back to article Researchers say they've cracked the secret of the Sony Pictures hack

Damballa researchers Willis McDonald and Loucif Kharouni say the attackers who flayed Sony Pictures with disk-cleansing malware may have stayed hidden using newly-uncovered anti-forensics tools. The pair found the updated weaponry in the latest version of the Destover malware, best known as the malware that in November last …

  1. Anonymous Coward
    Anonymous Coward

    So, they planned the hack by playing Uplink?

  2. Yet Another Anonymous coward Silver badge

    Let me get this straight

    The world's most backward country executed the world's most advanced cyber attack and chose as its target the American subsidiary of a Japanese entertainment company?

    Or perhaps they have secretly infiltrated every other military and government computer system in the west and are actually running everything ?

    1. Mark 85

      Re: Let me get this straight

      You got it. Perfectly logical... for some value of logical and maybe in an alternate universe or two.

      1. h4rm0ny

        Re: Let me get this straight

        Well, not saying you're wrong but as a counter-argument, I have noticed that the fewer people involved in wielding power, the more erratic and unpredictable the wielding of that power is. Which is fairly obvious the more you think about it.

        And North Korea is ruled by just one unchallenged dictator.

        1. hapticz

          Re: Let me get this straight

          one great 'leader' and a supporting legion of old military goons who can't get past the 44th parallel if they tried. this sad country isn't 'backwards', it is simply a product of old farts who wont let go of the past. asian cultures high regard for 'elders' has brought millions of post Korean War children into a mind boggling alter universe of perspective and indoctrinations. perhaps the past teachings of the 'flat earth religions' comes to mind? while the priests languished comfortably on the sweat, blood and efforts of the 'faithful', the faithful eventually gained access to the printed word, real knowledge and realized they actually were being 'tended' like sheep. the cryptic secrecy used to contain any society or population is a key element of control. secret guns, secret weapons, any secrets that maintain a carefully structured class that, like most animals, always seeks greater territory and breeding access to expand it's own realm. language barriers offer some of the greatest opportunities for tyrants to instill fear and natural paranoia. stay tuned, the world gets more interesting as more people elbow each other in crowded places.

    2. Anonymous Coward
      Anonymous Coward

      Re: Let me get this straight

      "Or perhaps they have secretly infiltrated every other military and government computer system in the west and are actually running everything ?" -- Yet Another Anonymous coward

      That certainly might explain where all the surveillance legislation is coming from ...

      1. John Sanders
        Big Brother

        Re: Let me get this straight

        """That certainly might explain where all the surveillance legislation is coming from ..."""

        Oh no, that comes straight from Politician's stupidity.

        As if getting rid of encryption legally would stop/prevent the bad guys from using it.

        1. Turbo Beholder
          Trollface

          Re: Let me get this straight

          > As if getting rid of encryption legally would stop/prevent the bad guys from using it.

          "I guess we just miscalculated who the army sees as 'the enemy' is all." (M.Y.T.H Inc in Action)

    3. Vic

      Re: Let me get this straight

      The world's most backward country executed the world's most advanced cyber attack and chose as its target the American subsidiary of a Japanese entertainment company?

      You missed out "under the noses of the American spooks who had allegedly already infiltrated the Nork networks"...

      Yeah. That rings true.

      Vic.

      1. Anonymous Coward
        Anonymous Coward

        Re: Let me get this straight

        .... Those spooks missed just about every major world event since 1945.

    4. Bumpy Cat

      Re: Let me get this straight

      Just because a country is backward doesn't mean the inhabitants are stupid. The concentrated resources of even a poor country can buy a lot - eg private jets for the dear leader, or several thousand hackers with decent kit. North Korea actually bases some of its military hackers in China, for training, connectivity and deniability reasons.

      Sure, the people are eating grass, but they have lots of guns, nuclear weapons and the boss has the best brandy.

