital city, on Friday evening, the seventh of November. And the first thing that struck me was just how dark the city and airport were, just completely dark. We damaged a tire on the plane while taxiing in the dark, because of the poor construction of the taxiways and runways at Sunan airport.

Then, when I saw the city on Saturday, I was expecting to see drab clothes and lack of modern tools, people walking to get around, people sweeping and doing similar, mundane, labor-intensive jobs. And those expectations were met, from what I saw of Pyongyang. But I was also struck by how impassive everyone was. They didn’t show any emotion. They didn’t stop to greet each other, didn’t nod hello, and we didn’t see anyone conversing or laughing. They were just going about their business, going wherever they were going. It was almost automaton like. It was eerie.

This is James Clapper the dystopian novelist, depicting what he saw in less than 24 hours of being exposed to those whom North Korea permitted to be exposed to America’s top spy.  Which Clapper then contrasts with the pleasure enjoyed by North Korea’s Generals (I’m curious how recently Clapper has considered how our menial labors’ public lives would contrast with top Generals’ festive dinners?).

And the plight of the citizens of Pyongyang stood in solemn contrast to the dinner I had the previous night, Friday the seventh, an elaborate 12-course Korean meal. Having spent time in Korea, I consider myself somewhat a connoisseur of Korean food, and that was one of the best Korean meals I’ve ever had. Unfortunately, the company was not pleasurable.

Read more

If IPs Are So Solid, Why Won’t FBI Tell Us How Many Americans Get Sucked Up in Section 702?

/8 Comments/in , /by

By his own admission, James Clapper had dinner with the North Korean General who (again, according to Clapper) ordered the hack on Sony just weeks before the hack happened. That puts him at most two degrees away from the actual hackers, according to the evidence presented by Clapper and Jim Comey. According to the Intelligence Community’s at times naive analytical game of Three Degrees of Osama bin Laden — one which has repeatedly targeted negotiators like Clapper was in November, rather than culprits —  Clapper should be sanctioned along with all the others President Obama has targeted.

That is, of course, absurd. We know James Clapper. And while his word may have not much more credibility at this point than Kim Jong-Un’s, that doesn’t mean his effort to negotiate a hostage release (and whatever else he and North Korea believed was being discussed at the time) makes him a culprit in the hack.

But I think the thought experiment provides useful background to consideration of Comey’s further explanation — littered with infantilizing language about bad guys and the “very dark jobs” of FBI’s behavioral analysts who “profile bad actors” — of why he and the rest of the Intelligence Community is so certain North Korea, the country, did the Sony hack.

Comey says the data deletion used in the hack was used by “the North Koreans” in the past (his conflation of “North Koreans” and “North Korea” continues throughout).

You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”

(See Errata for some nuance about that claim.)

Comey then explained how the IC (but not outside skeptics) red teamed the IC’s own conclusions.

We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.

Then, before Comey admitted that FBI still doesn’t know how “the North Koreans” hacked their way into Sony, Comey offered this detail to rebut the outside skeptics’ concerns.

Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.

The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.

And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.

That is, Comey’s new tell — which has, with apparent other leaking about a Facebook account from Mandiant, gotten headlines — is that the FBI identified the hackers using “IPs that were exclusively used by the North Koreans.” [my emphasis]

Let me interject here and remind you that NSA and the FBI refuse to count how many US persons get sucked up in Section 702 upstream and PRISM collection because IPs aren’t a reliable indicator of the location of a person. The USA Freedom Act, by law, excluded any consideration of IP (frankly, any consideration of Internet location at all) from its obligation to report on the location of people sucked up in the dragnet. According to the FBI, tracking location based off anything but a (US based) phone number is too onerous for the Bureau.

IP is unreliable when it comes to transparency on the FBI, but rock solid when it comes to claims of attribution.

Now, I admit that’s a very different thing than spending months and years tracking one IP and attributing it to one particular actor.

But as Jeffrey Carr notes, even there the FBI’s claims have problems. He points out that the claims Comey made yesterday are remarkably similar to those used to attribute the Dark Seoul attack in 2013.

This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:

“SEOUL – A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…. The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”

The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector.

