Was Sony The First (Hint: No)?

While The Sony hack/attack continues to capture the media’s attention with new data releases which create drama – who got caught saying what when – Bloomberg is reporting that something very similar to that happened to the Sands empire in February of this year.

Some of you are familiar with Admiral Rogers' testimony (he heads the NSA) last month before Congress about hackers taking down critical US infrastructure in the future – not if, but when.  Guess what.  The NSA knew all about the Sands attack from the beginning.  What Rogers didn't say was that it had already happened.

Bloomberg reported: "But early on the chilly morning of Feb. 10, just above the casino floor, the offices of the world's largest gaming company were gripped by chaos. Computers were flatlining, e-mail was down, most phones didn't work, and several of the technology systems that help run the $14 billion operation had sputtered to a halt."

The engineers at the Sands figured out what was going on within an hour – that they were under attack and that computer hard drives were getting wiped.

Hundreds of people were calling IT to report that their computers were dead.

Like a scene out of a movie (sorry Sony – this is not your script), Sands engineers ran across the casino floors of the Sands Vegas properties unplugging network cables of as many working computers as they could.  It didn’t matter if the computer controlled slot machines or was used by pit bosses – it got unplugged.

Unlike the Sony attack – at least as reported by Bloomberg – the attackers didn’t steal data and we certainly have not seen any data publicly released.  The attackers were angry at Sheldon Adelson, CEO of Sands, for pro-Israel, anti-Iran comments he made at a panel discussion at Yeshiva University in New York late last year.

While the Sands organization understood physical security – both of the casinos and of Adelson's family – very well, it really didn't get cyber security at the same level.

Even though the Sands organization was able to keep the details quiet for 10 months, they are starting to come out now.  The attackers started at a smaller Sands casino in Pennsylvania, got in, and used that as a path toward Vegas.

Early in the morning of February 10, 2014, the attackers launched their attack, wiping thousands of computers and servers.  By early afternoon, security engineers at the Sands saw from logs that the attackers were compressing large batches of sensitive files — likely in preparation for uploading them.

The President of Sands, Michael Leven, made the decision to pull the plug – like Sony did – and disconnect the hospitality chain from the internet.

Luckily for Sands, they used an IBM mainframe for certain functions.  The door key cards still worked, the elevators worked.  The company’s web sites, hosted by a third party, were still working, although the attackers did attempt to take those servers down the following day and did compromise them.

Since the Sands was working to do damage control, it said only that its web site had been vandalized and that some other systems were not working.

The hackers, upset that they were not getting the effect they wanted, posted a video on YouTube explaining what they had done.  While the video was removed after a few hours, the attack was no longer a secret.

So what does a company do?  One thought is to hack back.  The challenge is to figure out where.  More than likely, the attacks are coming from compromised computers all over the world (the initial attacks on Sony came from a hotel in Thailand – are we going to blow up Thailand?).  What if the attacks are coming from – or seem to be coming from – a farm house in Iowa?  Are we going to send S.W.A.T. in after Ma and Pa?  You might speculate.  You might eventually have evidence.  But in the U.S., if you get caught hacking into other people's computers (unless you are the CIA or NSA), you will go to jail.  That is the law.

There are no easy answers unfortunately.  BUT, what is clear is that companies need to start making contingency plans because this problem is not going away.

And, as news of the Sony and Sands attacks goes mainstream – maybe with others following – attackers will only amp it up and go after more people.

To paraphrase the Boy Scouts – BE PREPARED!

Sony Lesson: There Is No Such Thing As Private Email

One of the items that got leaked in the Sony hack was the mailbox of Amy Pascal, the Co-Chairman of Sony Pictures Entertainment.  Here are some excerpts from a Washington Times article.

Among the leaked conversations in the emails is an exchange between Pascal and producer Scott Rudin.  The conversation goes something like this:

Rudin: Angelina Jolie is a "minimally talented spoiled brat" from "Crazyland" … "YOU BETTER SHUT ANGIE DOWN" (referring to a project that Jolie wanted to do that would have impacted Rudin).

Pascal: "Do not [expletive] threaten me."

Rudin: “What the hell are you talking about? Who’s threatening you? Let me remind you I brought this material to you and I can off her from it in a phone call,” Mr. Rudin writes of Ms. Jolie playing “Cleopatra,” the New York Post reported. “Don’t for one second even think about trying this [expletive] with me.”

There are other conversations – for example racist comments about President Obama.

Now here is the thing – and the I.T. guys have known this for years.  If you write stuff in email that you DON'T want to become public, it sometimes does become public.  You just can't stop it.

Apparently, there are a bunch of other emails that are not terribly flattering as well.

There is talk on the street about Pascal losing her job.

I know that email is very convenient, and if you use the right kind of encryption you reduce the odds of it going public – but you don't eliminate them.  It's just not a good plan to put stuff like that in written form.  And if you do, you had better cross your fingers.



The Year Of The Crypto Bug

I am going to name 2014 as the Year Of The Crypto Bug.

Does it seem to you that this year or so has revealed more than its share of cryptography oopsies?  It does to me.  So I started looking at what was found this year.  In some sense, this is good news, but in another sense, how many more have not been found yet?

I haven’t looked at history, so maybe this is normal.  MAYBE, this is the year of the crypto bug.

Many of the bugs listed below are major – like 10 out of 10 – kinds of bugs, and many are also ones that you don't have the ability to patch.

  • Microsoft SChannel – SChannel is part of Microsoft's implementation of SSL and TLS, which we all use for shopping and banking.  The patch was rated critical; Microsoft said that a remote, unauthenticated attacker could execute arbitrary code.  The bug, nicknamed Winshock, had been around for 19 years.
  • Heartbleed – The Heartbleed bug got a lot of attention in the press when it was first announced.  Heartbleed affected OpenSSL, again attacking the security that we use for banking and shopping, but it also affects the "Internet of Things" like web cams, alarm systems, elevators and HVAC controllers.  Many of these use OpenSSL because it is free.  Worse yet, when was the last time you patched your refrigerator?  So, it is likely that this bug will persist for years if not decades.  Some people rated this an 11 on a 1 to 10 scale.
  • POODLE – POODLE is another attack on SSL – that old staple.  In this case, really old.  It is an attack that allows an attacker to convince a site to use an 18-year-old version of SSL, which has some security weaknesses.  The solution is to get rid of this version of SSL, which Firefox did several weeks ago, Google will do this month and Microsoft will do in a couple of months.
  • Son of POODLE – This new variant of the POODLE attack above is more effective than the original one.  It does not require you to force the browser or web site to use an obsolete version of SSL – it works fine with TLS – and it is far simpler to accomplish.  A number of high profile web sites fall victim to this bug.  The linked article has a pointer to Qualys' free test to see if your site is vulnerable.
  • WhatsApp – This is really more of a design flaw than a bug, but it still puts content at risk.  According to some researchers in Utrecht, Netherlands, the WhatsApp development team made some decisions that weaken the protections offered by the encryption they provide.  They said that you should assume all messages are compromised (which is a bit strong in my opinion).  On the other hand, the CEO of WhatsApp said the story is overblown and don't worry your pretty little heads.  One might conclude that they knew their crypto was weak and chose not to fix it, or weakened it on purpose for nefarious reasons.
  • Mozilla NSS Crypto Library – This bug allows a hacker to fake or forge SSL certificates, allowing an attacker to create a website that looks real down to the SSL padlock.  Intel called this the BERserk attack because it compromises the Basic Encoding Rules of the protocol.  Cute.
  • Apple Triple Handshake – This bug, affecting iOS 7.1 and earlier for phones and OS X 10.8 and 10.9 on Macs, allows an attacker to reuse credentials that you have already used to authenticate yourself to, say, your bank.  This requires that the attacker be able to eavesdrop in the middle of your conversation, like at a public WiFi.  Doing anything sensitive on a public WiFi is not a good idea anyway, so this just reinforces it.
  • Apple GoTo Fail bug – This bug, which also affected a variety of OS X and iOS versions, allowed an attacker to present a fake encryption key which the Apple OSes accepted because of a bug.  This would allow the attacker to decrypt ALL traffic.  Apple took a lot of heat about the way they handled this particular bug.  It was named the GoTo Fail bug because it was caused by a developer adding 9 extra characters (GoTo Fail) in a module.  This points out that while some bugs are very difficult to detect, a simple code review by someone other than the developer would likely have found this bug before it was released.
  • GnuTLS bug – This bug, like the OpenSSL crypto bug, will be found on millions of computers (GnuTLS is used by several distributions of Linux like Ubuntu, Red Hat and Debian).  The bug allows an attacker to easily bypass the SSL or TLS encryption on web sites.  Again, this software is used in lots of "Internet of Things" kinds of devices like web cams and alarm systems.
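The GoTo Fail item above is worth seeing in code.  What follows is an added, simplified model of that pattern written for this post; it is not Apple's code, and the stand-in functions hash_update and verify_signature are hypothetical.  The point it shows: the duplicated, unconditional `goto fail` jumps past the signature check while `err` still holds the 0 returned by the previous successful step, so the function reports success for a bad signature.

```c
/* Added example: a toy model of the "goto fail" control-flow bug.
 * Not Apple's code; hash_update/verify_signature are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical steps: 0 means success, -1 means failure (SSL-style error codes). */
static int hash_update(const char *label, bool ok) { (void)label; return ok ? 0 : -1; }
static int verify_signature(bool sig_valid)         { return sig_valid ? 0 : -1; }

/* Buggy version: one extra "goto fail;" is always executed. */
int verify_buggy(bool sig_valid)
{
    int err = 0;
    if ((err = hash_update("server_random", true)) != 0)
        goto fail;
    if ((err = hash_update("params", true)) != 0)
        goto fail;
        goto fail;   /* the 9 extra characters: unconditional, skips the check below */
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;      /* err is still 0 from hash_update, so a bad signature "passes" */
}

/* Fixed version: the signature check is reached and its result is returned. */
int verify_fixed(bool sig_valid)
{
    int err = 0;
    if ((err = hash_update("server_random", true)) != 0)
        goto fail;
    if ((err = hash_update("params", true)) != 0)
        goto fail;
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    /* Constructed input: a signature that does NOT verify. */
    printf("buggy accepts bad signature: %s\n", verify_buggy(false) == 0 ? "yes" : "no");
    printf("fixed accepts bad signature: %s\n", verify_fixed(false) == 0 ? "yes" : "no");
    return 0;
}
```

Building with GCC's -Wall (which includes -Wmisleading-indentation) or Clang's -Wunreachable-code flags the stray line, which is the kind of automated check, alongside a second pair of eyes in review, that would have caught it.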

Analysis Of The Sony Breach

Risk Based Security is doing a play by play of the Sony breach.  Visit their website for a detailed analysis of what was stolen.

I am going to pick just one little part of it, which is scary in and of itself.  The fact that they found over a million unredacted Social Security numbers is a business process problem – one that will likely lead to a number of lawsuits.

Utilizing the enterprise solution, Sensitive Data Manager, Identity Finder discovered:
  • 601 files containing SSNs
    – 75 Acrobat PDFs
    – 523 Excel spreadsheets
    – 3 Word documents
  • 47,426 unique SSNs
    – 15,232 SSNs belonged to current or former Sony employees
    – 3,253 SSNs appeared more than 100 times
    – 18 files contained between 10,860 and 22,533 SSNs each.
  • 1,123,798 copies of compromised SSNs

"The most concerning finding in our analysis is the sheer number of duplicate copies of Social Security numbers that existed inside the files. In this instance, some SSNs appeared in more than 400 different locations, giving hackers more opportunities to wreak havoc," said Todd Feinman, President and CEO, Identity Finder. "As we have seen from the myriad data breaches this year, every organization is vulnerable to an attack. Security technologies are an important shield, but minimizing the target and reducing the footprint of sensitive data is more critical than ever."


Charge Anywhere Hackers Were Inside For Almost 5 Years

Charge Anywhere is a provider of credit card payment services for merchants.  This week they announced that hackers had been found inside their network.

The sad thing about it is that they admitted that the bad guys had been inside their network since November 2009.  That is almost 5 years.

They said that they only found evidence of the bad guys trafficking in stolen cards between August 17, 2014 and September 24, 2014.  That doesn't mean these guys hadn't been stealing data for years.

Now here is the hard part.  Unlike the Target or Home Depot breaches, a consumer has no way to know whether some store they shopped at used Charge Anywhere as its credit card processor.

What they say is watch your credit card and bank statements for unauthorized transactions — making their poor security hygiene your problem.  Given all the stuff going on, you should be doing this anyway, but still….

Assuming your card is misused, you are likely going to blame the merchant you shopped with and not its credit card processor, so Charge Anywhere kind of gets a get-out-of-jail-free card.

Using cash is looking better all the time.


Sony – How Do You Deal With The Personal Threat

The Sony attack is breaking new ground (unfortunately).  Part of what the hacker group GOP is doing is creating fear, uncertainty and doubt.  They sent out an email to all Sony employees that read, in part (from The Verge):

I am the head of GOP who made you worry.
Removing Sony Pictures on earth is a very tiny work for our group which is a worldwide organization. And what we have done so far is only a small part of our further plan. It’s your false if you if you think this crisis will be over after some time. All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony Pictures. Sony Pictures is responsible for whatever the result is. Sony Pictures clings to what is good to nobody from the beginning. It’s silly to expect in Sony Pictures to take off us. Sony Pictures makes only useless efforts. One beside you can be our member.
Many things beyond imagination will happen at many places of the world. Our agents find themselves act in necessary places. Please sign your name to object the false of the company at the email address below if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.

Sony is working with the FBI on this, but if I were an employee I would be concerned about what these hackers will do to make Sony employees suffer.

Michael Lynton, the CEO of Sony Pictures, sent out an email to employees saying that they are working with the FBI.  But given that neither Sony nor the FBI was able to stop the attack in the first place or find the attackers afterward, and given that the attackers gave no clue how they were going to make employees suffer, Mr. Lynton's email does not give me the warm fuzzies that I should feel safe.

This is a whole new level of attack – if you can panic a company’s employees, some will leave and many will be distracted.  That kind of situation can put a company in a downward spiral.

Also, there have been reports that Sony executives received threatening emails prior to the attack starting.

Given that for many executives their assistants read their emails, this situation brings into question how well trained the executive team is to deal with this type of threat.  I have no idea what happened at Sony.  The response could be anywhere from printing it out and putting it on the executive's reading stack to mashing the big red 911 button and rolling down the steel storm shutters.  How a company deals with this situation is up to the company, but there should be a plan in place that everyone – from the executive team to legal to security to whoever else needs to be in the loop – knows about in advance.  No different from having a plan for dealing with someone phoning in a bomb threat in the physical world.

For all we know, the initial threat could have come in with a link that someone clicked on that launched the attack.  Scary, but possible.

The company also needs to have a plan for how it is going to deal with employee concerns.  I don't know if Sony had a plan (remember, this is somewhat old hat to them, what with previous attacks and bomb threats), but what became public (the CEO saying that they are working with the FBI and thanking people for sticking it out) is kind of weak.

The longer this goes on, the more stressful it becomes for employees – which is how the attackers wear down the company.