      1. Michael Wojcik Silver badge

        Re: Let me get this straight

        The concentrated resources of even a poor country can buy a lot - eg private jets for the dear leader, or several thousand hackers with decent kit.

        Agreed. This attack did not require developed-world infrastructure, robust international trade, or a happy populace to carry out.

        I'm agnostic on the question of the attackers' identity and sponsorship. I don't find it unlikely that it was North Korea; I don't find it unlikely that it was someone else. And I'm not sure it matters very much.

  3. Steven Roper
    Holmes

    Surprise, surprise!

    "Hackers" erased the logs and altered timestamps? Who'd o' thunkit? Every bloody wannabe script kiddie that ever watched a Hollywood hacker movie from War Games to Swordfish knows you erase the logs and adjust the timestamps when you hack into a system. Are they saying it took an expert security team to figure out the "hackers" were actually doing that?

    Oh, puh-leeeze!

    1. Pascal Monett Silver badge
      Coat

      Hollywood : for once teaching security experts how to do their job.

    2. Anonymous Coward
      Anonymous Coward

      Re: Surprise, surprise!

      Are they saying it took an expert security team to figure out the "hackers" were actually doing that?

      Well, yes, because if that tool does its job (and it appears it did) it eradicates the very evidence you're looking for, which then requires someone to meticulously comb the system for other traces that show up a discrepancy. I need to read up on how they found it, because Sony will not be the last company to be subjected to this, although I suspect that disclosing the "how" will enable the sods who did this to work out a way around it.

      Now, did I just read they used *Windows*?

      /running away laughing maniacally..

    3. Destroy All Monsters Silver badge

      Re: Surprise, surprise!

      That din't happen in "War Games" though.

      "Swordfish" I dunno.

      1. Sir Runcible Spoon

        Re: Surprise, surprise!

        I'd like to know if there is any malware that can intercept and modify/remove syslog alerts as well, although obviously that doesn't affect intermediate systems from registering activity (unless the syslog server is compromised too).

  4. John Tserkezis

    "for ideological and political reasons not for financial gain"

    Ooooh! How retro!

  5. Pen-y-gors

    Welcome back the WORM drive

    Whatever happened to WORM drives? I think that writing your logs to write-once media might provide a handy and non-corruptable audit trail. And I'm sure would be really, really useful for NSA/GCHQ/russian hackers - I'm surprised it's not a requirement of the snoopers charter.

    1. Anonymous Coward
      Anonymous Coward

      Re: Welcome back the WORM drive

      Well, in the *nix world you have the ability to pump syslogs to a standalone machine (which you'd mirror, of course), I suspect Windows may have the same mechanism somewehere.

      Unfortunately, that requires extra money and the realisation that logfiles are actually rather important. For some reason, ledger-keeping accountants don't see that logfiles are IT's equivalent.

      1. Destroy All Monsters Silver badge

        Re: Welcome back the WORM drive

        See "The Cuckoo's Egg"/"Stalking the Wily Hacker" for more on this.

        1. Kevin Johnston

          Re: Welcome back the WORM drive

          Or even go back to the early 80's with the excellent (although now very very dates) series Bird of Prey (http://www.imdb.com/title/tt0168510/.....must learn how to paste links)...actually I must see if I can get a copy of it to re-watch.

          Probably mis-quoting but I am remembering some very sensible and far-seeing lines like 'so he could be changing things even as we are looking for them'

          1. banalyzer

            Re: Welcome back the WORM drive

            http links are inserted as normal bird of prey

            Amazon can sometimes be your friend

      2. Anonymous Coward
        Anonymous Coward

        Re: Welcome back the WORM drive

        I worked somewhere many years ago where work done on a particular system/server required you to log in via the one terminal that was connected to it before you could make any changes. Viewing information (it was an information retrieval system) was possible from a number of terminals linked to a mirror of that server. The information on the retrieval system was updated by backup tapes and therefore a one way transfer. The system sent any keystroke activity and therefore who was logged in, to a dot matrix printer in another room (where the main server was located) which had continuous paper feeding into it. This was hardwired in like a keylogger device nowadays I suppose and couldn't be tampered with. An electronic log was also kept but obviously that was potentially vulnerable to someone being malicious. Access to that room was highly restricted and required security releasing a key from a small keysafe inside a larger keysafe. There was a combination padlock once you had all the keysafes open and only two people knew that combination.

