More Data on Attributing the Sony Attack

An analysis of the timestamps on some of the leaked documents shows that they were downloaded at USB 2.0 speeds -- which implies an insider.

Our Gotnews.com investigation into the data that has been released by the "hackers" shows that someone at Sony was copying 182GB at minimum the night of the 21st -- the very same day that Sony Pictures' head of corporate communications, Charles Sipkins, publicly resigned from a $600,000 job. This could be a coincidence but it seems unlikely. Sipkins's former client was NewsCorp and Sipkins was officially fired by Pascal's husband over a snub by the Hollywood Reporter.

Two days later a malware bomb occurred.

We are left with several conclusions about the malware incident:

  1. The "hackers" did this leak physically at a Sony LAN workstation. Remember Sony's internal security is hard on the outside squishy in the center and so it wouldn't be difficult for an insider to harm Sony by downloading the material in much the same way Bradley Manning or Edward Snowden did at their respective posts.

  2. If the "hackers" already had copies, then it's possible they made a local copy the night of the 21st to prepare for publishing them as a link in the malware screens on the 24th.

Sony CEO Michael Lynton's released emails go up to November 21, 2014. Lynton got the "God'sApstls" email demand for money on the 21st at 12:44pm.

Other evidence implies insiders as well:

Working on the premise that it would take an insider with detailed knowledge of the Sony systems in order to gain access and navigate the breadth of the network to selectively exfiltrate the most sensitive of data, researchers from Norse Corporation are focusing on this group based in part on leaked human resources documents that included data on a series of layoffs at Sony that took place in the Spring of 2014.

The researchers tracked the activities of the ex-employee on underground forums where individuals in the U.S., Europe and Asia may have communicated prior to the attack.

The investigators believe the disgruntled former employee or employees may have joined forces with pro-piracy hacktivists, who have long resented the Sony's anti-piracy stance, to infiltrate the company's networks.

I have been skeptical of the insider theory. It requires us to postulate the existence of a single person who has both insider knowledge and the requisite hacking skill. And since I don't believe that insider knowledge was required, it seemed unlikely that the hackers had it. But these results point in that direction.

Pointing in a completely different direction, a linguistic analysis of the grammatical errors in the hacker communications implies that they are Russian speakers:

Taia Global, Inc. has examined the written evidence left by the attackers in an attempt to scientifically determine nationality through Native Language Identification (NLI). We tested for Korean, Mandarin Chinese, Russian, and German using an analysis of L1 interference. Our preliminary results show that Sony's attackers were most likely Russian, possibly but not likely Korean and definitely not Mandarin Chinese or German.

The FBI still blames North Korea:

The FBI said Monday it was standing behind its assessment, adding that evidence doesn't support any other explanations.

"The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector," a spokeswoman said in a statement. "There is no credible information to indicate that any other individual is responsible for this cyber incident."

Although it is now thinking that the North Koreans hired outside hackers:

U.S. investigators believe that North Korea likely hired hackers from outside the country to help with last month's massive cyberattack against Sony Pictures, an official close to the investigation said on Monday.

As North Korea lacks the capability to conduct some elements of the sophisticated campaign by itself, the official said, U.S. investigators are looking at the possibility that Pyongyang "contracted out" some of the cyber work.

This is nonsense. North Korea has had extensive offensive cyber capabilities for years. And it has extensive support from China.

Even so, lots of security experts don't believe that it's North Korea. Marc Rogers picks the FBI's evidence apart pretty well.

So in conclusion, there is NOTHING here that directly implicates the North Koreans. In fact, what we have is one single set of evidence that has been stretched out into 3 separate sections, each section being cited as evidence that the other section is clear proof of North Korean involvement. As soon as you discredit one of these pieces of evidence, the whole house of cards will come tumbling down.

But, as I wrote earlier this month:

Tellingly, the FBI's press release says that the bureau's conclusion is only based "in part" on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack. The NSA has been trying to eavesdrop on North Korea's government communications since the Korean War, and it's reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un's sign-off on the plan.

On the other hand, maybe not. I could have written the same thing about Iraq's weapons of mass destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.

I also wrote that bluffing about this is a smart strategy for the US government:

...from a diplomatic perspective, it's a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.

Of course, this strategy completely backfires if the attackers can be definitely shown to be not from North Korea. Stay tuned for more.

EDITED TO ADD (12/31): Lots of people in the comments are doubting the USB claim.

Posted on December 31, 2014 at 7:52 AM • 96 Comments

Comments

readerrrrrrDecember 31, 2014 8:36 AM

You can have terabytes in your pocket. Using flash drives would also explain why Sony didn't not notice any abnormal network activity.

Cynthia SiemensDecember 31, 2014 8:55 AM

It seems entirely possible to me that, if North Korea directed the attacks, they might deliberately have hired hackers from a variety of geographic locations specifically in order to throw the FBI and other investigators off their scent. It also seems as if they could have worked with a disgruntled insider, but the timing of the firing and massive download via USB 2.0 makes it seem less likely it would have been Sipkin.

NopeDecember 31, 2014 9:22 AM

Okay, I'm as skeptical as anyone at the NK angle on this story.

That said your source "gotnews.com" is making an even more reckless jump to conclusions and I'm surprised you bought and reported their wacky conclusions without examination. They are basing this purely on timestamps in an archive. A much simpler and more mundane explanation is that this was archived on a compromised machine on Sony's LAN or VPN before, which is exactly what you would expect a hacker exfiltrating huge quantities of data to do. Apparently "gotnews.com" got their ideas of hackers from '90s movies like Hackers and Office Space where hackers move data directly over a modem terminal into a floppy disk.

I'm even more surprised that you quoted their damaging and unsupported claims against their communications director by name. I'm not saying it's impossible that there's a connection but such a conspiracy should have evidence before it's published in such a wildly defamatory fashion.

WmDecember 31, 2014 9:22 AM

This is the problem with elements of our and all justice systems today. They are exceeding arrogant and full of pride, megalomaniacs refusing to admit to mistakes or doing any wrong. They have become extremely dangerous to the innocent and their disposition screams for people to refuse to cooperate with any interrogation attempts by authorities, immediately exercising one's right to remain silent.

RockyHorrorDecember 31, 2014 9:52 AM

It's all up in the air until Sony decides to release the information. I believe everyone and don't believe everyone. I agree with readerrr in that for a person walking out with the data makes more sense that Sony never observed anything abnormal. Could it be an exfiltration via multiple IPs at a slow pace? I don't think there are defensive tools that can detect that type of activity (detection is always retroactive, unless you had a prior active list). I think attribution is a moot point if the attack is simple and effective. The bigger problem is the possibility of the insider threat. Those are the attacks you can never count on. You've already vouched for them to work at your company. Are you saying your security process is flawed? Maybe as you can see the struggle the DoD is having. There is the thought that if a company creates a system which can alert on an events when combined can lead to an incident (for example, working abnormal hours, logging into systems they don't have a need to. I think sys admins need to be scrutinized even more).

Bruce SchneierDecember 31, 2014 9:56 AM

"That said your source 'gotnews.com' is making an even more reckless jump to conclusions and I'm surprised you bought and reported their wacky conclusions without examination. They are basing this purely on timestamps in an archive. A much simpler and more mundane explanation is that this was archived on a compromised machine on Sony's LAN or VPN before, which is exactly what you would expect a hacker exfiltrating huge quantities of data to do."

Yes, that's the second option that I quoted, above.

moffetcatDecember 31, 2014 9:58 AM

Insider, outsider, NK, whatever - what about DLP? 182GB of 'sensitive' data copied to a removable drive is significant. Is anyone watching? (Sounds like asking Target if anyone was watching FireEye.)

Bruce SchneierDecember 31, 2014 9:59 AM

"It's all up in the air until Sony decides to release the information. "

Unfortunately, it's in Sony's best interest to convince the world that North Korea was behind the attacks. I'm sure many of their contracts have a force majeure clause that would protect them from liability.

Tal KleinDecember 31, 2014 10:04 AM

Spot on Bruce.. I was on Marketplace Tech this morning echoing this, although they only used like 10 seconds of a 30 minute interview ;)

Bruce SchneierDecember 31, 2014 10:13 AM

"You can have terabytes in your pocket. Using flash drives would also explain why Sony didn't not notice any abnormal network activity."

