So Who Hacked Sony? Four Theories

The official narrative holds that agents of the North Korean government infiltrated Sony Pictures’ corporate network and used that attack as leverage to stop the release of a Seth Rogen film. While that might make a good Seth Rogen movie, it hardly seems plausible given what is currently known.

You don’t have to be a conspiracy theorist to take a skeptical view of the official narrative. Yet only the most conspiratorial would claim the attack was fabricated. Somebody infiltrated the Sony network. The question remains: Who done it?

Over at New York Magazine, Margaret Hartmann offers four alternative culprits:

  1. A disgruntled former employee. There are many ways to make money from this intrusion but the attacker(s) chose instead to embarrass the company.
  2. Hacktivists. This was a high profile breach largely because the intruders contacted and taunted Sony executives in the press. Their behavior more closely resembles Anonymous or LulzSec than a nation state.
  3. The Chinese. The cybersecurity firm Mandiant has been hired to investigate the breach. They’ve investigated so many Chinese attacks that they’ve become the firm’s specialty.
  4. Everybody. There’s overlap in all these theories and it’s possible the answer is D.) All of the above.

Regular readers know Your JoeDog subscribes to “All of the above” or as he put it, “everybody and his sister.” For a successful attack on a corporate network to generate maximum LULZ, bragging must occur. It’s very likely somebody breached the network and provided details that enabled successive visitors to play inside the breach.

 

 

Posted in Security, Tech Media



Pyongyang Responds

In response to Washington’s allegation that it was behind the Sony Pictures cyberattack, Pyongyang demanded a joint inquiry into the matter. North Korea claims it can prove it was not involved.

If the US has the goods, then it should welcome this offer. Does anybody think they have the goods? Your JoeDog does not. The information they’ve revealed thus far is weak and void of detail. Apparently the good stuff is classified. We’re supposed to take them at their word.

Your JoeDog has a hard time taking governments at their word. He never bought the case against Saddam Hussein and thus far he remains unconvinced on this one. If North Korea was involved, then declassify the evidence and display it to the public. If not, then Your JoeDog will continue to call bullshit.

Here’s what we know:

  • On November 21st, the perpetrators contacted Sony executives and demanded ransom. The group called itself “God’sApstls.” There was no mention of the supposedly offensive Seth Rogen film.
  • Soon after that, we learned about the Guardians of Peace. Images of hacked Sony computers appeared on the Internet in which a splash screen exclaimed, “Hacked by #GOP.”
  • On December 1st, a representative of the GOP contacted CSO. The group claimed it had no ties to North Korea and no aims to stop The Interview as Sony suggested.
  • On December 9th, Joe Demarest, assistant director with the Federal Bureau of Investigation’s cyber division, told a conference there was no attribution to North Korea. This means they couldn’t find a trail of crumbs back to the attackers.
  • Yesterday, the FBI announced that Pyongyang was behind the attack. It staked its claim on a code signature and IP addresses it says were hard-coded inside the malware.

So somehow we’ve gone from a ransom note by God’sApstls to a cyberattack from Pyongyang. Are we supposed to think North Korea was demanding ransom and taunting Sony before it got around to the movie it found so offensive? Certainly North Korea is a strange place, but that doesn’t make sense even for them….

 

Posted in Security



BREAKING: The FBI Makes A Claim

The FBI disagrees with Your JoeDog. As of a few minutes ago, the Times published an article in which the FBI accuses North Korea of organizing the cyber attack on Sony Pictures.

Okay, what do they got?

The bureau said that there were significant “similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks” to previous attacks by the North Koreans. It also said that there were classified elements of the evidence against the North that it could not reveal.

This is not unexpected. Cyber attackers around the world share code, tools and ideas. I wouldn’t be surprised if this toolkit contains signatures that match those used by the CIA, Iran, Israel or Anonymous.

What else do you got?

“The F.B.I. also observed significant overlap between the infrastructure used in this attack and other malicious cyberactivity the U.S. government has previously linked directly to North Korea,” the bureau said. “For example, the F.B.I. discovered that several Internet protocol addresses associated with known North Korean infrastructure communicated with I.P. addresses that were hardcoded into the data deletion malware used in this attack.”

The wording here is curious: “known North Korean infrastructure.” What does that mean? Are they in North Korea’s one known block of public IP addresses or are these Class C addresses the FBI has seen before? Kim Hak Uhr codes at a workstation with a 192.168.0.4 address so it must be North Korea!!1!1!
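As an added illustration of that point (example code written for this page, not anything the FBI or the original post published): a small triage routine that sorts IP indicators recovered from malware into those that can carry attribution weight and those that cannot. An RFC 1918 address such as the 192.168.0.4 above is non-routable, so finding it hard-coded in a sample says nothing about whose network it pointed at. The block 192.0.2.0/24 is documentation space (RFC 5737) standing in for whatever range an investigator has actually tied to an actor, and the indicator list is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "a.b.c.d/len" into a network number and mask, both in host byte order.
 * Returns 0 on success, -1 on malformed input. */
int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask) {
    char addr[INET_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    struct in_addr a;
    int len;
    if (slash == NULL || (size_t)(slash - cidr) >= sizeof addr) return -1;
    memcpy(addr, cidr, (size_t)(slash - cidr));
    addr[slash - cidr] = '\0';
    if (sscanf(slash + 1, "%d", &len) != 1 || len < 0 || len > 32) return -1;
    if (inet_pton(AF_INET, addr, &a) != 1) return -1;
    *mask = (len == 0) ? 0u : 0xFFFFFFFFu << (32 - len);   /* len 0 handled: a 32-bit shift is undefined */
    *net = ntohl(a.s_addr) & *mask;
    return 0;
}

/* 1 if the dotted-quad address lies inside the CIDR block, 0 if not, -1 if either is malformed. */
int ip_in_cidr(const char *ip, const char *cidr) {
    struct in_addr a;
    uint32_t net, mask;
    if (inet_pton(AF_INET, ip, &a) != 1) return -1;
    if (parse_cidr(cidr, &net, &mask) != 0) return -1;
    return ((ntohl(a.s_addr) & mask) == net) ? 1 : 0;
}

/* Address space that identifies no organisation at all (RFC 1918 plus loopback).
 * An indicator in one of these blocks says nothing about who owns the other end. */
static const char *const NON_ROUTABLE[] = {
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
};

/* Triage one IP indicator against a block that has been tied to a known actor.
 *   "private"    -> RFC 1918 / loopback: unusable for attribution
 *   "in-block"   -> inside the supplied block
 *   "unresolved" -> routable but outside the block: needs more evidence
 *   "invalid"    -> not a parseable IPv4 address or block */
const char *classify_indicator(const char *ip, const char *known_block) {
    for (size_t i = 0; i < sizeof NON_ROUTABLE / sizeof NON_ROUTABLE[0]; i++) {
        int hit = ip_in_cidr(ip, NON_ROUTABLE[i]);
        if (hit < 0) return "invalid";
        if (hit == 1) return "private";
    }
    int hit = ip_in_cidr(ip, known_block);
    if (hit < 0) return "invalid";
    return hit == 1 ? "in-block" : "unresolved";
}

int main(void) {
    /* Placeholder block (documentation space) and a constructed indicator list. */
    const char *known_block = "192.0.2.0/24";
    const char *indicators[] = { "192.168.0.4", "192.0.2.77", "203.0.113.9", "not-an-ip" };
    for (size_t i = 0; i < sizeof indicators / sizeof indicators[0]; i++)
        printf("%-12s -> %s\n", indicators[i], classify_indicator(indicators[i], known_block));
    return 0;
}
```

The useful output of a run like this is the "unresolved" pile: those are the addresses that still need passive DNS, routing history or provider records before they say anything about an actor, and the "private" pile is the one that should never have been counted as evidence in the first place.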

So we have similarities of code, unknown IP addresses and evidence the FBI can’t reveal because s3cr37s! That’s pretty scant. I remain skeptical, very skeptical.

 

Posted in Security



CTR Is Hard

Sproxy is a word Your JoeDog invented to describe his [S]iege [Proxy]. At the time of this writing, this site has the top three positions for ‘sproxy’ on Google. In the past week, nine hundred people typed ‘sproxy’ into the Google machine. Of those nine hundred, only 110 clicked a link to this site. That’s a 12.22% click-through rate for a made-up word that describes an esoteric piece of software that exists right on this very site. Let’s just say that falls a little below expectation….

 

 

 

Posted in Applications, Siege, Technology



No, North Korea Is Not Responsible For The Sony Pictures Attack

Your JoeDog is skeptical — very skeptical.

Unnamed US intelligence agents claim North Korea was “centrally involved” in the Sony Pictures cyber break-in. A leading “expert” is ninety percent certain North Korea was behind the attack. Well, Your JoeDog is one-hundred percent certain they weren’t.

Remember Stuxnet? It was a worm that infiltrated Iran’s nuclear facilities and attacked their centrifuges. It was certainly developed by a nation state. We still don’t know which one. Israel? They’re on the short list. The United States is, too.

That’s how nations roll when they commit cyber attacks. They don’t send emails which berate a target over its lax security. Nor do they send ransom requests. They certainly don’t give themselves nicknames like Guardians Of Peace. If North Korea had infiltrated Sony, they would have kept it on the down-low. Their message would have been implicit.

The initial interaction between the attackers and Sony was all about money. “Pay the damage,” they implored, “or Sony Pictures will be bombarded as a whole.” There was no mention of Seth Rogen’s film. There was nothing political in that message. The group that claimed responsibility was called “God’sApstls.” The “Guardians of Peace” surfaced later, after images of a splash screen on Sony computers appeared on the Internets. It read, in part, “Hacked by #GOP.”

In a December 1st email to CSO, a GOP representative claimed the group had no ties to North Korea:

“We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France. We are not under direction of any state.

“Our aim is not at the film The Interview as Sony Pictures suggests. But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money.

“The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures.”

Distancing yourself from the country you represent is a funny way to promote its interests….

Personally, I wouldn’t be surprised if everybody and his sister has been inside Sony’s network. Compromising a system is only half the fun. Bragging about it is the other half. Could NK agents have caught wind of the break-in along with enough details to gain entry themselves? Sure. They may even have exchanged Bitcoins for details. Maybe they were inside Sony but they didn’t orchestrate the attack and they certainly weren’t the ones who sent those emails.

 

Posted in Security



Nerd Splaining Large Numbers

Holy shit — the Economist really outdid itself. What now? In this post, they explained why Gangnam Style will break YouTube’s view counter. They used 3726 characters and 612 words to explain that computer integers don’t go on forever. When the Gangnam Style counter reaches 2,147,483,647 it will stop counting. Why?

Integers are stored as a series of ones and zeroes. On a 32-bit platform, a value has to fit in 32 consecutive ones or zeros. Go to this binary to decimal calculator and put 32 ones in the binary field. Press “Calculate” and you’ll get this answer: 4294967295.

But the Gangnam Style counter maxes out at half of that? How come? That’s because the counter is signed: it has to hold negative numbers too, so the range straddles zero, from -2,147,483,648 to 2,147,483,647. Gangnam Style is approaching the upper bound.

If YouTube switched to a 64-bit integer, the counter could go up to about 9 quintillion views.

Remember kids, there are 10 kinds of people in this world. Those who understand binary numbers and those who don’t.

[Economist: Wordy Word Words on Computer Integers]

 

Posted in Programming, Tech Media, Technology



Nobody Ever Typed ‘-1966631820′ Into The Internet

Your JoeDog was debugging C code. Not just any C code, but C code that was last updated in 2001 by a man who’s now retired. Or maybe he’s dead — the point is he can’t be consulted.

Well, sir, this code was inserting 4 billion and change into a field that expected 1 or 0. The insert was based on a result from a previous query. Your JoeDog debugged that variable and determined it was -1966631820. Hoping that number would shed light on his problem, he plugged it into the Internets.

As of 13:22:05 EST, no human has ever typed that into the Internets. Sensing an opportunity to monopolize a keyword, Your JoeDog typey-typed and added this: -1966631820

UPDATE: A couple of things. 1.) A JoeDogger says that Google excludes from its results parameters that are prefaced with a minus sign. 2.) Your JoeDog removed the minus and tried again. A minute after publication, he had captured the number one spot on Google for the keyword ‘1966631820’.
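An added C example, not the Economist’s and not the code Your JoeDog was debugging, that serves both this post and the Gangnam Style one above. It derives the signed and unsigned limits for a given bit width, increments a 32-bit counter without ever wrapping (signed overflow is undefined behaviour in C, so the check has to come before the increment), and shows what -1966631820 becomes when the same 32 bits are read back as an unsigned value, which is how a negative int turns into a figure in the billions on its way into an unsigned field. The 2328335476 it produces is simply the unsigned reading of that bit pattern; whatever the original code actually inserted is the post’s figure, not this one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Largest and smallest values a two's-complement signed integer of `bits` bits can hold
 * (bits in 2..64). The arithmetic is done unsigned so it never overflows itself. */
int64_t signed_max(unsigned bits) {
    return (int64_t)((((uint64_t)1) << (bits - 1)) - 1);
}
int64_t signed_min(unsigned bits) {
    return -signed_max(bits) - 1;
}
/* Largest value an unsigned integer of `bits` bits can hold. */
uint64_t unsigned_max(unsigned bits) {
    return bits >= 64 ? UINT64_MAX : (((uint64_t)1) << bits) - 1;
}

/* Count one more view on a 32-bit signed counter, refusing to wrap around: returns false
 * and leaves the counter untouched when it is already at INT32_MAX. */
bool add_view(int32_t *counter) {
    if (*counter == INT32_MAX) return false;
    (*counter)++;
    return true;
}

/* Count `n` more views with add_view, saturating at the ceiling instead of wrapping. */
int32_t count_views(int32_t start, int n) {
    for (int i = 0; i < n; i++)
        if (!add_view(&start)) break;
    return start;
}

/* The same 32 bits read back as unsigned: a negative int passing through an unsigned
 * variable or database column comes out as a number in the billions. */
uint32_t as_unsigned(int32_t v) {
    return (uint32_t)v;
}

int main(void) {
    printf("32-bit signed range:   %lld .. %lld\n",
           (long long)signed_min(32), (long long)signed_max(32));
    printf("32-bit unsigned max:   %llu\n", (unsigned long long)unsigned_max(32));
    printf("64-bit signed max:     %lld\n", (long long)signed_max(64));
    printf("counter from MAX-1, +5: %d (stopped at the ceiling)\n",
           (int)count_views(INT32_MAX - 1, 5));
    printf("-1966631820 as unsigned: %u\n", (unsigned)as_unsigned(-1966631820));
    return 0;
}
```

The saturating counter is the defensive version of the view counter: it trades "stops counting" for "wraps to a large negative number", which is the behaviour the Economist piece is worried about, and it does so without relying on what the compiler does on overflow.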

 

Posted in On The Job



In Praise of Default Values

Your JoeDog likes options. He feels that if a program takes a variable value, that value should be configurable. A programmer can spend a great deal of time selecting the perfect socket timeout, but unless the user works in the same environment it’s not necessarily perfect for them.

On the occasions when Your JoeDog uses Windows, he finds himself struggling to make the software do his bidding. It takes time to add another text field to a Windows GUI, so developers tend to limit the number of configurable options.

At the same time, he hates complicated software. You shouldn’t need a computer science PhD in order to configure scheduling software. Yet it’s impossible to use Tivoli’s workload scheduler and not feel completely overwhelmed. It can take days to set up.

These notions don’t have to be mutually exclusive. Software can be extremely flexible and simple to use. Your JoeDog achieves this notion in his own software with a novel concept known as the “default value.” If you don’t set a value, you get the default. If you require more precision, you can change those settings.

Generally speaking, software users don’t care about every configurable value. They have a subset of values they want to change. If everything has a default that doesn’t need to be set for the software to function, then the documentation becomes less overwhelming. If all you want to do is change one setting, then you can search the docs for just that configuration.

Your JoeDog does enough GUI programming that he can speak to the notion he mentioned above. It takes time to add labels and text fields to a program. Those GUI elements also take valuable screen real estate. As a result, many programmers limit the flexibility of their programs.

Here’s a thought: why not make the program configurable with a combination of a GUI and a configuration file? You can place the frequently changed stuff inside the GUI and the more obscure features inside the file. Trust me, the users who really want to change something will discover how to do that if you let them.

Keep it simple but make it flexible and your users will be appreciative … until you blog about it.

 

 

Posted in Programming



Fido 1.1.5 SIGHUP and Reload

Good morning, JoeDoggers. Let’s bask in the glow of Your Fido this morning; he’s all grown up and ready for love. What does that mean? Well, it means it now behaves like a modern daemon. Starting with version 1.1.5, if you send it SIGHUP, it will reload its configuration file.

Really? It’s been out since 2011 and you’re only adding that feature now?

Hey, what do you want from me? It’s free, isn’t it?

Here’s how it works: if you change fido’s configuration file, you can send it SIGHUP to reload its key = value pairs. There’s just one thing it won’t reload: its filenames.

Remember, a fido configuration file is divided into two parts: global settings and file settings. The file settings are distinguished by a filename followed by a pair of curly braces, like this: {}. Here’s an example:

/usr/local/var/my.log {
 # key = value pairs go here.
}

So if you change /usr/local/var/my.log to anything else, you’ll have to restart fido. If you change any other values, then you can just send it SIGHUP.

So how do I send it SIGHUP?

There are several ways of doing this.

1.) You can look for the process ID (PID) with the ps command and send it SIGHUP (which is signal number 1):

# ps -aef | grep fido
root 31952 1 0 09:21 ? 00:00:00 /usr/sbin/fido -f /etc/fido/fido.conf
# kill -1 31952

2.) Check your system documentation. Some kill commands accept signal names instead of numbers, like this:

# ps -aef | grep fido
root 31952 1 0 09:21 ? 00:00:00 /usr/sbin/fido -f /etc/fido/fido.conf
# kill -HUP 31952

3.) We can eliminate the ps command by using fido’s pid file like this:

# kill -1 $(cat /var/run/fido.pid)

You can verify a successful config reload by looking at /var/log/messages.
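Here is an added C example of the reload pattern described above. It is not fido’s source; the config keys in it (log, rules) and the sample configs are hypothetical stand-ins. It keeps the signal handler down to setting a flag, re-parses the file from the main loop, and applies the result with the same limitation the post describes: key = value pairs are refreshed but the filenames from the original file are frozen, so a block for a new filename is ignored. A file that fails to parse leaves the running configuration untouched rather than half-applied.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* The handler only sets a flag; the re-parse runs in the main loop, where it is safe
 * to allocate, log and open files. */
static volatile sig_atomic_t reload_requested = 0;
static void on_sighup(int sig) { (void)sig; reload_requested = 1; }

int install_sighup_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sighup;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;                /* don't let the signal abort blocking reads */
    return sigaction(SIGHUP, &sa, NULL);
}

/* Main loop only: returns 1 (and clears the flag) if a SIGHUP arrived since the last call. */
int take_reload_request(void) {
    if (!reload_requested) return 0;
    reload_requested = 0;
    return 1;
}

#define MAX_KEYS 8
#define MAX_FILES 8
struct entry   { char key[32]; char value[128]; };
struct filecfg { char name[128]; struct entry keys[MAX_KEYS]; int nkeys; };
struct config  { struct entry globals[MAX_KEYS]; int nglobals; struct filecfg files[MAX_FILES]; int nfiles; };

static char *trim(char *s) {
    while (*s == ' ' || *s == '\t') s++;
    char *end = s + strlen(s);
    while (end > s && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\r')) *--end = '\0';
    return s;
}

static int put_entry(struct entry *tab, int *n, const char *k, const char *v) {
    if (*n >= MAX_KEYS) return -1;
    snprintf(tab[*n].key, sizeof tab[*n].key, "%s", k);
    snprintf(tab[*n].value, sizeof tab[*n].value, "%s", v);
    (*n)++;
    return 0;
}

/* Parse fido-style text: global "key = value" lines plus "/path {" ... "}" blocks of
 * per-file key = value lines. Returns 0 on success, -1 on malformed input. */
int parse_config(const char *text, struct config *cfg) {
    char buf[2048];
    struct filecfg *cur = NULL;
    memset(cfg, 0, sizeof *cfg);
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    for (char *line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n")) {
        line = trim(line);
        if (*line == '\0' || *line == '#') continue;
        size_t len = strlen(line);
        if (line[len - 1] == '{') {                              /* "/path/to/file {" */
            if (cur != NULL || cfg->nfiles >= MAX_FILES) return -1;
            line[len - 1] = '\0';
            cur = &cfg->files[cfg->nfiles++];
            snprintf(cur->name, sizeof cur->name, "%s", trim(line));
        } else if (strcmp(line, "}") == 0) {
            if (cur == NULL) return -1;
            cur = NULL;
        } else {
            char *eq = strchr(line, '=');
            if (eq == NULL) return -1;
            *eq = '\0';
            const char *k = trim(line), *v = trim(eq + 1);
            if ((cur ? put_entry(cur->keys, &cur->nkeys, k, v)
                     : put_entry(cfg->globals, &cfg->nglobals, k, v)) != 0) return -1;
        }
    }
    return cur == NULL ? 0 : -1;                                 /* unterminated block */
}

const char *config_get(const struct entry *tab, int n, const char *key) {
    for (int i = 0; i < n; i++) if (strcmp(tab[i].key, key) == 0) return tab[i].value;
    return NULL;
}

/* Apply a re-read file the way the post says fido does: every key = value is refreshed,
 * but the watched filenames are frozen at startup, so a block for a new file is ignored
 * and a renamed file needs a restart. Returns the number of file blocks applied, or -1
 * (live config untouched) on a parse error. */
int reload_config(struct config *live, const char *text) {
    struct config fresh;
    int applied = 0;
    if (parse_config(text, &fresh) != 0) return -1;
    memcpy(live->globals, fresh.globals, sizeof fresh.globals);
    live->nglobals = fresh.nglobals;
    for (int i = 0; i < live->nfiles; i++)
        for (int j = 0; j < fresh.nfiles; j++)
            if (strcmp(live->files[i].name, fresh.files[j].name) == 0) {
                memcpy(live->files[i].keys, fresh.files[j].keys, sizeof fresh.files[j].keys);
                live->files[i].nkeys = fresh.files[j].nkeys;
                applied++;
            }
    return applied;
}

/* Walk the whole flow on constructed configs (hypothetical key names, not fido's own).
 * Returns 0 on success, otherwise the number of the step that failed. */
int demo_reload(void) {
    const char *before = "log = /var/log/fido.log\n/usr/local/var/my.log {\n  rules = /etc/fido/my.rules\n}\n";
    const char *after  = "log = /var/log/fido-new.log\n/usr/local/var/my.log {\n  rules = /etc/fido/other.rules\n}\n"
                         "/usr/local/var/new.log {\n  rules = /etc/fido/new.rules\n}\n";
    struct config live;
    if (parse_config(before, &live) != 0 || live.nfiles != 1 || live.nglobals != 1) return 1;
    if (install_sighup_handler() != 0 || take_reload_request() != 0) return 2;
    raise(SIGHUP);                                   /* what "kill -HUP <pid>" does from outside */
    if (take_reload_request() != 1) return 3;
    if (reload_config(&live, after) != 1 || live.nfiles != 1) return 4;   /* new.log ignored */
    if (strcmp(config_get(live.globals, live.nglobals, "log"), "/var/log/fido-new.log") != 0) return 5;
    if (strcmp(config_get(live.files[0].keys, live.files[0].nkeys, "rules"), "/etc/fido/other.rules") != 0) return 6;
    if (reload_config(&live, "broken {\n") != -1) return 7;              /* bad file: old config kept */
    return 0;
}
```

raise(SIGHUP) inside demo_reload stands in for `kill -HUP $(cat /var/run/fido.pid)` from another shell; in a real daemon the take_reload_request() check sits in the main loop next to whatever poll or sleep the daemon already does, and the log line that confirms a successful reload is written there, not in the handler.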

[Download: Fido]

Posted in Applications, Fido, Release



A Cyber Pearl Harbor

Earlier this year, Home Depot fell victim to one of the worst known cyber attacks. Its systems were infiltrated and attackers stole personal information from millions of customers. The company suffered little from the attack; its stock is now at an all-time high. In the past year alone, there have been many high profile cyber attacks that have been met with little more than a shrug.

Leon Panetta, a former US Secretary of Defense, once claimed it would take a cyber “Pearl Harbor” before Americans were willing to do what was necessary to fix their computer infrastructure vulnerabilities. We haven’t faced such a catastrophe but, as the New York Times discovers, people are starting to realize that more attention must be paid to these sorts of threats. Your JoeDog has seen this new attitude first hand. His company now has more security analysts than systems analysts.

[NY Times: Hacked vs. Hackers]

Posted in Security


