Sony Sortie’s Smoking Gun Still Missing

Recent research from security firm Cloudmark has raised doubt about the purported connection between North Korea and last November’s intrusion on Sony Pictures Entertainment’s computer networks.

The FBI last week continued to press its case that North Korea was behind the cyberattack, which flooded the Net with intellectual property, confidential correspondence, and employee data stolen from the company.

Although the bureau failed to persuade some folks that Pyongyang was behind the Sony attack, President Obama wasn’t among them. He imposed sanctions on North Korea in retaliation.

Evidence linking the country to the Sony raid has been dribbling from the FBI since the incident occurred, but Director James Comey last week revealed at a Fordham Law School cybersecurity forum what appeared to be the smoking gun.

For the most part, the Sony attackers hid their activity behind proxy servers, he explained, but occasionally they slipped up, and the FBI was able to trace them to their point of origin: a block of IP addresses allocated to North Korea.

Since the government has such tight control over those IP addresses, the FBI reasoned, the Sony hackers must have been operating with its approval.

Wormy IP Address

However, some activity emanating from those North Korean IP addresses suggests that they may have been hacked, Cloudmark threat researcher Andrew Conway reported late last week.

Cloudmark discovered that one of North Korea’s IP addresses — — has been spitting out spam to the Net, which is a common sign of an infected machine, he explained. When the company cross-checked the IP address with Spamhaus, which tracks spam activity on the Web, it found the address was listed as infected with the Wapomi worm, which is transmitted by USB drives and file server shares.

“This malware includes a software downloader that gives the criminal controlling it the ability to download and run any sort of malware on the victim’s machine,” said Conway.

“It’s not clear if this is one of the IP addresses that the FBI regards as ‘known North Korean infrastructure,’” he acknowledged. “However, unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct.”

The New DDoS

In addition to the attack on Sony Pictures Entertainment, hackers assaulted Sony’s Playstation Network and Microsoft’s Xbox network by launching Distributed Denial of Service attacks.

Traditionally, DDoS attacks marshal thousands of computers to send a barrage of traffic that forces a website offline. In the Sony case, the hackers used compromised home routers, but the idea is the same. That tactic is an idea whose time may be passing, however.

“Flooding network connections can be difficult to do, because you have to recruit a lot of bots,” said Steve Pao, general manager for security business at Barracuda.

In addition, “the service providers have become pretty good at identifying anomalous traffic volumes,” he told TechNewsWorld.

So hackers have turned to other techniques for launching DDoS attacks.

“Today, most denial of service is application layer denial of service, because it makes it easier to launch a denial of service attack with fewer resources,” Pao explained.

More Bang per Bit

A DDoS application attacker wants to send the least amount of information that will consume a lot of resources in response. The typical search box on a website works well for that purpose.

“It takes very little traffic to launch a search on a website,” Pao noted, “but it takes a tremendous amount of resources for a website to return search results against its dynamic content.”

Another trick used by attackers is to load up a shopping cart with items — US$10,000 in goods, for instance — and then abandon it, but save the session ID. Then they can log in with multiple clients that all use the same session ID, forcing the website to retrieve the items for the cart numerous times simultaneously.

“You’re looking for behaviors where it doesn’t take very much traffic on the client side, but it takes a lot of processing on the server side,” Pao said.
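Detection logic for the two request patterns described in this section (the search-box flood and the replayed abandoned-cart session), as an added example that is not part of the original article. It assumes a constructed access-log format of "epoch client_ip session_id path" and hypothetical thresholds; tune both to your own logs.

```python
# Added example (not the article's): flag the low-traffic, high-cost patterns above.
from collections import defaultdict

# Constructed log, "<epoch> <client_ip> <session_id> <path>": session s1 is
# replayed from five clients within seconds; 10.0.0.9 fires a burst of searches.
SAMPLE_LOG = """\
1420000000 10.0.0.1 s1 /cart
1420000001 10.0.0.2 s1 /cart
1420000001 10.0.0.3 s1 /cart
1420000002 10.0.0.4 s1 /cart
1420000002 10.0.0.5 s1 /cart
1420000003 10.0.0.9 s7 /search?q=a
1420000003 10.0.0.9 s7 /search?q=b
1420000004 10.0.0.9 s7 /search?q=c
1420000004 10.0.0.9 s7 /search?q=d
1420000005 10.0.0.9 s7 /search?q=e
1420000006 10.0.0.20 s8 /search?q=shoes
1420000030 10.0.0.21 s1 /cart
"""

def parse(log):
    # -> list of (timestamp, ip, session_id, path) tuples
    return [(int(t), ip, sid, p) for t, ip, sid, p in
            (line.split() for line in log.splitlines())]

def burst_count(pairs, window):
    """Most distinct values seen in any window-second span of (timestamp, value)."""
    pairs = sorted(pairs)
    best = 0
    for i, (t0, _) in enumerate(pairs):
        best = max(best, len({v for t, v in pairs[i:] if t - t0 <= window}))
    return best

def shared_sessions(events, window=10, max_ips=3):
    """Session IDs used by more than max_ips distinct clients within window seconds."""
    by_sid = defaultdict(list)
    for ts, ip, sid, _ in events:
        by_sid[sid].append((ts, ip))
    return {sid: n for sid, pairs in by_sid.items()
            if (n := burst_count(pairs, window)) > max_ips}

def search_floods(events, window=10, max_searches=4):
    """Clients issuing more than max_searches /search requests within window seconds."""
    by_ip = defaultdict(list)
    for i, (ts, ip, _, path) in enumerate(events):
        if path.startswith("/search"):
            by_ip[ip].append((ts, i))   # the index keeps each request distinct
    return {ip: n for ip, pairs in by_ip.items()
            if (n := burst_count(pairs, window)) > max_searches}
```

Running `shared_sessions(parse(SAMPLE_LOG))` reports session s1 used by five clients, and `search_floods(parse(SAMPLE_LOG))` reports five searches from 10.0.0.9 inside the window; either hit is a candidate for rate limiting or session invalidation rather than a bandwidth-based block.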

Gogo Boo-Boo

Digital certificates are used by websites to authenticate themselves to a browser. They’ve also been the target of hackers with mischief in mind. It’s rare, though, that a legitimate service provider would deliberately fake certificates for its own gain — as the in-flight broadband provider Gogo did last week.

The practice was discovered by a Google employee who tried to use Gogo to access her YouTube account. She noticed that the certificate she received, rather than being signed by a recognized certificate authority, was signed by Gogo.

Gogo uses the certificates as a reminder that it doesn’t want its service to be used for bandwidth-intensive applications while in flight, it said — but that explanation didn’t get rave reviews in security circles.

“It is increasingly difficult for both end users and businesses to understand if secure communications can be trusted,” said Kevin Bocek, vice president for security strategy and threat intelligence at Venafi.

“It’s best if business providers like Gogo don’t complicate the matter by creating more confusion and risk with what looks like malicious certificates that could be used to spoof and monitor private communications,” he told TechNewsWorld.

Last year, more than 6,000 forged Facebook certificates were discovered by Carnegie Mellon University — some of them actively used by malicious software, Bocek added.

“Forged, compromised, and misused certificates and keys are a major threat that enterprises are only starting to grapple with,” he said. “It’s clear, however, that bad guys know how to use them against us.”

Frozen Keyboards

Reports that the NSA has been running massive surveillance campaigns against citizens everywhere — including the United States — are having a chilling effect not only on the domestic tech sector but also outside the tech sector.

For example, the PEN American Center last week released a survey of writers around the globe that found 75 percent of them who lived in “free” countries were “worried” or “somewhat worried” by the level of surveillance in their countries. What’s more, more than a third (34 percent) admitted to self-censorship.

Writers may be overreacting to the NSA’s actions.

“These writers seem to be under the impression that human beings were reading emails and monitoring communications,” said Scott Borg, CEO and chief economist at the U.S. Cyber Consequences Unit.

“That was not the case. There was extensive computer monitoring of these communications, but remarkably little human monitoring,” he told TechNewsWorld. “They were doing less with their scanning than Google does with its scanning of email.”

Breach Diary

  • Jan. 5. The Wall Street Journal reports Morgan Stanley fired Galen Marsh, a financial advisor it accused of stealing account data on about 350,000 clients and posting some of that information for sale on the Net.
  • Jan. 6. Rep. Elijah Cummings, D-Md., requests information from KeyPoint Government Solutions related to data breach at the contractor, which exposed personally identifiable information of nearly 50,000 federal employees.
  • Jan. 6. Moonpig, a greeting card company in the UK, suspends mobile services after security researcher reports authentication flaw that places at risk account information of at least 1.5 million mobile users.
  • Jan. 7. FBI Director James Comey, speaking at a cybersecurity conference at Fordham Law School, says he has “very high confidence” that North Korea was behind the attack on Sony Pictures Entertainment, citing several occasions when the attackers failed to cover their tracks with proxy servers, exposing IP addresses tied to Pyongyang.
  • Jan. 7. Zappos agrees to pay $106,000 to nine states for 2012 data breach that put at risk sensitive data of 24 million customers.
  • Jan. 8. Eset releases Windows exploitation report for 2014. Among its findings: Microsoft fixed twice as many vulnerabilities across its product lines in 2014 than in 2013.
  • Jan. 9. German tech news site Heise reports flaw in the search software included with Apple’s OS X Yosemite, which allows private details of Apple Mail users to be viewed by unauthorized parties.
  • Jan. 9. Bitstamp, a bitcoin exchange, restores service after being shut down for a week following breach resulting in theft of $5 million in bitcoin.
  • Jan. 9. Brian Krebs reports Lizard Squad, which shut down Sony’s and Microsoft’s gaming networks over the holidays, used a global network of hacked home routers to mount those attacks.

Upcoming Security Events

  • Jan. 19. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Fee: $20.
  • Jan. 22. Babarians at the Gate: Data Protection at Massive Scale. 2 p.m. ET. Black Hat webcast sponsored by PhishMe. Free with registration.
  • Jan. 29. From The Front Lines: Insights From Network Ops On The Global Threat Landscape. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Feb. 4-5. Suits and Spooks. The Ritz-Carlton, Pentagon City, 1250 South Hayes Street, Arlington, Virginia. Registration: $675.
  • Feb. 6-7. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • Feb. 7-8. #Disastertech Hackathon. Ernest N. Morial Convention Center, New Orleans. Registration: free, but limited to 50.
  • Feb. 10-12. International Disaster Conference and Exposition (IDCE). Ernest N. Morial Convention Center, New Orleans. Registration: government, nonprofit, academia, $150; private sector, $450.
  • Feb. 11. SecureWorld Charlotte. Harris Conference Center, Charlotte, North Carolina. Open sessions pass: $25; conference pass: $165; SecureWorld plus training: $545.
  • Feb. 19. Third Annual 2015 PHI Protection Network Conference. The DoubleTree – Anaheim-Orange County, 100 The City Drive, Orange, California. Registration: before Jan. 2, $199; after Jan. 1, $249.
  • Feb. 21. B-Sides Tampa. The Museum of Science and Industry, 4801 E. Fowler Ave., Tampa, Florida. Free.
  • Feb. 21. B-Sides Indianapolis. DeveloperTown, 5255 Winthrop Ave., Indianapolis, Indiana. Fee: $10.
  • March 4-5. SecureWorld Boston. Hynes Convention Center. Open sessions pass: $25; conference pass: $175; SecureWorld plus training: $545.
  • March 18-19. SecureWorld Philadelphia. DoubleTree by Hilton Hotel, Valley Forge, Pennsylvania. Open sessions pass: $25; conference pass: $295; SecureWorld plus training: $695.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