        I was once allowed inside the printer room to see the head of computing change the paper as a witness.

      3. Anonymous Coward
        Anonymous Coward

        Re: Welcome back the WORM drive

        I suspect Windows may have the same mechanism somewehere.

        In general, Windows can be persuaded to do the same things as UNIX can.

        Maybe not as easy or convenient (windows generally uses binary API's, UNIX generally uses ASCII and sockets) and one probably needs to buy a license for MSDN for examples and tools. But, if one wants, one can do.

    2. Anonymous Coward
      Anonymous Coward

      Re: Welcome back the WORM drive

      "Whatever happened to WORM drives?" -- Pen-y-gors

      I wondered this before (in the context of defending backups from crypto-ransomware) --- why isn't some HDD / SDD manufacturer making "almost-WORM" drives where files cannot be deleted or overwritten (or the partitions altered or erased) unless a jumper/switch on the drive case enables it?

      More sophisticated firmware could allow auto-versioning (either by VMS style old version copies, or even just saving diffs). But the simplest case would be rather trivial wouldn't it? Just set the files read-only and, in normal operating mode, ignore commands to perform destructive operations or to remove read-only attributes.

      It wouldn't even have to be at the SATA level. Surely you could have a USB, Firewire or Network connected system that could filter out overwrite, erase and other dangerous commands even if it was full of bog standard disks?

      1. Anonymous Coward
        Anonymous Coward

        Re: Welcome back the WORM drive

        where files cannot be deleted or overwritten

        These exist in tape form: TAPE WORM

        But it's actually easy to do architecturally, where you have the log server in another room, and it accepts only log data, no logins.

        1. Sir Runcible Spoon
          WTF?

          Re: Welcome back the WORM drive

          "and it accepts only log data, no logins."

          Um, so how do you manage the box and view the stored data?

          1. Anonymous Coward
            Anonymous Coward

            Re: Welcome back the WORM drive

            Um, so how do you manage the box and view the stored data?

            0) Talk to ray-ban wearing youthful camo guy with a full-auto boomstick standing in the anteroom

            1) Open door

            2) Sit

            3) Perform console login

        2. annodomini2

          Re: Welcome back the WORM drive

          "... it accepts only log data, no logins."

          DoS, chuck log files at it, till it either gets confused or runs out of space.

          1. Anonymous Coward
            Anonymous Coward

            Re: Welcome back the WORM drive

            DoS, chuck log files at it, till it either gets confused or runs out of space

            ... Way before that happens at least one of the algorithms that looks for "funny" log event patterns would have had a hissy-fit and kicked off an SMS to the on-duty BOFH ...

            One would perhaps deploy a tool to capture and record the normal log-event flow and replay it to the log-server, like one in theory does with security cameras, which is dodgy because how long does one has to watch to get the whole pattern?

            Or one could have a tool that censors certain events, the ones "I made" and just pass on the "normal" stuff. Usually 'syslog' et cetera uses plain UDP so a little bit of packet inspection and Bob's yer Uncle, iptables / nftables could do this.

          2. DaLo

            Re: Welcome back the WORM drive

            Run it air-gapped. Have a CCTV pointing at the screen of your log server, run that through an image processing system to *easily* search for the timestamp of the data you're looking for. Also make sure you send the video up to a cloud service like youtube to ensure you don't run out of space and allow for peer to peer analysis of any intrusions. Reward the successful spotter of the misdeed with a cookie.

      2. Nigel 11

        Re: Welcome back the WORM drive

        Use Tape?

