The Next Phase In The Sony Hack – Lawyering Up

UPDATE: Brian Krebs, the security blogger that has broken a lot of breach stories was one of the journalists that received a letter from David Boies firm.  Today he writes about it and other than the comment about hell freezing over first, he suggests, for the most part, Sony does not have much of a leg to stand on.  Here is a link to his post.

USA Today is reporting that media outlets received warnings or threats from Sony attorney David Boies telling them to destroy any leaked documents that they have, that they will be held liable for damages and that

leaked e-mails, documents and other files amount to “stolen information” and that Sony “does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen Information.”

From Sony’s standpoint, this makes perfect sense in that this attack is a P.R. disaster for them and if they can scare the media into stopping reporting on the details, it will sooner fade into the dust.

But, as an example of how that can backfire, those exact letters have now been published.  Did Sony expect those letters to remain private?  Do they care?  Not clear.

The GOP released some more content over the weekend and some of the sites to which it was posted have already taken the new content down.  But not all of them.

Personally, I do not think the tactic will work.  First of all, a lot of media just reports what other media says.  That is protected speech and I do not think the courts will allow Sony to kill that.

Secondly, it is news even if Sony doesn’t like it.  It might cause some outlets to tone down what they say, but only time will tell.

Third, it may force the GOP to “up the ante”.  Since it is not clear what they have taken, if Sony is heavy handed, it could turn into a full out nuclear war.  For example, i saw a report that the hackers have a script from the breach.  What if they have 5 or 10 or 20.  What if they publish all the scripts that they have.  What if they post their content on eastern European or Russian sites.

One thing that Sony and Mr. Boies should consider – and I suspect that they are – is that they have to follow the rules of US law.  The hackers do not.  That gives the hackers a decided edge.

Last thought – After all the dust settles, there will likely be lawsuits – possibly by some folks with really deep pockets.  And, there will be government investigations and possible fines.  Does it make sense for Sony to attempt to shut the secondary leaks (the media) down?  Absolutely.  Will it work?  Only time will tell.

Mitch

Facebooktwitterredditlinkedinmailby feather

Turkey Pipeline Blast – Was It A Cyber Attack

Bloomberg has been busy lately with cyber reporting.  On December 10th, 2014, they reported that the attack on the Turkish BTC pipeline in 2008 was likely a cyber attack.

The Department of Energy’s Idaho National Laboratory caused a 1 megawatt generator to blow up to prove a point a couple of years before this, so from a possibility standpoint, this is not news.  What is news is that terrorists are moving from possibility to actuality.

The pipeline had sensors and cameras to monitor all 1,100 miles of pipe but curiously, neither the cameras nor the sensors detected the blast.  The pipeline operator found out about the blast and fire when a civilian called the control center on their phone.

The Turkish government blamed a malfunction (kind of like Sony saying they were investigating an IT incident a couple of weeks ago).  A group of Kurdish separatists claimed credit.  BP said there was a fire (true, but kind of missing an important point).

According to 4 different sources, the hackers shut down alarms, cut off communications and over pressurized the pipeline until it exploded and caught fire.  Apparently, the chief suspect is Russia.

The NSA had been warning for years that bad guys could blow up infrastructure from afar.  Admiral Rogers, the current NSA boss, in fact, stated in testimony before Congress last month that it was no longer a question of if, but rather when.  I guess the when was 6 years ago.  The NSA did investigate at the time, so like with the Sands attack I reported about yesterday, the NSA is being a tad bit coy with what they do know.

The good news is that the pipeline was repaired in only a couple of weeks.

The article has more details on the attack.

The point of entry was the wireless security cameras themselves.  The software had a vulnerability and the cameras were not isolated from the rest of the control or alarm system.  Bad boys and girls.

The blast spilled 30,000 barrels of oil and cost BP $5 million dollars a day in transit tariffs.  The Republic of Azerbaijan lost $1 billion in export revenue while the pipeline was down.  Assuming the pipeline was running at capacity, that revenue was lost for good.

For any organization that has industrial control systems (this is not just the local water company – this includes security cameras, alarm systems, HVAC controllers, elevator controllers and other physical plant equipment – just to name a few possibilities) now would be a good time to be worried and make some changes.

Mitch

 

 

 

Facebooktwitterredditlinkedinmailby feather

Was Sony The First (Hint: No)?

While The Sony hack/attack continues to capture the media’s attention with new data releases which create drama – who got caught saying what when – Bloomberg is reporting that something very similar to that happened to the Sands empire in February of this year.

Some of you are familiar with Admiral Rogers testimony (head of the NSA) last month before Congress about hackers taking down critical US infrastructure in the future – not if, but when.  Guess what.  The NSA knew all about the Sands attack from the beginning.  What Rogers didn’t say was that it had already happened.

