Posts

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

NSA, Lazarus, and Odinaff

Reuters has a report that SWIFT — the international financial transfer messaging system — has been hacked again, what it describes as the second effort to steal big money by hacking the system.

Cyber-security firm Symantec Corp said on Tuesday that a second hacking group has sought to rob banks using fraudulent SWIFT messages, the same approach that yielded $81 million in the high-profile February attack on Bangladesh’s central bank.

Symantec said that a group dubbed Odinaff has infected 10 to 20 organizations with malware that can be used to hide fraudulent transfer requests made over SWIFT, the messaging system that is a lynchpin of the global financial system.

But it should say the third hack. As the Snowden documents revealed, NSA was double dipping at SWIFT in the 2010 to 2011 timeframe, though to steal information, not money.

What’s interesting about this latest hack, though, is it targets the US and countries closely aligned with it, though it appears to be a criminal organization not a state.

Symantec said that most Odinaff attacks occurred in the United States, Hong Kong, Australia, the United Kingdom and Ukraine.

The Reuters report also notes that Symantec thinks the Sony hack was done by a group it calls Lazarus, which may not be the same as North Korea.

As with the Yahoo scan ordered last year — which effectively appears to have hacked all Yahoo’s users — it makes sense to think of US nation-state hacks and criminal or foreign adversary ones in the same breath. Not only might an NSA hack expose methods others might use, but with an entity like SWIFT, there’s no reason to privilege US hacking over others.

Wednesday Morning: If It Ain’t Baseball, It’s Winter

It may be sunny and 90F degrees where you are, but it’s still winter here. A winter storm warning was issued here based on a forecast 12 inches of snow and 35 mph winds out of the northeast off Lake Huron. For once, Marcy’s on the lee side of this storm and won’t be blessed with the worst of this system.

I’ll cozy up in front of the fireplace and catch up on reading today, provided we don’t have a power outage. Think I’ll nap and dream of baseball season starting in roughly five weeks.

Before the snow drifts cover the driveway, let’s take a look around.

Hey Asus: Don’t do as we do, just do as we say
Taiwanese computer and network equipment manufacturer Asus settled a suit brought by the Federal Trade Commission over Asus leaky routers. The devices’ insecurities were exposed when white hat hacker/s planted a text message routers informing their owners the devices were open to anyone who cared to look. Terms of the settlement included submitting to security auditing for 20 years.

What a ridiculous double standard: demand one manufacturer produce and sell secure products,while another government department demands another manufacturer build an insecurity.

Ads served to Android mobile devices leak like a sieve
Researchers with the School of Computer Science at the Georgia Institute of Technology presented their work yesterday at 2016 Network and Distributed System Security Symposium, showing that a majority of ads not only matched the mobile user but revealed personal details:

• gender with 75 percent accuracy,
• parental status with 66 percent accuracy,
• age group with 54 percent accuracy, and
• could also predict income, political affiliation, marital status, with higher accuracy than random guesses.

Still some interesting work to be presented today before NDSS16 wraps, especially on Android security and social media user identity authentication.

RICO – not-so-suave – Volkswagen
Automotive magazine Wards Auto straps on the kneepads for VW; just check this headline:

Diesel Reigns in Korea as Volkswagen Scandal Ebbs

“Ebbs”? Really? Au contraire, mon frère. This mess is just getting started. Note the latest class-action lawsuit filed in California, this time accusing VW and its subsidiaries Audi and Porsche as well as part supplier Bosch of racketeering. Bosch has denied its role in the emissions controls defeat mechanism:

…The company has denied any involvement in the alleged fraud, saying it sold an engine control unit to Volkswagen, but that Volkswagen was responsible for calibrating the unit.

The scandal’s only just getting going when we don’t know who did what and when.

Worth noting Wards’ breathless excitement about VW passenger diesel sales uptick in South Korea. But then Wards ignores South Korea’s completely different emissions standards as well as the specifics in promotions for that market. Details, details…

Splash and dash

Don’t miss Ed Walker’s latest in his series on totalitarianism and Marcy’s fresh exasperation with polling on FBI vs Apple. Wind’s brisk out of the north, bringing the first wave of flurries. I’m off to check the gasoline in the snowblower and wax my snow shovels.