        I haven't seen an LTO<n> cassette for some years, but if they're basically the same as the old ones, there's a physical write-protect tab on the cassette.

        Second stupidest thing ever was doing away with the write-protect switch on disks and disk controllers. Remind me, just how much does a two-pin jumper cost? Stupidest, was doing away with the write-protect switch on firmware and BIOSes.

    3. CAPS LOCK

      Whatever happened to WORM drives?

      Aren't they called DVDs now?

      1. Joe Harrison

        Re: Whatever happened to WORM drives?

        In my day WORM drives for logs were called Oki 9-pin printers

        1. Destroy All Monsters Silver badge
          Thumb Up

          Re: Whatever happened to WORM drives?

          Oki 9-pin printers

          Still in use at the local G4S.

          I remember those from "China Syndrome" ... "EVENT ENDS" etc...

          And the fanfold. Especially the fanfold.

    4. just another employee

      Re: Welcome back the WORM drive

      Still has to be an off-host drive - i.e. using a timestamp from somewhere else....

      I also think a WORM drive is more specifically known as a CD-R ? (or DVD-R) (or BD-R) ??

  6. just another employee

    Off host logging not in place then ?

    Not even an option to keep logs on-host anywhere even vaguely concerned about security.

    You would only consider local logging on systems used purely as throw-away entertainment.

    Oh.....

  7. Nuno trancoso
    Coat

    re: Off host logging not in place then ?

    "local logging on systems used purely as throw-away entertainment"

    We're still talking the IT angle right? Coat, just in case..

  8. Anonymous Coward
    Anonymous Coward

    Karma

    Dear Sony,

    how does it feel to have a rootkit or other malware on YOUR system?

    Do you feel violated, angry and embarrassed?

    Aaah.

  9. Bob Dole (tm)
    Paris Hilton

    Secret?

    I missed the part in the article referenced by the title: which "secret" did these researchers figure out? /sarcasm

    On a more serious note. If erasing logs or changing file date/time stamps is some type of secret sauce that the researchers didn't previously know about then we're in real trouble.

    1. Anonymous Coward
      Anonymous Coward

      Re: Secret?

      We are in real trouble.

  10. Crazy Operations Guy

    Proper Logging systems

    Where I work, we have the logs forwarded to a central logging system where its replicated and made read-only (from there logs are retired onto DVD-R's in one of those automated DVD burning systems). Nor is data actually stored on user's workstations. Rather every document they use is written to a file share or a SharePoint site (Everyone has a 2 TB quota and every SharePoint site has 500 GB per user of each site, has the side effect of knowing who has access to what...). The file servers are also over-spec'ed so there is almost twice as much disk as needed and three times the performance so no one has an excuse to use something else (we got it to match what the VM hosts share).

    Our policy tends to be that if a local machine gets infected, we replace it with a spare, investigate to see if there is a worm or something on it, and then nuke it before putting it back on the network. No one loses any data and we aren't blinded by someone erasing our logs. We also have a program in place to randomly wipe and re-image the machines of users with risky usage patterns whether or not the machine was infected or even showed signs of infection. So if you make a habit of surfing sketchy websites or hang out too much on social media, you shouldn't be surprised that your system gets re-imaged every other week, we have a guy whose machine has yet to last more than 3 days before we rebuild it (CEO's cousin, dude can't stay away from those scam-tastic hook-up sites)

    1. SquidEmperor

      Re: Proper Logging systems

      I've seen how this plays out. They come in through the heating ducts and use a wire system to abseil down to the main archive PC...

    2. fajensen

      Re: Proper Logging systems

      we have a guy whose machine has yet to last more than 3 days before we rebuild it

      I think that you people should consider the many opportunities for a little private enterprise that this guy provides, especially how to launder the money. You know: two birds, one stone. Just saying.

      1. Crazy Operations Guy

        Re: "many opportunities for a little private enterprise that this guy provides"

        What makes you think that we already haven't been milking this guy for as much as we can? He's a pathetic trust-fund man-child with no concept of the value of money, his family pays for everything and he still pulls down $175k... The guy relies entirely on his money to get people to like him, so he is just incredibly unlikable and a colossal asshole.

