North Korea is capable of pwning Sony. Whether it did is another matter Researchers think they have figured out how Sony was hacked. Long story short: the hackers knew what they were doing and covered their tracks with some clever, but really basic, tricks. I'm not particularly surprised by this, but I am surprised that others are surprised by it. The Register commenter Yet Another Anonymous …
Not based on tech at all, but one to one "social engineering". State actors can take this past the level of email spear phising to a "honey trap" physically dating someone useful inside the target. Maybe replacing their phone or mouse with a Trojan equipped duplicate.
Or a USB stick with "nice photos" or video that has HID driver based malware.
Someone I believe even posted a "free" mouse to someone that installed key logger etc.
This Christmas? Beware Geeks bearing gifts.
"That all said, I absolutely believe North Korea has the capability to do this."
Agreed. Dunno about North Korea, but many developing countries have programmes to send their brightest students to Western universities for a start.
"Anyone who has the resources to hire a full-time research team and a pair of decent developers can build credible offensive hacking capabilities. This means that most 50-individual companies on the planet theoretically have the resources to build both malware and network-based deployment capabilities."
I'd actually put that at less than 50. A team of a dozen developers/testers can produce some very sophisticated software. Add admin, sales and managers to get to 20-ish. That figure is based on my own experience.
They've reversed the polarity on the tachyon inverter and suddenly used the thermostat to overwrite the hidden sectors on the tablet that controls the nuclear reactor. Oh noes!
Trevor, you've done it now mate, releasing closely guarded details like that can only lead to you being picked up for terrist activities.
"Anyone who has the resources to hire a full-time research team and a pair of decent developers can build credible offensive hacking capabilities. This means that most 50-individual companies on the planet theoretically have the resources to build both malware and network-based deployment capabilities.
....
Someone who has actually spent time penetrating other systems and had to think about these things just might. These people are not cheap, and there aren't many of them."
Well, which is it?
Attacking is easier than defending. It is easy to train attackers. It is not so easy to find attackers who have flipped over and trained to defend.
A good defender needs experience attacking. A good attacker does not need experience defending, though they could do with studying the shelfware.
> A good defender needs experience attacking.
Not really. He needs experience in thinking things through (a mathematical mind can help a lot), minimizing what is confusingly called "attack surface" and needs to have an array of goodies at his disposal to perform defense-in-depth (as well as the minions to implement said defense and man the seats; generally forgotten, after all, if the CEO can install PowerDVD in 15 minutes, how hard it can it be for the lone IT guy to secure the network? Did I mention the balls to implement a security policy?).
An attacker needs to think messily (a mathematical mind may well be a hindrance) and can feel around the edges and edge cases. If there is no risk getting caught (state actors etc.), he can try to pry a bit harder. If there are several attackers working in concert, interference can be run (an "Israeli art student" attack, eh?), parallel attacks can be had and the time of attack can be compressed, all of which is very useful.
"Not really. He needs experience in thinking things through (a mathematical mind can help a lot), minimizing what is confusingly called "attack surface" and needs to have an array of goodies at his disposal to perform defense-in-depth"
Exactly.
A lot of companies don't put any thought into security at all. Just tick the box "yes, we have anti virus software" and then move on. It's absurd, because I consider it a good day if AV catches 40% of threats at my gateway.
You don't even need to spend anything to acheive defense in depth, it's possible to do with no spend. How do you threats come in?
Via email? Stick in a copy of Xeams for anti spam and then drop every email with an executable file attached. (and especially executable files in a zip file) Need to receive .exe files via email? No problem, stick an obscure word on a whitelist and then tell people sending legitimate .exe files attached to emails to include it. </end email virus problem>
Via USB stick or similar? Block auto run via GPO.
Want to harden the desktop to the point of invulnerability? No problem. Stick in a Software Restriction Policy via GPO preventing any defined formats (.exe, .bat, .vbs, .etc) from running outside of %program files% and the required network shares. Good luck infecting a computer secured this way, even if somebody has a virus they can't open the bugger. Group Policy & SRP's are of course inbuilt to windows and free.