He then notes North Korea’s Internet isn’t as locked down as it was just a few years ago — and one possible point of entry is geographically close to the St. Regis Hotel increasingly pinpointed in such attacks.

However the easiest way to compromise a node on North Korea’s Internet is to go through its ISP – Star Joint Venture. Star JV is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture – Loxley Pacific (Loxpac). Loxpac is a joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).

I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA was most likely relying on the myth of a “closed” North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand’s most well-connected families and just 4 kilometers away is the five star St. Regis hotel where one of the hackers first dumped Sony’s files over the hotel’s WiFi. It would be a simple matter to gain access to Loxley’s or Loxpac’s network via an insider or through a spear phishing attack and then browse through NK’s intranet with trusted Loxpac credentials.

Once there, how hard would it be to compromise a server? According to HP’s North Korea Security Briefing (August 2014) it would be like stealing candy from a baby. 

Now, none of that proves the FBI is wrong (just as none of it, without more proof, is enough to unquestioningly believe the FBI). I frankly am a lot more interested in what went on in Clapper’s meeting right now than I am in IP claims without more proof.

But if the FBI is going to claim that IP is a rock solid indicator of someone’s ID, then can it also tell us how many Americans it sucks up into the dragnet?

North Korea and Sony: James Clapper Describes His Trip

/14 Comments/in /by

As debates about whether North Korea hacked Sony continue (or even better, websites mockingly show you could randomly assign blame to any number of people; h/t Kim Zetter), there’s something that has long bothered me. The excuse for the government’s failure to provide a more fulsome description of the reasons it is so sure North Korea is to blame always go back to (NSA’s) sources and methods.

For example, here’s Jack Goldsmith making the legitimate argument that one reason you can’t attribute properly is because it would expose what we don’t know, and make us more vulnerable to hackers.

The problem with saying that the “secrecy of the NSA’s sources and methods is going to have to take a back seat to the public’s right to know” is that public knowledge could exacerbate the cyber threat.  For when other countries know those aspects of those sources and methods, they can hide their tracks better in the next attack.  The U.S. Government might think that the credibility hit it takes for not revealing more in the face of this relatively mild attack on Sony is outweighed by the longer-term advantages – to meeting and defeating greater cybersecurity threats – of having penetrated networks and conversations in unknown ways.  The game is iterative, and the proper balance of secrecy and disclosure at any particular time is tricky.  

There’s one part of the hack, however, for which such claims can’t be made — and which, in the government’s descriptions, has been just as weak as the FBI’s public forensic case against North Korea: motive.

Not only did the movie The Interview, only become the motive well after the hack, but — even assuming Kim Jong-Un is batshit crazy — the rest of the hack still doesn’t make sense. Why burn all those stars before targeting The Interview? Why release so much about Sony’s IP and other financial dealings before targeting The Interview? Why do nothing in the face of The Interview‘s subsequent release and broad success? In other words, why does the bulk of the attack actually not attack the purported target of it? Heck, the hackers didn’t even make the most of the materials on the Interview obtained in the hack to best serve North Korea’s interests.

No description of the motive I’ve seen makes any sense (again, even assuming that everyone in North Korean positions of authority are crazy or at least irrational).

Meanwhile, as far as I know I had been the only person to point out that James Clapper made a highly unusual trip to North Korea just weeks before the hack to pick up two Americans North Korea claims were US spies.

Curiously, claims that North Korea launched the hack make no mention of James Clapper’s highly unusual trip to North Korea, just a few weeks before the hack was discovered, to pick up two Americans North Korea had imprisoned, claiming they were spies.

It seems to me you might more likely find a rational motive for a rash attack on US soil (albeit at the US subsidiary of Japanese company) in that trip than in a movie, no matter how curious the movies’ ties to US national security figures. That is, not only did North Korea allegedly hack Sony for a movie reviewed by government officials depicting the assassination of Kim, but it did so weeks after the top US spy personally flew to North Korea to rescue two Americans North Korea claimed were spies, one of whom entered on a tourist visa and then ripped it up claiming he wanted to talk to North Koreans.