Yes.

NopeDecember 31, 2014 10:15 AM

Your intro simply said that the leak showed they were "downloaded" at "USB 2.0 speeds" implying an insider. The most likely explanation isn't even the second option quoted, that they made a local copy before archiving, although that's another perfectly plausible explanation, it's that they made a REMOTE copy on a compromised machine. "USB 2.0 speeds" is meaningless. These timestamps could have been created by any number of ordinary network/disk configurations. There's no way to look at these timestamps and conclude "USB 2.0". At the very best all that can be concluded is that USB 2.0 interface for the last copy that touched timestamps can't be ruled out, in which case it could have just as easily happened with a local copy per option 2. There's very little that can be concluded other than a latest possible date of some copy of compromised data if you trust the timestamps. Absolutely zero evidence for an insider theory.
The source is reckless and disreputable and parroting their conclusions hurts your credibility.

Malcolm PellDecember 31, 2014 10:42 AM

I have a general comment to offer about this and other hacking/cracking/malicious attacks against western home users and small businesses.....

I have started to wonder why those Western ISPs that cover the home and small business market don't just automatically block the IP address blocks for North Korea, China, Russia and the Middle East. Those customers that specifically need to access IP addresses within these IP blocks could then ask for them to be unlocked.

As a hopefully typical IT professional, ALL of my Web and Internet work takes place within the UK/GB, USA, Canada, Australia, New Zealand, France, Germany and Italy. I cannot think of any personal or professional reason why I would need to access any other country.

I realise that this wouldn't protect against attacks from western hosted botnets and trojaned PCs, but, it would reduce the number of attacks in general and make life easier for the less technically skilled home and small business users.

If I had more IT equipment and could justify a professional grade type Cisco or equivalent Router and Firewall - then this would be one of my top defence policies.

What do other Blog readers think ?

SoWhatDidYouExpectDecember 31, 2014 11:07 AM

This is just incredible...

FBI Monitoring Hacking Targets For Retaliation

http://it.slashdot.org/story/14/12/31/1356259/fbi-monitoring-hacking-targets-for-retaliation

As one of the agencies responsible for spying on U.S. citizens and/or not pursuing the malicious hacking of worldwide infrastructure, plus doing probably little or nothing about the illegal use of hacked data, they would now move to stop businesses from fighting back. That is probably because they fear having some of their own dirty laundry uncovered. On the other hand, some of these businesses maneuver to get your data but attempt to behave as the government agencies behave when others get their data.

Really sad that we have become much of what we despised back in the iron curtain days.

AlexDecember 31, 2014 11:16 AM

@Malcom Pell I've questioned this before as well, in fact I had made a recommendation of blocking DPRK traffic to a Fortune 100 company operating within US once, only to be met with blank stares and uncertainty. I'm not sure why, but I suspect that people are worried that blocking a whole country might be painting a bullseye on your back, for hackers from that country?

GweihirDecember 31, 2014 11:16 AM

I find the time-stamp analysis highly convincing. (And a cool idea!) There are not many situations where you get 500MBit/s consistently, USB2.0 is the only obvious one. A USB 3.0 HDD connected with USB 2.0 would usually give these speeds and so would an SSD in a USB 3.0 case connected to an USB 2.0 port. That is my most likely scenario at this time.

A far less-likely scenario is Gigabit Ethernet over USB2.0, which tends to be a bit slower due to handshaking and protocol overhead. And of course, it could be plain traffic-shaping, but to what end? 500Mbit/sec shaping does not have any obvious applications.

Also I want to modify my earlier claim that the volume of data shows this was not a highly competent hack: Either it was not a highly competent hack as the attackers took lots of data which causes a huge risk of detection, or it was indeed an insider that could get at all of it in a way that does not go over the external firewalls.

Side note to all future leakers: "touch" is your friend ;-)

NopeDecember 31, 2014 11:21 AM

> Yes, I know that Chuck Johnson is unreliable and worse. But in this case, I thought the data sound enough to republish.

Wow, doubling down on crackpot nonsense and libel. Well played Bruce.

Also love how you and your other commenters somehow simultaneously have zero faith in Sony but such high faith in the ability of their IT department to catch a couple hundred gigabytes of outbound network traffic from one of their nodes and stop it midstream.

I guess somehow I expected better. Oh well.

Clive RobinsonDecember 31, 2014 11:23 AM

@ Malcolm Pell,

I have started to wonder why those Western ISPs that cover the home and small business market don't just automatically block the IP address blocks for North Korea, China, Russia and the Middle East. Those customers that specifically need to access IP addresses within these IP blocks could then ask for them to be unlocked.

It won't work.

The reason is as long as there is any connection to these places directly or indirectly then the attacks will continue.

Both China and NK have the ability to put platforms in space that they could if no other option was open to them use as communication relays to covert points they have connected to the Internet in any country of their chosing.

Thus the IP address you are attacked from by an agent of any of the countries you mention could be that of the PC in the house down the road, that is being used as a bridge from say NZ which is a bridge from say the UK, etc etc etc to some company office in Soul SK which has a private leased line to a other office in another country, but also has insecure WiFi that can be accessed via a hop or three from the NK side of the border...

The number of ways to do this is beyond what you or I could guess in a reasonable time period, and with current general use technology cannot be stopped.

The way to limit the damage is to make general use computers way way more secure than they currently are. And you can bet your last dime that US Intel and Law Enforcment agencies will fight you every step of the way using every trick they have. And don't think it's just the US it includes just about every country you would wish to live and work in and a lot of the ones you would not as well.

Clive RobinsonDecember 31, 2014 11:33 AM

@ Nope,

Also love how you and your other commenters somehow simultaneously have zero faith in Sony but such high faith in the ability of their IT department to catch a couple hundred gigabytes of outbound network traffic from one of their nodes and stop it midstream.

Err data exfiltration is a problem that has been known for a good long period of time. Even a decade ago monitoring out bound traffic statistics and other measurands was moving from "best practice" to "standard operating procedure" in organisations the size of Sony.

Which makes me wonder which organisation you work for and what their IT Department does, if you actualy know.

virmalineDecember 31, 2014 11:40 AM

"Tellingly, the FBI's press release says that the bureau's conclusion is only based "in part" on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack."

This whole "classified/we can't tell you how we know" angle requires putting a lot of stock in anything the FBI or US fed government tells the public. I myself remain skeptical. I don't believe almost anything the federal government tells the public.

DerekDecember 31, 2014 11:54 AM

This is a pretty good article here! One problem that I need to point out, though — you referred to Chelsea Manning by her dead name. I'm guessing that you simply aren't aware of this, but it's usually considered immensely disrespectful (and actually bigoted) to refer to a trans person by their birth name and pronouns when they have explicitly stated preferences otherwise.

That aside, this article was definitely a good read!

NopeDecember 31, 2014 12:06 PM

Err data exfiltration is a problem that has been known for a good long period of time. Even a decade ago monitoring out bound traffic statistics and other measurands was moving from "best practice" to "standard operating procedure" in organisations the size of Sony.

First of all hacks happen due to failures in known best practices all the freaking time in big organizations like Sony. That's usually how they get hacked, okay? Again with the ironclad faith in Sony's IT organization for some reason.

Second, a couple hundred gigabytes of data is not that much data. On a fast symmetric corporate connection it could have easily happened in a couple hours without triggering any alarms, certainly before an understaffed and overworked IT department was able to react.

In the terabyte range, yeah that should be caught. But: 1. We haven't actually seen terabytes yet, we only have the hackers' own braggadocio that they successfully exfiltrated that quantity of data, and 2. Even if they did, it could still be done on full blast in a couple of days or potentially less if they were able to move it to a fast server and play their cards right. I find it completely believable that no one was watching and took action in time even if it was done obviously. That would be a legit failure on the part of their organization, but so what? There was obviously a failure on the part of their organization. One way or another there was a massive data dump. Technically speaking, there's no reason if they were totally hacked that a terabyte or two of data couldn't have been stolen via internet channels.

TylerDecember 31, 2014 12:19 PM

I've been saying this looks more like a "state-tolerated" attack since before the FBI attributed it to North Korea. It makes sense for them to hire it out - it gives plausible deniability (unless, of course, you have human or signals intelligence to indicate otherwise.) It matches a pattern we've seen in Russia during the Estonia and Ukrainian attacks - they seem to have some level of command and control beyond a single organized crime group, like apparently shared target lists. The attacks are in the interest of the state, but not necessarily legitimate military or industrial espionage targets.

