The Sony Hack: You Can’t Keep the Barbarians Outside the Gate

Digital Detectives: The Sony Hack: You Can’t Keep the Barbarians Outside the Gate – 1/21/2015

 

Advertiser: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory, but practical information that you could use in your law practice. Right here on the Legal Talk Network.

 

Sharon D. Nelson: Welcome to the 52nd edition of Digital Detectives, we’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises.

 

John W. Simek: And I’m John Simek, vice president of Sensei. Today, Sharon and I are tackling a subject that has evolved rapidly over the past several weeks. The topic is, The Sony Hack: You Can’t Keep the Barbarians Outside the Gate. Sharon, do you want to start us off?

 

Sharon D. Nelson: Sure thing, John. I think we have to go back in time a little bit and provide our listeners with a little history. You and I just made a trip to Spain where we went to Toledo which was formerly the capital of Spain, and it was fascinating to see that it was located high on a mountaintop; a very steep mountain. And largely – not entirely, but largely surrounded by a river and very easy to defend. So in the digital world moving forward, I guess in the 1990’s which was our olden times of cyber security, we tried to do the same kind of thing. We thought we could build that kind of mountain and just sort of surround ourselves with the equivalence of rivers and moats with antivirus software. And it actually worked fairly well for a while, and then it stopped working because the bad guys had moved onto other attack vectors. John, maybe you could explain how we moved from anti-virus software to anti-malware enterprise suites that had the power of heuristics included.

 

John W. Simek: Like you said in the olden days in the 1990’s, 1980’s, you had anti-virus software because that’s all you really ever had to deal with; viruses, trojans, those kinds of things. Then the attack vectors changed, we started to get phishing attacks. We started to get spyware attacks and malware and drive by downloads and browsers and all that. So now you had your anti-virus software, you had your anti-phishing software, you had your anti-spyware software, you had your anti-everything software. You had all these separate products, so what happened is that the security companies, the security vendors, the semantics of the world and the webroots and the trend micros and those kinds of folks; they began to develop and mature their product line so that it included all of those features and functions into a single product instead of having one from one company and one from another company and a third one from somebody else. So we ended up with what’s called internet suites or enterprise suites today that include anti-malware, generality, functionality, firewall capability, intrusion detection; those types of features. The packages now, the suites, they monitor traffic both inbound to your network as well as outbound from your machine, and that’s in case your machine actually gets infected and starts sending data out without your knowledge. So the security suites now watch for that and they basically have built in heuristics. So they’re looking for characteristics and things that are happening to the network traffic into the computer activity that would be indicative of some sort of infection. And they really don’t care what that infection is, it’s bad stuff at the end of the day. So you could think of it as if it looks like a duck and walks like a duck, it must be a duck. Well, if it acts like malware and sends data like malware, it must be malware. So they pop up these messages and say this particular application is doing something that it probably shouldn’t. Do you want to allow it? We’ve blocked it for now, yes or no. So those are the kinds of things and features, so it’s actually a good thing that we’re now dealing with internet suites and that it has all of this great robust functionality. And the other good thing is, if you recall Sharon back in the older days, a lot of folks were a little apprehensive of anti-virus software because of the resources. It would bog down your machines like crazy and they just didn’t want to have it, so they would turn it off so that they could actually get some work done. We don’t see that really all that much today even with the internet suites, even with the added functionality that all the software is doing for us; it really doesn’t bog the machine down at all, you don’t feel it.

 

Sharon D. Nelson: Yeah, it’s a pretty amazing development and it’s still working pretty well. They can stop most of the barbarians at the gates, but as we’ve come to realize, if you’re attacked by a sophisticated and determined hacker who’s specifically targeting you, the likelihood is that the hacker is going to get past the gate. And that’s how we’ve come to this new theory of the old mantra was keeping them out, and now a new mantra is okay, let’s try to keep them out but the new mantra is detect and respond. So now, assume they’re in, and increasingly the detect and respond mantra can mean different things because sometimes you don’t want to shut the attack down right away because sometimes you want to watch the intruder and you want to learn what data may be compromised, what accesses and credentials may be compromised, and perhaps you’re trying to get clues to the identity of the hacker. So at this point, you’ve probably called in some digital forensic experts and the FBI. It’s not a fun time; there’s a reason they call that the upchuck hour. But by and large, you’re now going to be taking orders rather than giving them because the experts from both the digital forensic side in law enforcement now more than you do about how to proceed. So, john, talk a little bit about the data loss prevention and intrusion detection system software.