Reports from a press blitz Clapper did upon his return described Clapper delivering a letter from President Obama — which he described as doing no more than naming Clapper as envoy to pick up the two Americans but which Clapper declined to quote — and North Korea as disappointed that Obama hadn’t offered something more in exchange for the prisoners.

Mr. Clapper revealed details of the trip in an interview with The Wall Street Journal. The North Koreans seemed disappointed when he arrived without a broader peace overture in hand, he said. At the same time, they didn’t ask for anything specific in return for the prisoners’ release.

U.S. officials say the mission, which few officials within the Obama administration knew about until Mr. Clapper was returning, wasn’t meant to signal any change in the U.S.’s approach to the reclusive North.

Mr. Clapper’s earlier conversations with older North Korean officials on his one-day trip had been contentious. He heard what he called a far more “tempered” tone from a younger North Korean whom he described as an interlocutor and who accompanied him on the 40-minute drive back to the airport at the trip’s end. He said the interlocutor expressed regret that the North and South remained split and asked Mr. Clapper if he’d return to Pyongyang.

[snip]

The plan to send Mr. Clapper came together suddenly.

North Korea made clear that it wanted the U.S. to send a “senior envoy” and that it wanted a communication from the president.

The White House tapped Mr. Clapper, because he was a cabinet-level official though not a member of the cabinet or a diplomat. The White House didn’t want to signal to the North Koreans that Mr. Clapper was being sent to conduct a diplomatic negotiation. Mr. Clapper had also served as a military intelligence officer in South Korea in the mid-1980s and had a continuing interest in the Korean peninsula.

[snip]

Gen. Kim Young Chol appeared to be taken aback when handed the letter, Mr. Clapper said.

Written in English, the letter introduced Mr. Clapper as the president’s envoy and “characterized the release of the two detainees as a positive gesture,” Mr. Clapper said, declining to quote it directly. “It didn’t apologize.”

It’s possible there was more to the trip than Clapper’s very boisterous press blitz let on.

And it turns out I’m no longer the only one who links the trip to North Korea and the hack. At a speech at a cybersecurity conference at Fordham today, Clapper repeated accusations that North Korea had done the Sony hack, claiming that the General Kim Youn(g) Chol, with whom he had met on his trip, ordered the attack (see also Eamon Javers’ TL) amid more details of what went wrong with his plane and other details of his trip. The Bureau Kim Youn(g) Chol heads is among those sanctioned last week in response to the hack, though it doesn’t appear he’s among the sanction targets himself (though there is someone with a very similar name, Kim Yong Chol, who is Korea Mining Company’s representative in Iran, who was sanctioned). 

I’m still not convinced that North Korea did the hack. But if they did, then there’s more of a backstory, precisely where Clapper is pointing to it: in his trip to North Korea just weeks before the hack.

Alternately, Clapper’s fixation on his trip may suggest his meeting with Kin Youn(g) Chol has influenced analysis of the hack, leading Clapper’s subordinates to ascribe more importance to heated meetings while their boss was in North Korea than they logically should.

Either way, Clapper’s giving a very partial description of that trip. But now that he has returned to doing so, it ought to be a much more significant focus for reporting on the alleged North Korea hack.

Hacking in the IOB Reports

/3 Comments/in , /by

If I’m not mistaken, this — in the Q3 2008 NSA Report to the Intelligence Oversight Board — is the first mention of Computer Network Exploitation in the reports.

Screen Shot 2015-01-04 at 9.25.22 AM

 

As with almost every single reference to CNE — that is, hacking, or the use of malware to be able to spy on a target — this one is entirely redacted. (The sole exception is a targeted email that was detasked because the target entered the US, in the Q1 2009 report).

The number/complexity of incidents or details expand for some years, as with this in Q2 2009.

Screen Shot 2015-01-04 at 9.31.07 AM

The entries invariably cite 18 USC 798 as a FOIA exemption. They vary on whether they’re FVEY (that is, permissibly shared with members of the Five Eyes) or NF (that is, not to be shared with any foreign government), though in later years the entries have much more frequently been NF — take that, Brits! And the entries appear under “Other,” not EO 12333 (which is curious, given that hacking should be governed by EO 12333).