Bloomberg reported: “But early on the chilly morning of Feb. 10, just above the casino floor, the offices of the world’s largest gaming company were gripped by chaos. Computers were flatlining, e-mail was down, most phones didn’t work, and several of the technology systems that help run the $14 billion operation had sputtered to a halt”

The engineers at the Sands figured out what was going on within an hour – that they were under attack and that computer hard drives were getting wiped.

Hundreds of people were calling IT that their computers were dead.

Like a scene out of a movie (sorry Sony – this is not your script), Sands engineers ran across the casino floors of the Sands Vegas properties unplugging network cables of as many working computers as they could.  It didn’t matter if the computer controlled slot machines or was used by pit bosses – it got unplugged.

Unlike the Sony attack – at least as reported by Bloomberg – the attackers didn’t steal data and we certainly have not seen any data publicly released.  The attackers were angry at Sheldon Adelson, CEO of Sands, for pro-Israel, anti-Iran comments he made at a panel discussion at Yeshiva University in New York late last year.

While the Sands  organization understood physical security – both of the casinos and Adelson’s family – very well, they really didn’t get cyber security at the same level.

Even though the Sands organization was able to keep the details quiet for 10 months, they are starting to come out now.  The attackers started their attack at a smaller Sands casino in Pennsylvania, got in and used that as a path toward Vegas.

Early in the morning of February 10, 2014, the attackers launched their attack, wiping thousands of computers and servers.  By early afternoon, security engineers at the Sands saw from logs that the attackers were compressing large batches of sensitive files — likely in preparation for uploading them.

The President of Sands, Michael Leven, made the decision to pull the plug – like Sony did – and disconnect the hospitality chain from the internet.

Luckily for Sands, they used an IBM mainframe for certain functions.  The door key cards still worked, the elevators worked.  The company’s web sites, hosted by a third party, were still working, although the attackers did attempt to take those servers down the following day and did compromise them.

Since the Sands was working to do damage control,  it said only that their web site had been vandalized and that some other systems were not working.

The hackers, getting upset that they were not getting the effect that they wanted, posted a video on You Tube explaining what they had done.  While the video was removed after a few hours, the attack was no longer a secret.

So what does a company do?  One thought is to hack back.  The challenge is to figure out where.  More than likely, the attacks are coming from compromised computers all over the world (the Initial attacks on Sony came from a hotel in Thailand – are we going to blow up Thailand?).  What if the attacks are coming from – or seem to be – from a farm house in Iowa.  Are we going to send S.W.A.T. in after Ma and Pa?  You might speculate.  You might eventually have evidence.  But in the U.S. if you get caught hacking in to other people’s computers (unless you are the CIA or NSA), you will go to jail.  That is the law.

There are no easy answers unfortunately.  BUT, what is clear is that companies need to start making contingency plans because this problem is not going away.

And, as news of the Sony and Sands attacks go mainstream – maybe with others following it – attackers will only amp it up and go after more people.

To paraphrase the Boy Scouts – BE PREPARED!

 

Mitch

 

 

Facebooktwitterredditlinkedinmailby feather

Sony Lesson: There Is No Such Thing As Private Email

One of the items that got leaked in the Sony hack was the mailbox of Amy Pascal, the Co-Chairman of Sony Pictures Entertainment.  Here are some excepts from a Washington Times article.

Among the leaked conversations int the email are a conversation between Pascal and producer Scott Rudin.  The conversation goes something like this:

Rudin: Angelina Jolie is a “minimally talented spoiled brat” from “Crazyland, … YOU BETTER SHUT ANGIE DOWN (referring to a project that Jolie wanted to do that would have impacted Rudin.

Pascal: “Do not [expletive] threaten me,”

Rudin: “What the hell are you talking about? Who’s threatening you? Let me remind you I brought this material to you and I can off her from it in a phone call,” Mr. Rudin writes of Ms. Jolie playing “Cleopatra,” the New York Post reported. “Don’t for one second even think about trying this [expletive] with me.”

There are other conversations – for example racist comments about President Obama.

Now here is the thing – and the I.T. guys have known this for years.  If you write stuff in email that you DON’T want to become public, it sometimes does become public.  You just can’t stop it.

Apparently, there are a bunch of other emails that are not terribly flattering as well.

There is talk on the street about Pascal losing her job.

I know that email is very convenient and if you use the right kind of encryption, you reduce the odds of it going public – but you don’t eliminate it.  It’s just not a good plan to put stuff like that in written form.  And if you do, you better cross your fingers.

Mitch

 

Facebooktwitterredditlinkedinmailby feather

The Year Of The Crypto Bug

I am going to name 2014 as the Year Of The Crypto Bug.

Does it seem to you that this year or so has revealed more than it’s share of cryptography oopsies?  It does to me.  So I started looking at what was found this year.  In some sense, this is good news, but in another sense, how many more have not been found yet?

I haven’t looked at history, so maybe this is normal.  MAYBE, this is the year of the crypto bug.