 

John W. Simek: Just like the security suites, there are products that are available that watch what’s going on, and it maybe totally valids stuff. But data loss prevention software takes a look at even content of information that’s being sent. So you may have an employee, for example, that’s sending information to their Gmail account, or whatever, and perhaps they’re the one that shouldn’t be doing that. Or they’ve connected a device up to the network and now they’re copying all of this data up to this flash drive, and it’s quite a large amount of volume that happens within a short amount of time. So DLP software is watching those things and saying wait a minute, why is this one person doing that when they really shouldn’t be doing that? Intrusion detection watches it from the outside in. So has someone come in and taken a look at it? Do we have credentials being used from the exterior that are also being used, let’s say at the same time, interior. So it takes a look at those kinds of things that are there. But probably a bigger growth area that we’re seeing, is called SIEM products, and that’s spelled S-I-E-M, which is security, information and event management. And what these products do is they aggregate and hey try to correlate all of the logging that’s occurring between all the network devices. So you’ve got logging, let’s say happening on your server, and a logging happening on your router, and then one happening on your firewall and your database has logging enabled. And it has this massive amounts of data that’s going through, and it would be crazy for a human being to sit there, because it’s after the fact as well, taking a look at what all of those logs are. So the software correlates all of that data together and sees what’s happening and tries to draw what normal activity is, and what is not normal. And when it runs across something that’s not normal, you can configure it to do a couple of different things. Maybe just alert somebody, but it can actually take action. So it can actually manage your events. So if there’s data being attacked or data becoming compromised or being lifted or whatever it is, it can actually shut down those ports or shut down that connection automatically and do all of that stuff, So we’re seeing more of a move that way just because we have all of this massive amounts of data, and it’s almost a real time, if you will, activity that’s occurring there to watch what’s happening and try to protect the assets of the corporations.

 

Sharon D. Nelson: How expensive is this stuff, John? Are we now talking about software that’s only really going to be used by large law firms and large businesses?

 

John W. Simek: The DLP stuff and the IDS software, you can get into that game for as low as several hundred dollars up to a few thousand. SIEM products tend to start at several thousand, two to three thousand dollars and go up from there; just because they are very powerful. And certainly the more expensive SIEM products are the ones that can support a lot more manufacturer’s devices, a lot of different logging systems, that kind of stuff.

 

Sharon D. Nelson: So I’m guessing that what’s happening with this new software that were it’s been implemented, you could probably stop most of the bad guys at the gate, would you agree with that John?

 

John W. Simek: Yeah, most of the relatively unsophisticated as you said.

 

Sharon D. Nelson: Well that’s what I mean, the script kiddies, the cyber criminals which constitutes 60% of the attackers. Most of them are not all that sophisticated. They tend to be people who take advantage of well-known attack vectors and well-known vulnerabilities. So what they are doing really is not sophisticated at these advanced, persistent threats – which is kind of a term that people laugh at because they’re usually not, even when they call it that. But the real advanced persistent threats tends to come from state sponsored hackers as a rule. So let’s talk about a current example of an attack that has certainly been in the news; in fact everyday. John, can you explain what we know about the Sony attack, how Sony was attacked, and why we first believed North Korea was behind it, and now we’re coming around to the view that maybe it was an inside job.

 

