I don't think it was North Korea that pwned Sony.

22 December 2014

EDIT: 2014/12/23: Added reference to, a link to, and a local copy of the United Nations' Committee Against Torture report.

I would have written about this earlier in the week when it was trendy, but not having a working laptop (and my day job keeping me too busy lately to write) prevented it. So, here it is:

Unless you've been completely disconnected from the media for the past month (which is entirely possible, it's the holiday season), you've probably heard about the multinational media corporation Sony getting hacked so badly that you'd think it was the climax of a William Gibson story. As near as anybody can tell, the entire Sony corporate network, in every last office and studio around the world, doesn't belong to them anymore. A crew calling itself the GoP - Guardians of Peace - took credit for the compromise. From what we know of the record-breaking incident it probably took years to set up and may have been an inside job, simply due to the fact that an astounding amount of data has been leaked online, possibly in the low terabyte range. From scans of famous actors' passports to executives' e-mail spools, to crypto material already being used to sign malware to make it more difficult to detect, more and more sensitive internal documents are winding up free for the downloading on the public Net.

The US government publicly accused North Korea of the hack and is calling it an act of war. This was immediately parroted by the New York Times and NBC.

I don't think North Korea did it.

I think they're lying, and the public accusation that North Korea did it is jetwash. Bollocks. Bullshit. In the words of one of Eclipse Phase's more notorious world building devices, the MRGCNN, LLLLLIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEESSSSSSSSSSSSSSSSSSSSSSSSSSSS!!!!!

Beneath the cut are my reasons for saying this. Firstly, Sony's infosec historically sucks. Many of us in the infosec community have thought this for years due to the fact that we were in a position to hear about each and every one of their breaches through our respective grapevines. Jericho, who runs attrition.org, dutifully recorded each and every one of them, all several dozen (I stopped counting at 37). Without breaking any confidences or violating any NDAs I may or may not have signed in the past, word has it that Sony's information security posture has never been very good, and has been getting steadily worse the whole time. There's even a word for it: "Sownage," as in "As thoroughly owned as Sony is," which dates back years. This is why many of us shrugged and said "Sony again?" before getting up to source another cup of coffee.

Secondly, it's trendy to blame state-based actors, just like it was trendy ten years ago to blame zero days if and when you got popped. Let me explain:

Fifteen or twenty years ago a lot of outfits on the Net just stood up machines without doing much in the way of due diligence. Rarely did they harden any machines they put online, and sometimes the SAs (system admins) would install the latest patches, though usually more for reasons of stability than security. When machines were compromised, management and the SAs would check the backups, reformat the machine, reinstall everything, restore from backups (if there were any) and go about their business, because there wasn't a whole lot riding on any one box yet. There were some noteworthy exceptions, to be sure, but that was pretty much how things happened back then. Come century twenty-one, when Big Money got into the Net and the bottom line was the prime mover behind networked resources, life got even more interesting for SAs. If a box got popped, chances are the SA would get fired for letting that happen. After all, it was the system admin's job to keep machines up and running and uncompromised. Then, somewhen between 2002 and 2003 (I don't remember anymore, nor do I feel like grepping tens of gigs of mailing list archives to find it), the term zero day, which refers to a security vulnerability that someone didn't find and report to the manufacturer or maintainer but instead sat on for some period of time and exploited only rarely, became a buzzword. By definition, if between one and three people on the entire planet are sitting on a vulnerability and nobody else knows about it, your ability to defend against it is limited at best. If somebody's machines were compromised with a zero day, and they discovered that they'd been compromised at all (which isn't a sure thing by any means), there was absolutely nothing they could have done about it despite their best efforts. And so it came to pass that, if your ass was on the line because your boxen were pwned, you could claim to your boss, and your boss' boss, and so on up the food chain, that you had done due diligence but it had done no good because the attacker had exploited a vulnerability that absolutely nobody else knew about, and you were in contact with the vendor to warn them about what you found in the hacked box and they'd patch it in the next release.

Usually, they hadn't done their due diligence. They hadn't hardened their boxen. They hadn't patched their machines. Those SAs would have been fired, do not pass go, do not collect $200 US. But just the same they reformatted the pwned machines, reinstalled everything, restored from backup (when there were backups), maybe installed the latest and greatest patches and the applications the servers exist for, and business went on as usual. They still didn't bother really hardening their machines even though there are dozens upon dozens of how-to guides and formal procedural documents on the Net that describe in the most minute of detail how to go about it. To this day people still look at you funny when you tell them that you locked down a machine using the NSA Security Configuration Guidelines (say what you will about No Such Agency, but their Windows hardening how-to is the most comprehensive and useful one I've ever used) or the CIS Benchmarks, because why would you ever do something so useless?

To be honest, there were times when asses were not saved or investigations were done. Sometimes even perpetrators were found, charges were filed, and convictions were gotten. However, I must state for the record that for every hack you (or even any of us in the infosec community) heard about, there were n more (where n is greater than 1) hacks that you didn't, and for every hacking-related court case anybody heard about in the news there were m that didn't get reported on for whatever reason. Additionally, blaming a vulnerability that nobody knew existed (whether or not one existed) was a great way to save your job. I am not the only person who thinks this way, and I have a strong suspicion that he's seen it more times than I have while on the job.

Another thing to mention is that actually figuring out where something came from on the Net is hard. Sometimes it can't be done. Many years ago there were rumors of exotic pieces of software that could spoof your IP address, or put arbitrary IP addresses on your outbound traffic so that it looked like it was coming from cia.gov or something. As described by those tales and rumors told on IRC that is not possible; IP routing ensures that. However, what is possible is software which routes traffic through multiple systems, which makes it harder to figure out where a given stream is originating from. Tor comes immediately to mind, followed by sketchy VPN providers who take whatever form of payment you want to send them and are based in jurisdictions where they can freely ignore subpoenas and summons. There is GRE tunneling over IPsec, which is great for making your network traffic look like it's coming from someplace else entirely. There are misconfigured proxy servers all over the Net that are trivial to set up exploitably and somewhat trickier to set up safely, and are eminently abusable by anybody who has five minutes to spare; I'm told by friends of mine who are public school teachers that they're quite popular with middle school students for evading in-school net.filters. There is BGP hijacking, which can be used to reroute traffic for potentially vast swaths of IP network space to arbitrary networks (despite the report I've linked to, this technique has been known about since the late 1990s). While some of these techniques are somewhat esoteric, none are particularly difficult to initiate if you spend ten minutes searching the web. It stands to reason that if a state-based actor was going to make a run on a multinational corporation and show off their hacking prowess, they would at least take a few precautions that they could Google ahead of time to prevent an international fucking incident.
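To make the attribution point concrete from the defender's side, here is an added example (mine, not the author's, and not from any real incident) that triages web-server log lines by what the source address is known to be rather than where it appears to be. The intermediary lists (Tor exit, open proxy, VPN egress), the RFC 5737 documentation addresses in them, and the sample log lines are all constructed assumptions; a real deployment would load the Tor Project's published exit list and whatever proxy or VPN feeds the team trusts. The point the output makes is the one the paragraph makes: an address that belongs to an anonymizer, a proxy, or your own load balancer tells you almost nothing about who was on the other end.

```python
"""Triage log source addresses by how much they say about the true origin.
Added example; intermediary lists and log lines are constructed, not real."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed intermediary data (assumption). Addresses are taken from the
# RFC 5737 documentation ranges, so none of them are real infrastructure.
KNOWN_INTERMEDIARIES = {
    "tor-exit": ["198.51.100.0/24"],
    "open-proxy": ["203.0.113.7/32"],
    "vpn-egress": ["192.0.2.0/28"],
}

# RFC 1918 space: a source here is a load balancer or reverse proxy in
# front of the server, i.e. the real client address was lost upstream.
# (Checked explicitly rather than via ip.is_private, which in Python also
# flags the documentation ranges used above.)
INTERNAL_NETS = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Apache/nginx "combined" format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# How much a given source category says about the true origin.
CONFIDENCE = {
    "direct": "medium",      # still only a host; it could itself be compromised
    "internal-hop": "none",  # the address is our own infrastructure
}


@dataclass
class Attribution:
    ip: str
    category: str    # "direct", "internal-hop", or an intermediary type
    confidence: str  # "medium", "low", or "none"
    request: str


def classify_source(ip_str: str) -> str:
    """Label an address by what it is known to be, not by where it 'is'."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback or any(ip in net for net in INTERNAL_NETS):
        return "internal-hop"
    for category, cidrs in KNOWN_INTERMEDIARIES.items():
        if any(ip in ipaddress.ip_network(cidr) for cidr in cidrs):
            return category
    return "direct"


def attribute(line: str) -> Optional[Attribution]:
    """Parse one combined-format log line; return None for non-log lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    category = classify_source(m.group("ip"))
    confidence = CONFIDENCE.get(category, "low")  # anonymizer or proxy: low
    return Attribution(m.group("ip"), category, confidence, m.group("req"))


def attribute_all(log_text: str) -> List[Attribution]:
    return [a for a in (attribute(l) for l in log_text.splitlines()) if a]


# Constructed sample log (assumption; not taken from any real server).
SAMPLE_LOG = """\
198.51.100.44 - - [22/Dec/2014:10:15:32 +0000] "GET /admin HTTP/1.1" 401 0 "-" "curl/7.38"
203.0.113.7 - - [22/Dec/2014:10:15:40 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [22/Dec/2014:10:16:01 +0000] "GET /files/archive.zip HTTP/1.1" 200 9812 "-" "Wget/1.16"
192.0.2.200 - - [22/Dec/2014:10:16:30 +0000] "GET / HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Dec/2014:10:17:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "HealthChecker"
this line is not a log entry
"""

if __name__ == "__main__":
    for a in attribute_all(SAMPLE_LOG):
        print(f"{a.ip:<16} {a.category:<13} origin-confidence={a.confidence:<7} {a.request}")
```

Only the fourth line earns even "medium" confidence, and that is still just a host, which is why a log address on its own is a starting point for an investigation rather than the end of one.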

It's also de rigueur to point the finger. (thanks to @thegrugq) Case in point: back in 1998 a small cadre of systems crackers went on a rampage that resulted in the compromise of networks run by MIT's Plasma Science and Fusion Center, an ISP in Northern California, and multiple unclassified networks run by the Department of Defense, and was touted as the first salvo of cyberspace war... except that it wasn't. It was a small group of teens taught by a hacker who ran under the handle The Analyzer, who got off with a slap on the wrist and a C-level position. The after-pwnage analysis is a skull-fracturing case of facepalm.

Additionally, and here's where I dial the cynicism up to eleven, I had a conversation with some colleagues of mine in which I said that the CIA Torture Report (local copy) started getting people really pissed at the US government. I said that it reiterated something that has been known for decades, which is that torture is worthless for getting actionable intel, that it reinforces the perception of the US as a country of violent barbarians, and that it is a document that will further internally destabilize this country. That report got enough people angry (some of whom are in positions of influence) that they're starting to stand up and call for reforms, oversight, and even charges to be brought against personnel. This report (local mirror), researched and published by the United Nations, didn't really get any press coverage at all and is even more damning, because it lays out all of the justifications of torture that we are in a position to know about because they're unclassified. In fact, there are organizations making the claim that human experimentation was done in Guantanamo Bay in violation of the Nuremberg Code. I also said to my colleagues that something would happen within seven days of the publication of the report to deflect all attention from it. Hands were shaken.

The Executive Summary of the report came out on 9 December 2014. On the same day the FBI made a point of saying that North Korea was not involved. North Korea was officially fingered as the culprit three days later by Chairman of the House Intelligence Committee Mike Rogers in a statement published by Time Magazine on 12 December 2014, and backed up by White House National Security Council spokesperson Mark Stroh on 21 December 2014.

Special thanks to Risk Based Security for their timeline of the Sony hack. I'm buying the first round, should we ever meet.

So, enough of me ranting like the infosec burnout that I am. Let's summarize:

It is my considered professional opinion that there are multiple factors at play here, ranging from politics being used to manipulate public opinion as well as the political process, to massive internal failures of IT security protocol and process. The only prime mover behind this shitstorm is that Sony got hacked. Multiple factions are falling all over themselves to take full advantage of Sony getting hacked. As we say inside the Beltway, "never let a good crisis go to waste," and true to form everybody who is anybody within the first couple of blast radii (so to speak) has this particular crisis by the throat and is using it to full advantage.

Am I saying that the Sony hack is one of the worst in history? Yes. I would go so far as saying that this is comparable to the climax of William Gibson's Neuromancer, when the whole of Tessier-Ashpool's vast network has been compromised by Case. This is hardcore, Wu-Tang cyberpunk from start to finish.

Am I skeptical of many of the claims made about the Sony hack? Yes. I've seen the same patterns play out over and over and over again throughout my career, and I am not the only person saying this (and I'll cough up links if I need to). Right down to the "Blame big, bad, scary hackers who know things we never will!" to save their own asses.

Am I saying that there are political reasons for pointing the fingers at North Korea to deflect attention from something else? You're damned right.