In Russia, the state looks the other way on criminal activity as long as they can call in favors when in the interest of the state. This sounds similar, but it is likely that they would have to hire out the capability if they didn't want to do it internally.

ChristianDecember 31, 2014 12:30 PM

Is there any possibility that this sony hack is a marketing campaign to make money from a rather bad movie?

AdrianDecember 31, 2014 12:39 PM

@ Nope,

"At the very best all that can be concluded is that USB 2.0 interface for the last copy that touched timestamps can't be ruled out, in which case it could have just as easily happened with a local copy per option 2."

A local copy wouldn't affect the mtime values on the files. The ctime and atime would be affected, but the article says mtime.

WaelDecember 31, 2014 12:49 PM

@Christian,

Is there any possibility that this sony hack is a marketing campaign to make money from a rather bad movie?
That thought has crossed my mind as well. Can't say for sure if it's true.

Nobody N. ParticularDecember 31, 2014 12:52 PM

Regarding whether or not this was plausibly an insider attack: why do we assume that there would only be one insider involved? Why could it not have been multiple employees, or even a single employee with outside help?

WaelDecember 31, 2014 1:10 PM

Pointing in a completely different direction, a linguistic analysis of the grammatical errors in the hacker communications implies that they are Russian speakers:
A clever hacker, being aware of the sort of analysis to follow, can deliberately make it sound like a Russian or other nationality. I can write text resembling a Russian, Spanish, or German, Chinese national with the typical mistakes in spelling, grammar, idiom use and misuse and sentence construction in addition to direct translations from that language that would point to the intended target nationality -- not exactly rocket science...

gordoDecember 31, 2014 1:12 PM

@ Clive Robinson

"...make general use computers way way more secure...Law Enforcment agencies will fight you ...just about every country you would wish to live and work in...."

Thus, the efficacy by necessity of incident response? The age of getting (some)one('s) back up?

What's interesting, as well, are the numerous researchers and organizations studying the attribution question. Prosecutions, should any occur, in the face of evidence from the various threat-intelligence haystacks, may end up telling the story. I wonder how this kind of thing might actually play out in either international, national, or local courts. I suppose, depending on how all this goes, the current episode might serve as a case study of nascent open source information sharing, albeit, after the fact.

@ Nope
The current episode may also serve as a common point of reference for object lessons in best practices not practiced (they appear to be numerous).

Note to self:
Then again, except for maybe the insurance industry, if media coverage wanes, it might all be for naught. "Tonight, the plausible deniability of liability in the civil case against Company X, and last year's data breach, leads our newscast..."

Tony H.December 31, 2014 1:15 PM

This linguistic analysis seems extremely dodgy to me. Not that the notion of identifying the writer's native language using various clues in the English text is unscientific, but this all assumes that there's no spoofing going on. And if it's a state sponsored hack, there will be. Even the smallest and least competent nation state has native English speakers at its disposal, and if (say) it was NK and they don't want it attributable, they would use their native English speakers to craft the messages with various introduced errors to make it look (say) Russian. Sure, a fluently bilingual English/Korean speaker isn't going to do a great job of making the English look Russian, but then NK doubtless also has fluently bilingual Russian/Korean speakers to consult with. And it doesn't have to perfectly encode Russian in some way; it's just a matter of avoiding uniquely Korean-pointing clues and leaving some Russian-style grammatical breadcrumbs around for the analysts to find.

Can someone who's read the actual Taia paper (it's not directly online) comment on whether they discuss spoofing?

NobodySpecialDecember 31, 2014 1:24 PM

@Nope - Detecting a few 100gb of data on a corporate lan is tricky.
Having a corporate LAN where even an insider can have access to both the HR details of employees AND the video files of unreleased movies is in the words of the great movie character "inconceivable".

Not CliffDecember 31, 2014 1:30 PM

"The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage" is about the USSR hiring East German hackers to hack into DOD via university computers. Contracting with outside personnel is a common intelligence technique. It puts the hack at arm's length from the nation behind it.

Alan BostickDecember 31, 2014 1:31 PM

It's important to remember that "attack facilitated by an insider" does not rule out "attack directed by a state actor." Covert action programs have been suborning or placing insiders to access targets for about as long as covert actions have been taking place (e.g., Samson and Delilah).

Bayes' Theorem and Occam's Razor suggest that if an insider was involved, the likelihood of state action goes dramatically down. But this likelihood does not entirely vanish.

Robert ThauDecember 31, 2014 1:34 PM

On top of everything else, it's possible that the timestamps were just forged with deliberate obfuscatory intent. That sort of thing has happened in the past, most notoriously with the forged evidence in the Turkish Ergenekon trials -- in which documents were presented as dated 2003 even though internal evidence showed references to fonts and software available only in 2007 or later:

http://balyozdavasivegercekler.com/2012/10/04/dani-rodrik-did-microsoft-steal-its-fonts-from-the-turkish-army/

WaelDecember 31, 2014 1:49 PM

@ Gweihir,

Side note to all future leakers: "touch" is your friend ;-)
And command history logs can be your enemy, too :)

NopeDecember 31, 2014 2:02 PM

> A local copy wouldn't affect the mtime values on the files. The ctime and atime would be affected, but the article says mtime.

No. Assuming they were using Linux locally (another assumption), cp for instance does not preserve mtime even across a the same mounted volume, unless it's invoked with -p
Neither does tar.

bpDecember 31, 2014 2:03 PM

Even if you thought it was useful to share the speculation from GotNews.com, it's a mistake to do so without telling your readers that Charles C. Johnson is an unreliable knucklehead.

Clive RobinsonDecember 31, 2014 2:05 PM

@ Nope,

Again with the ironclad faith in Sony's IT organization for some reason

How on god's little green apple do you figure that?

If you go to one of the other threads on the SPE hack, soon after it happened, you will find me making the same argument about the --then reported terabytes of-- exfiltrated data and concluding that Sony had been negligent.

You will also find an argument as to why I belived that either external hackers had got very lucky or the hack was made by or assisted by a disgruntled SPE or ex-SPE employee.

From the little evidence we have, I see nothing to indicate that SPE were a "shining light" at anything other than iniquity and brown nosing elected US Politico's.

Further I've given an example of how those exfiltrating that sort of data could relativly easily setup things so that the NSA web of network surveillance could be easily fooled into indicating that the data had been exfiltrated to NK whilst in reality it was taken from an intermediate relay point (think oh a hotel...) on removable media which would not be visable to the NSA web of surveillance Internet taps.

The problem I'm mainly concerned with is that there is little or no public evidence, and those that did investigate have well known "vested interests" to the point of wearing red tinted glasses if their publicaly reported history is anything to go by.

In fact if you step back a step or so it's easy to see that there is insufficient evidence released by those investigating to say it actually happened at all, let alone point the finger in any particular direction. The only evidance we otherwise have has come from one or more groups that had access internaly to SPE's network, how is unclear, it could be by the network gateway ir via a USB drive in somebodies pocket/bag.

Moving on from this point we thus have a real problem US Pres BO chose to create a diplomatic incident by publicaly naming NK, but not providing any evidence. From what little evidence we have we can conclude that this was probably an unwise thing to do as there is not even a smoking gun, nore the shadow of one that could be considered reliable evidence in what we have publicaly available to us.

There are a couple of conclusions you can draw from this, one is there is no "golden thread evidence" the other is that the US has penetrated NKs networks sufficiently far to get it or they have an asset in place. Either way you can be sure NK are going to investigate and go looking for the "methods and sources", and you can be sure that in the process a lot of people will "get fed to the dogs". The problem is there may well be other countries who have "methods and sources" in NK and thus there is a high probability they will get burnt and years of work killed off.

The US Administration across the last two presidencies have repeatedly made public things that have burnt their own and other nations sources, which is not a good way to behave as it harms not just the methods and sources but civilians in the targeted countries and civilians in the US and other nations, because people will nolonger cooperate if there is any risk the US will get to know about them, thus real intelligence will be lost, before there is an opportunity to gain it...