John W. Simek: Yeah, there’s a lot of information that’s been coming out recently about the attack. There was a synopsis of what may have occurred is a blog post that Bruce Schneider – a noted security professional – had posted up there, and he posts several different possibilities as to what may have happened. i think if the listeners aren’t aware of it, they should be aware of it, that Sony’s network was infiltrated. And a lot of their data, as well as their corporate data, human resources stuff, a lot of internal information as well as films and all those types of things, corporate email, all of that stuff was lifted. It was terrabytes-worth of information that was taken from Sony in a very short window, a very short period of time. But Bruce Schneider, the possibilities that he put out there, is that one, it was an official North Korean military operation, because we already know that North Korea has extensive cyber-tech capability. Or it may have been the work of North Korean nationals, some of which are politically motivated. But there was nothing really special or sophisticated about the particular hack that would indicate that it would raise to the level of a government attack. In fact, as he stated, there’s proof that they were reusing old attack code; and normally that’s the sign of a conventional hacker being behind it. Another possibility is the work of hackers who had no idea there was a North Korean connection until they read about it in the media; and I think that was kind of funny. In other words, Sony got hacked, then they said wait a minute, we’ve got this movie called The Interview, that’s about North Korea coming up. Oh yeah, we’ll take credit for that. So I thought that was an interesting proposition and that could be true. It could’ve been an insider, such as Sony’s Snowden, who orchestrated it, the latest discussions are about whether or not it was from a disgruntled ex employee – and that’s a possibility and we’ll talk a little more detail about that in a little bit. Or another possibility’s initial attack was not a North Korean government, but was co-opted by the government. In other words, somebody did it, and the North Koreans said this is a great idea, let’s jump on this bandwagon. I think the most telling thing that Bruce puts out there is because of all the information that we’ve heard over the last several weeks, we’re not really sure any one of these stories could be the explanation of what occurred. But the FBI was still insistent that North Korea was involved, North Korea’s responsible for this data breach at Sony. But that’s about it. The one interesting thing that Bruce points out is that perhaps that’s because the FBI has some classified information that it doesn’t want to let out. And that could be true. So they have something that they don’t want anybody to know that they had the capability to. I mean let’s face it, all the way back from the Korean war, the United States has been trying to infiltrate the communications of North Korea. And maybe they’ve been successful in doing that and they don’t want the world to know that they have that capability.

 

Sharon D. Nelson: Either that, John, or they’re flat wrong and they’re never going to admit it. It could be either, it’s roll the dice, it could come up as any number at all. You can’t believe anything the government says anymore, so you really don’t know. They may know something and they may be holding an Ace in their sleep and you just don’t know.

 

John W. Simek: That’s true, but that brings another good question to mind is that once you’ve detected the attack that’s occurring, and you mentioned something recently about this you may want to watch it, but what are your thoughts about how Sony responded to it?

 

Sharon D. Nelson: I know a lot of people came down hard on Sony but I’m not going to do that. I think they were genuinely scared that an act of terrorism would be committed against a theatre showing The Interview, I could empathize with that, and after their partners, the movie theatres starting bailing out on showing the movie. I think that tied their hands a bit, and now they had to deal with appeasing partners who were frightened and obviously it didn’t look like Sony’s security was very good. And there came those rowdy Americans, all fired up about their rights; you’ve got to love us when we get riled up and we got riled up real good. So the pushback was enormous; it came from the top, it came from the president, it came from the press and it came from the public. I was glad to see it, number one, and I was glad Sony listened and reevaluated its response and released the film. But I am reluctant to be too critical because a theatre full of dead people would’ve been a PR nightmare. And I know at one point they thought that was at least a possibility. And I think that’s what they first reacted to, was that. They did end up doing the right thing in the end and I’m happy for that.

 

John W. Simek: This is normally the spot in our show where we hear words from our sponsors. This potentially represents a unique opportunity for you. Digital Detectives is seeking sponsors. You can hear your advertisement right here. If you’re interested, contact the team at Legal Talk Network at [email protected].

 

Sharon D. Nelson: Welcome back to the Digital Detectives on the Legal Talk Network. Today our topic is, The Sony Hack: You Can’t Keep the Barbarians Outside the Gate. Obviously we had decided that is true, you can not keep them outside the gate, so let’s press onward. The Sony attack was called an act of cyber war by a lot of people in the press; and it was called cyber vandalism by president Obama. Here’s my take on that: God forbid we get a true cyber warfare attack; and a true cyber warfare attack is, by definition, one that has military objectives. And that generally means crippling essential infrastructure of a country, and it might often involve the loss of human life; hospitals, et etcetera being impacted, or trains not running correctly, who knows. The Sony attack, I think people just whipped it up and labelled it cyber warfare probably to get headlines that were self-serving. And I think that the president was right when he used a more correct term here of cyber vandalism, which is more like what this was. The followup question to the recent series of events is, John, did you see any evidence that the United States was behind North Korea’s recent internet adage, or did that seem more like a hacktivist attack to you? Of course they claimed that they were behind it, but they would make that claim as a need to agree action no matter what.