After that first, single-incident mention, CNE appears in each report until Q4 2011, after which it doesn’t appear again (though there is an entirely redacted section that appears in all but the most recent report in the EO 12333 section).

I make these observations not because they tell us anything about what kind of hacking the NSA is doing (you can look to Snowden’s documents for that). But to lay out several questions.

If — as claimed in Shane Harris’ @War hacking is increasingly how we collect SIGINT — how is it regulated? Did NSA, does NSA still, consider it to be something other than EO 12333 collection? What counts as a violation when you’re hacking to collect intelligence? To what degree is IOB overseeing the methods used, as opposed to just the actions that’d be violations regardless of the collection type (as detasking someone in the US would be)? And if CNE (hacking) has entirely disappeared from these reports, does that mean NSA has just cleaned up its act, or that it simply doesn’t report on this anymore?

I get why these passages are entirely redacted. In part, NSA is sustaining the same myth it sustains when it doesn’t admit StuxNet. It’s pretending it is not engaging in the same hacking it sanctions North Korea for.

Only it is. Which raises real questions about what kind of oversight it gets.

 

As FBI’s Amerithrax Case Continues to Crumble, Bureau Digs in on North Korea Claims

/28 Comments/in , /by
Screen shot 2014-12-30 at 12.16.49 PM

In ads released even as their claims about North Korea come under scrutiny, FBI tries to make cybersecurity Agents look like Eliot Ness.

Less than 10 days ago, Jim laid out yet more evidence that the FBI’s claimed explanation for the anthrax attack — that USAMRIID researcher Bruce Ivins not only perpetrated the attack, but did so acting alone — was scientifically problematic. So 13 years ago, anonymous sources blamed Iraq for the attack, 12 years ago they blamed Steven Hatfill, and 6 years ago, they started blaming Bruce Ivins. Probably, none of those claims are true.

The FBI still hasn’t solved one of the most alarming terrorist attacks in this country, an attempt to kill two sitting US Senators. Instead, it persists in a claim (versus Ivins) that doesn’t comport with the science, to say nothing of the other circumstantial evidence. FBI only ever sustained that claim by assuming — based on no known evidence — that a Lone Wolf, rather than conspirators, launched the attack.

Even as new evidence undermining the FBI’s obstinate claims about Ivins got released, the FBI has been making equally obstinate claims that North Korea is behind the Sony hack.

And then someone crashed North Korea’s Internet which, given how tiny it is, is the strategic equivalent of launching spitballs at a small group of North Korea’s elite. A truly awesome use of American power!

As I noted on Salon, even as the FBI was leaking its certitude to the big press that North Korea was behind the hack, Kim Zetter was pointing out all the reasons that made no sense.

Now, with a week of holiday cheers under their belts, more of the press is beginning to note all the experts questioning the FBI’s claim. Shane Harris describes the FBI “doubling down” on its original theory.

In spite of mounting evidence that the North Korean regime may not have been wholly responsible for a brazen cyberassault against Sony—and possibly wasn’t involved at all—the FBI is doubling down on its theory that the Hermit Kingdom solely bears the blame.

“We think it’s them,” referring to the North Koreans, an FBI spokesperson told The Daily Beast when asked to respond to reports from private investigators that other culprits were responsible. The latest evidence, from the cyberanalysis firm the Norse Corp., suggests that a group of six individuals, including at least one disgruntled ex-Sony employee, is behind the assault, which has humiliated Sony executives, led to threats of terrorist attacks over the release of a satirical film, and prompted an official response from the White House.

The FBI said in a separate statement to journalists on Monday that “there is no credible information to indicate that any other individual is responsible for this cyberincident.” When asked whether that left open the possibility that other individuals may have assisted North Korea or were involved in the assault on Sony, but not ultimately responsible for the damage that was done, the FBI spokesperson replied, “We’re not making the distinction that you’re making about the responsible party and others being involved.”

Time catalogs the alternatives to FBI’s theories.

And Politico notes that when one cybersecurity company, Norse, shared its analysis, the FBI refused to share its own data, as the company had expected.

The FBI says it is standing by its conclusions, but the security community says the agency has been open and receptive to help from the private sector throughout the Sony investigation.