Worried about Macro based attacks in MS Office? Set a group policy for office setting Macro security to medium. (requiring people to enable macros for each document)
Worried about people embedding a flash file a word document? Use Microsoft's (free!) Enhanced Mitigation Experiance Toolkit to prevent flash running from within certain programs.
Virtually everything you need to harden a network to the point of complete invulnerability is available free of charge.
I disagree. You're making a classic mistake thinking that defense is essentially a checkbox-following procedure of "doing the right things". It's not. You need to think messily. You need to think of new and innovative ways to break your own design.
The stuff that shelfware exists to solve is only a small part of the problem. It is nothing more than the beginning. Good defense, like great offense, requires totally orthogonal thinking. And yes, it will and does require implementing things that don't exist as off-the-shelf products. Open source or not.
I'll mark you down as completely ignorant then.
The only way you can be completely invulnerable is for your network to be completely unusable. If you had a single external facing web site, with whatever firewalls (free or not) all an attacker needs is an exploit against that web server, and he's inside your network. You can safely assume that there are exploits against every popular web server - because there are patches released now and then that fix serious vulnerabilities and certainly no reason to assume the most recent patches fixed the very last security hole. Even if you use further layers of security like running it chroot'ed inside a VM, there have been exploits that allow both breaking out of a chroot jail and breaking out of a VM to the host OS and there may be again (if you were a bad guy and discovered such a valuable exploit, you'd certainly be very careful about where and how you use such power to avoid having it eventually become known by the vendor and fixed)
If that web server is the only server you have that's not too bad, all your hacker can really do is maybe put up pro-ISIS messages on your site - there is nowhere else for him to go in your network of a single server. But in the real world you don't have such networks. With multiple servers, for maximum protection, you could firewall them all off individually from each other, creating essentially a firewalled network per server, with the only communication between servers being that which is ABSOLUTELY necessary for the servers to fulfill their purpose. Even that's not foolproof, if you can use your HTTP attack to gain a foothold on the inside, and then attack another server via a different exploit on whatever communication pathway is allowed between them. Not to mention how it would be a bitch to admin if you aren't allowing SSH or Remote Desktop through those per-server firewalls because those protocols aren't 'absolutely necessary for the servers to function' :)
You can do so if you like. Which would ignore that sane orginisations run their websites on an external web host such as 1&1, which eliminates that as an attack source.
It's also trivially easy to secure Remote Desktop, and I think anybody incapable of doing so is in the wrong job. Outside of the network our firewall includes a VPN client, which you can secure via 2FA, for the princely sum of £1 per month per user if you use phonefactor authentication.
This is technically a weakness, but the prospect of somebody getting my username, password, the VPN client with the correct certs etc, the correct connection address, physically stealing my mobile from me without noticing, and then guessing the PIN does not cause me to lose a great deal of sleep at night.
I maintain that with some thought as to where your attack vectors and what you can do to mitigate against those type of attacks you can reduce the attack surface on most networks to the point it's pretty much impossible to breach despite the best efforts of the users.
Sure, you can secure remote desktop. Until an exploit is found in it - which have been in the past and may still be some yet undiscovered. How exactly do you secure it if any IP able to connect to it as able to leverage that connection to Administrator level access without a password?
By not allowing any external IP's connect to it.
Taking my example above you'd have to connect via a VPN client requiring:-
1) A correctly configured VPN client with the right certificates and config.
2) The username and password of a user with an account.
3) The users mobile phone or token for multifactor auth.
4) the users remote PIN for the login.
At this point then you'd be connected to a subnet with limited access, which you could use as a springboard to launch attacks, assuming that the IPS doesn't detect the abnormality and terminate the connection. I think you'll agree that this particular avenue of attack is not likely to a particularly fruitful one.
This setup costs £1 per user, per month to run with no upfront costs apart from the firewall, which we owned anyway.
As can I, mostly depreciated ones PPTP ones that should have been taken out and shot a decade ago. ;)
Seriously though Trevor, your arguing against somebody who implemented a set of network security measures along the lines you been advocating in recent months the better part of a decade ago.
I'm not really sure where or why you are disagreeing with my original post, that you can achieve an exceedingly high level of security (including internal mitigation measures) with freely available tools and an intelligent approach to considering threat avenues on your network. The Enhanced Mitigation Toolkit I mentioned in my original post is not exactly a perimeter tool, is it?