 

John W. Simek: The information that I’ve read and seen essentially says that the North Korean’s internet infrastructure is fairly weak, if you will. It’s really limited to the more elite, the military, and those that are in power within the country. The common people don’t use the internet in North Korea like we do here in this country. So it’s not as widespread; there’s certainly a lot of censorship that’s going on, a lot of control of the information that goes on there. So was it a hacktivist attack? Maybe, maybe it was somebody who was just trying to flex their muscles and put a denial of service attack upon North Korea’s internet. but I don’t think there’s any evidence that the U.S. was involved at all in that attack and that it was really their internet infrastructure couldn’t hold up to anything – certainly not anything that major corporations in this country could hold up to. So it’s kind of fragile,and I think that’s why it buckled and then was slow in coming back.

 

Sharon D. Nelson: Well that might have been, but it was interesting, of course, that the president said that we would respond in our own time in a measured way, I think that kind of led into maybe the U.S. did this in a measured way; but it didn’t seem to me to have our fingerprints, you know what I mean?

 

John W. Simek: And you’ve heard the recent news too, though that did the FBI really get this right, was it North Korea? But the other security companies now have been researching the data and looking at it all the way back from pre-Thanksgiving going through this. And one of the bigger news came from a company called Norse Security and they actually had a debriefing with the FBI yesterday so it’s really recent news. But what they discovered was that this whole deal where I believe it’s going to start going down this road, is you’ve got an insider at Sony that was responsible. What they did was looked at HR data and they looked at how many people and who was fired in the April-May time period in Spring of 2014 and who would’ve had the tools and the skills in order to pull this off. So they started from the premise that it really did happen from the inside, just because the data breach was so short, so fast, and they got so much data so quickly. So it implied a lot of inside knowledge. When they looked at that data, they came down to one person. And that’s why all the news reports now are pointing to this one individual, an ex employee that had a very technical background. They then went and looked at other sources of that person in communications across the internet. And they found access to IRC’s internet relay chat forums, other sites, and they were able to capture communications from this ex employee with other individuals that were associated with underground hacking and hacktivists. So now the story’s comng around to maybe it wasn’t really North Korea. Maybe it was this disgruntled ex employee that is out there and began to associate themselves with other known hackers from Europe and Asia. So that is one thing that occurred, but there was another company which I thought was interesting because the Guardians of Peace, and don’t you love that phrase? These are the Guardians of Peace.

 

Sharon D. Nelson: There could not be a name more dripping with irony than Guardians of Peace.

 

John W. Simek: Yeah, they’re the ones that are responsible for this hack, and we’re guarding your peace. But apparently, there was another security company that took a look at all of that information and that communications that was coming from the Guardians of Peace, because they claimed to be North Korea. And when they ran these different linguistic analysis of their online communications, it actually suggested that the people responsible for the communications were of Russian descent, and not North Korea and certainly not Native English speakers or German or any of those types of things. So we have all these conflicted pieces of information now, but it seems like it’s really beginning to steer towards this ex Sony employee and her involvement in this. They also identified potentially six people, so her and five other people that were involved in this. So as time goes on, we’re going to get more information on it.

 

Sharon D. Nelson: Do you think this might be one of those situations when they didn’t appropriately close doors when they had somebody who was fired and they didn’t take the proper measures to lock her out?

 

John W. Simek: I don’t think it’s so much that, and let me look at one of my notes here. One of the things that I thought was really interesting was that the Norse researchers, the ones that I talked about earlier that found all of these things, When they analyzed the malware that was used, the malware was very specific in target. So it was targetting and it was precompiled with the IP addresses for exchange in active directory service within Sony. Now that’s insider information. Normally what happens when someone infiltrates a network, they gain access to, they pass the firewall, they get some users’ logon credentials; whether it’s through phishing or however they get there. But they don’t have any knowledge of the landscape and the infrastructure. And so they begin doing what’s called a horizontal move across this network, looking for where are the servers, where’s this, where’s that resource, do we have other routers here; and that takes months to map all of that stuff out. But from when this attack started and its malware was deposited, it already knew where it was going. So that’s another piece of information that points back to an insider. Because this malware even had usernames, passwords and digital certificates embedded within it in order to quickly gain access to the resources.

 

Sharon D. Nelson: Pretty amazing stuff, isn’t it?