Norse, one of the world’s leading cyber intelligence firms, has been researching the hack since it was made public just before Thanksgiving.

Norse’s senior vice president of market development said the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon.

He said the briefing was set up after his company approached the agency with its findings.

Stammberger said after the meeting the FBI was “very open and grateful for our data and assistance” but didn’t share any of its data with Norse, although that was what the company expected.

It’s a bad thing, given how much evidence is out there about this hack, that the FBI won’t let more of its thinking be tested publicly.

Meanwhile, in a remarkable joining of opinion, both Jack Goldsmith and Moon of Alabama note that Obama may have wasted US credibility by so quickly accusing North Korea.

And NYT’s Ombud, Margaret Sullivan, admits that NYT too quickly repeated — and granted anonymity to — FBI’s flimsy claims.

[A]s a reader, Brad Johnson, noted in an email. He wrote: “Did NYT learn its lesson from the Iraq WMD debacle, or is the paper back to bad habits of writing stories from whole cloth based on anonymous White House and intelligence agency officials?”

Now that the matter of who was behind the hack is coming under more scrutiny, including in The Times (though with less prominence), those kinds of questions are even more germane.

One thing is certain: Anonymity continues to be granted to sources far more often than a last-resort basis would suggest.

Though Sullivan’s caution didn’t lead the Editorial Board to show any.

I’m glad people are now showing skepticism, even if it is too late to preserve American credibility (as if we had that anyway after StuxNet).

There’s one more factor that deserves notice here: the role of cybersecurity firms in laundering government propaganda.

One of the most pregnant observations in Zetter’s Countdown to Zero Day comes after Symantec published the first details implicating the US and Israel in the StuxNet attack. The Symantec team expected a bunch of others to jump in and start validating their work. Instead, they were met with almost complete silence. While Zetter didn’t say it explicitly, the implication was that the security industry is driven by its interest in retaining the good will of the US Government. Here, the first security firm to back the North Korea claim was Mandiant, the firm that served as a surrogate for claims against China.

And while in this case there is no lack of experts willing to push back against US claims, I just wonder whether at least some of the initial credulity on the North Korea claims arose because of the dominance of USG contractors among the earliest reports on the hack? While there are some equivalents in the WMD vein, the cyberindustry, in particular, seems particularly prone to serving as a cut-out for both poorly analyzed intelligence and even propaganda.

Ah well. It’s not like anyone is demanding FBI resume its hunt for the terrorist who might have killed two sitting US Senators. Why do I think this will be any different?

We’re Going to Start a War to Protect a Negligent Corporation’s Property?

/43 Comments/in /by

Over at Salon, I’ve got a piece pushing back against claims that threats made by hackers attributed to — with little concrete evidence — North Korea is an attack on our First Amendment rights. It’s not. It’s an attack on Sony’s property (or, to put it another way, Sony’s right to make a profit off its speech). And as Rayne has pointed out, Sony was unbelievably negligent in protecting its own property.

The decision to pull the film has been criticized as an attack on free speech, most notably by Aaron Sorkin, but also by other commentators. “Today the U.S. succumbed to an unprecedented attack on our most cherished, bedrock principle of free speech,” Sorkin said.  And free speech is one of the things — the last thing — Sony addressed in its statement on the decision. “We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.”

But the threat against the film, which the Department of Homeland Security says is not credible, was only directed at one means of distributing the film: via theater release. A number of people suggested Sony should respond to the threat via other means. Mitt Romney suggested Sony release the film online, for free. Democratic congressman Steve Israel suggested Sony release it directly to DVD. BoingBoing’s Xeni Jardin suggested a global torrent party.

The point is, there are many ways to release the film, most of which would not expose theatergoers and theaters — in the wake of an altered liability landscape after the 2012 mass killing in an Aurora, Colorado, movie theater — to any danger, no matter how remote. Most of those ways would result in far more people watching the film. Some of them might even result in a few North Koreans viewing it.

If the issue is airing the views in the film — and defying the threats of the hackers — such a release would accomplish the goal.

But there’s another issue that seems far more central to this hack than speech: property.