Bruce SchneierDecember 31, 2014 2:34 PM

"This is a pretty good article here! One problem that I need to point out, though — you referred to Chelsea Manning by her dead name. I'm guessing that you simply aren't aware of this, but it's usually considered immensely disrespectful (and actually bigoted) to refer to a trans person by their birth name and pronouns when they have explicitly stated preferences otherwise."

Agreed. Note that I was quoting someone else up there.

Bruce SchneierDecember 31, 2014 2:37 PM

"Even if you thought it was useful to share the speculation from GotNews.com, it's a mistake to do so without telling your readers that Charles C. Johnson is an unreliable knucklehead."

Yes. I should have done that.

WaelDecember 31, 2014 3:01 PM

@Bruce Schneier,

Agreed. Note that I was quoting someone else up there.
That's just great. Now you are proclaiming prophethood? :)

AdrianDecember 31, 2014 3:53 PM

@ Nope,

OK... I just tried copying some files and you're absolutely right about cp not preserving mtime by default. You're wrong about tar, but you're right about cp.

Assuming the hackers used cp to copy the files to a USB drive, the mtime values could represent the times at which the files were last copied by such a method, be it onsite or offsite. Conversely, if cp did preserve mtimes we'd be seeing the original mtimes as found on Sony's computers rather than mtimes produced by the hack.

It's possible to come up with scenarios whereby modification times would be preserved after making an initial onsite copy, but there's nothing to indicate that.

M.V.December 31, 2014 4:55 PM

There is a little problem, USB 2.0 doesn't deliver a 480 MBit/s payload transfer rate. Under best conditions one can get 425 MBit/s. 13 Packets with 512 Byte payload fit in one microframe, which has a duration of 125 µs. (Table 5-10 in USB 2.0 spec).

WaelDecember 31, 2014 6:49 PM

@M.V.,

There is a little problem, USB 2.0 doesn't deliver a 48...
How about if it were more than one USB 'stick' or a Thunderbolt port? What if an entire backup library "disappeared"? Why not a USB-3 external drive, or two...?

M.V.December 31, 2014 7:40 PM

@Wael

With 2 drives should be 2 threads visible in the timestamps.

Your other options, Thunderbolt, USB-3, and i will add eSata is quite possible. Also a write speed of 60 MByte/s is quite in the range of existing pocket drives (even slower SSD!).

Another possibilty is that the target USB-2 drive was cached, the flushing of the cache at the end would be not visible in the timestamps. But this will should show up as a faster speed at the begining (filling the cache) followed by a sudden drop when the cache is full. If this is the case (i haven't checked) it would be a miuch stronger hint for an inside job.

dseDecember 31, 2014 9:58 PM

One way to test the USB claim would be to replicate the copy by different methods and on multiple OS many times then look at the timestamps distribution and see if there is any statistical significance to one of them being used.

fork_in_the_roadDecember 31, 2014 10:20 PM

@RockyHorror, @Malcolm Pell

There is a way to track exfiltration, it's called "show conn" on a cisco firewall. Aggregate the results over time and a long-running connection you don't know would definitely be there.

We know Sony went cheap and apparently indifferent on IT everything. That translates to the chances staff was populated by point-and-click admins is near 80%.

There's no way this is PR for a bad movie. Apparently the personal data compromise is very real. Exposing c-level staff as little more than high school politics it actually is would not happen if it were just a PR ploy.

Nick PDecember 31, 2014 10:22 PM

re storage options

Another option is that it's one of the people with access to or control of the backups. And they just kept making extras over time. ;)

Nick PDecember 31, 2014 10:26 PM

EDIT: Oops I thought this was a different thread. Haven't read this one. My scenario is out but still viable on other exfiltrations. And a Cisco router wouldn't see it. Also, network taps are a classic way to avoid being seen doing external connections. Use them to intercept backups and other key data.

AndrewDecember 31, 2014 11:28 PM

If NSA was wrong about this, it means that all the capabilities we assume they have are wrong.

Clive RobinsonJanuary 1, 2015 1:40 AM

@ Nick P,

(Hopefully that's the "new year" gremlins out of the way for you in 2015 ;-)

The thought had occured to me originaly when I heard of the attack and the scope of the data --supposadly-- exfiltrated across the network. That is the first thought was how did external hackers get the data from all the different back end servers...

There were three immediate further thoughts,

1, Improbably negligent security.
2, The hackers had been cautiously there for a considerable period of time.
3, The hackers had got at either a common storage network or backups.

Initialy assuming SPE were not negligent in their ICT practice either that hackers had improbably got into all the backend systems without triping alarms or they had got behind the systems into common data storage or the backup system. The reason I say improbably got into all the systems is because it implied the use of a zero-day used extreamly cautiously over an extended time period, which is not normaly seen external hacker behaviour.

If it was a common data attack then the backup system would be the most likely, afterall if you can get at the backups it saves the risk and difficulty of going after every other system on the network.

But there were two thoughts against it for an outsider attack. The first was the quantity of data "originaly" claimed that would have to have been buffered or sent at the speed of the backup process to stop it being obvious to the backup admin that something significant had happened. The second being the systems that usually do backups because of their "access all areas" view of the world are often better protected in various ways, which brings us back to the first point of negligent security.

So access to backups would tend to be indicative of very poor practice by the admins, or an insider attack.

There was also the question of the size of the data stolen, several terabytes chugging out over the network in a short time period again pointed to either negligent security practice or insider knowledge you would not expect an external only hacker to have.

Then thinking about why Sony had been in security news fairly frequently suggested that negligent security practice and an unhappy insider or ex-insider were not at all unlikely...

The problem was without further information, it was just a thought process rather than an attribution process. But "state level attack" from NK felt considerably less probable than a blackmail / revenge attack by an insider or ex-insider.

Then I heard who had been brought in to investigate, and their long running preferance for seeing through Red Tinted Glasses, and it gave me a further uneseay fealing. Especialy when NK's --supposed-- previous attacks were of quite a different MO.

Untill we get more evidence all we can do is try and wring out as much usefull information as we can from what we have got. And so far it boils down to either negligence by Sony or a Sony insider as the root cause for the data getting out. The initial extortion / blackmail attempt and later release of personal data, is more indicative of the MO of an insider or hacker group than a --supposed-- state level attack by NK. Then there is the very odd timing over the supposed demands to have the film held for release, which is indicative of somebody playing games.

And that's where the worms come jumping out of the can with avengence, neither Sony nor NK are popular, in fact they both have a lot of enemies who would want to attack / frame them for so many reasons it would be difficult to list them all, and on top of this there is "super power" politics with China, Russia and the US all having agenders over NK. Most of which involve SK which has many mixed opinions over NK and how to deal with them and thus many vested interests. Any number of which could be playing games, before you consider some others would just do it for a joke to relieve lifes little boredoms, or claim bragging rights for manipulating the Politicos / Press / Public...

Which makes it all a "very target rich environment", which in turn needs much more evidence to sort out, which we just don't have...

To make it worse there is the behaviour of US Pres BO, creating a diplomatic incident, for reasons that are not clear, but decidedly unhelpfull if not dangerous. Supposedly there is "secret evidence" from either the US Intel or Law Enforcment communities.

As I've indicated it would not be terribly difficult to spoof the NSA network taps to make it look like the data was being exfiltrated to NK when in fact it was being pulled off via a non network method the NSA taps cannot see.

To make a public diplomatic incident would normally require a "golden thread of evidence" not suspicion or supposed circumstantial evidence. For a number of reasons one of which is to limit collateral damage you would make this evidence available.

Not having done so and now giving all the indications of "back peddling" has made the situation much much worse.

At the very least it makes it likely that the actuall hackers will not be brought to justice.

WatchedJanuary 1, 2015 3:37 AM

welcome to the most beautifully executed psy-op we have witnessed in modern time.

AndrewJanuary 1, 2015 3:51 AM

@Nick P - "The FBI or NSA?"
"Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector," a spokeswoman said in a statement"

Now I see what I said earlier, what I meant was:
"If NSA was wrong about this, it means that all assumptions about their capabilities made here are wrong"

We miss a lot of technical details (basically all), while the discussions are around files timestamps, intelligence profs may consist in processor ID that extracted the Sony data and where this was bought or even hackers voices or whatever.

