Saturday, December 27, 2014

Doing the Un-Walk!



Well, even after all the brouhaha about the FBI report coming out and (sorta) proclaiming that North Korea was responsible for the Sony Entertainment compromise, which most of the infosec community thought was bullshit from the start, they seem to be walking this back now. This is not surprising considering the evidence that has been presented to the contrary by many respected researchers in the field. On the other hand, a great many people do find this surprising, so why is that? That is the real question…

The real reason this is surprising to so many people is manifold. First, most of us find it easy to think of North Korea as the “bad guy” just because of their past and current social and political status in the world. No one would ever argue that North Korea is a bastion of anything other than suppression of and cruelty towards their own people and anyone they could potentially force their will upon (which sadly is only their own people). Second, as of late, they have been flexing what weak muscles they have towards Japan (hiding under the skirt of China, since there is no love lost there) with missile tests and the like. And third, well, we all like bad guys being bad guys; it’s just so much simpler when the people we think are bad are, well, acting badly.

This is the perfect formula for a nice tight story, with backup that most people don’t understand, nor really care to for that matter, other than the word of our government, which, ironically, most people don’t trust to begin with! Strange bedfellows indeed! But a great formula for deceiving the masses through the attribution of ignorance. And I do not blame the masses for this, I blame the government (and most of the media), as they are the ones attempting to take advantage of people who don’t know any better. Most people don’t know, nor should they be expected to know, how “sophisticated” cyber-attacks occur; after all, we pay experts to take care of this, right? I’m not trying to go all conspiracy theory on this breach, but the foundation is perfect for laying the blame wherever it’s convenient, especially considering the lack of understanding by most normal folks in society.

Fortunately, we have a lot of very talented and well-meaning people out there who know enough about attacks like this and have the balls to speak out about the research they have done on their own, without any compensation other than wanting to know the truth of the matter. The consensus, even before the FBI floated their weak hypothesis, was that this attack never originated from North Korea. And now, through this pressure of wanting the “facts” revealed, the FBI is walking back their initial position that this was the work of the North Koreans, which even North Korea denied (which should tell you a great deal, since, as crazy as they are, they would take credit for anything if it made them look good).

But enough of that for now…

So some might say it might have been Sony itself, to help push their movie and whatever else. That’s just really crazy talk considering the money they spent on making the movie, not to mention the huge liability they’re responsible for at the moment, cyber-insurance notwithstanding. So the Sony Entertainment Corporation is out of the running, other than the fact that they obviously have some major security issues that were never addressed.

So who actually breached Sony, and why? Well, that is the real question, isn't it? We can all speculate, whether from an informed perspective or as couch quarterbacks, but so far no one has actually identified a person(s) or group that has left a traceable path of evidence. One group has claimed responsibility for the breach and, despite all their threats, hasn't produced anything other than some data leaks and smack talk.

So I’ll just leave this out there for everyone to think about, especially since I know I am talking to a limited and intelligent audience: Sony is being hush-hush about this, which is to be expected; the incident response firm will be shackled by NDAs, so no information will come from them; and the government has now been discredited on its initial proposition by people who actually know what they’re talking about. But you know the FBI has talented people too, so that might just mean they are hiding something, which is not unusual, but for what reason? And that is the real question, isn't it?


Throughout this whole debacle there is one conclusion that can definitely be drawn from all of this, though, and that is: attribution is now a weapon.

Friday, December 19, 2014

Fully Bullshitical Intelligentsia

First off, I will declare that I am in no way an expert in any of the areas in which I’m going to make comments. That said, I’m not a moron either, and I truly disdain being treated as such, as should any person who relies on their government's intelligence agencies, which are bound by law to be truthful to their people unless there is a damn good reason to withhold such information. I fully believe that there are times when certain “lettered” agencies can’t and shouldn't reveal what is truly going on during certain operations, but I don’t believe that the hacking of an entertainment company qualifies as one of those instances.

So, before today there was much speculation as to who the actual perpetrators of the Sony attack were and their reasons behind such a brutal assault against an entertainment company. Sure, the idea of North Korea was being floated about, but generally not in the circles of people who are truly in the “know” about this kind of attack. And yet today, our own FBI took it upon themselves to announce that the attack was in fact the work of hackers from North Korea, never mind that the whole supposed reason behind this attack was the premise of a two-bit movie about a meaningless country’s dictator.

Making any sense so far?

No?

That’s what I thought.

Some very intelligent, yet independent, people have taken it upon themselves to analyze the malware that was used in this attack, and almost every one of them, to a tee, has concluded that either this was absolutely not the work of the North Koreans or, at the least, has cast considerable doubt on this claim. Yet the FBI’s proclamation about their findings has been swallowed hook, line and sinker by all of the media outlets reporting about this major breach.

So let’s all take a step back from this and see who has something to gain from their claims: the independent researchers who took their own time to investigate the actual, albeit minimal, evidence provided, or the big government agencies that have full access to all of the data, yet have to report to someone “above their pay grade”. Politics can be a bitch no matter your political leanings, but the 1’s and 0’s never lie, if you drill down deep enough. But never forget that any data can be made to appear to be something other than what it truly is. And from what I have seen so far, the independent researchers have offered up quite a bit more technical detail than any of the “three lettered” agencies have. And if these fine people can show their good scientific methods and their conclusions, it’s really not a national security matter, it’s just a matter of truth over narrative.
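To make the “any data can be made to appear to be something other than what it truly is” point concrete, here is an added example (mine, not from this post and not derived from any analysis of the actual Sony samples). It builds a few header-only PE images carrying constructed build timestamps, runs the kind of working-hours heuristic analysts sometimes use to guess an operator’s timezone from build times, and then rewrites the four timestamp bytes so the very same files tell a different story. The header layout follows the public PE/COFF format; the nine hourly build times, the 09:00 to 18:00 workday and the whole-hour offsets are assumptions made for the demo.

```python
"""
Added example, not from the original post: why a build timestamp pulled out of
a malware sample is weak attribution evidence. A PE file's TimeDateStamp is one
4-byte little-endian integer in the COFF header (8 bytes past the "PE\0\0"
signature, per the public PE/COFF format); whoever ships the binary can set it
to anything. The PE images below are constructed here for the demo (headers
only, not executable) and the working-hours heuristic is a simplified version
of the timezone inference analysts sometimes apply to such timestamps.
"""
import struct
from datetime import datetime, timedelta, timezone

E_LFANEW_FIELD = 0x3C   # DOS header field holding the file offset of "PE\0\0"
TIMESTAMP_REL = 8       # "PE\0\0"(4) + Machine(2) + NumberOfSections(2)


def build_minimal_pe(timestamp: int, machine: int = 0x14C) -> bytes:
    """Construct a header-only PE image carrying the given COFF timestamp."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, E_LFANEW_FIELD, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


def timestamp_offset(pe: bytes) -> int:
    """Locate TimeDateStamp, validating both signatures on the way."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    (e_lfanew,) = struct.unpack_from("<I", pe, E_LFANEW_FIELD)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: bad PE signature")
    return e_lfanew + TIMESTAMP_REL


def read_build_time(pe: bytes) -> datetime:
    """The 'compile time' an analyst would report for this sample."""
    (ts,) = struct.unpack_from("<I", pe, timestamp_offset(pe))
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def forge_build_time(pe: bytes, when: datetime) -> bytes:
    """Return a copy of pe whose header claims it was built at `when`.
    Only the four timestamp bytes change; nothing else in the file moves."""
    out = bytearray(pe)
    struct.pack_into("<I", out, timestamp_offset(pe), int(when.timestamp()))
    return bytes(out)


def infer_utc_offset(build_times, work_start=9, work_end=18) -> int:
    """Whole-hour UTC offset under which the most build times fall inside
    working hours (ties go to the smallest offset). This is the sort of
    heuristic used to guess where an operator sits; it is only as good as
    the bytes it is fed."""
    best_off, best_hits = None, -1
    for off in range(-12, 15):
        hits = sum(work_start <= (t.hour + off) % 24 < work_end for t in build_times)
        if hits > best_hits:
            best_off, best_hits = off, hits
    return best_off


def demo():
    """Nine samples 'built' hourly from 00:00 to 08:00 UTC (constructed data)
    look like a UTC+9 workday; shifting each stamp back twelve hours makes
    the same files look like a UTC-3 workday. Returns both inferred offsets
    and how many bytes of the first sample actually changed."""
    base = datetime(2014, 11, 20, 0, 0, tzinfo=timezone.utc)
    samples = [build_minimal_pe(int((base + timedelta(hours=h)).timestamp()))
               for h in range(9)]
    before = infer_utc_offset([read_build_time(s) for s in samples])
    forged = [forge_build_time(s, read_build_time(s) - timedelta(hours=12))
              for s in samples]
    after = infer_utc_offset([read_build_time(f) for f in forged])
    changed = sum(a != b for a, b in zip(samples[0], forged[0]))
    return before, after, changed


if __name__ == "__main__":
    before, after, changed = demo()
    print(f"inferred operator offset before forging: UTC{before:+d}")
    print(f"inferred operator offset after forging:  UTC{after:+d}")
    print(f"bytes changed per sample: {changed}")
```

Run it and the inferred “operator timezone” swings from UTC+9 to UTC-3 while only a handful of bytes per file change. The same holds for any self-reported metadata the attacker controls (embedded strings, paths, resource language IDs): such indicators are consistent with a story, never proof of it, unless corroborated by something the attacker could not have planted.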

So, for honesty's sake, let’s lay all the cards on the table and see who has the winning hand.

P.S.

And to anyone who wants to wave the banner of national security: if someone wanted to truly hit us hard, they could cripple our critical infrastructure, rendering us vulnerable to a variety of attacks, but I doubt they would test these attacks on an entertainment company or because of a movie, so calm that shit down. Not that this issue isn’t a real threat that needs to be addressed; just that the events aren’t related, in my unprofessional opinion.

Tuesday, December 16, 2014

The (Story Of Negligent Years)

Our story begins many years in the past, ending in the present day (or does it?)

Antagonist: DERP

Read everything you can about the Sony breach (or just the headlines), especially the internal parts about movie stars, executives, leaked scripts, personal information and then, forget it all. This whole mess is just a security failure of their own making, not an act of war, or any other such nonsense, nor does it even matter who perpetrated the attack. The simple fact, and the lesson that should be learned from all of this is, SECURE YOUR NETWORK PROPERLY.



The End. 

Thursday, December 4, 2014

CISSP (Certified Insecure Sony Server Protocols)

MD5 hash: f46e64c568bd8816a2ca95835e2a2584
SHA-1 hash: e8da4dd2400ef4fc931a30625d8be59bf3a10eea

Well, now we know the recipe for the perfect crime: have a 3 to 1 ratio of security executives over the people who are actually responsible for implementing and maintaining said security. This, as reported by Fusion in this article: http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/ seems to be the template for success if you want a multi-billion dollar company to be completely pwned. But you don’t have to be a multi-billion dollar company to have this level of security; all you really have to have is the ability to pay ridiculous salaries to a few people who know very little about what they are managing, hire a few folks who actually do know what they’re doing, then underfund them and require security to take a backseat to “productivity”. Boom, now you’re ready for the big time!

Now if you take this formula and apply it to practically any other business unit you can imagine, in any industry, do you know what you will get? Yep, you guessed it: complete and utter failure (excluding government agencies, practically all of which excel at this!). And why is this? Well, most of us know this is a self-answering question.

Again, using Sony as an example, when they make a movie, of course there are executives making a lot of the decisions about the basic path that making a movie will take, and while we might not all agree with their course, you can damn sure bet they are using their experience in making these calls. Sure, it may harm the storyline for some, but they are thinking of the bigger picture, making a marketable, money-making movie; in other words, doing their job. But once those choices are made, they will spare no expense to make sure that all the assets, like good producers, directors, screenwriters, actors, effects groups and crew, are in place to make this happen.

Now imagine a world in which security is treated with such a success oriented respect… and the irony is, the template for this success is actually a key part in Sony’s business model.

Oh the irony…


Monday, November 17, 2014

Insure-Sec-Future-Fail

A few days ago @Wh1t3Rabbit, @dearestleader and I had a nice little conversation about insurance companies and Information Security with regard to breaches and how companies handle the potential risks. We already have red-teamers who are tasked with doing risk compliance testing for companies, and now it seems that the blue-teamers are going to be dragged into being the “adjusters” in this new realm of cyber-insurance. (To be fair to the others, I will take responsibility for this post, so just in case it fails utterly their good names won't be besmirched, but if they agree, even better!)

Now the article I am going to cite does not come out and say this, but this would of course be the natural progression, in my humble opinion. So without commenting any further, here is the article from ZDNET to which I am referring: http://www.zdnet.com/police-cant-stop-cybercrimals-but-maybe-insurers-can-7000035514/

Of particular note are the following quotes:

“Encouraging the creation of an insurance market for online crimes could help enforce standards of security, just as home insurers insist on a particular type of locks on doors and windows before they will agree a policy. This makes it harder for burglars to break in as well as potentially reduces the burden on the police.”

OK, so from this we can glean that, if insurers are involved, upper management might buy into more stringent security measures because it will save them money? Really? Well, if they would invest in and promote the best practices in security to begin with, then they wouldn't need insurance in the first place, right? Also, this raises the question of which “lock” would be the preferred lock, opening an avenue in which only “insurance approved” security appliances can be used in a system.

And it continues:

”The government argues that insurers are in a good position to encourage businesses - small ones especially - to improve their cybersecurity by asking tough questions about their breach and operational risk policies.”

Again, really, it takes insurers to encourage this? I’ll say it again: this is the job of the C-level folk to make happen, not some third party that will make money off a lazy corporate security climate, regardless of a breach. Think about it this way: a bank’s physical location might be insured, but they spend a hell of a lot of money on security, not to mention those large and very expensive vaults that are installed at every location. Hell, it’s easier to break into a bank's IT infrastructure than it is to literally rob a bank (and get away with a respectable amount of money). Let that sink in for a minute…

To their credit, there is a somewhat sane response in the article:

“Whilst insurance offers financial protection to businesses, it does not incentivize businesses to invest in enhancing their cyber security defenses."

However, the paragraph continues down the spending the money trail with this:

“He said organizations that demonstrate good cybersecurity should be rewarded through lower premiums, adding: "This would align to steps taken by insurers offering protection against wider business interruption and ensure that such risks were being appropriately managed by businesses and not just managed through insurance coverage."”

Which looks good in print, but sounds to me like compliance taken to the next level instead of truly focusing on the real issue: creating and maintaining a stalwart security posture, instead of just adding another level of “bandages” into the mix.


So, is everyone ready to work for an insurance company?

Sunday, November 16, 2014

So...

this started out as a joke tweet about a new company called Misguided Security, a firm that, as the blog states, will "tell you what you want to hear and check all your boxes". The reason this is such a novel idea is that this is exactly what a lot of companies want from their security auditors: a report and a checkoff sheet. But, as we all know, this is not what security is supposed to be about, in any shape or fashion.

Not sure what I will write about in this space, but it will be security related and most likely will involve some of the more insane tales that lead to security failures, hopefully with a humorous tone. But we'll see where this blog goes in the future, as I'm notorious for abandoning blogs; I'll try to make this one last, if there is an interest.