Many of the bugs listed below are major – like 10 out of 10 – kind of bugs and many are also ones that you don’t have the ability to patch.

  • Microsoft SChannel – SChannel is part of Microsoft’s implementation of SSL and TLS, that we all use for shopping and banking.  The bug patch was rated critical; Microsoft said that a remote, unauthenticated attacker could execute arbitrary code.  The bug, nicknamed Winshock, had been around for 19 years.
  • Heartbleed – The heartbleed bug got a lot of attention in the press when it was first announced.  Heartbleed affected OpenSSL, again attacking the security that we use for banking and shopping, but it also affects the “Internet of things” like web cams, alarm systems, elevators and HVAC controllers.  Many of these use OpenSSL because it is free.  Worse yet, when was the last time you patched your refrigerator?  So, it is likely that this bug will persist for years if not decades.  Some people rated this an 11 on a 1 to 10 scale
  • POODLEPOODLE is another attack on SSL – that old staple.  In this case, really old.  It is an attack that allows an attacker to convince a site to use an 18 old version of SSL, which has some security weaknesses.  The solution is to get rid of this version of SSL, which Firefox did several weeks ago, Google will do this month and Microsoft will do in a couple of months.
  • Son of POODLE – This new variant of the POODLE attack above is more effective than the original one.  It does not require you to force the browser or web site to use an obsolete version of SSL – it works fine with TLS – and it is far simpler to accomplish.  A number of high profile web sites fall victim to this bug.  The linked article has a pointer to Qualys free test to see if your site is vulnerable.
  • Whatsapp – This is really more of a design flaw than a bug, but it still puts content at risk.  According to some researchers in Utrecht, Netherlands, the Whatsapp development team made some decisions that weakens the protections offered by the encryption they provide.  They said that you should assume all messages are compromised (which is a bit strong in my opinion).  On the other hand, the CEO of Whatsapp said the story is overblown and don’t worry your pretty little heads.  One might conclude that they knew their crypto was weak and chose not to fix it or weakened it on purpose for nefarious reasons.
  • Mozilla NNS Crypto LibraryThis bug allows a hacker to fake or forge SSL certificates, allowing an attacker to create a website that looks real down to the SSL padlock.  Intel called this the BERserk attack because it compromises the Basic Encoding Rules of the protocol.  Cute.
  • Apple Triple HandshakeThis bug, affecting iOS 7.1 and earlier for phones and OSx 10.8 and 10.9 on Macs, allows an attacker to reuse credentials that you have already used to authenticate yourself to, say, your bank.  This requires that the attacker be able to eavesdrop in the middle of your conversation, like at a public WiFi.  Doing anything sensitive on a public WiFi is not a good idea anyway, so this just reinforces it.
  • Apple GoTo Fail bug –  This bug, which also affected a variety of Mac OSx and iOS versions, allowed an attacker to present a fake encryption key which the Apple OSes accepted because of a bug.  This would allow the attacker to decrypt ALL traffic. Apple took a lot of heat about the way they handled this particular bug.  This bug was named the GoTo Fail bug because it was caused by a developer adding 9 extra characters (GoTo Fail) in a module.  This points out that while some bugs are very difficult to detect, a simple code review by someone other than the developer would have likely found this bug before it was released.
  • GnuTLS bugThis bug, like the OpenSSL crypto bug, will be found on millions of computers (it is used by several distributions of Linux like Ubuntu, Red Hat and Debian).  The bug allows an attacker to easily bypass the SSL or TLS encryption on web sites.  Again, this software is used in lots of “Internet of Things” kind of devices like web cams and alarm systems.
Facebooktwitterredditlinkedinmailby feather

Analysis Of The Sony Breach

Risk Based Security is doing a play by play of the Sony breach.  Visit their website for a detailed analysis of what was stolen.

I am going to just pick one little part of it, which is scary in and of itself.  The fact that they found over a million unredacted socials is a business process problem.  One that will likely lead to a number of lawsuits.

Utilizing the enterprise solution, Sensitive Data Manager, Identity Finder discovered:
  • 601 files containing SSNs
    – 75 Acrobat PDFs
    – 523 Excel spreadsheets
    – 3 Word documents
  • 47,426 unique SSNs
    – 15,232 SSNs belonged to current or former Sony employees
    – 3,253 SSNs appeared more than 100 times
    – 18 files contained between 10,860 and 22,533 SSNs each.
  • 1,123,798 copies of compromised SSNs
“The most concerning finding in our analysis is the sheer number of duplicate copies of Social Security numbers that existed inside the files. In this instance, some SSNs appeared in more than 400 different locations, giving hackers more opportunities to wreak havoc,” said Todd Feinman, President and CEO, Identity Finder. “As we have seen from the myriad data breaches this year, every organization is vulnerable to an attack. Security technologies are an important shield, but minimizing the target and reducing the footprint of sensitive data is more critical than ever.”

 

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed