Wednesday, December 31, 2014

Rethinking "The Hack"

Barely 11 days ago, the FBI announced they had identified the chief culprit behind the hack of Sony Pictures, which delayed the release of a major holiday film, and exposed damaging e-mails and financial information that embarrassed the corporation and top executives.

According to the bureau's cyber experts, North Korea was behind the hack, apparently in retaliation for Sony's planned release of "The Interview," a comedy about a talk show host (and his producer) hired by the CIA to kill DPRK dictator, Kim Jong-un. Needless to say, the hermit kingdom didn't find that premise very amusing, so they (allegedly) launched a major cyber strike on Sony, revealing everything from the social security numbers of studio employees, to gossip-filled e-mails between executives and top producers which confirmed that many of Hollywood's elites are nothing more than hypocrites.

While that revelation was hardly surprising, the Sony hack represented the most serious cyber attack (to date) against a major corporation and it even became a free speech issue when the studio--temporarily--threatened to pull the picture.  Since then, "The Interview" has been shown in limited release, at independent movie theaters and on-line.

But security experts have long expressed doubt that Pyongyang was entirely responsible for the hack, citing a lack of conclusive evidence.  And that theory has gained steam in recent days, with various security firms claiming that the attack was, at least partially, an "inside job."  From the Hollywood Reporter:

Despite the FBI declaring that North Korea was behind the devastating cyberattack on Sony Pictures Entertainment, security experts continue to believe that the hack was an inside job, reports The Security Ledger. 

Security firm Norse claims it has evidence that shows the Sony hack was perpetrated by six individuals, including two based in the U.S., one in Canada, one in Singapore and one in Thailand. Norse senior vp Kurt Stammberger told the Ledger, a security industry news website, that among the six was one former Sony Pictures employee, a 10-year veteran of the company with a very technical background who was laid off in May following restructuring.

The Ledger writes: “Researchers from the company followed that individual online, noting angry posts she made on social media about the layoffs and Sony. Through access to IRC (Internet Relay Chat) forums and other sites, they were also able to capture communications with other individuals affiliated with underground hacking and hacktivist groups in Europe and Asia.”

While the analysis from Norse is not considered conclusive, the company's findings were shared with the FBI earlier this week, and they are consistent with those of other experts.  Almost a month ago, senior officials at AlienVault and Exabeam (among others) postulated that an insider was involved, noting that hackers knew the hardcoded names of Sony network servers, along with the credentials/usernames and passwords needed to access the system.  

So far, the FBI is sticking by its publicly-stated theory. And there may be a good reason for that, namely the fact that the bureau has access to information beyond the reach of security companies in the private sector. Fact is, the FBI maintains a close working relationship with NSA on cyber-security issues and can draw upon that agency's vast expertise in that field. In fact, some members of the FBI's cyber division are stationed at NSA HQ at Fort Meade, MD, to facilitate liaison efforts between the organizations. It's a safe bet the FBI's "North Korea" analysis was based, at least in part, on data provided by NSA, and so far, the feds have said virtually nothing about the role of the SIGINT agency in the Sony investigation. If the assessment is based on NSA data, it would add more credence to the North Korean angle.

In fact, a better question might be why NSA hasn't established a partnership with Sony and other American entertainment companies, given their prominence in the global market.  Shane Harris provided new details on these alliances in his recently-published book @War: the Rise of the Military-Internet Complex (H/T: Tech Dirt):

The NSA helps the companies find weaknesses in their products. But it also pays the companies not to fix some of them. Those weak spots give the agency an entry point for spying or attacking foreign governments that install the products in their intelligence agencies, their militaries, and their critical infrastructure. Microsoft, for instance, shares zero day vulnerabilities in its products with the NSA before releasing a public alert or a software patch, according to the company and U.S. officials. Cisco, one of the world’s top network equipment makers, leaves backdoors in its routers so they can be monitored by U.S. agencies, according to a cyber security professional who trains NSA employees in defensive techniques. And McAfee, the Internet security company, provides the NSA, the CIA, and the FBI with network traffic flows, analysis of malware, and information about hacking trends.

Companies that promise to disclose holes in their products only to the spy agencies are paid for their silence, say experts and officials who are familiar with the arrangements. To an extent, these openings for government surveillance are required by law. Telecommunications companies in particular must build their equipment in such a way that it can be tapped by a law enforcement agency presenting a court order, like for a wiretap. But when the NSA is gathering intelligence abroad, it is not bound by the same laws. Indeed, the surveillance it conducts via backdoors and secret flaws in hardware and software would be illegal in most of the countries where it occurs. 


According to Mr. Harris, a number of companies have been invited to form partnerships with NSA, including tech firms, on-line security providers, and organizations that fall within the 16 categories of "critical infrastructure" that are allowed to have alliances with the agency. Communications companies form one category of infrastructure, but it doesn't appear that entertainment firms fall under that heading, although "theme parks and casinos" are also defined as critical infrastructure elements.

With the Sony hack, the categories of companies that can partner with NSA may be expanded once again.  Under current rules, there isn't much the agency can do.  In recent testimony before Congress, the NSA Director, Admiral Michael Rogers, said his organization can "watch" an attack develop and follow its targeting of specific companies and networks, but the agency cannot contact an affected firm on its own, unless it falls under a critical infrastructure category, and a formal agreement is in place. 

In his book, Mr. Harris notes that NSA offers classified briefings and "limited-duration" security clearances to executives from tech firms. The presentations are aimed at "scaring" the companies into partnerships with NSA, based on threat information provided by the spy agency. According to individuals familiar with the program, NSA has little difficulty convincing companies to work with them, since many of the presentations offer information beyond the reach of most security firms.

That's why the North Korean connection cannot be completely ruled out in the Sony case, and it's the likely reason the FBI hasn't retracted its original assessment.  There may be information--beyond the limited forensic data offered so far--that puts Pyongyang in league with the hackers.  Of course, that assumes the feds have their facts straight and that isn't always the case.  According to Business Insider, an FBI bulletin on the threat of future attacks was based (in part) on fake posts and messages created by a prankster. 

Unfortunately, such errors don't inspire much confidence in the federal guardians of our on-line infrastructure. Neither do new reports about NSA analysts using the agency's vast collection resources to spy on current and former lovers and spouses. It's hard to do your job when you're trying to trace the phone calls, e-mails and text messages of an ex-wife or current girlfriend or boyfriend.

1 comment:

Just My 2¢ said...

Seems to me that protecting corporate and personal data of US citizens is a perfect job for the CIA, NSA and CERT.

Too bad they're more focused on getting inside instead of keeping everybody else locked out.