Schneier on Security: Blog Entries Tagged Sony

Schneier on Security

Blog > Entries by Tag >

Entries Tagged “Sony”

Page 1 of 3

The Rise of Political Doxing

Last week, CIA director John O. Brennan became the latest victim of what's become a popular way to embarrass and harass people on the Internet. A hacker allegedly broke into his AOL account and published e-mails and documents found inside, many of them personal and sensitive.

It's called doxing­ -- sometimes doxxing­ -- from the word "documents." It emerged in the 1990s as a hacker revenge tactic, and has since been as a tool to harass and intimidate people, primarily women, on the Internet. Someone would threaten a woman with physical harm, or try to incite others to harm her, and publish her personal information as a way of saying "I know a lot about you­ -- like where you live and work." Victims of doxing talk about the fear that this tactic instills. It's very effective, by which I mean that it's horrible.

Brennan's doxing was slightly different. Here, the attacker had a more political motive. He wasn't out to intimidate Brennan; he simply wanted to embarrass him. His personal papers were dumped indiscriminately, fodder for an eager press. This doxing was a political act, and we're seeing this kind of thing more and more.

Last year, the government of North Korea did this to Sony. Hackers the FBI believes were working for North Korea broke into the company's networks, stole a huge amount of corporate data, and published it. This included unreleased movies, financial information, company plans, and personal e-mails. The reputational damage to the company was enormous; the company estimated the cost at $41 million.

In July, hackers stole and published sensitive documents from the cyberweapons arms manufacturer Hacking Team. That same month, different hackers did the same thing to the infidelity website Ashley Madison. In 2014, hackers broke into the iCloud accounts of over 100 celebrities and published personal photographs, most containing some nudity. In 2013, Edward Snowden doxed the NSA.

These aren't the first instances of politically motivated doxing, but there's a clear trend. As people realize what an effective attack this can be, and how an individual can use the tactic to do considerable damage to powerful people and institutions, we're going to see a lot more of it.

On the Internet, attack is easier than defense. We're living in a world where a sufficiently skilled and motivated attacker will circumvent network security. Even worse, most Internet security assumes it needs to defend against an opportunistic attacker who will attack the weakest network in order to get­ -- for example­ -- a pile of credit card numbers. The notion of a targeted attacker, who wants Sony or Ashley Madison or John Brennan because of what they stand for, is still new. And it's even harder to defend against.

What this means is that we're going to see more political doxing in the future, against both people and institutions. It's going to be a factor in elections. It's going to be a factor in anti-corporate activism. More people will find their personal information exposed to the world: politicians, corporate executives, celebrities, divisive and outspoken individuals.

Of course they won't all be doxed, but some of them will. Some of them will be doxed directly, like Brennan. Some of them will be inadvertent victims of a doxing attack aimed at a company where their information is stored, like those celebrities with iPhone accounts and every customer of Ashley Madison. Regardless of the method, lots of people will have to face the publication of personal correspondence, documents, and information they would rather be private.

In the end, doxing is a tactic that the powerless can effectively use against the powerful. It can be used for whistleblowing. It can be used as a vehicle for social change. And it can be used to embarrass, harass, and intimidate. Its popularity will rise and fall on this effectiveness, especially in a world where prosecuting the doxers is so difficult.

There's no good solution for this right now. We all have the right to privacy, and we should be free from doxing. But we're not, and those of us who are in the public eye have no choice but to rethink our online data shadows.

This essay previously appeared on Vice Motherboard.

EDITED TO ADD: Slashdot thread.

Posted on November 2, 2015 at 6:47 AMView Comments

Good Article on the Sony Attack

Fortune has a three-part article on the Sony attack by North Korea. There's not a lot of tech here; it's mostly about Sony's internal politics regarding the movie and IT security before the attack, and some about their reaction afterwards.

Despite what I wrote at the time, I now believe that North Korea was responsible for the attack. This is the article that convinced me. It's about the US government's reaction to the attack.

Posted on September 28, 2015 at 6:22 AMView Comments

The Security Risks of Third-Party Data

Most of us get to be thoroughly relieved that our e-mails weren't in the Ashley Madison database. But don't get too comfortable. Whatever secrets you have, even the ones you don't think of as secret, are more likely than you think to get dumped on the Internet. It's not your fault, and there's largely nothing you can do about it.

Welcome to the age of organizational doxing.

Organizational doxing -- stealing data from an organization's network and indiscriminately dumping it all on the Internet -- is an increasingly popular attack against organizations. Because our data is connected to the Internet, and stored in corporate networks, we are all in the potential blast-radius of these attacks. While the risk that any particular bit of data gets published is low, we have to start thinking about what could happen if a larger-scale breach affects us or the people we care about. It's going to get a lot uglier before security improves.

We don't know why anonymous hackers broke into the networks of Avid Life Media, then stole and published 37 million -- so far -- personal records of AshleyMadison.com users. The hackers say it was because of the company's deceptive practices. They expressed indifference to the "cheating dirtbags" who had signed up for the site. The primary target, the hackers said, was the company itself. That philanderers were exposed, marriages were ruined, and people were driven to suicide was apparently a side effect.

Last November, the North Korean government stole and published gigabytes of corporate e-mail from Sony Pictures. This was part of a much larger doxing -- a hack aimed at punishing the company for making a movie parodying the North Korean leader Kim Jong-un. The press focused on Sony's corporate executives, who had sniped at celebrities and made racist jokes about President Obama. But also buried in those e-mails were loves, losses, confidences, and private conversations of thousands of innocent employees. The press didn't bother with those e-mails -- and we know nothing of any personal tragedies that resulted from their friends' searches. They, too, were caught in the blast radius of the larger attack.

The Internet is more than a way for us to get information or connect with our friends. It has become a place for us to store our personal information. Our e-mail is in the cloud. So are our address books and calendars, whether we use Google, Apple, Microsoft, or someone else. We store to-do lists on Remember the Milk and keep our jottings on Evernote. Fitbit and Jawbone store our fitness data. Flickr, Facebook, and iCloud are the repositories for our personal photos. Facebook and Twitter store many of our intimate conversations.

It often feels like everyone is collecting our personal information. Smartphone apps collect our location data. Google can draw a surprisingly intimate portrait of what we're thinking about from our Internet searches. Dating sites (even those less titillating than Ashley Madison), medical-information sites, and travel sites all have detailed portraits of who we are and where we go. Retailers save records of our purchases, and those databases are stored on the Internet. Data brokers have detailed dossiers that can include all of this and more.

Many people don't think about the security implications of this information existing in the first place. They might be aware that it's mined for advertising and other marketing purposes. They might even know that the government can get its hands on such data, with different levels of ease depending on the country. But it doesn't generally occur to people that their personal information might be available to anyone who wants to look.

In reality, all these networks are vulnerable to organizational doxing. Most aren't any more secure than Ashley Madison or Sony were. We could wake up one morning and find detailed information about our Uber rides, our Amazon purchases, our subscriptions to pornographic websites -- anything we do on the Internet -- published and available. It's not likely, but it's certainly possible.

Right now, you can search the Ashley Madison database for any e-mail address, and read that person's details. You can search the Sony data dump and read the personal chatter of people who work for the company. Tempting though it may be, there are many reasons not to search for people you know on Ashley Madison. The one I most want to focus on is context. An e-mail address might be in that database for many reasons, not all of them lascivious. But if you find your spouse or your friend in there, you don't necessarily know the context. It's the same with the Sony employee e-mails, and the data from whatever company is doxed next. You'll be able to read the data, but without the full story, it can be hard to judge the meaning of what you're reading.

Even so, of course people are going to look. Reporters will search for public figures. Individuals will search for people they know. Secrets will be read and passed around. Anguish and embarrassment will result. In some cases, lives will be destroyed.