Even before Sony mentioned its filmmakers’ free speech rights, for example, it mentioned the assault on its property rights. “Those who attacked us stole our intellectual property, private emails, and sensitive and proprietary material.” And while free release of its movie would assert its right to free speech, it would result in further financial losses, on top of the other movies (such as “Annie” and “Fury”) released on piracy sites after the hack.

[snip]

The attack on Sony’s property, even more than speech, raises real questions about another detail that has gotten far too little attention during coverage of this hack. Sony Corp. gets hacked a lot, more than 50 breaches in 15 years, and more than some of its rivals, including some fairly significant attacks in recent years that bear no resemblance to this attack. Maybe that’s because it did things like store all its passwords in a file called “password.”

The Administration is already twisting itself in knots trying to retroactively include “multinational movie studio” into its prior definition of critical infrastructure (which normally would include things like electric grid and utilities) so it can make this a state issue. Assuming, all the while, that its certainty North Korea was behind the hack are more certain than that Iraq was behind 9/11.

We’d do well to think a bit about how central to national interests negligently-protected movie company property really is to national interests before this thing spirals out of control.

Sony, Hacked: It’s Not One Massive Breach – It’s More Than 50 Breaches in 15 Years

/22 Comments/in , /by

Cybersecurity_MerrillCollegeofJournalismEver try to follow an evolving story in which the cascade of trouble grew so big and moved so fast it was like trying to stay ahead of a pyroclastic flow?

That’s what it’s like keeping up with emerging reports about the massive cyber attack on Sony. (Granted, it’s nothing like the torture report, but Hollywood has a way of making the story spin harder when it’s about them.)

The second most ridiculous part of the Sony hack story is the way in which the entertainment industry has studiously avoided criticizing those most responsible for data security.

In late November, when the hacker(s) self-identified as “Guardians of Peace” made threats across Sony Pictures’ computer network before releasing digital film content, members of the entertainment industry were quick to revile pirates they believed were intent on stealing and distributing digital film content.

When reports emerged implicating North Korea as the alleged source of the hack, the industry backpedaled away from their outrage over piracy, mumbling instead about hackers.

The industry’s insiders shifted gears once again it was revealed that Sony’s passwords were in a password-protected file, and the password to this file was ‘password.

At this juncture you’d think Sony’s employees and contractors – whose Social Security numbers, addresses, emails, and other sensitive information had been exposed – would demand a corporate-wide purge of IT department and Sony executives.

You’d think that anyone affiliated with Sony, whose past and future business dealings might also be exposed would similarly demand expulsion of the incompetents who couldn’t find OPSEC if it was tattooed on their asses. Or perhaps investors and analysts would descend upon the corporation with pitchforks and torches, demanding heads on pikes because of teh stoopid.

Nope.

Instead the industry has been tsk-tsking about the massive breach, all the while rummaging through the equivalent of Sony Pictures’ wide-open lingerie drawer, looking for industry intelligence. Reporting by entertainment industry news outlets has focused almost solely on the content of emails between executives.

But the first most ridiculous part of this massive assault on Sony is that Sony has been hacked more than 50 times in the last 15 years.

Yes. That’s More Than Fifty.

Inside Fifteen Years. Read more

Reagan? No, Regin — Yet Another [GCHQ] Intelligence Malware

/5 Comments/in , , /by

Recently, computer security firm Symantec reported discovery of another intelligence-gathering malware, dubbing  it “Regin.”

What’s particularly interesting about this malware is its targets:

  • It infected computers in Afghanistan, Austria, Belgium, India, Iran, Ireland, Mexico, Pakistan, Russia, Saudia Arabia;
  • At 48% of total infections, the largest group of targets were private individuals and small businesses.

Please do read Symantec’s blog post and its technical paper on Regin to understand how it works as well as its targets. Many news outlets either do not understand malware and cybersecurity, or they get facts wrong whenever major malware attacks are reported. Symantec’s revelation about Regin is no different in this respect.

Independent.ie offers a particularly exceptional example distorting Symantec’s report, claiming “Ireland is one of the countries worst hit globally by a dangerous new computer virus that spies on governments and companies, according to a leading technology firm.”