Sony Pictures Postmortem Reveals Death by Stupid

FORTUNE_SonyHack-GovtAV_25JUN2015We already knew Sony Pictures Entertainment’s (SPE) hack was bad. We knew that the parent, Sony Group, had been exposed to cyber attacks of all kinds for years across its subsidiaries, and slow to effect real changes to prevent future attacks.

And we knew both Sony Group and SPE shot themselves in the feet, literally asking for trouble by way of bad decisions. Sony Electronics’ 2005 copy protection rootkit scandal and SPE’s utter lack of disregard for geopolitics opened the businesses to risk.

But FORTUNE magazine’s expose about the hacking of SPE — of which only two of three parts have yet been published — reveals a floundering conglomerate unable to do anything but flail ineffectively.

It’s impossible to imagine any Fortune 500 corporation willing to tolerate working with 1990s technology for any length of time, let alone one which had no fail-over redundancies or backup strategies, no emergency business continuity plan to which they could revert in the event of a catastrophe. But FORTUNE reports SPE had been reduced to using fax machines to distribute information, in large part because many of its computers had been completely wiped by malware used in the attack.

Pause here and imagine what you would do (or perhaps, have done) if your computer was completely wiped, taking even the BIOS. What would you do to get back in business? You’ve given more thought about this continuity challenge than it appears most of SPE’s management invested prior to last November’s hack, based on reporting to date.

A mind-boggling part of FORTUNE’s expose is the U.S. government’s reaction to SPE’s hack. The graphic above offers the biggest guffaw, a quote by the FBI’s then-assistant director of its cyber division. Knowing what we know now about the Office of Personnel Management hack, the U.S. government is a less-than-credible expert on hacking prevention. While the U.S. government maintains North Korea was responsible, it’s hard to take them seriously when they’ve failed so egregiously to protect their own turf. Read more

Sony, the White House, and 10 Downing Street: What’s the Quid Pro Quo?

BrokenHollywoodLots of ugly things crawled out of Sony Pictures Entertainment’s emails leaked by hackers this past autumn.

The leak of emails and intellectual property, including then-unreleased film The Interview, was labeled “a serious national security matter” by the White House. In January this year, President Obama issued an executive order increasing sanctions against North Korea, the purported origin of the hack on SPE’s network and computers.

Sony Pictures Entertainment (SPE) is a wholly-owned subsidiary of Sony Corporation, a Japanese multinational conglomerate. In offering retaliation on behalf of SPE, the White House placed SPE on par with critical U.S. infrastructure, though no one will be physically injured or die should SPE be hacked again, and the market won’t collapse if SPE loses money on all its movies this year.

If SPE, a foreign-owned, information security-challenged entertainment firm, is now entitled to military protection against cyberattack, what is it the White House and the U.S. will receive or has received in exchange?

What’s the exchange in this quid pro quo?

Which brings us to the matter of STARZ’ cable series, Outlander, and UK Prime Minister David Cameron‘s government.

In 2013, STARZ network ordered the 16-episode adaptation of bestselling historical fiction novel, Outlander by author Diana Gabaldon, from production companies Tall Ship Productions, Story Mining & Supply Co., and Left Bank Productions, in association with Sony Pictures Television.

While STARZ was the U.S. distributor, offering the series on its own cable network, SPE’s TV arm appears to have handled overseas distribution to broadcast, cable, and video streaming services.

Outlander’s cross-genre narrative is set mainly in 1740s Scotland; the story is sympathetic to a Scottish protagonist and his time-traveling English wife who are caught between the British and Jacobites in the ramp up to the 1746 Battle at Culloden. The Scottish people and countryside are treated favorably in the series’ production.

The program debuted on STARZ in the U.S. on August 9 last year — a little less than six weeks before Scotland’s independence referendum (“IndyRef”). Outlander began airing in Canada and Australia in August also, and in October in Ireland after the IndyRef vote.

Distribution deals in other countries including Germany, Hungary, Japan, and the Netherlands led to wider release overseas last year.

But Outlander never received a distribution deal in 2014 in the UK, in spite of its many Scottish and British fans’ clamor and the source book’s status as a renewed bestseller in advance of the show’s U.S. debut. To date the series has only released on Amazon Prime Instant Video in the UK, for paid video-on-demand streaming — not on broadcast or cable.

