Update on Sony and The Interview

In an about face, after Art House Convergence posted a letter to Sony expressing their desire to show the picture, Sony is allowing theatres, mostly Indies, to screen the movie The Interview on Christmas day.  The best guess is that the number of theatres that will offer it is around 200-300.  In addition, Sony is also offering it up on video on demand at the same time.  While this normally cuts into the box office numbers, given that the chains are not showing it, offering it on VOD at the same time it is being released into theatres likely won’t hurt ticket sales.  In fact, reports are that the web site of the Alamo Drafthouse, one of the Indie chains that is showing it in Dallas and other cities, was unavailable earlier today.  Not because of an attack, but rather because ticket buyers were swamping the web sites.

If ticket sales go well and there are no incidents, then the chains might start showing it early next year.  Likely, this is due to the challenges of scheduling screens and potentially bumping showings off screens that have already been scheduled.

Tim League, founder of Alamo Drafthouse, said their first move, after deciding to screen the movie, was to contact local police to plan for this.  Plans include training for all managers and staff, which seems like a good idea in any case.

Sony is still trying to contain the damage and is threatening to sue Twitter for not suspending the accounts of users who are tweeting damaging emails.  I am not sure if Twitter is scared or not, but so far, they have not suspended the account in question.

On the other side of the planet, North Korea has had three separate Internet outages in the last two days – two short ones and one 9 hour long one.  Who is responsible for these outages is unknown, but it appears likely the work of independent hackers.




Facebooktwitterredditlinkedinmailby feather

New attack on ATMs

Krebs on Security is reporting a new method of extracting money from bank accounts.  So far, this has been reported as being accomplished in eastern Europe and Russia, but there is certainly no reason why this cannot be accomplished in the U.S.

The group starts by sending spear phishing emails to bank employees that look like they are from bank regulators.  The emails contain infected Microsoft Office documents that take advantage of recently patched Office flaws (with the assumption that it takes the banks a while after the patch is out to apply the patch).  Once inside, the malware now looks like an insider and can gain access to additional resources such as the ATM subnet, downloading malicious software to specific ATMs.

In addition, the gangs “buy” already infected desktops inside the banks and add their malware to them.  This is the classic “buy vs. build” argument.  It’s apparently easier than asking people to install your malware.

In one case, using ATMs that contained multiple bill denominations, the hackers told the ATMs that trays had been swapped and when the ATM thought it was dispensing 10 Ruble notes, it was actually dispensing 5,000 Ruble notes.  So when the ATM thought you were getting 10 – 10 Ruble notes (for 100 Rubles), you actually got 10 – 5,000 Ruble notes or 50,000 Rubles.  Combine this with a stolen ATM card and good luck getting your money back.  Not only does the bank lose 50,000 Rubles, but it has to reimburse the actual card owner for the 100 Rubles deducted from his or her account.

This seems a lot easier than snarfing up all those credit cards and trying to figure out who has money on their card or in their account, worrying about the card being shut off and so on, but these gangs are entrepreneurial and do both – steal credit cards and hack the banks.

Apparently, this gang has stolen millions from the Russian and eastern European banks.

So far, this has not affected U.S. banks, but hopefully the banks are on the alert.

The good news is that there are a number of things that you can do (as the bank) to protect yourself given that you understand this M.O.  The question is whether the banks will take the lead and be proactive or wait until they have lost millions.



Facebooktwitterredditlinkedinmailby feather

North Korea Internet Down

UPDATE:  After a 9 hour outage, North Korea has reappeared on the Internet.  Most folks are saying this does not look like the work of the NSA but rather the work of a hacker, but of course, who knows.

Multiple sources are reporting that all 4 of North Korea’s Internet connections are totally down.

The White House is referring questions to North Korea, who is not saying anything.

If this is the work of the CIA or NSA then one would HOPE that everyone keeps their mouth shut.



Facebooktwitterredditlinkedinmailby feather

Misfortune Cookie bug impacts more than 12 million home and small office routers

While this is not exactly an “Internet Of Things” issue, it points out how long it takes to get things fixed and how the tail of a bug can live on forever.  In the case of the Internet of things, people rarely patch their refrigerator, so that bug will live on until the refrigerator is in a landfill somewhere.

So here is the deal.  Rompager is a piece of software that many device manufacturers use to provide a web interface on some device they sell – in this case an internet router.  The bug, which I will describe in a minute, was introduced in 2002 and the developer found it and patched it in 2005.  This is 2014 – 12 years after the bug was created and 9 years after the bug was patched and Checkpoint Software, the Israeli security firm, found 12 million vulnerable devices in 189 countries still have this buggy software – and likely this is not a complete list.  And they were only looking at routers.