If by “worst hit,” they mean among the top four countries targeted by this malware? Sure. But only 9% of the infections affected Irish-based computers, versus 28% of infections aimed at Russian machines, and 24% affecting Saudi machines. The Independent.ie’s piece reads like clickbait hyperbole, or fearmongering, take your pick.

What wasn’t addressed by the Independent.ie and numerous other outlets, including those covering the tech sector are some fundamental questions:

  • What assets or activities might the targeted countries have in common that would make them targets of a single intelligence operation organized by one or more nation-states?
  • What are so many private individuals and small businesses targeted by this malware, in contrast to other malware-based intelligence-collection operations seen to date?

The Guardian came closest to examining these issues, having interviewed researchers at computer security firm F-Secure to ask the origins of the malware. As of 24-NOV-2014, the firm’s Mikko Hypponen speculated that the US, UK, and/or Israel were behind Regin’s development and deployment.

As of the video embedded above, Hypponen firmly says the UK’s intelligence entity GCHQ is behind Regin, in particular the malware’s invasion of a Belgian telecom network (see video at 07:20). Read more

US Persons on Military Intelligence Sharing Databases

/3 Comments/in /by

Steven Aftergood catches Charles McCullough, the Intelligence Community Inspector General who has resisted exercising oversight over spying, doing his job.

“A civilian employee with the Army Intelligence and Security Command made an IC IG Hotline complaint alleging an interagency data repository, believed to be comprised of numerous intelligence and non-intelligence sources, improperly included U.S. person data,” the IC IG wrote. “The complainant also reported he conducted potentially improper searches of the data repository to verify the presence of U.S. persons data. We are researching this claim.”

Given prior reports about ICREACH — which purportedly focuses on foreign collected data but therefore would include US person data collected overseas — this is not that surprising. (I don’t think this should be ICREACH, however, because that’s not explained as a repository.)

But I find it particularly interesting that this complaint comes from someone at INSCOM, the Army intelligence outfit where Keith Alexander tried to ingest US person data in 2001, only to have Mikey Hayden refuse (!).

The heartburn first flared up not long after the 2001 terrorist attacks. Alexander was the general in charge of the Army’s Intelligence and Security Command (INSCOM) at Fort Belvoir, Virginia. He began insisting that the NSA give him raw, unanalyzed data about suspected terrorists from the agency’s massive digital cache, according to three former intelligence officials. Alexander had been building advanced data-mining software and analytic tools, and now he wanted to run them against the NSA’s intelligence caches to try to find terrorists who were in the United States or planning attacks on the homeland.

By law, the NSA had to scrub intercepted communications of most references to U.S. citizens before those communications can be shared with other agencies. But Alexander wanted the NSA “to bend the pipe towards him,” says one of the former officials, so that he could siphon off metadata, the digital records of phone calls and email traffic that can be used to map out a terrorist organization based on its members’ communications patterns.

“Keith wanted his hands on the raw data. And he bridled at the fact that NSA didn’t want to release the information until it was properly reviewed and in a report,” says a former national security official. “He felt that from a tactical point of view, that was often too late to be useful.”

Hayden thought Alexander was out of bounds. INSCOM was supposed to provide battlefield intelligence for troops and special operations forces overseas, not use raw intelligence to find terrorists within U.S. borders. But Alexander had a more expansive view of what military intelligence agencies could do under the law.

“He said at one point that a lot of things aren’t clearly legal, but that doesn’t make them illegal,” says a former military intelligence officer who served under Alexander at INSCOM.

In November 2001, the general in charge of all Army intelligence had informed his personnel, including Alexander, that the military had broad authority to collect and share information about Americans, so long as they were “reasonably believed to be engaged” in terrorist activities, the general wrote in a widely distributed memo.

Indeed, given the timing (IC IG’s report describes this as happening in the fourth quarter of calendar year 2013, so in the months after this Shane Harris report), it’s possible this report is what led the tipster to check whether US person data was available in repositories available to INSCOM.

While INSCOM focuses on battlefield intelligence, it also does cybersecurity and force protection, the kind of thing that has, in the past, targeted Americans (even Americans peddling porn!). So while this might just reflect oversharing, it also might reflect a return to the mentality of Keith Alexander.