At least one email leaked by hackers revealed that SPE personnel had a meeting or meetings with Cameron’s government. In an internal email from Keith E. Weaver, executive vice president, SPE executives were told,

“Your meeting with Prime Minister Cameron on Monday will likely focus on our overall investment in the U.K. – with special emphasis on the jobs created by Tommy Cooper [the ITV show], the importance of Outlander (i.e., particularly vis-a-vis the political issues in the U.K. as Scotland contemplates detachment this Fall), and the growth of our channels business…”

The implication is that SPE would suppress any effort to distribute Outlander to the benefit of Cameron’s anti-independence position, in exchange for “growth of our channels business…”

What exactly does this mean?

And is the pursuit of growth confined to SPE, or did “channels business” mean something else? Were Sony executives also looking for opportunities for Sony Corporation, which includes Sony Computer Entertainment, Sony Music Entertainment, Sony Mobile Communications (once known as Sony Ericsson), and Sony Financial?

Did SPE executives and the Prime Minister agree not to seek broadcast or cable distribution Outlander in the UK before this month’s election? Read more

Cyber Secret Sources Finally Met a Snowden Leak to Love!

The NYT has a story describing the rise of the North Korean 6,000-strong hacking unit, which (the story explains) the NSA has been watching closely since 2010.

Spurred by growing concern about North Korea’s maturing capabilities, the American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.

A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.

It goes on to explain why, in spite of having beacons throughout North Korea’s network, it didn’t warn Sony.

The N.S.A.’s success in getting into North Korea’s systems in recent years should have allowed the agency to see the first “spear phishing” attacks on Sony — the use of emails that put malicious code into a computer system if an unknowing user clicks on a link — when the attacks began in early September, according to two American officials.

But those attacks did not look unusual. Only in retrospect did investigators determine that the North had stolen the “credentials” of a Sony systems administrator, which allowed the hackers to roam freely inside Sony’s systems.

It even suggests that Clapper knew about North Korea’s “capabilities” even as he was having dinner with the guy in charge of it (though it does not say whether he knew about this hack).

“Because of the sensitivities surrounding the effort” to win the Americans’ release, Mr. Hale said, “the D.N.I. was focused on the task and did not want to derail any progress by discussing other matters.” But he said General Clapper was acutely aware of the North’s growing capabilities.

For the moment, I’ll set aside whether this is convincing (parts of the story — such as that North Korea’s hackers trained in China and now target China) don’t add up.

But I did want to point out two things. First, NYT relies on a document liberated by Snowden to bolster its case. It’s not clear how well it actually does bolster the case: it shows the NSA piggybacking on South Korean efforts in 2007, and then setting its own beacons. It provides a different timeline and doesn’t say how extensively the US has infiltrated North Korea. In any case, though, it is a Snowden document the secret cyber sources finally love, one that backs their immediate claims.

Finally, note what else this says: this is another example where we have intelligence but aren’t using it not because of information sharing rules, but because we’re too inattentive to make use of it. This will be useful when Congress tries to pass CISPA because of Sony.

North Korea and Sony: James Clapper Describes His Trip

As debates about whether North Korea hacked Sony continue (or even better, websites mockingly show you could randomly assign blame to any number of people; h/t Kim Zetter), there’s something that has long bothered me. The excuse for the government’s failure to provide a more fulsome description of the reasons it is so sure North Korea is to blame always go back to (NSA’s) sources and methods.

For example, here’s Jack Goldsmith making the legitimate argument that one reason you can’t attribute properly is because it would expose what we don’t know, and make us more vulnerable to hackers.

The problem with saying that the “secrecy of the NSA’s sources and methods is going to have to take a back seat to the public’s right to know” is that public knowledge could exacerbate the cyber threat.  For when other countries know those aspects of those sources and methods, they can hide their tracks better in the next attack.  The U.S. Government might think that the credibility hit it takes for not revealing more in the face of this relatively mild attack on Sony is outweighed by the longer-term advantages – to meeting and defeating greater cybersecurity threats – of having penetrated networks and conversations in unknown ways.  The game is iterative, and the proper balance of secrecy and disclosure at any particular time is tricky.  

There’s one part of the hack, however, for which such claims can’t be made — and which, in the government’s descriptions, has been just as weak as the FBI’s public forensic case against North Korea: motive.

Not only did the movie The Interview, only become the motive well after the hack, but — even assuming Kim Jong-Un is batshit crazy — the rest of the hack still doesn’t make sense. Why burn all those stars before targeting The Interview? Why release so much about Sony’s IP and other financial dealings before targeting The Interview? Why do nothing in the face of The Interview‘s subsequent release and broad success? In other words, why does the bulk of the attack actually not attack the purported target of it? Heck, the hackers didn’t even make the most of the materials on the Interview obtained in the hack to best serve North Korea’s interests.