Privacy isn't about hiding something. It's about being able to control how we present ourselves to the world. It's about maintaining a public face while at the same time being permitted private thoughts and actions. It's about personal dignity.

Organizational doxing is a powerful attack against organizations, and one that will continue because it's so effective. And while the network owners and the hackers might be battling it out for their own reasons, sometimes it's our data that's the prize. Having information we thought private turn out to be public and searchable is what happens when the hackers win. It's a result of the information age that hasn't been fully appreciated, and one that we're still not prepared to face.

This essay previously appeared on the Atlantic.

Posted on September 9, 2015 at 8:42 AMView Comments

Attack Attribution and Cyber Conflict

The vigorous debate after the Sony Pictures breach pitted the Obama administration against many of us in the cybersecurity community who didn't buy Washington's claim that North Korea was the culprit.

What's both amazing -- and perhaps a bit frightening -- about that dispute over who hacked Sony is that it happened in the first place.

But what it highlights is the fact that we're living in a world where we can't easily tell the difference between a couple of guys in a basement apartment and the North Korean government with an estimated $10 billion military budget. And that ambiguity has profound implications for how countries will conduct foreign policy in the Internet age.

Clandestine military operations aren't new. Terrorism can be hard to attribute, especially the murky edges of state-sponsored terrorism. What's different in cyberspace is how easy it is for an attacker to mask his identity -- and the wide variety of people and institutions that can attack anonymously.

In the real world, you can often identify the attacker by the weaponry. In 2006, Israel attacked a Syrian nuclear facility. It was a conventional attack -- military airplanes flew over Syria and bombed the plant -- and there was never any doubt who did it. That shorthand doesn't work in cyberspace.

When the US and Israel attacked an Iranian nuclear facility in 2010, they used a cyberweapon and their involvement was a secret for years. On the Internet, technology broadly disseminates capability. Everyone from lone hackers to criminals to hypothetical cyberterrorists to nations' spies and soldiers are using the same tools and the same tactics. Internet traffic doesn't come with a return address, and it's easy for an attacker to obscure his tracks by routing his attacks through some innocent third party.

And while it now seems that North Korea did indeed attack Sony, the attack it most resembles was conducted by members of the hacker group Anonymous against a company called HBGary Federal in 2011. In the same year, other members of Anonymous threatened NATO, and in 2014, still others announced that they were going to attack ISIS. Regardless of what you think of the group's capabilities, it's a new world when a bunch of hackers can threaten an international military alliance.

Even when a victim does manage to attribute a cyberattack, the process can take a long time. It took the US weeks to publicly blame North Korea for the Sony attacks. That was relatively fast; most of that time was probably spent trying to figure out how to respond. Attacks by China against US companies have taken much longer to attribute.

This delay makes defense policy difficult. Microsoft's Scott Charney makes this point: When you're being physically attacked, you can call on a variety of organizations to defend you -- the police, the military, whoever does antiterrorism security in your country, your lawyers. The legal structure justifying that defense depends on knowing two things: who's attacking you, and why. Unfortunately, when you're being attacked in cyberspace, the two things you often don't know are who's attacking you, and why.

Whose job was it to defend Sony? Was it the US military's, because it believed the attack to have come from North Korea? Was it the FBI, because this wasn't an act of war? Was it Sony's own problem, because it's a private company? What about during those first weeks, when no one knew who the attacker was? These are just a few of the policy questions that we don't have good answers for.

Certainly Sony needs enough security to protect itself regardless of who the attacker was, as do all of us. For the victim of a cyberattack, who the attacker is can be academic. The damage is the same, whether it's a couple of hackers or a nation-state.

In the geopolitical realm, though, attribution is vital. And not only is attribution hard, providing evidence of any attribution is even harder. Because so much of the FBI's evidence was classified—and probably provided by the National Security Agency -- it was not able to explain why it was so sure North Korea did it. As I recently wrote: "The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong-un's sign-off on the plan." Making any of this public would reveal the NSA's "sources and methods," something it regards as a very important secret.