 

John W. Simek: Well if you have a very technical individual, and I don’t know what her position was, but whether you’re a network architect or whether it’s just admin or whatever, a lot of folks don’t think to change administrator passwords, change the router passwords, change the login credentials for active directory or any of those kinds of things. So maybe to answer your question, maybe that was what happened, that they didn’t go and change the stuff, but maybe they didn’t think they really had a problem or that they had to.

 

Sharon D. Nelson: I think the whole turnaround from it’s North Korea, definitely North Korea, we know it’s North Korea, to maybe it’s not; that to me is fascinating because that’s one of the dangers of escalating to a cyber warfare level when it’s automated and you don’t really know the source. In that vain, why don’t you tell our listeners about MonsterMind, John. If that doesn’t scare them, nothing will.

 

John W. Simek: First off, the great disclaimer is we really don’t know if MonsterMind really exists; but MonsterMind was a revelation from the Snowden documents that were released. Basically it’s the NSA’s ability to create a cyber defense system that instantly and autonomously neutralizes foreign cyber attacks against the U.S.. But it can also be used to launch retaliatory attacks. So when Snowden was – this was just right in development, at least the documents that he released say the MonsterMind was in development and that it was being talked about, begin to be programmed, and whatever it is. But basically what it does is it scours massive repositories of metadata and analyzes them to see what’s different from normal traffic. It’s similar from the SIEM things I was talking about, those different anomalies, but on a much larger scale. And then the system would go out and just shut things down or attack back. It’s kind of like, if you remember the movie, WarGames with the WOPR and how the thermonuclear war it was programmed to automatically launch counterstrikes with the nuclear missiles and those kinds of things. It’s that same kind of thing but from a cyber attack perspective.

 

Sharon D. Nelson: But of course as anybody who saw that film would know, the WOPR was responding to a non existent attack, he was just responding to a game, global thermonuclear war being played by a teenager. And that’s one of the concerns with any kind of technology like this. And I think that if I read the piece correctly about the revelations by Snowden, MonsterMind was being developed to detect and terminate the threat, but it hadn’t extended to the point yet where it was going to go on attack without human intervention. But that was clearly the direction that Snowden thought it was ultimately going to head, and that would take out the human element and that would scare me because here we are, in a position where we say, okay, this attack came from North Korea. We may be wrong, but MonsterMind could, theoretically, without human intervention, pose a counterattack because we don’t think we have time enough and they want to take out what they think is the human error factor. But the machines are only as good as their programmers and so the machines can make a mistake too. And if it looks like an attack came from one place and it really came from another, the machine might well make a cyber warfare error if it is capable of returning an attack. And just the thought of that is paralyzingly frightening.

 

John W. Simek: Well that’s exactly what Edward Snowden said; he actually had an online interview with Wired magazine, and he had two main concerns about the MonsterMind project. One was exactly what you’re talking about, he says that an attack from a foreign adversary is likely to be routed through proxies so it looks like it comes from somebody else but it’s not really the originator. So if you automate these things, you’re actually going to attack the innocent party, the wrong person.

 

Sharon D. Nelson: And in order to discover whether you’re being attacked, you’re coming through ridiculous amounts of data; you’ve got censors on the internet backbone, and what ever happened to the Fourth Amendment? It’s becoming a quaint footnote in history, and that bothers me a lot too.

 

John W. Simek: That was his second concern.

 

Sharon D. Nelson: Yeah, I think we read the same article, dear.

 

John W. Simek: Or listened to his interview. So any other closing thoughts, Sharon?

 

Sharon D. Nelson: It’s a scary game we’re playing and it does scare me because I don’t think it’s well thought out on the side of any state government; it doesn’t matter who it is. I think that we’re playing with something that is fire, and it’s very dangerous. So it makes me think of the Chinese proverb, or maybe it’s a curse, may you live in interesting times. We do indeed live in interesting times and I don’t think we have any magic bullets for what’s happening to all of our data right now and the threats that it presents.

 

John W. Simek: Well said. Well that does it for this edition of Digital Detectives; and remember, you can subscribe to all of the editions of this podcasts at LegalTalkNetwork.com, or in iTunes. if you enjoyed this podcast, please review us on iTunes.

 

Sharon D. Nelson: And you could find out more about Sensei’s digital forensics, technology and security services at www.senseient.com. We’ll see you next time on Digital Detectives.

 

Advertiser: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on LegalTalkNetwork.com and in iTunes.

[End of Transcript]