Clive RobinsonJanuary 1, 2015 5:41 AM

@ Moderator,

The above comment #6685864 from Peter has the hallmarks of link spam.

Clive RobinsonJanuary 1, 2015 7:03 AM

@ Andrew,

"If NSA was wrong about this, it means that all assumptions about their capabilities made here are wrong"

Whilst the NSA might be able to break the laws of man, I don't think they can break the laws of physics.

Neither are the NSA possesed of omnipotence or omnipresence, though the "collect all" policy sounds like they are trying to do the latter plus a bit of backwards time travelling whilst staying with inside the laws of physics.

However the NSA cannot collect all, infact by comparison to the information out there they can only collect the high lights of what we give them.

For the NSA to be collecting more they have to have accessed the machines involved either prior to or during the attack and placed eavesdropping software of some type on them or hardware that does simillar.

It's a reasonable assumption that even the NSA don't have the resources let alone the access to do this to any and every machine.

Thus the NSA have to chose which machines to do this to. It is a fair bet that they will have considered every router and gateway machine into the NK asigned range they can see but not every machine behind those.

Due to the closer association of NK to China and the fact China has more than sufficient high end machine manufacturing capability it is a reasonable assumption that not all those machines in NK have had extra hardward added (unless in certain chips). Nor that all those machines are actually accessible by any network the NSA could get access to.

Backwards as many people like to think the NKs are, they are not, and as individuals they are with the appropriate resources just as capable as those in SK and most other countries. In fact we will probably find as we did with the Russian's that a restriction on resources actually makes them more capable than most would expect when it comes to ability within mainly intangible information sphere, due to the fact they have to get the best they can from the limited resources.

Further access to the machines that the NSA can see in NK is via network segments the NSA do not have control over but the likes of China do.

This means that the NSA are playing in hostile waters and any data they may want to exfiltrate is very likely to be watched for, not just by NK but China as well. Further it also means that any data they do get will be limited in quantity and very possibly suspect as well (ie China might decide to carry out it's own activities as though they are NKs for various reasons).

Thus there are very real human imposed limits on what the NSA can do via the likes of the internet and not get caught out in various ways. And it's a reasonable bet that the NKs have worked this out for themselves or have had assistance from the likes of a Super Power or two.

There are other "methods and sources" available to the NSA and other intelligence gathering agencies. On the "methods" side they could park a satellite or two over that part of the world or fly "rusty rivit" missions at the edge of NKs borders and sniff the EM spectrum, however there are the laws of physics applying constraints on what is possible with these.

Then there are "sources" which covers HumInt and "agents" within NK and it's leadership structures. Due to the closed nature of NK, getting intelligence assets in there is quite difficult (though various journalists have blundered in and got away with it in the past). Thus the few human assets they would have would be rare and very valuable, so you would assume well protected and not needlessly expended.

Which is why you have to question the wisdom of the last two US administrations, they have repeatedly burned not just their own intelligence assets but those of other nations for what appears to be political grandstanding.

Which raises the question of if the US or other nations have human assets in NK has the behaviour of US Pres BO just put them in jeopardy because to most nations a national leader publicaly causing a diplomatic incident of that sort will mean that that leader believes they have enough "golden thread evidence" to go to war.

Which means that the NKs will go on a witch hunt, and if they do find an asset or someone that looks like an asset. Then on past behaviour the NK leadership will "throw them to the dogs".

Which oddly perhaps indicates the US don't have any human assets in NK nore do they know of any belonging to their other allies, nor do they believe they are likely to...

Does that help with what you are trying to get your head around?

Dirk PraetJanuary 1, 2015 7:48 AM

@ Malcolm Pell

I have started to wonder why those Western ISPs that cover the home and small business market don't just automatically block the IP address blocks for North Korea, China, Russia and the Middle East.

Because unlike you, other individuals and companies may have a legitimate need to communicate/do business with those countries.

@ Nope

Also love how you and your other commenters somehow simultaneously have zero faith in Sony but such high faith in the ability of their IT department to catch a couple hundred gigabytes of outbound network traffic from one of their nodes and stop it midstream.

If the IT division of a company the size of Sony and that has been hacked numerous times before has no controls whatsoever in place to detect and drop such traffic, than they are morons. So actually most of us here think both management and IT are incompetent. It's even beyond me that in the post-Manning era and with malware being ubiquitously introduced through infected memory sticks, a company taking its security serious is not keeping logs of USB-device connects allowed on a limited number of machines only.

fork_in_the_roadJanuary 1, 2015 10:52 AM

@Nick P

A Cisco *router* might not see it. I've never used router as a firewall. But a cisco pix firewall absolutely reports all connections.

Is anyone getting fired for buying Microsoft? Didn't think so.

AndrewJanuary 1, 2015 11:55 AM

@Clive Robinson

North Korea is a close system, very hard to penetrate from outside, so as soon as they installed internet lines probably they were in US intelligence attention and they were considered Achilles' heel.
As already stated, the proofs in Sony case are not based on data gathered AFTER incident ON internet but on a full scale long term surveillance over NK. NSA implants do not install themselves over internet and North Korea seems to have very few physical lines.
It's very few information around from "inside" about such a complex subject to make assumptions. But I wouldn't go that far take in consideration few focused details and ignore US capability about spying on NK traffic. Other then everything being a lie.

Clive RobinsonJanuary 1, 2015 12:06 PM

@ Jan Winter,

I'm generaly not that impressed with what Richard Bejtlich has to say...

However,

@ All,

You might want to read this,

http://www.taosecurity.blogspot.co.uk/2014/12/five-reasons-attribution-matters.html

And fill it in for what we know for SPE, if nothing else it will tell you how bad your "Welcome 2015 Party Head" is ;-)

More seriously whilst "attribution" can be a worthwhile excercise, it does kind of asume you have some kind of handle on who your attackers might be. In many cases this is guess work and thus can result in misplaced resources.

Further it's also got the same problems "Defence Spending" has. Implicitly you know if you either don't spend or spend to little you will be attacked, but how do you find that fine line between just enough and to much or way to much.

But then there is the problem of general -v- specific spending. If you assume that your Credit Card DB or equivalent is what attackers are going to go for, you will probably spend to much there and not enough in some other area such as R&D or Development.

Also it's often not possible to "know your enemy" for various reasons, I doubt for instance we know even a fraction of the people going after CC details, therefore unless they have distinctly similar MO's assuming they are all similar to the last lot who hit the headlines may be the equivalent of "Generals fighting the last war again". But those going after CC data are but a small but quite visable part of the attacker ecosystem, many others are very much more successful but due to what they go after and how don't get seen or caught, and thus like them their MO are almost entirely unknown. In essence this is what APT used to be, the first you knew you had been owned was when a competitor launches a new product with what you thought was your "secret technology" inside it.

This goes on in manufacturing etc rather more than we hear about as even when an attacker is tracked down, very often the "Who What How Why" details remain hidden due to other business concerns, thus the MO etc even though known never becomes of use to others.

Similar issues apply to all the lower levels, so whilst attribution may be a desirable goal to often it's not practicaly possible except for "bottom feeder" type attackers who use low cost of the shelf tools and methods to go after CC data and the like.

It's why organisations C-levels realy need to think longer than the next couple of quaters income, especially in what appears to many as intangibles like relations and ethics. Further CSIOs need to be aware of trends in attacks as well as being able to communicate effectivly with other Execs responsible for business direction etc.

Sonny and Cher's adopted baby girl CuiJanuary 1, 2015 1:09 PM

Andrew, we can't ignore "US capability," how come we get to ignore US government credibility? We are so indoctrinated with the idea that North Korea's lying that no one bothers to make this key assumption explicit - even though North Korea says, "we'll prove it." Instead, here we all are, embroiled in a discussion of North Korean culpability premised on what FBI says, when FBI lies like a rug. They lied about Lockerbie, they lied about OKC, they lied about WTC '93, they lied about Amerithrax, they lied about the Boston Marathon bombing. What are they lying about this time?

Marcos El MaloJanuary 1, 2015 2:13 PM

@Clive Robinson

Another possibility is that US agencies have evidence it was NOT DPRK, so are safe in assigning blame to DPRK. It's diplomacy theater. The DPRK won't go on a witch hunt beyond ascertaining that it indeed wasn't them. The announcement is a ruse to discredit DPRK, with little to no downside.

janJanuary 1, 2015 2:34 PM

My hard drive is supposed to be able to write 60 MB/s when connected via USB2.0? Someone should tell my hard drive. 60 MB/s is the speed I get with USB 3.0, USB 2.0 gives me something around 30. And I'm literally talking "plug the cable into a different port" here.

Coincidentally, 480 Mbit/s is also what you would get if you had a server with a Gbit connection actually throttled to 1 Gbps (i.e. not allowing you to use full duplex) and were using it as a relay.

This is about as dumb as the claim that NK couldn't have done it because they don't have the bandwidth. I don't have the bandwidth to torrent a movie within a few minutes, but my seedbox seems to be unimpressed by the physical impossibility.

I'm somewhat willing to believe the official theory, because I'm pretty sure the NSA knows who did it, and if they were to say so, they would likely do so via the FBI and without providing any proof to keep their capabilities hidden.

The alternative, of course, is the FBI lying their asses off, which is plausible too.

DanielJanuary 1, 2015 2:52 PM

@Clive.

Agreed: Re attribution.

@Mark the Bad

I don't agree. I'm puzzled by this claim that the USA can lie on the international stage with impunity. The USA already has a bad rap from the Snowden leaks of being deceitful; if it turns out not to be North Korea it will look like one of two things--they are doubling down on deceit or they are incompetent. It is simply irrational to claim that lying about NK is strategically smart. It's stupid and I don't want to think they are that stupid.

Sancho_PJanuary 1, 2015 6:00 PM

So … a(ny) timestamp is called “evidence” in America ???
Don’t get me wrong, but we don’t know who got what and why, let alone the technical issues at the point of origin.

“… a linguistic analysis of the grammatical errors in the hacker communications implies that they are Russian speakers”

While I love the word “implies” (thanks, Bruce, for not calling it evidence) here the question would be whether the “communication” is from the “hacker” or other "personas".


But seriously, that’s the final evidence we needed to point at the “duo infernale”,
the final nail to their coffin:

(1) Devil = Satan = el Diablo = “Der pöze Russe” = Putin.
We have strong evidence that he is evil, hates America and speaks some English.

(2) Ed Snowden, a “low level analyst”, also called “The Traitor”.
He’s in need of money (why?) and just bright enough to help Putin with the details.

Together they are a serious threat to the US.

-> Let’s bomb them / the Kremlin / Moscow first, forget NK for a while.

And let's propose Pres. OB for another Nobel Peace Prize for “… the most or the best work for fraternity between nations, for the abolition or reduction of standing armies and for the holding and promotion of peace congresses.”.

/sarcasm // just to make sure the Skeptical will not immediately hit the red button!

@ Marcos El Malo

I’m afraid you underestimate the paranoia of democratic regimes (here: NK). Think about the US going after whistleblowers.

The ”… little to no downside” is that many living outside the US would see “The Americans” as being dense?

albertJanuary 1, 2015 6:02 PM

@Daniel

"...It is simply irrational to claim that lying about NK is strategically smart..."
.
The US State Department and the Executive Branch aren't stupid, but they are the folks who decide how to promote US foreign policy. You don't think the director of the FBI(or NSA, DOD, etc.) suddenly decides to issue statements like the 'NK did it' on their own? This stuff is carefully vetted, and often pre-orchestrated.
.
It is US foreign policy that is 'irrational', even given the unstated goals of such policy. If 'assigning' the blame to NK advances those goals, then it is 'strategically sound' as far as the USDS is concerned.
.
I think, at the end of the game, when the cards are counted, this will amount to a tempest in a teapot. The real issues are computer security in general. I wouldn't cry in my beer for Sony Pictures Entertainment. Corporate fails always brighten my day.
.
I gotta go...

PeterJanuary 1, 2015 7:32 PM

Another theory is that foreign policy is opportunistic in general. If you call losing a battle to win a war a strategem, then fact-checking (forensics looks into the past) is irrelevant, because the focus here is forward-looking. If we keep that mindset then this is an entirely different theatre.

Clive RobinsonJanuary 1, 2015 9:27 PM

@ Sancho_P,

So … a(ny) timestamp is called “evidence” in America ???

Leaving the sarcasm aside, the question of what is and is not evidence is one that is confusing many people.

All of the "evidence" so far given in this case is not nor can it be evidence in the restricted sense of the law or scientific enquiry.

From the legal sense it is at best inadmissible "hearsay" and not admissible as evidence to either civil or criminal proceadings, or atleast that's the way it used to be... sadly this nolonger appears to be the case and thus the "burden of proof" is now more a case of showmanship for the jury and fawning submissiveness towards the judge.

Prosecutors are alowed to throw in any "bag of bits" and claim it proves guilt, and many judges just nod it in as evidence, however when the defense challenge it the same judges appear to take it as a personal afront bordering on contempt.

Some suppliers of "forensic systems" don't reveal the way their systems work and train law enforcment to just accept what the control pannel says and thus proper evidence testing does not happen.

To understand what that means in a tangible way you need to look at it this way. The weapon used to kill somebody is found in a bag under a table in a dark and smoky bar. The police perform no tests and ask no questions and in court the prosecution claim that this means that the owner of the bar is guilty of the murder as it was found on their property. If that were to happen most juries would say "you've got to be kidding me".

The simple fact is when you connect a computer up to the internet and use the supplied browser "as is" as many people do, you have no control over the behaviour of the "guests" that come with the page you have clicked a link for. Thus as the "owner" you have little or no control over what gets "left" in the computers short and longterm memory and you will almost certainly not see it either as you have no idea of where to look.

If judges have no idea about what goes on in computers how do we expect the general public who may not even use them to understand what is and is not evidence and what it is evidence for.

What we have from the SPE hack is a number of statments from SPE and various others, that cannot be tested by us, and some files that have been released by an unknown third party, that we have no way of knowing are genuine and untampered with. Whilst there has been very limited corroboration that some of the details in those files are true, we have no way to know if the rest of the file contents or file metadata is true.

Whilst there are statistical tests that can be performed on the file contents and the file meta data the results will be probabalistic and of low confidence, thus by no means be evidence let alone evidence that might be considered circumstantial.

We don't even have evidence of how the data left SPE or how much data left and over what time period, thus the reality is we can not even say they were negligent with anything aproaching "beyond reasonable doubt".

Whilst most of those posting to this blog are well aware of that as are many longterm readers, we know from past experience that we cannot say the same of journalists and other non domain experts that may read this blog based on links from news stories and the like.

The downside of this is that in effect we are playing into the hands of the Government because we put into peoples minds that we are talking not of maybes and guess work but hard evidence. Thus we give the government "spin speak" a credibility in lay minds that it in no way deserves.

WooJanuary 2, 2015 4:39 AM

Regarding traffic monitoring...
Sony Pictures, being a movie studio, has to transfer huge amounts of data in and out daily (raw cuts from and to effects subcontractors, movie files to streaming providers and disc replicators etc), so they will definitely have a rather fat pipe to the internet (10G or similar class, where a deviation of a few hundred MBits won't get noticed) and probably no connection monitoring, due to a high chance for false positives coming from regular business processes. Even if there was a connection monitoring, chances are high that a bunch of servers routinely doing movie transfers would have been on whitelist.

Steve FriedlJanuary 2, 2015 9:46 AM

@Bruce:

It requires us to postulate the existence of a single person who has both insider knowledge and the requisite hacking skill.

A customer of mine once told me "You never know who your secretary is sleeping with"; all you need is a disgruntled employee with shady friends, not a difficult prospect in LA.

Sancho_PJanuary 2, 2015 10:07 AM

@ Clive Robinson (and Bruce Schneier)

This is exactly why I’d like to urge technicians with public audience to avoid the term “evidence” and call it what it is: hearsay or rumor.

Journalists, the masses, judges or gov are not evil but simply unaware.
Using our everyday’s informal speak we technicians keep them ignorant.
It is a moral duty of the specialist to name the truth.

Sancho_PJanuary 2, 2015 10:15 AM

@ Woo

Good point.
That’s one side of connection monitoring at Sony or any other biggie.
On the other hand, when I dump “my” company’s data, would I trigger my own alarm?

How useful is such an alarm? Would it stop + undo the dump of emails?

The perfect user, behind a router from his ISP, having a very common OS and browser and “the best AV you can buy”, all of them up to date:
Who would come forward to guarantee that (s)he is safe?

But the poor user will be held reliable for any damage related to to the system (s)he doesn’t own.

Sony is culpable for it’s culture in the first place, I’m afraid the breach can happen everywhere.
Hopefully American nationalism (call it patriotism, anyway) will help them out.

fork_in_the_roadJanuary 2, 2015 11:04 AM

@Woo,

You are not thinking clearly.

SPE->vendor connection would mean another gigabit-class connection, not on a Home Internet subnet/service. Therefore your list of trusted addresses would be long, but, relatively stable.

A long-running SPE-> hostile connection would be easy to track poling/storing firewall connections.

I track and report connections with two cron jobs. Database queries makes a short list of untrusted addresses easy. It's not hard to classify the types of connections either... VPN,ssl,voice,skype, etc.

Maybe there's a commercial opportunity for my "awesome" perl scripts with point-and-click admins...

PacoJanuary 2, 2015 1:12 PM

Is there any possibility that this sony hack is a marketing campaign to make money from a rather bad movie?

Although I think the initial hack was probably an insider, they definitely took advantage of the publicity to market their movie.

If an insider sold corporate secrets to North Korean or Chinese hackers, would that be treason?

...just automatically block the IP address blocks for North Korea, China, Russia and the Middle East.
So quick to take away Internet Freedom rights? Freedom House has a decent article about how some authoritarian states may want to further control the internet.


You never let a serious crisis go to waste. And what I mean by that it's an opportunity to do things you think you could not do before. -Rahm Emmanuel

The government is using this as a crutch to limit our freedoms by getting citizens against a common enemy and to increase spending for cyber terrorism.

NickJanuary 2, 2015 4:06 PM

Still no mention by the mainstream media this might be revenge for the Sony Rootkit.

Gerard van VoorenJanuary 2, 2015 4:29 PM

@ Thomas_H

The truth is coming out now. Not about the claimed evidence, but about the motives of USG. It is revenge. Here is my 2 cent advise for USG: Make all the secret evidence public. As long as they don't do that there will always be a smell. You know, stinkeroo.

And if they don't have the claimed evidence, well, history will be the judge then.

NoSuchAgencyJanuary 2, 2015 10:48 PM

I read somewhere that the attackers exfiltrated something like 200 Gb of data in 6 hours. That implies that the attacking system had to have at least as much bandwidth as Sony's own networks. How is this known?

The other problem I have with this "hack" is how on earth did they get access to such a wide array of data? I'm not suggesting it isn't possible, or even unlikely, but it strongly suggests that Sony made no attempt at data segregation (whether on their regular corporate networks or backup systems). Apart from being a gross oversight by Sony's IT department, I just can't believe that a company could be so careless as to leave everything in one place.

The other question is: in what form did the data leave Sony's networks? Was it one huge archive, multiple archives, or the files as they were found on the network?

It also seems that only one insider was involved (in that attack scenario). What if it involved multiple insiders, in multiple departments, working together? That would go a long way to explaining the wide range of data involved.

Wesley ParishJanuary 4, 2015 3:22 AM

@NoSuchAgency

I read somewhere that the attackers exfiltrated something like 200 Gb of data in 6 hours. That implies that the attacking system had to have at least as much bandwidth as Sony's own networks.

Which is in itself the best argument that this was an inside revenge job. A siphoning off of the back-ups, I'd argue, myself, because that way it's hiding in plain sight, and backups are grabbags that tend to aggregate. Which would explain the haphazard nature of the datadump, godaloneknowswhat ...

Phil KarnJanuary 4, 2015 8:47 AM

Everybody is assuming all that bulk data was exfiltrated directly from Sony's servers over Sony's internet connection. But I presume they keep physical backups, probably offsite. What about stealing backup tapes/drives, either in transit or at the offsite storage site, with or without insider help?

This neatly gets around the problem of transferring so much data without tripping any alarms on Sony's own Internet connections. It also explains the diversity of the data stolen, from HR files to complete movies, that might not be found on a small subset of compromised servers. Backups would undoubtedly also reveal a lot of useful credentials, such as /etc/shadow files, server SSH secret keys, router config files and probably a fair number of plaintext passwords here and there (if Sony's practices are typical).

I have absolutely no evidence that this was the case; I'm merely suggesting it as another possibility that should be considered.

WaelJanuary 4, 2015 10:15 AM

@Phil Karn,

Everybody is assuming all that bulk data was exfiltrated directly from Sony's servers over Sony's internet connection. But I presume they keep physical backups, probably offsite
Everybody? And what am I? Chopped liver?

You assumed that everybody assumed.

Clive RobinsonJanuary 4, 2015 12:01 PM

@ Wael,

Unless you have a long neck, and have been force fed grain for the past couple of months to give you NAFLS then I assume your liver is not for Pâté de Foie Gras...

@ Phil Kahn,

The initial argument was several terabytes of data had been exfiltrated from SPE by "outside hackers" in NK, apparently "network" information indicated a hotel close to NKs service provider was used to exfiltrate the data.

It was pointed out at the time by others and myself that if that was the case then Sony was not following standard practice let alone best practice, and thus could be said to be negligent, a point I'm sure is not lost on their managment or shareholders.

Since then the story from those involved with the investigation has changed more frequently than many people change their clothes.

As I've indicated above one of my first thoughts were that the hackers had got into the infrustructure such as backend storage network or backup systems. If true it would again show Sony were not following standard practice, which means negligence again.

However bearing in mind the power of an "insider" to know things about "intrusion detection" that cannot be figured out by an "outside hacker" I indicated very early on I belived an "insider" was involved, thus negligence would not of necessity been required.

Thus I doubt the official story of "NK hackers". As I have also pointed out is a fabrication which is conveniant not just for the US political agender or SPE defending themselves in court. It is if you think about it rather convenient for whoever did hack SPE because now any prosecution is going to require some evidence that the hackers had direct contact with NK, otherwise the US Gov and the current administration are going to end up looking fairly stupid. And of course the US has just made their position worse as they have used the SPE hack to increase sanctions (which we know will kill NK citizens in their thousands, whilst not changing the leadership, and will put the possibility of re-unification etc back years if not decades).

Unless the data did go out across SPE's connection to the Internet the probability of an inside rises to near certainty or SPE were negligent.

On the assumption the data was obtained from a backup tape a series of questions need to be asked such as "Why was the tape not encrypted?", "How/where was it intercepted and copied?" or if the tape was End of Life "Why was it not treated as confidential waste?", all of which again would point to an insider / negligence.

I guess the real answers will remain "secret" for many years, unless those that carried out the attack "spill the beans" but that gives rise to a "credibility issue" that the US Administration is not going to want to see discussed, thus those involved may now have a genuine fear for their lives if they are bright enough to think that far... which no doubt will give rise to "Deadman's Switch Fail Safes" being placed at various places on the Internet etc, let's hope they don't tell a UK Guardian reporter the "key" lest it appear in a book...

WaelJanuary 4, 2015 9:03 PM

@Clive Robinson,

Unless you have a long neck, and have been force fed grain for the past couple of months to give you NAFLS then I assume your liver is not for Pâté de Foie Gras...

I would rather stretch the necks of those conscienceless people that think animal cruelty is ok for a delicacy. I would then force feed them GMO corn until they grow their own "Foie Gras" ;)

ramriotJanuary 4, 2015 9:31 PM

Something that keeps coming up time and again on this is the initial assumption of a single attacker. Thereby allowing all sorts of reductio-ad-absurdum, against any scenarios where the attack requires both involvement from both NK and RU and or an insider.

This is I think a fallacy.

The key issue here is what I will call the 'conspiracy leak timescale' i.e.

The more people involved in any criminal or otherwise conspiracy the more quickly will infomation pointing to the conspirators leak by normal human frailties.

Old Security Saying - 'Best way to keep a secret between two conspirators is to make sure one of them is dead'

Therefore for the present timing I think what we have here is single close nit group of only a few members with a possible associated single insider tied to them by mutually assured destruction (MAD) should either any of the group or the insider leak.

If the perpetrators are to be found then that MAD needs to be broken, by offering something more valuable to a member than what they could loose.