No description of the motive I’ve seen makes any sense (again, even assuming that everyone in North Korean positions of authority are crazy or at least irrational).

Meanwhile, as far as I know I had been the only person to point out that James Clapper made a highly unusual trip to North Korea just weeks before the hack to pick up two Americans North Korea claims were US spies.

Curiously, claims that North Korea launched the hack make no mention of James Clapper’s highly unusual trip to North Korea, just a few weeks before the hack was discovered, to pick up two Americans North Korea had imprisoned, claiming they were spies.

It seems to me you might more likely find a rational motive for a rash attack on US soil (albeit at the US subsidiary of Japanese company) in that trip than in a movie, no matter how curious the movies’ ties to US national security figures. That is, not only did North Korea allegedly hack Sony for a movie reviewed by government officials depicting the assassination of Kim, but it did so weeks after the top US spy personally flew to North Korea to rescue two Americans North Korea claimed were spies, one of whom entered on a tourist visa and then ripped it up claiming he wanted to talk to North Koreans.

Reports from a press blitz Clapper did upon his return described Clapper delivering a letter from President Obama — which he described as doing no more than naming Clapper as envoy to pick up the two Americans but which Clapper declined to quote — and North Korea as disappointed that Obama hadn’t offered something more in exchange for the prisoners.

Mr. Clapper revealed details of the trip in an interview with The Wall Street Journal. The North Koreans seemed disappointed when he arrived without a broader peace overture in hand, he said. At the same time, they didn’t ask for anything specific in return for the prisoners’ release.

U.S. officials say the mission, which few officials within the Obama administration knew about until Mr. Clapper was returning, wasn’t meant to signal any change in the U.S.’s approach to the reclusive North.

Mr. Clapper’s earlier conversations with older North Korean officials on his one-day trip had been contentious. He heard what he called a far more “tempered” tone from a younger North Korean whom he described as an interlocutor and who accompanied him on the 40-minute drive back to the airport at the trip’s end. He said the interlocutor expressed regret that the North and South remained split and asked Mr. Clapper if he’d return to Pyongyang.

[snip]

The plan to send Mr. Clapper came together suddenly.

North Korea made clear that it wanted the U.S. to send a “senior envoy” and that it wanted a communication from the president.

The White House tapped Mr. Clapper, because he was a cabinet-level official though not a member of the cabinet or a diplomat. The White House didn’t want to signal to the North Koreans that Mr. Clapper was being sent to conduct a diplomatic negotiation. Mr. Clapper had also served as a military intelligence officer in South Korea in the mid-1980s and had a continuing interest in the Korean peninsula.

[snip]

Gen. Kim Young Chol appeared to be taken aback when handed the letter, Mr. Clapper said.

Written in English, the letter introduced Mr. Clapper as the president’s envoy and “characterized the release of the two detainees as a positive gesture,” Mr. Clapper said, declining to quote it directly. “It didn’t apologize.”

It’s possible there was more to the trip than Clapper’s very boisterous press blitz let on.

And it turns out I’m no longer the only one who links the trip to North Korea and the hack. At a speech at a cybersecurity conference at Fordham today, Clapper repeated accusations that North Korea had done the Sony hack, claiming that the General Kim Youn(g) Chol, with whom he had met on his trip, ordered the attack (see also Eamon Javers’ TL) amid more details of what went wrong with his plane and other details of his trip. The Bureau Kim Youn(g) Chol heads is among those sanctioned last week in response to the hack, though it doesn’t appear he’s among the sanction targets himself (though there is someone with a very similar name, Kim Yong Chol, who is Korea Mining Company’s representative in Iran, who was sanctioned). 

I’m still not convinced that North Korea did the hack. But if they did, then there’s more of a backstory, precisely where Clapper is pointing to it: in his trip to North Korea just weeks before the hack.

Alternately, Clapper’s fixation on his trip may suggest his meeting with Kin Youn(g) Chol has influenced analysis of the hack, leading Clapper’s subordinates to ascribe more importance to heated meetings while their boss was in North Korea than they logically should.

Either way, Clapper’s giving a very partial description of that trip. But now that he has returned to doing so, it ought to be a much more significant focus for reporting on the alleged North Korea hack.