Tuesday, January 20, 2015

NSA Docs Show Almost No Access To North Korea Before 2010, And Limited Access Thereafter

“We lack uniform agreement on assessing many things in North Korea” - DNI James Clapper (2013)
According to the same NSA document released yesterday by Der Spiegel and quoted by the New York Times, NSA's access to North Korea "was next to nothing" prior to 2010. That rules out any direct NSA evidence of North Korea being responsible for the 2009 Independence Day attacks against U.S. and South Korean websites. Yet "unnamed officials with knowledge of the case" made the exact opposite claim (U.S. Spies Say They Tracked Sony Hackers For Years); a claim that can only be considered either fantasy or patently false considering the staggering number of intelligence failures that we've experienced with North Korea over the long term and up to the present. Here are just a few examples:

2010: North Korea spent 18 months building a new uranium enrichment plant that we did not discover until they announced it in 2010.
2011: Kim Jong-il's death went unnoticed by U.S. intelligence until NK television announced it over two days later.
2013: Three months after NK's third nuclear test, the U.S. still couldn't assess the state of NK's uranium enrichment. CIA had to reverse its initial assessment of Kim Jong-un's military ambitions (greater than the CIA thought), and the DIA's assessment of the North's ability to shrink a warhead got publicly disputed by both Clapper and Obama.
2013: The Washington Post reported that the NSA's own Black Budget reveals that its North Korean access is the worst of any country.
More broadly, the lapses also raise a question of why, 63 years after the outbreak of the Korean War — itself a move the United States did not see coming — gathering information about the North has, in the words of one frequent intelligence consumer, “made Syria and Iran look like an open book.” - David Sanger and Choi Sang-Hun (NYTimes, May 2013)

What Do We Know About Attacks Blamed On North Korea

Pretty much everything that we think we know about cyber attacks coming from North Korea originates in South Korea. So the first question is - how accurate is South Korea's intelligence on the North? The answer, based upon multiple sources, is that it's questionable at best and fraudulent at worst.

The Economist featured an article about South Korea's troubled National Intelligence Service (NIS) in March, 2014.
"But the South’s efforts have been complicated by a series of intelligence mishaps. Won Sei-hoon, the former head of the NIS who resigned last March, is himself currently undergoing trial on charges of discrediting key opposition figures as pro-North leftists online and manipulating public opinion in favour of Ms Park in the run-up to the 2012 presidential election that brought her to power. The NIS says that its online posts were routine psychological warfare operations against North Korea. Now the president’s new spy chief, Nam Jae-joon, is under mounting pressure from the opposition and ruling-party politicians alike to step down amid an investigation into his agency's alleged fabrication of evidence in an espionage case. Last week prosecutors carried out a rare raid of the spooks’ headquarters—the second time the offices have been searched in just over a year. On March 15th prosecutors arrested an NIS agent in connection with the forgery."
The Economist article also addressed the benefits provided to North Korean defectors and the problems associated with fraudulent defector claims. All of the information that we think we know about Lab 110 and North Korea's cyber warfare capabilities in general came from North Korean defectors. Unfortunately, there's no way to judge how much of that is even accurate.

The 2009 Independence Day Attacks

The NIS claimed that it had intercepted a document from the North Korean government which ordered Lab 110 to "destroy the South Korean puppet communications networks in an instant". 

What actually happened was that someone launched a weak DDoS attack using ancient malware (a MyDoom variant) that had next to no impact at all. That kind of gross exaggeration suggests that the NIS may be just a tad over-zealous in its assessments of the North. An interesting side point is that the MyDoom malware is believed to be Russian in origin according to Kaspersky Lab.

The 2013 Dark Seoul Attacks

I looked at four reports issued by four different cyber security companies on Dark Seoul. Of the four, McAfee implied that it was the North Korean government. Symantec's report said that the South Korean press blamed North Korea. Kaspersky said it couldn't say, and Sophos gave reasons why it probably wasn't North Korea.

"What's curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated. For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a "cyberwarfare" attack coming from North Korea."

“So, is this an isolated incident or part of a bigger cyberwar campaign? Honestly speaking, we don't know.”

“While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea.”

"Who conducted these attacks is still unclear, but our research gives some further insight into the likely source. The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source."

The 2014 Sony Attack

Attribution to North Korea for the Sony attack is built on flimsy, fraudulent, or non-existent intelligence. Pick two.

The private sector reports relied upon the Dark Seoul and Independence Day attacks, which conflicted with each other and failed to give direct attribution to North Korea. In the meantime, no one at the FBI, NSA, ODNI (Office of the Director of National Intelligence), or EOP (Executive Office of the President) can answer the most fundamental questions associated with criminal investigations.
- They don't know who actually attacked Sony. 
- They don't know how they did it. 
- They don't know why they did it. 

By their own admission, the entire U.S. intelligence apparatus is dealing with a black hole when it comes to North Korea. Before 2010, the NSA had primarily relied upon South Korea's NIS, whose leadership has been charged with acts of fraud. Even after 2010, when the NSA supposedly had direct access to computers in NK, they missed pretty much everything of importance.

The RGB has been built up by Western analysts to be a cyber warfare superpower, yet nothing about the Sony attack was sophisticated. Based upon linguistic analysis, the RGB most likely didn't use its own people, but why hire out? Certainly not because they couldn't do it themselves, and obviously not for plausible deniability. Kim's juvenile threats before the film's release made it easy to paint him as the culprit.

The answer to this riddle must lie somewhere in the political realm. For whatever reason, someone in a leadership position in the Intelligence Community or the EOP saw the Sony attack as an opportunity to score a win against North Korea after a miserable multi-year run of intelligence failures. Unfortunately, the President and the Directors of both the FBI and the NSA have staked their professional reputations on that stupid political act, and I predict that it will backfire in a spectacular way. 

Friday, January 16, 2015

Mercenary Hacker Crews Offering Espionage-as-a-Service Are On The Rise

We published our new report on Espionage-as-a-Service today. Here's a copy of the press release along with a link to the report itself.

MCLEAN, Va., Jan. 16, 2015 /PRNewswire/ -- Although the Sony attack was loud, damaging and hugely embarrassing to the company, the bigger threat is from mercenary hacker crews who steal billions of dollars of valuable technology secrets every year from U.S. companies on behalf of paying clients according to Jeffrey Carr, President and CEO of Taia Global, Inc.
"These mercenary hacker groups range from small groups with little funding to specialty shops run by ex-government spooks to highly financed criminal groups who use similar if not identical tactics to nation state actors," according to Carr, the author of a new report on the subject. "That they are rarely discovered is due in part to their skill level and in part to being mis-identified as a state actor instead of a non-state actor if they are discovered. The low risk of discovery, frequent misattribution to a nation state, and growing demand of their services ensures that the EaaS threat actor will flourish in the coming 12 to 24 months."
The FBI filed a criminal complaint last summer and a federal grand jury subsequently indicted Su Bin, the President of Lode-Tech. Bin was charged with 5 counts of conspiracy on a cyber espionage campaign that was in operation from at least 2010 until 2014. The hacker crew that he hired wasn't named and is presumed to still be active.  Stolen technologies included information about the F-35, F-22, and C-17 aircraft, and according to the criminal complaint, the hackers claimed that they were in a position to breach the network of Brahmos Aerospace, a joint venture between the Indian government and a Russian joint stock company.
"This report reveals details on EaaS operations culled from court documents, published papers, and personal interviews that I've had with Russian and Chinese hackers," said Carr. "It also helps companies understand how to defend against this new type of threat actor."
Mercenary hacker groups are small, skillful, well-paid and have no nation-state affiliation. Instead, they are hackers for hire, whether it's a Chinese millionaire like Su Bin, a Russian oligarch or a western business competitor of the company being targeted. The aerospace industry is among the hardest hit, but any company who is investing in high value research and development can be a target. Taia Global's report "The TRIES Framework: Counter-Reconnaissance against EaaS Threat Actors" is available for download at TaiaGlobal.com or by calling Mr. Jeffrey Carr at (855-777-8242).

Wednesday, January 14, 2015

A Ukraine Anti-Corruption Policeman's Appeal For Justice

"I don’t really know, if I have any possibility to appeal to Nation again, if I will be alive, I don’t know, but I beg you to take a chance to change the situation in the country." - Lt. Col. Iegor Bodrov, Ukraine Ministry of Internal Affairs
Three days ago I wrote a blog post about a hacker who was trying to get his friend and former colleague, Lt. Col. Iegor Bodrov of the Ministry of Internal Affairs, released from prison after being put there by a corrupt Prosecutor and his deputies. This case has had no coverage in Ukraine itself so I'm asking that you share this message from Lt. Col. Bodrov via your own social networks and hopefully a journalist will pick it up.

Below is an English transcript of Bodrov's message to the people of Ukraine delivered via a video posting on YouTube.


WHERE IS the position of TRUTH in UKRAINE
( At the very beginning -- on the black background )

In continuation of the story that I have told before regarding the persecution of me and my family by high-ranking officials of the General Prosecutor's Office of Ukraine, I would like to declare that one of the scenarios that I had predicted earlier has taken place. At the moment I am being held under arrest without a warrant, after an illegal detention and being put in a cell, due to the unjust decision of the judge of the Pechersk district court, which violated clauses of the Criminal Procedural Code of Ukraine.

Sunday, January 11, 2015

Hacker Aids Ukrainian Intelligence Colonel Arrested For Fighting Corruption

UPDATE 27JAN2015: Graham Stack of BusinessNewEurope has also written about corrupt practices at the Ukraine Prosecutor's Office. Please read their investigation and share the link.


Ukraine's revolution isn't easy to understand. Some Russians who live there want the old pro-Russian regime back and have aligned themselves with the Putin government. Most Ukrainians want their independence and support new leadership that isn't so attached to the Russian government. And then there are Russians with friends and family in Ukraine who are anti-Putin and support the goals of the Euromaidan revolution. However, the one thing that the old regime and the new regime have in common is corruption.

Just how corrupt became clear when Lt. Col. Iegor Bodrov, the Chief of the department for the combating of organized crime at Ukraine's Ministry of Internal Affairs, was arrested after he tried to expose how the Prosecutor General of Ukraine Vitaliy Yarema together with accomplices Deputies Anatoliy Danilenko and Nikolay Gerasimyuk paid bribes and laundered money for their own gain.

Bodrov was arrested on November 25, 2014 under the charge of aiding and abetting terrorists - the "DNR" - Donetskaya Narodnaya Respublika (Donetsk Peoples Republic) and "LNR" Luganskaya Narodnaya Respublika (Luhansk Peoples Republic). His arrest was based solely on the questionable testimony of one man, an SBU (State Security Service) officer.

Ten days prior to his arrest, an RGD-5 fragmentation grenade was planted in the personal car of Bodrov's spouse which put her and their three children at risk (letters describing what happened are above). Despite Bodrov reporting the incident and asking for an investigation, nothing was done.

Although Bodrov remains in prison, the evidence that he has gathered about corruption in high places has been made public by a friend and former contractor - a hacker who goes by the alias "Yama Tough".
Bribe-taking in the amount of USD 5 mln. by the Prosecutor General of Ukraine – Mr. Yarema Vitaliy in complicity with his Deputies.

The money laundering of USD 2 mln. by means of procurement of real estate in France (Paris), Croatia and Ukraine. (Source: http://imgur.com/a/qWrsV)

Money laundering and further offshore transfer of USD 4 mln. by Mr. Yarema's son (a student) through the extension of a loan in favor of the offshore company (Kup-X LLC) against the security of a cash deposit with the Avant Bank. Tax evasion on passive income arising from the cash deposit. (Source: http://imgur.com/a/MEMPP)

Additional evidence points to: The cancellation of a criminal case by Vitaliy Yarema on the request of his son that caused about USD 1 mln. in damages. Concealment (cover-up) of the fact of extortion by public officers in the amount of USD 20 thousand (the email from the son to VY). (Source: http://imgur.com/a/NHBPN) Misappropriation of 140 hectares of land by the Deputy of Vitaliy Yarema – Anatoliy Danilenko – for the property of his son with the aid of the Deputy of the Supreme Court of Ukraine. (Source: Evidence archives in .rar format - https://mega.co.nz/#!8pdDyTAI!sXFASGkpabaNQWxnloqzwwJSAHqiJklB3l7OHCSRwUo)

Bodrov remains in prison
As of this writing, Lt. Col. Bodrov remains in prison for merely doing his job - rooting out corruption. His application for release has not been heard and no investigations into his charges have been initiated. 

Wednesday, January 7, 2015

FBI Director Comey's Single Point Of Failure on Sony

FBI Director Comey laid his entire agency's credibility on the line today at an FBI-sanctioned cybersecurity event in New York City where he provided new information on the Sony hack:
“In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy,” Comey said. “Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using…were exclusively used by the North Koreans.”
This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:
“SEOUL - A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years.... The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”
The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector. The FBI, the NSA, and the private security companies upon which they rely for information believe that any attack linked to a North Korean IP address must be one that is government sanctioned since North Korea maintains such tight control over its Internet and Intranet. That is the FBI's single point of failure because while that might have been true prior to 2009, it isn't true any longer.

Access to those blocks is relatively easy if you go in through China, Thailand, Japan, Germany or other countries where North Korea has strategic connections. For example, in 2007 Korea Central News Agency established a server in Japan to bypass blocking efforts by South Korea's Ministry of Unification. North Korea's Uriminzokkiri news website runs on a Chinese server. The Korea Computing Center maintains offices in Beijing and Dalian. The Gwang Myong IT Center, which is a spin-off from Korea Computer Center with offices in China sells network security solutions like anti-virus and data encryption to international clients including financial institutions in Japan.

North Korea has a growing IT and animation sector according to Dutch business consultant Paul Tjia. "NK firms have quietly developed software for banks in the Middle East, applications for cell phone makers in Japan and South Korea and even video games for Nintendo and Playstation".

However the easiest way to compromise a node on North Korea's Internet is to go through its ISP - Star Joint Venture. Star JV is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture - Loxley Pacific (Loxpac). Loxpac is a joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).

I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA were most likely relying on the myth of a "closed" North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand's most well-connected families, and just 4 kilometers away is the five-star St. Regis hotel where one of the hackers first dumped Sony's files over the hotel's WiFi. It would be a simple matter to gain access to Loxley's or Loxpac's network via an insider or through a spear phishing attack and then browse through NK's intranet with trusted Loxpac credentials.

Once there, how hard would it be to compromise a server? According to HP's North Korea Security Briefing (August 2014) it would be like stealing candy from a baby. HP scanned the IP blocks involved in the Dark Seoul attacks (175.45.178.xx and 175.45.179.xx) and detected "dated technology that is potentially susceptible to multiple vulnerabilities and consistently showed the same open ports and active devices on scanned hosts." Apparently the North Korean government worries more about controlling Internet access among its population than it does about hardening its Internet-facing systems. Did the FBI's Red Team rule that out? Did they even consider it?
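The chain of inference in Comey's statement and in the Dark Seoul reporting above is short: find the sessions where the proxy was skipped, take the originating IP, and check it against the North Korean allocation. The following is an added example (not code from the original post, and not the FBI's tooling) that mechanizes exactly that check against constructed e-mail headers. The netblocks are the two /24s cited above; the proxy exit list and the sample messages are assumptions constructed for the example. It shows what the check can establish (which network the first hop sat in) and, in the spoofed-HELO message, one way the first hop can lie; what it cannot establish is who operated the host, which is the gap the paragraphs above describe.

```python
"""Walk an e-mail's Received: chain and classify the originating hop.

Added example, not code from the original post or the FBI. Sample messages,
proxy exit list and labels are constructed for illustration.
"""
import email
import ipaddress
import re

# The two /24s named in the Dark Seoul reporting and HP's briefing.
DPRK_BLOCKS = [ipaddress.ip_network(n) for n in ("175.45.178.0/24", "175.45.179.0/24")]

# Exit nodes of anonymizing proxies the analyst already knows (constructed).
KNOWN_PROXY_EXITS = {ipaddress.ip_address("198.51.100.7")}

# Only the bracketed address literal is trusted; the HELO name before it is
# whatever the connecting client chose to say.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message: str):
    """Return the client IP from the earliest Received: header, or None.

    Each MTA prepends its own Received: header, so the last one in header
    order describes the first hop, i.e. the host that injected the message.
    """
    msg = email.message_from_string(raw_message)
    for hop in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hop)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def classify(ip):
    """Label the first hop by what the address alone can tell us."""
    if ip is None:
        return "unknown"
    if ip in KNOWN_PROXY_EXITS:
        return "proxy"
    if any(ip in net for net in DPRK_BLOCKS):
        # Evidence about the network, not the operator: the host may be the
        # block owner, a compromised box, or someone inside the upstream ISP.
        return "direct-dprk-block"
    return "direct-other"


def summarize(messages):
    """Count first-hop labels across a set of messages."""
    counts = {}
    for raw in messages:
        label = classify(originating_ip(raw))
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample messages. Header order is newest hop first.
MSG_PROXIED = """\
Received: from mx.example.net ([192.0.2.10]) by inbox.example.org; Fri, 28 Nov 2014 03:14:02 +0000
Received: from relay.example.com ([198.51.100.7]) by mx.example.net; Fri, 28 Nov 2014 03:14:01 +0000
From: sender@example.com
To: press@example.org
Subject: statement

body
"""

MSG_DIRECT = """\
Received: from mx.example.net ([192.0.2.10]) by inbox.example.org; Fri, 28 Nov 2014 03:19:40 +0000
Received: from unknown ([175.45.178.17]) by mx.example.net; Fri, 28 Nov 2014 03:19:39 +0000
From: sender@example.com
To: press@example.org
Subject: statement

body
"""

# HELO name claims a .kp host, but the address literal is elsewhere.
MSG_SPOOFED_HELO = """\
Received: from mx.example.net ([192.0.2.10]) by inbox.example.org; Fri, 28 Nov 2014 04:10:55 +0000
Received: from mail.example.kp ([203.0.113.9]) by mx.example.net; Fri, 28 Nov 2014 04:10:54 +0000
From: sender@example.com
To: press@example.org
Subject: statement

body
"""

SAMPLE_MESSAGES = [MSG_PROXIED, MSG_DIRECT, MSG_SPOOFED_HELO]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        ip = originating_ip(raw)
        print(ip, classify(ip))
    print(summarize(SAMPLE_MESSAGES))
```

Run stand-alone it prints one label per message and the totals. The "direct-dprk-block" label is the strongest thing this kind of evidence yields; turning it into "the North Korean government" requires the separate premise that nobody else can originate traffic from those blocks, which is the premise the rest of this post disputes.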

It simply isn't enough for the FBI director to say "We know who hacked Sony. It was the North Koreans" in a protected environment where no questions were permitted (I never allow that at Suits and Spooks events). The burden of proof always lies with the person who lays the charges. As of today, the U.S. government is in the uniquely embarrassing position of being tricked by a hacker crew into charging another foreign government with a crime it didn't commit. I predict that these hackers, and others, will escalate their attacks until the U.S. figures out what it's doing wrong in incident attribution and fixes it.


Tuesday, January 6, 2015

A Critical Review of Tom Rid and Ben Buchanan's "Attributing Cyber Attacks"

Thomas Rid and Ben Buchanan recently tackled the problem of attribution in cyber attacks in "Attributing Cyber Attacks", an academic paper published by Taylor & Francis. I don't know Ben Buchanan but I do know Tom Rid to be a very bright and honest individual. I believe that this paper is his and Ben's best effort. Unfortunately, they only managed to serve up the same flawed recipe for attribution that information security companies have been using for the past 15 years.

Somehow, the authors completely missed the fact that the U.S. Department of Justice has only brought one indictment in an APT case and zero successful prosecutions of any APT actors - ever. Granted, I'm not a college-trained thinker, but in every other area you have to demonstrate proof of your prowess. Someone who's successful at fishing brings back fish, not fish stories. Unfortunately, Rid and Buchanan want you to believe that there's some middle ground between the captured fish and the fish that got away. Coincidentally, cybersecurity companies who sell their attribution fish stories to customers want them to believe the same thing - that getting close to catching the fish is the same as hooking it. In their case, of course, the real fish that they're trying to hook isn't the APT actor, it's the customer.
"Attribution is what states make of it."
One of the authors' main points is that attribution is what states make of it, and that's certainly true. A government will determine who it believes to be responsible regardless of the evidence. Multiple intelligence failures going back to the Gulf of Tonkin incident and before are a testament to that fact. And the finding that North Korea was responsible for the Sony attack in spite of evidence to the contrary may be the latest example - time will tell. But as citizens who pay the price for what our State leaders decide to do, we shouldn't tolerate being spoken to like children; i.e. "It's North Korea because I said it's North Korea, young man. Now go to your room!"
The ultimate goal of attribution is identifying an organization or government, not individuals.
That statement is shockingly wrong. Attribution must be able to differentiate between state and non-state actors because blaming a nation state for the actions of a group of malicious hackers can have negative consequences that far exceed anyone's expectations. If you can't tell the difference between a hacktivist group and a foreign intelligence service, you're in the wrong field. If you believe that the ability to differentiate between the two doesn't matter, you're a menace to society.

In fact, cyber security professionals in the private and government sector have been making assumptions about this since the early 2000's - the principal one being that if a cyber attack is against a bank, then it must be Eastern European hackers in it for the money. And if the cyber attack is against an aerospace company (for example), then it must be a nation state because there's no money in stealing intellectual property.

Actually, there's a lot of money to be made in stealing and reselling intellectual property and it's done all over the world. The myth that only governments engaged in acts of cyber espionage from the early 2000's was the genesis of today's APT threat actor business model, where each company creates its own "threat actors" and names them using different conventions. No one knows if there are real people in each group or if they're just a figment of some analyst's imagination. In reality, they are merely groupings of technical indicators that were repeatedly observed in different cyber attacks that companies had some insight into. There's no source validation, no central repository, no proven connection to groups past or present, and no way of tracking individual group members (assuming that you did discover one or two) over time.

To make matters worse, the attribution methodology itself includes mistranslation and errors of fact and even something dubbed "hat-tribution" instead of in-country confirmation of data, arrests of suspects and convictions. And that's by two companies with former military and law enforcement officers in their leadership who should know better.

The authors, to their credit, dedicate one paragraph of their 34-page paper to mentioning the danger of cognitive and political biases. Ironically, the example they choose to use has to do with the Saudi Aramco attack and the danger of blaming it on a Shia activist. In fact, it was a Shia activist employee that was responsible for that attack. A better example would have been pointing out how many years Mandiant insisted that every APT attack that targeted IP was in fact an attack by the Chinese government. Not only did the authors not mention that multi-year-long error, but neither has Mandiant's Richard Bejtlich, who promised this author during a phone call in 2013 that the company was going to address it. I should note here that Richard Bejtlich is also a new Ph.D. student studying under Tom Rid. Perhaps Tom could ask Richard to honor his commitment to explain how Mandiant refused to see what its critics had seen during those years of heavy APT marketing.

Part II of the paper focuses on the nitty-gritty of forensics, which is interesting but unfortunate because the investigator is simply looking at what the attacker wants him to see.

Part III of the paper is about how nation states sell the illusion that they know who did it. Why the authors felt the need to include this section is beyond me. Selling a faulty analysis to the United Nations about WMDs in Iraq is something that the U.S. government is well-known for and frankly ridiculed for. Part III also includes numerous examples of how actors known only by names given to them by a security company (Kaspersky's Careto, DuQu and Flame for example) responded to the reports being made public. That's nice but at the end of the day, Kaspersky Lab didn't identify the specific individuals involved hence no attribution was made.
Our analysis of the practice of attribution calls into question several commonly held positions in the debate on cyber security. One is that offenders from criminals to spies to saboteurs can cover their traces, stay anonymous online, and hide behind the attribution problem. But attribution is not just possible; it has been happening successfully for a long time. Attackers cannot assume that they can cause serious harm and damage under the veil of anonymity and get away with it.
The above quote comes from Rid and Buchanan's conclusion with my emphasis added. If attribution has been happening successfully for a long time, where are the arrests and convictions? The only successes that the FBI and international law enforcement have had have been against low-level hacktivists associated with Anonymous or LulzSec or in the area of financial crime. Today, the FBI and the NSA are certain that North Korea attacked Sony in spite of a mountain of evidence that suggests otherwise. One of the authors of this paper, Tom Rid, called the U.S. government's call on Sony "as good as it gets" on Twitter. That he believes that to be true is the most damning part of this review.


"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - a NATO Cooperative Cyber Defense Centre of Excellence paper,  Tallinn, Estonia. 

Monday, January 5, 2015

Sony, the NSA, and the Next Big Intelligence Failure

"(T)ranslation and analytical errors made by the American SIGINT analysts—errors that convinced the naval task force and national authorities that the North had ordered a second attack on August 4, and thus led Maddox's crew to interpret its radar contacts and other information as confirmation that the ship was again under attack." 
"Subsequent SIGINT reporting and faulty analysis that day further reinforced earlier false impressions. The after-action reports from the participants in the Gulf arrived in Washington several hours after the report of the second incident. By then, early news accounts had already solidified some opinions, and the Johnson Administration had decided to launch retaliatory strikes."
I was 10 years old when this event happened. By the time I turned 18 in 1972 the war was winding down. I had no idea until a few days ago that the thousands of lives lost and hundreds of billions of dollars spent was largely the result of bad signals intelligence (SIGINT) analysis.
The Intelligence Community, because of a lack of analytical imagination, failed even to consider the possibility that Saddam Hussein would decide to destroy his chemical and biological weapons and to halt work on his nuclear program after the first Gulf War. 
In the case of Iraq, collectors of intelligence absorbed the prevailing analytic consensus and tended to reject or ignore contrary information. The result was “tunnel vision” focusing on the Intelligence Community’s existing assumptions.  (WMD Commission)
The Godzilla of all intelligence fuck-ups was the Iraq war. Costs are projected to hit $4 Trillion and the number of lives impacted can't be accurately assessed today. Appendix B of the WMD Commission report is so damning that I couldn't read it all in one sitting without becoming enraged.

This is why President Obama's decision to sanction North Korea over the Sony attack in spite of so much conflicting evidence must not be allowed to go unchallenged. Had this not been Sony but a company that supports our critical infrastructure, the same unproven assumptions being made about North Korea could easily have led the White House to take even more severe steps against a rogue government that has nuclear weapons! The Gulf of Tonkin, the WMD fiasco, and a dozen other intelligence failures that have been made public prove that we must be skeptical and, as taxpayers, demand more and better analysis; even oversight, since some of our best minds are in the private sector, not the public sector.

To that end, I've done two things:

  1. I've created a White House petition which needs 100,000 signatures in 30 days before the President must address it. It asks that the White House release the evidence that it has against North Korea for review by independent experts. When it comes to cyberspace, the best minds are outside of government, not inside. 
  2. I've asked Danny Yadron from the Wall Street Journal to moderate a panel of experts to discuss the publicly available evidence at Suits and Spooks DC. The panel will include Marc Rogers (CloudFlare), Kurt Stammberger (Norse), Roel Schouwenberg (Kaspersky), myself, and hopefully someone from CrowdStrike or FireEye although so far neither company has offered to send anyone.
Please sign the petition and help spread the word, and please be part of the debate at Suits and Spooks DC on Feb 4-5, 2015. It's at the Ritz Carlton Pentagon City. Here's how to register.

Friday, January 2, 2015

The Stakes Are High In The Sony Attack Attribution Gamble

“The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector,” a spokeswoman said in a statement. “There is no credible information to indicate that any other individual is responsible for this cyber incident.” (Politico 29 DEC 2014)
“The administration stands by the FBI assessment,’’ (Wall Street Journal 30 DEC 2014)
I've been researching nation-state and non-state cyber attacks since 2008 and I've never seen anything like the firestorm around the government's attribution of the Sony (NYSE: SNE) breach. In spite of mounting evidence to the contrary, neither the FBI nor the White House is showing any sign that they'll back down from their statements assigning responsibility for the breach to the government of North Korea, or from the President's promise of a proportionate response at a time and in a manner of his own choosing.

The stakes are high because if the White House is wrong, it means that a group of hackers comparable to LulzSec successfully mounted a false flag operation which pointed responsibility at North Korea. No other hacker group until today could make that claim but many will be inspired to try. And the technique is easy enough to copy because our entire cyber attribution mechanism is inherently flawed. In order to convey just how flawed it is, here is FireEye COO Kevin Mandia on the topic of insiders:
"Every time we respond to an incident, it's way more likely than not someone assumes it's an insider," Mandia said in an interview. "Well, over 99 percent of the time, there is no insider involvement."
Now compare that assessment with two studies, one of which was conducted with the help of the U.S. Secret Service:
"Ponemon Institute's Survey on Data Security Breaches reveals that sixty-nine percent of companies reporting serious data leaks responded that their data security breaches were the result of either malicious employee activities or non-malicious employee error."
"A 2008 study by the U.S. Secret Service and Carnegie Mellon involving over 400 incidents in the Information and Telecommunications sector showed 27% were perpetrated by insiders."
That Kevin Mandia doesn't see any insiders when the evidence clearly shows otherwise is key to understanding the stakes in the Sony/DPRK attribution mess. Mandia and the company he founded in 2004 (Mandiant) are responsible for two of the rarest events in InfoSec: a DOJ indictment against 5 Chinese PLA soldiers for multiple acts of data theft in 2013, and the White House finding of responsibility against North Korea in the Sony case last month.

Mandiant's style of attribution is founded on the early-2000s bias that only state actors are interested in IP theft, since there's no money in it. Starting with that bias, Mandiant, McAfee, Symantec, and other early investor-backed companies began collecting technical indicators from their investigations, grouping them by target category or other characteristics that they shared, and naming the groups. Mandiant used the name APT and numbered them: APT1, APT2, APT3, etc. CrowdStrike used the name Panda and came up with variations on it.

Every InfoSec company has its own naming convention, which would be fine if there were a central repository, required source validation, or any kind of oversight. There isn't, of course. No one knows if any of these groups are real. Attribution stops at the naming convention, not at the discovery, prosecution and conviction of an actual person. Companies simply make up their own designations and sell their proprietary intelligence to their customers and the federal government, including the FBI, which then adds it to its own classified database. You can see it for yourself by searching the Wikileaks database, such as here, here, and here.

When you invent a name for a collection of indicators and call it an "adversary", that isn't attribution. It's masturbation. It's also a ticking time bomb waiting to explode when the White House doesn't know enough or care enough to question its intelligence sources and methods. If a hacker group can fool the U.S. government into charging another nation state before it has concrete evidence in place, then what's to stop a more adversarial group from using the same tactics to create an incident that could lead to the next war? It certainly won't be our SIGINT capabilities.

One More Prediction
Should this blog post get wide circulation, expect to see more tweets like this one from Mandiant's Richard Bejtlich that deliberately misrepresented an old Forbes post of mine when everyone was speculating about Stuxnet. Personal attacks are the surest way to know that you've hit close to home.