Why is that?  Because device manufacturers don’t bother to update their software unless they have to.  It seems to be working.  People aren’t complaining.  If they upgrade it they might break something, so they leave it alone.

Is it reasonable that the bad guys knew about this bug?  Sure.  They check out patches all the time.  And since your internet router is the “responsibility” of your internet provider, unlike your laptop, you don’t worry about patching it.  In fact, in many cases, your internet provider won’t let you into your router to see if it needs to be patched.

Is it reasonable that the spy guys knew about it?  Sure.  See the paragraph above!

The bug.  Due to this bug, an attacker can send a cookie to your router and make it think the attacker is an administrator on your router and basically do whatever it wants.  The bad news is that even if you turn off web administration from the outside for your router, the router still listens for update requests from your internet provider and this bug will still allow a hacker in.

The only way to stop this is to  upgrade the buggy firmware on your router.

For more details and a list of suspected affected routers, see this article from Security Week




Facebooktwitterredditlinkedinmailby feather

CERT Alert on the Sony Malware

The U.S. CERT, part of the Department of Homeland Security,  has released an alert describing the malware that took Sony apart pretty effectively.   Without going into a lot of detail, here is the high level overview:

  • The malware takes advantage of Windows SMB (server message block) protocols that are common to all versions of windows
  • The malware worms its way through the target’s network using brute force guessing of Windows share passwords.  It reports back home every 5 minutes with its successes and asks for new instructions
  • It has a listening component that listens on specific ports on the infected machine (probably for commands)
  • It has a backdoor component that handles file transfer, system survey, proxying and can execute arbitrary commands.  It can even open ports on the victim’s host firewall (one reason I don’t like software based firewalls)
  • The malware has a proxy tool that allows it to listen on a particular port and perform a variety of administrative functions for the malware
  • It contains a module to overwrite data on up to 4 disk drives and if the user has local admin privileges, it also overwrites the master boot record so the computer will not boot.
  • It has a network propagation wiper that allows it to worm its way through the network using built in network shares, drop the malware on the new machine and start destroying that machine.

As you can tell from this very brief description, this is a pretty sophisticated piece of software that someone spent a fair amount of time constructing.

Based on what is described in the alert, this malware would do a pretty good job of laying waste to any network it was found on.

The wiper part is what does the actual damage.  The rest is for recon and control.  By overwriting the disk, you make recovery, for all reasonable situations, impossible and the only option left is to rebuild the system from scratch.  This is why Sony told employees not to turn on their computers and not to connect to the company Wi-Fi.

There were reports in the media of security experts (like Kevin Mandia of Mandiant)  saying that there was nothing Sony could have done to protect itself.  Given this analysis and the assumption that someone did something to get it started inside the Sony network (like clicking on a malicious link), I tend to agree with him.

They probably should have seen the data going out. 50 or 100 terabytes of outbound traffic is a lot, even for Sony.  But if these guys were in there for 6 months, then even that might not be obvious.  And, Sony may not do outbound traffic analysis.


Facebooktwitterredditlinkedinmailby feather

Hackers hit Second OPM Background Investigations Contractor

According to Washington Technology, hackers have gone after Keypoint Systems, a contractor for The Office of Personnel Management that does background investigations for security clearances.  If anyone has ever had a Department of Defense or other government security clearance, the information that you provide is extremely detailed.  For example, for the DoD, the SF-86 form can be well over 100 pages when completed.  OPM is notifying almost 50,000 people that their information may have been taken.  May have because they don’t really know.  I assume they don’t know because Keypoint did not have sufficient controls in place to tell what the hackers took.  OPM says thay Keypoint is adding more controls as a result of the breach, but beyond that, they are saying very little.

Curiously, USIS, the contractor that OPM used to use and most famous for having performed Edward Snowden’s background investigation, was hacked this year also and the OPM cancelled their contract, causing them to lay off 3,000 employees.  The fact that OPM is handling these two breaches very differently will no doubt get some attention on Capitol Hill.

It is more than a  little disconcerting that two different contractors who handle security clearance investigations for the government this year were hacked.  It says something about the (lack of) security requirements in the contracts that OPM is issuing for vendors.

They are the government so they can get away with a lot more than you or I can.

While it is fun to beat up the government, it is, unfortunately, like taking advantage of someone who is not very good at what they do.

The lesson to be learned here is that you should review whether or not you are effectively vetting the security of subcontractors and vendors that you use.  Do your contracts have specifics regarding security practices, policies and technology?  If what happened to Keypoint and USIS happened to you, it would likely have a large effect on your business.  USIS had to shut down an entire division.



Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed