Wrapping up the whole Sony thing… for now.

SIGINT

So a bunch of things have come out in the last week that honestly make further discussion about attribution pointless. Once again, we are dealing with things said at conferences or deliberately leaked to the media, but given the sources, we have to at least take them somewhat seriously.

North Korean Signals Intelligence (SIGINT)

This was always a “wildcard” that couldn’t be discounted. Given what we know of the NSA and PRISM, it’s hardly surprising to hear that their sensors were “in the right place at the right time” to record some or all of the Sony hack. So what exactly did they collect? Allegedly, they saw phishing emails sent from North Korea to Sony sometime in September. Furthermore, in retrospect, they determined that those emails had been successful in compromising the credentials of at least one admin.

It seems pretty solid. There are some things about this that trouble me, however.

  1. The first is that we are hearing this in the form of bits and pieces of leaked information, passed directly to the media. This seems an unusual strategy for the NSA or the FBI – especially the NSA who have nothing to gain (and everything to lose) from leaking details about classified intelligence operations. Especially now that the White House has accepted their conclusion and taken punitive action. Just who exactly are they trying to convince? Until I hear this from a reliable source who can answer a few technical questions, I am going to continue to be politely skeptical.
  2. The second is that they are saying they have evidence of North Korea hacking Sony based on intelligence they collected by hacking North Korean systems that had already been hacked. These North Korean systems were already owned, most likely, by South Korea, and in most cases already had “implants” which were vulnerable enough that the NSA could either hijack them or share their usage with the original group that planted them. That doesn’t inspire me with a lot of confidence. Who is to say that whoever hacked these North Korean systems in the first place wasn’t messing with them? Who is to say that some other third party came along and also compromised these already compromised North Korean systems?
  3. Without accurate identification of the Sony hack vector, it is impossible to know for sure what role these connections played in the Sony hack. Maybe they started it. Maybe someone else started it and they followed in their footsteps. Maybe someone else did it and is quietly chuckling to themselves at how naive we all are.
  4. Finally, are we seriously punishing the North Koreans for hacking our infrastructure based on intelligence we gained from hacking their infrastructure? This does not feel like a righteous position to find ourselves in.

Facebook Connections

This is perhaps the first piece of reasonably solid evidence in the whole affair. Speaking to the press at the International Conference for Cyber Security, Director Comey alleged that while they were logging into Sony’s infrastructure, the attackers slipped up and connected to Sony’s systems directly. Then, while exposed like this, they logged into the GOP Facebook page. This allowed both Sony and Facebook to record their IP address information.

This is the sort of evidence that solid attribution cases are built upon.

However, it’s still possible to knock a few holes into this. For example, without the accurate understanding of the vector, we don’t know if they started this, or if they took over where someone else left off. We also don’t know whether this whole thing was a deliberate decoy. Without knowing what he meant by “North Korean IPs,” it is also impossible to understand how solid this evidence is. For example, if the IPs come from a North Korean machine owned by the South Koreans, the NSA, and the Chinese, my skepticism remains. It’s hard to say that anything coming from a machine that’s been “hacked to pieces” by multiple parties can definitively be attributed to anyone.

So that’s where we are. In my eyes, the preponderance of evidence definitely suggests North Korean involvement, or someone trying very hard to make it look like North Korean involvement. However, I remain far from convinced that the North Koreans started this or, indeed, that they played a significant role in this. If only the NSA or FBI would invite me to look over their SIGINT and the non-public evidence collected in the case… 🙂

Response to the latest Sony comments by FBI Director Comey.

Here are my responses to the latest comments on the Sony hack, as presented by Director James Comey at the International Conference of Cyber Security in New York this morning.

“The tools in the Sony attack bore striking similarities to a cyber attack the North Koreans conducted in March of last year against South Korean banks and media outlets.”

This is something they pointed out in their first press release. See https://marcrogers.org/2014/12/21/why-i-still-dont-think-its-likely-that-north-korea-hacked-sony/

“We put our behavior analysis unit to work looking at the statements, the writings, and the diction of the people involved claiming to be the so-called Guardians of Peace in this attack and compared it with other attacks we know the North Koreans have done. And they say, easy for us, it is the same actors.”

OK, but what other attacks? Like some of the other evidence presented, this is interesting sounding, but without any of the actual science it’s not much more than hearsay. What are the other attacks they are comparing with? What are the points of similarity? How similar are those points?

“We brought in a red team and said what else might we be missing… and we end up in the same place.”

I don’t even know what this means. Maybe they are saying they brought in a team of professional penetration testers and asked them to use their experience as “hackers”? If so, it’s interesting but again it is not really evidence.

Update: I’m told that in FBI speak “red teaming” means the FBI brought in professional critics to debate competing hypotheses. “Ended up in the same place” means that, despite the alternate hypotheses, after reviewing the evidence the red team reached the same conclusion, i.e. that North Korea was behind the attacks.

I would be very interested in hearing what alternate hypotheses were presented and on the basis of what evidence they were subsequently eliminated.

“I know that some serious folks have suggested we have it wrong, I would suggest, I am not suggesting, they don’t have the facts I have — they don’t see what I see, but there are a couple things I have urged the intelligence community to declassify that I am going to tell you right now. The Guardians of Peace would send emails threatening Sony employees and would post online various statements explaining their work. In nearly every case they used proxy servers to disguise where they were coming from. But several times they got sloppy.”

There are several things here. First, I don’t think anyone would disagree with him when he says he has access to information that no one else has. I would hope that the FBI has access to a lot more information than me. However, what many of us are saying is that if you are going to accuse a foreign country of an egregious crime, and have the US respond in a punitive way to that country, the evidence should be clear, of a good standard, and handled in a transparent way. If the FBI is sitting on a smoking gun then they should tell us about it, because so far all they have presented is flimsy, at best circumstantial, evidence.

Let’s look at the email claim:

First, they are saying that these guys, who were so careful to route themselves through multiple public proxies in order to hide their connections, got sloppy and connected directly. It’s a rookie mistake that every hacker dreads. Many of us “hackers” even set up our systems to make this sort of slip-up impossible. So, while it’s definitely plausible, it feels very unlikely for professional or state-sponsored hackers in my book. Hackers who take this much care when hiding their connections have usually developed a methodology based around using these kinds of connections to hide their origin. It becomes such common practice that it’s almost a reflex. Why? Because their freedom depends on it.

However, even if we take that to one side and accept that these emails came from North Korean IP addresses, what are those addresses? If they are addresses in the North Korean IP ranges then why don’t they share them? If they are North Korean servers, then say so! What about the possibility that this attacker who has shown ability and willingness to bounce their connections all over the world is simply bouncing their messages off of North Korean infrastructure?

Finally, how do they even know these emails came from the attackers? From what I saw, the messages with actual incriminating content were dumped to pastebin and not sent via email. Perhaps there are messages with incriminating content – and by this I mean links to things only the attackers had access to – which they haven’t shared with us? Because from where I am sitting, it’s highly possible that someone other than the attacker could have joined in the fun by sending threatening messages as GOP, as we have already seen happen once in this case.

It would be far more interesting to me if these IP addresses were from connections that resulted in data being moved in or out of the network or connections involved in the control of compromised systems. For example:

  • Connections that can be directly implicated in placing tools into the network or logging into Sony machines
  • Connections involved in directly exfiltrating the terabytes of information that GOP stole from Sony out of the network.

Once you have thoroughly excluded the risk of these connections being bounced through a compromised “patsy” system or through a series of proxies, and once you are able to demonstrate that they are direct, or that you can account for every single point or hop in the connection, it would be hard for the connections to be anything but the result of the attackers themselves. However, the risk that somehow the connection is being redirected, or that you are being misdirected, is VERY hard to eliminate.

This is what makes attribution so hard.

“Several times, either because they forgot or they had a technical problem, they connected directly and we could see them. And we could see that the IP addresses that were being used to post and to send the emails were coming from IPs that were exclusively used by the North Koreans.”

I think I covered this above. I agree that it is certainly possible for an attacker to make mistakes like this, but it seems very unlikely. It would be a rookie mistake for an accomplished hacker. However, people do make mistakes.

Equally, however, it could be a sign that different people are involved – one who is being extremely careful, and another, possibly an opportunist, who is sending lots of threatening messages. Perhaps the hacker and an opportunistic emailer taking advantage of the chaos?

Finally, what are the IP addresses, and how can you say “exclusively North Korean”? The only addresses that I can think of as exclusively North Korean are ones that belong to the North Korean IP ranges, and if that’s the case, why not say so? Those addresses are hardly a matter of national security. Also, how did they rule out the possibility that someone is faking those IP addresses, or bouncing off of them, or hijacking them?

“It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They would shut it off very quickly once they realized the mistake, but not before we saw them and knew where it was coming from.”

“We have a range of other sources and methods that I will continue to protect because we think they are critical to the entire intelligence community’s ability to see future attacks and understand this attack better.”

So we are back to the SIGINT. I respect their need to keep matters of national security discreet. After all, disclosure can jeopardize the operation, the source, and any future use. However, if SIGINT is the only really strong evidence they have then say so. Stop presenting the rest of this weak circumstantial evidence, passing it off as a smoking gun.

“I remain where I started not just with high confidence but VERY high confidence that the North Koreans perpetrated this attack.”

Likewise, while I agree there is some interesting information here, I see nothing that conclusively incriminates the North Koreans. Instead, if anything, this evidence just leaves me with even more questions.

“We are still looking to identify the vector – so how did they get into Sony. We see so far spear phishing coming into Sony as late as September this year. We’re still working on that, and when we figure that out we’ll do our best to give you the details on that. But that seems the likely vector of entry into Sony.”

Wow. That’s potentially a HUGE bombshell. Is the FBI really saying that they don’t know what the vector was, or are they just being coy? If they genuinely don’t know what the vector was then I have even more concerns. The vector is often the single most important piece of evidence you can uncover in a cyberattack like this.

I don’t mean to be blasé, because I really do appreciate that running an investigation like this is a very difficult exercise with many moving pieces. However, for me, the vector is a HUGE factor in understanding what happened and ultimately in correctly attributing the criminals that perpetrated it.

I do also appreciate that it is easy commenting from the peanut gallery, and not so easy to be sitting in the hot seat, especially with the kinds of constraints that the FBI have.

Finally a few folks have asked me what I would like to see in order to be convinced that it really was North Korea.

That’s a tough question to answer. I would love to see a smoking gun but a smoking gun can mean so many things in the world of digital forensics. It’s also something that you so rarely get. Some of the things that would help, though, would be –

  • Evidence of direct symmetrical connections – i.e. either data connections or control connections that were not routed from a proxy. Not asymmetric connections such as an email moving from server to server.
  • Connections that were routed through proxies supported by logs from every single proxy involved.
  • Comprehensive forensic evidence from a “staging system” used by the attackers to control or deploy their attacks.
  • Evidence of highly specific code, which can then be tied to an individual or individuals.
  • Evidence of a highly specific vulnerability or 0day that can be traced.
  • Details (not just hints) about highly specific tools used by the attackers, which can be linked back to the attackers.
  • The attacker’s laptop with tools, code and logs intact.
  • A confession 😉
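To make the “account for every single hop” standard from the proxy discussion and the first two points of this list concrete, here is an added illustration (my own example, not part of the original post). It walks a connection seen at the target back through whatever proxy logs are held, and classifies it as direct, fully accounted for, or unaccounted (a hop with no logs); the log lines and the “claimed exclusive” range are constructed placeholders using RFC 5737 documentation addresses, not real data from the case.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed placeholder standing in for a range someone claims is "exclusively" theirs.
CLAIMED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Hosts known to be proxies and the logs we hold for each:
# proxy_ip -> [(timestamp, upstream_source, next_hop)]   (constructed sample data)
PROXY_LOGS = {
    "198.51.100.7": [("2014-09-10T10:00:04", "192.0.2.9", "target")],
    "192.0.2.9":    [("2014-09-10T10:00:03", "203.0.113.45", "198.51.100.7")],
    "198.51.100.8": [],  # known proxy, but nobody obtained its logs
}

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def in_claimed_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLAIMED_RANGES)

def trace_chain(seen_at, src, next_hop="target", window=timedelta(seconds=5), hops=None):
    """Walk backwards one hop at a time. Returns (status, origin_ip, proxies_traversed)."""
    hops = list(hops or [])
    if src not in PROXY_LOGS:  # not a known proxy: the trail stops here
        return ("accounted" if hops else "direct"), src, hops
    when = ts(seen_at)
    # The proxy must have logged a forward to our next hop just before we saw it.
    matches = [e for e in PROXY_LOGS[src]
               if e[2] == next_hop and timedelta(0) <= when - ts(e[0]) <= window]
    if not matches:
        return "unaccounted", None, hops + [src]  # a hop with no logs breaks the chain
    prev_ts, upstream, _ = matches[0]
    return trace_chain(prev_ts, upstream, next_hop=src, window=window, hops=hops + [src])

def assess(seen_at, src):
    status, origin, hops = trace_chain(seen_at, src)
    in_range = origin is not None and in_claimed_range(origin)
    return {"status": status, "origin": origin, "hops": hops, "in_range": in_range}

# Constructed target-side connection log: (timestamp, source_ip)
TARGET_LOG = [
    ("2014-09-10T10:00:05", "198.51.100.7"),  # two-hop chain, every hop logged
    ("2014-09-10T10:02:30", "203.0.113.45"),  # direct connection
    ("2014-09-10T10:05:00", "198.51.100.8"),  # proxy with no logs: cannot be attributed
]

if __name__ == "__main__":
    for seen_at, src in TARGET_LOG:
        print(src, assess(seen_at, src))
```

Only the first two connections end with an origin inside the claimed range; the third shows the failure mode the post describes, where one unlogged hop leaves the origin unknown regardless of how the address looks.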