        His family doesn't mind what we're doing since we keep him from doing incredibly stupid things like his father (Who managed to slam his private jet into an open field, nose-first, by spilling an entire fifth of whiskey into the instrument panel while snorting cocaine off his former porn-actress/escort trophy wife, killing both of them in the process).

        1. Anonymous Coward
          Anonymous Coward

          Re: "many opportunities for a little private enterprise that this guy provides"

          In the old days, one would simply employ a Valet to keep Young Sirs dick-headedness and escapades within socially acceptable (and insurable) bounds (Perhaps one would also employ a Butler - to handle the civilised business; the valet can do the pup crawls and the brothel rounds).

          These days, the BOFH's and PFY's - People well known for their somewhat unique dress code and somewhat alternative social sense & cultural understanding get the job .... ;-)

          Our Culture and Values are circling the drain, that's fer sure! Dark tide is coming!

  11. Asterix the Gaul

    As if we didn't already know it, WINDOWS is a 100% porous O.S, surrounded by a vast network of patches.

    I have used it since the days of DOS,how it ever stood the test of time is beyond me,because MIcrosoft are like game makers, rather than 'fix' the problems, they opt for the cop-out, by releasing another version.

    It's pretty much a fact,that Microsoft created the malware & virus industry single-handedly.

    When WINDOWS disappears, our PC's will be re-born as secure devices as they were meant to be.

    Up to XP, it was easy to by pass the Windows login to gain access.

    1. cray74

      When WINDOWS disappears, our PC's will be re-born as secure devices as they were meant to be.

      Two thoughts occur:

      1) Windows will probably disappear when PCs disappear. Though I suppose malware wouldn't be able to attack what doesn't exist, an interesting security strategy.

      2) The competing OSs with any traction aren't setting records for integral security, but rather appear to depend on security-by-obscurity. Being ignored by malware makers produces a useful result to the consumer, but doesn't mean an operating system is secure.

      1. conscience

        @cray74 RE your link - surely you're not relying on that chart to prove anything other than MS split Windows into versions so that it looked less than Linux/Apple where all versions were lumped together, rather than over 100 MORE bugs for Windows? Try adding up the vulnerabilities for all versions of Windows than try telling me it's more secure than the others! HINT: There's 248 vulnerabilities just between Windows versions in 2014, vs OSX at 147, 127 for iOS and 119 for the Linux kernel. :)

        1. cray74

          surely you're not relying on that chart to prove anything

          Dammit, man, I found a link on the internet that reinforces my preconceived notions! I don't need facts when I have a chart that agrees with my opinions!

          ;)

        2. toughluck

          @conscience:

          Okay, let me try to follow your logic here:

          Distrowatch tracks 272 "popular" Linux distributions. Should I add up these distributions with 119 vulnerabilities in the kernel? Are you suggesting that Linux has 32,368 vulnerabilities (or more)?

          If Microsoft is fixing a vulnerability common to several different versions of the OS, the patch gets ported to all vulnerable code portions, regardless of the version. Again, if Microsoft releases a patch that fixes the same issue on ten different OS versions, does it mean they squashed one bug or ten? What if there's a Linux kernel patch -- does it fix one bug, or does it fix 300?

  12. Roundtuit

    If the hackers were subtle & sensible, they'd have gone to ground as soon as they got in to the network, immediately concealing their activities, going deep, and meddling with the security logs, alarms and alerts. Having done that, they could sit there for an indefinite period waiting for the logs of their initial access to be overwritten or discarded, and quietly watching for any signs of proactive security response. Then they'd have free rein, knowing that their activities were being neither monitored nor logged ...

  13. A.Lizard

    remember speculation

    that Sony was an insider job and other than statements from the corp & politicians, I don't remember this was ever definitive disproven.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like