This post has been deleted by its author
Militaries already have the people-power, contracted, and costs covered. Then, the training and they're off on their merry way. I think if the Asian countries were to join technology forces, it might be time to circle the wagons.
Time will tell who breached Sony. Was it NK? Probably not, but who can tell what a sociopath like Kim Jong-Un would really do? So the mystery remains for now...
Even if everyone could hack anywhere one would need to have a motive, and that, or the rewards, need to be great enough to override the risks of being caught or blamed.
I don't see North Korea having the motive. I don't see what they actually gained, or could possibly have gained, from such a hack. This poorly rated film was no worse than what North Korea and her leader has slung at them every day.
It still looks more likely to me that it was script kiddies doing what script kiddies do, perhaps a western false flag to get crap thrown at North Korea.
Government anything is typically late, over-budget and doesn't work. Unless that government project is about oppressing their own citizens. Then it's delivered early, under-budget and is creepily efficient.
They can never make something that lets you renew your driver's license quickly, or distribute smart cards so we can all vote online, but damned if they don't get license plate recognition and automated speed fines working in a matter of weeks after it's legalized.
If that is not a Star Trek reference than I do not know what is. James Doohan would have very happily delivered that line.
I think it's a combination of Star Trek and Doctor Who.
Jon Pertwee once ad-libbed "reverse the polarity of the neutron flow" and it became a bit of a catch phrase for the Time Lord, but "tachyon inverter" certainly smells more Trekkie to me, although more TNG than TOS.
I'm actually really disappointed noone got the scope of the reference. Yes, it was a TNG joke. The Enterprise-D didn't have a tachyon generator, let alone a tachyon "inverter". (And a reversed polarity inverter should just be a normal generator.) The Enterprise-D consistently had to monkey with the main deflector to produce tachyons in anything other than very small quantities, and having at any point something that "inverts" the operation of the main deflector would be a very bad thing for that ship.
It's worth noting, however, that the Defiant regularly produced both Tachyons and Chronitons without having to involve the main deflector. Presumably the Enterprise's need to send some red shirt to get melted by a plasma leak in the Jefferies tubes every time a tachyonic something or other was required meant that generators for those were added as standard equipment. </giant nerd>
That said, hat tip to Alister for picking up on the "reverse the polarity of the neutron flow" which was indeed front of mind when I started crafting the sentence.
I can't believe this has come up again.
Hacking TB of data, - it would have taken them months and several at that to grab all that data.
Don't tell me nobody would have noticed that.
Also last time I checked North Korea isn't on the list of countries with the fastest broadband.
It's obvious the Director of the FBI is lying through his teeth as he is the one who pointed the accusing finger.
North Korea isn't exactly a den of activity when comes to hackers either.
"Hacking TB of data, - it would have taken them months and several at that to grab all that data."
The North Koreans are smart, they must have figured out how to compress the TB data down to MB. They also probably found out that they maybe caught in mid download, so they decided to do a second hack to the cloud and move the data there.
In all fairness, the advanced folks are only able to compress a 1Gb file down to about 100Mb, so this is not likely. I am also guessing that North Korea does not have massive amounts of disk space either.
«So, yes, Sony's breach absolutely could have been the work of the North Koreans. It is even a logical target if their goal is to train their hacking team against a live target. North Korea has no love for Japan or the US, so taking on what was once an iconic corporation in those countries might have some symbolism.
More to the point, Sony was soft. It wasn't expecting an attack, it wasn't particularly well defended, and it didn't have the resources (that larger, more profitable corporations have or are developing) to react in real time.»
Indeed ! And by the same logic, what better perpetrator to point to when one's inadequate defences have been penetrated - whether by outside actors or disgruntled employees, current and/or former - than North Korea, the political entity about which «we» know next to nothing, but all love to hate ? All brain activity is then shorted out by overwhelming waves of outrage - How dare they ?!! - and (almost) nobody pauses to ask obvious questions about how this could occur or who had the greatest motivation to carry out this attack....
If North Korea didn't exist, «we» should be forced to invent it (or switch to another automatic target for our outrage - there is no lack of candidates)....
Henri
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