BTW I am mostly excluding the assumption of NK a being directly involved as a result of threats made by the attackers as the timing of the linkage to 'The Interview' and mentions of NK was not raised by the attackers until after it was mentioned in the press.

That is not to say that some nation state's peripheral involvement as a 'money man' cannot be excluded, it just cannot be asserted until credible evidence is shown.

That said, what is the nature of the US Federal Government's secret evidence that makes them believe NK is the originator of all this? I am thinking here that there is a case of put-up-or-shut-up to the FBI etc unless charges can be brought because forming policy on secret evidence is no way to run a democratic state.

kissdskyeJanuary 5, 2015 4:23 AM

I see an angle on the theft that I haven't seen discussed here in the thread:corporate theft.Counting the other industry heavyweights who would literally"kill"for a rival's film portfolio isn't being considered.I wonder why.
Sony Pictures is a company ripe for a takeover since their country is going broke as this is being written and has been since the 2011 Fukushima nuclear explosions.Japan hired Paul Krugman as their financial guru and he could be the fox in the henhouse and be the ultimate raider for rival houses.The usual suspects have to be other movie houses and,if I'm a betting man,all these studios have spies in their rival's buildings.Corporate espionage is not well known but the US gov't is an active player in the field.When it's convenient,the issue is highlighted by a press release by the alphabet agencies on stealing secrets or so-and-so country is/has stolen American corporate secrets.If their business secrets are so valuable to a foreign country,it sure is valuable to American businesses,too.Also,I agree with others that the very bad,D-Grade movie got priceless publicity for being the helpless do-gooder caught between a rock and a hard place being bullied by NK."You never let a serious crisis go to waste.And what I mean by that it's an opportunity to do things you could not do before." - Rahm Emmanuel,Mayor of Chicago and the former"enforcer"in the POTUS Cabinet.As an ex-CIA operative famously opined,"Nothing happens without a reason,"a theme echoed here by Schneier,too.
While we assess the technical aspects of the"break-in,"let's not forget that intellectual property is worth more in the hands of a corporate spy than the pirated movie downloader.Check outand peruse the corporate lawsuits,it's an eye-opener.Schneier's article covered everything that has been occurring except the robber baron mentality of corporate America.This scenario needs more light from all of us.
I'm sure someone on this thread has the investigative wherewithal to look at the financial aspect.As it's always said:Follow the money.

Clive RobinsonJanuary 5, 2015 5:45 AM

@ kissdsky,

It is something I considered as another reason why the US might behave that way.

However when I started discussing the political implications first to "set the scene" various people disagreed with the reasoning.

The simple fact is the US has a massive imbalance between the far east and it's self and it is at the point where as you note the weakining Yen is going to give rise to people "buying out" Japanese companies. It would be highly undesirable from a US perspective if Japanese companies were bought out by China, and that would certainly classify as a National Security issue economically.

So I think it goes a lot lot deep than just the normal "buy out" issues and industrial espionage.

After all you have to consider what would happen if China owned as it does a very sizable proportion of the US national debt, and additionaly aquired a significant number of US based companies that are in effect owned by other far eastern countries.

It is clear that both China and Russia belive that their national intrests were unfairly harmed after WWII and later and belive that it is time for the US to leave the world stage it runs as an unoficial empire, either voluntarily or by force. Currently China is applying a lot of economic preasure as well as more war like forcefull activity in the East and South China Seas, which significantly effect Japan and Taiwan, which China appear to believe belong to them.

Thus the issue with NK / SK reunification. Whilst China has NK as a buffer nation they don't currently have any call on SK. However if reunification happens then China will see an extension of SK and a loss of a buffer nation, which would result from their prospective with the US sitting on China's border. We have seen how Russia has behaved with regards the expansion of NATO do we serioisly consider that China will behave in any way less?

From the US perspective to much of the technology it relies on comes not from Japan but South Korea, which makes keeping the status quo a paramount consideration for the US. Thus quashing attempts to get NK / SK reunification is currently in the USs economic national interest.

Some European economic observers believe that the US over extention in the middle east has left it incapable as a force of power in the far east, and that China's major changes in the weapons it makes / trains / uses from defensive / policing to offensive indicate it is going to force the issue quite hard and fairly soon, and that Korean reunification could well be the peace breaking issue.

Sancho_PJanuary 5, 2015 12:47 PM

@kissdskye

No offense intendedbut checkyour punctuationmarksforblanksifyouexpectsomepeopletoread.

Otherwise, interesting thinking, however, I doubt it.
The issue (with the emails) could backfire so deadly that no regular entity / business would go there.
Not even the USG.

XachJanuary 5, 2015 10:36 PM

@ Clive

The concept of foreign buy-outs can only be prevented by cross border controls, but that is dis-qualified by the "race" to free trade, so I wouldn't put too much stock into that.

GuyDecember 30, 2016 3:45 AM

So it seems very strange what happened to norse corp following its disagreeing with the stasi or nsa or whomever it was that was claiming norse corea was to blame.
Question is whos going to have the balls to correctly attribute the democrats hacking in a qualified way when they have seen the strange fates of companies indulging in whistleblowing~like behaviour that challenges the pseudo narratives of intelligence entities. (Apart from wikileaks testimonial which however reliable is not comprehensive.)

Clive RobinsonDecember 30, 2016 6:50 AM

@ Gary,

From what I remember of Norse Corps demise, they were over ambitious and did not get their financing via investment properly sorted out.

They made a round of layoffs around two years ago to try and tighten the belt a bit and get their burn rate down.

So far not much different to many companies going through growth issues.

Then one of the people who were laid off connected with Brian Krebs and a story was published. From what has been said Brian was not as diligent about the research as he should have been, especially when alleging criminal behaviour (alleged shell companies and murky financial past, including serial financial irregularity / imprudence and accusation of "Scam").

The result was Norse Corp suffered a sales financial shortfall and new investment freeze and hit the wall hard, after the Krebs article.

Which leaves the questions as to the how and why of the Krebs article and where the allegations came from and why Krebs was not as dilligent as he should have been.

As we have found out more recently Brian Krebs was overly reliant on others as to the prominence of his web site etc and nearly disapeared himself when attacked recently. So he himself had a house of cards structure and very nearly hit the wall.

The take away point is that a greate deal of what people think is the Internet Security Industry is in effect "frontage" and thus "brittle" and almost but not quite built as a confidence trick. Whilst some organisations will develop substance with time, others will not, and even for those that could make it there is a high vulnerability transition period. Any lack of confidence in that transition period will kill the organisation no matter how good or promising their technology is (you can see this by the way patent trolls behave).

Most people with market experience can tell when a growing organisation is most vulnerable to a tiny nudge or push, especially an organisation with a high publicity profile. The question is why nudges and pushes don't happen as frequently as you might think. There are two main reasons, the first is the "rising tide effect" the second is "cheaper than inhouse R&D". If a market sees a lot of growth it effects all entities in the market and a market that looks good brings in investment and thus profit for all, thus if just one person sneezes then everyone can catch a cold as money rapidly moves to what it thinks are safer markets. But realistically even with a good solid profitable idea less than one in ten of organisations make it past the vulnerability point, and of those that fail their hard won assets get given the "fire sale treatment" and can be picked up for a few cents in the dollar of their real cost. In essence this is what patent trolls try to do, and many larger organisations, you get other peoples hard work for pennies, it's one of the reasons behind the "Second mouse" comments.

So most of the time it's in nobodies interest to give a nudge or a push, because they are all in the same boat. Which begs the question of what is to be gained by giving a push or a nudge. Obviously you need to be not in the same boat, and further be sure the boat you are in will not get swamped or drawn in when the target boat sinks.

Almost by definition a government is financially an unsinkable boat because they realy are in the "to big to fail" class, because they have "sovereign immunity" and "tax raising" as their fall backs. Which means that the people most likely to not get swamped by the sinking of a market are government entities.

Thus some have put together the notion that because of the nudge, it must have been the government. Whilst this can not be ruled out there are many other people not in the boat who might not care what happens to them come the time it sinks... Thus those laid off behaving irrationally for revenge etc are both more likely, and more likely to be used as cover by others.

So there is plenty of room for people to concoct their own theories, based not on actual facts, which are usually not available, but assumptions they believe are axiomatic to their case. This is the usual "Attribution Bias" problem because the theories can not be tested thus disproved.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.