Saturday, December 27, 2014

Doing the Un-Walk!

Well, even after all the brouhaha about the FBI report coming out and (sorta) proclaiming that North Korea was responsible for the Sony Entertainment compromise, which most of the infosec community thought was bullshit from the start, they seem to be walking this back now. This is not surprising considering the evidence that has been presented to the contrary by many respected researchers in the field. On the other hand, a great many people do find this surprising, and why that is, is the real question…

The real reason this is surprising to so many people is manifold. First, most of us find it easy to think of North Korea as the “bad guy” just because of their past and current social and political status in the world. No one would ever argue that North Korea is a bastion of anything other than suppression and cruelty towards their own people and anyone else they could potentially force their will upon (which sadly is only their own people). Second, as of late, they have been flexing what weak muscles they have towards Japan (hiding under the skirt of China, since there is no love lost there) with missile tests and the like. And third, well, we all like bad guys being bad guys; it’s just so much simpler when the people we think are bad are, well, acting badly.

This is the perfect formula for a nice tight story, with backup that most people don’t understand, nor really care to for that matter, other than the word of our government, which, ironically, most people don’t trust to begin with! Strange bedfellows indeed! But a great formula for deceiving the masses through attribution by ignorance. And I do not blame the masses for this; I blame the government (and most of the media), as they are the ones that are attempting to take advantage of people who don’t know any better. Most people don’t know, nor should they be expected to know, how “sophisticated” cyber-attacks occur; after all, we pay experts to take care of this, right? I’m not trying to go all conspiracy theory on this breach, but the foundation is perfect for laying the blame wherever it’s convenient, especially considering the lack of understanding by most normal folks in society.

Fortunately, we have a lot of very talented and well-meaning people out there who know enough about attacks like this and have the balls to speak out about the research they have done on their own, without any compensation other than wanting to know the truth of the matter. The consensus, even before the FBI floated their weak hypothesis, was that this attack never originated from North Korea. And now, through this pressure of wanting the “facts” revealed, the FBI is walking back their initial position that this was the work of the North Koreans, which even North Korea denied (which should tell you a great deal, since, as crazy as they are, they would take credit for anything if it made them look good).

But enough of that for now…

So some might say it might have been Sony itself, to help push their movie and whatever else. That’s just really crazy talk considering the money they spent on making the movie, not to mention the huge liability they’re responsible for at the moment, cyber-insurance notwithstanding. So the Sony Entertainment Corporation is out of the running, other than the fact that they obviously have some major security issues that were never addressed.

So who actually breached Sony, and why? Well, that is the real question, isn't it? We can all speculate, whether from an informed perspective or as couch quarterbacks, but so far no one has actually identified a person(s) or group that has left a traceable path of evidence. One group has claimed responsibility for the breach and, despite all their threats, hasn't produced anything other than some data leaks and smack talk.

So I’ll just leave this out there for everyone to think about, especially since I know I am talking to a limited and intelligent audience: Sony is being hush-hush about this, which is to be expected; the Incident Response firm will be shackled by NDAs, so no information will come from them; and the government has now been discredited on their initial proposition by people who actually know what they’re talking about. But you know the FBI has talented people too, so that might just mean that they are hiding something, which is not unusual, but for what reason? And that is the real question, isn't it?

Throughout this whole debacle there is one conclusion that can definitely be drawn from all of this, though, and that is: attribution is now a weapon.

1 comment:

  1. Comment monster ate my first attempt at a reply, so I'm trying again.

    Disclaimer -- I am not an expert in intelligence, I am not directly/indirectly involved in the investigation and am only interested in this as an outside observer.

    My position- I'm inclined to believe the DPRK narrative, mainly because logically it makes sense to me, and because people I trust tell me this is the reality.

    So here are a few points in no particular order--

    -- There is some half-truth here when people talk about the "malware" being the indicator for DPRK. From the people I've spoken with, who have *seen, reversed, and analyzed* the malware samples directly from this incident, it's more than just code snippets in otherwise *potentially* re-used malware code. There are indicators that are conclusively linking this specific code to others which have been directly attributed to DPRK's cyber offensive capabilities. Initially we heard about the compiler language being set to Korean, I believe, and everyone shrugged, rightly. There is more evidence here than many of those discussing the malware samples are talking about, and thus the case seems weak when it really isn't.
    -- If you take a step back and analyze the history of the DPRK in the physical world, you'll see that this event's profile is perfectly in line with their modus operandi. They are the quintessential antagonist. They like to push the limits of what their "enemy" will tolerate, and then go just slightly over. They do this with cold calculation, knowing that retaliation will likely be nil, and thus maximizing their benefit. They are the brother or sister in the back seat next to the sibling on the family road trip with their hand a 1/4" from the sibling's face saying "I'm not touching, I'm not touching". Inflicting maximum displeasure on the victim, but also guaranteeing that retaliation would be seen as disproportionate. This is genius, I hate to admit. Hypothetically, if they DID take out SPE, what will be the US's response to a foreign government attacking (allegedly) an American (Japanese, technically) company? Nothing! We can't go kinetic as it would be a disproportionate response. We aren't going to go hack them because well ... do they even computer? There is just enough doubt here, so that the IC and victim *know* who it was, but they either can't share, or won't share, the evidence and the general public doubts. Again, unfortunately, it's perfect.
    -- The idea that the "government" is pushing this narrative along (via the FBI) is false. The people who were directly involved with this case are telling the same story. That alone doesn't automatically make it true, I agree, but it dispels the FUD that "the government is pushing this narrative".
    -- "Attributing to a foreign government requires a higher burden of proof!" - Yes, I agree completely. Who's to say that the intelligence community and SPE don't actually have this irrefutable proof, but just aren't sharing it with Joe security enthusiast? Contemplate that for a minute.
    -- The final point is that there are generally two classes of people here. I'll quote Dmitri Alperovitch here and say that "Those who *know* can't talk about it in great detail, those who don't can't seem to keep their opinions out of the media circus" (paraphrased).

    -- One last point. So many of the "security researchers" who are demanding to see evidence to analyze for themselves ...on what basis? Neither the government nor the victim (SPE) has any legal requirement to share the evidence and artifacts from this incident. Until there is some law on the books that requires this, the cries will go unheeded.

    Anyway... this is already too long so I'll end it there. Hope it made sense and helps explain a little of my thinking here.

    //Rafal ( @Wh1t3Rabbit )