Different types of attribution require different levels of evidence. In the Sony case, we saw the US government was able to generate enough evidence to convince itself. Perhaps it had the additional evidence required to convince North Korea it was sure, and provided that over diplomatic channels. But if the public is expected to support any government retaliatory action, they are going to need sufficient evidence made public to convince them. Today, trust in US intelligence agencies is low, especially after the 2003 Iraqi weapons-of-mass-destruction debacle.

What all of this means is that we are in the middle of an arms race between attackers and those that want to identify them: deception and deception detection. It's an arms race in which the US -- and, by extension, its allies -- has a singular advantage. We spend more money on electronic eavesdropping than the rest of the world combined, we have more technology companies than any other country, and the architecture of the Internet ensures that most of the world's traffic passes through networks the NSA can eavesdrop on.

In 2012, then US Secretary of Defense Leon Panetta said publicly that the US -- presumably the NSA -- has "made significant advances in ... identifying the origins" of cyberattacks. We don't know if this means they have made some fundamental technological advance, or that their espionage is so good that they're monitoring the planning processes. Other US government officials have privately said that they've solved the attribution problem.

We don't know how much of that is real and how much is bluster. It's actually in America's best interest to confidently accuse North Korea, even if it isn't sure, because it sends a strong message to the rest of the world: "Don't think you can hide in cyberspace. If you try anything, we'll know it's you."

Strong attribution leads to deterrence. The detailed NSA capabilities leaked by Edward Snowden help with this, because they bolster an image of an almost-omniscient NSA.

It's not, though -- which brings us back to the arms race. A world where hackers and governments have the same capabilities, where governments can masquerade as hackers or as other governments, and where much of the attribution evidence intelligence agencies collect remains secret, is a dangerous place.

So is a world where countries have secret capabilities for deception and detection deception, and are constantly trying to get the best of each other. This is the world of today, though, and we need to be prepared for it.

This essay previously appeared in the Christian Science Monitor.

Posted on March 9, 2015 at 7:09 AMView Comments

The Security of Data Deletion

Thousands of articles have called the December attack against Sony Pictures a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.

But while companies are supposed to learn that they need to improve their security against attack, there's another equally important but much less discussed lesson here: companies should have an aggressive deletion policy.

One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. Memos we used to read and then throw away now remain in our digital archives. Big data initiatives mean that we're saving everything we can about our customers on the remote chance that it might be useful later.

Everything is now digital, and storage is cheap­ -- why not save it all?

Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on.

Saving data, especially e-mail and informal chats, is a liability.

It's also a security risk: the risk of exposure. The exposure could be accidental. It could be the result of data theft, as happened to Sony. Or it could be the result of litigation. Whatever the reason, the best security against these eventualities is not to have the data in the first place.

If Sony had had an aggressive data deletion policy, much of what was leaked couldn't have been stolen and wouldn't have been published.

An organization-wide deletion policy makes sense. Customer data should be deleted as soon as it isn't immediately useful. Internal e-mails can probably be deleted after a few months, IM chats even more quickly, and other documents in one to two years. There are exceptions, of course, but they should be exceptions. Individuals should need to deliberately flag documents and correspondence for longer retention. But unless there are laws requiring an organization to save a particular type of data for a prescribed length of time, deletion should be the norm.

This has always been true, but many organizations have forgotten it in the age of big data. In the wake of the devastating leak of terabytes of sensitive Sony data, I hope we'll all remember it now.

This essay previously appeared on ArsTechnica.com, which has comments from people who strongly object to this idea.

Slashdot thread.

Posted on January 15, 2015 at 6:12 AMView Comments

Further Evidence Pointing to North Korea as Sony Hacker

The FBI has provided more evidence:

Speaking at a Fordham Law School cybersecurity conference Wednesday, Comey said that he has "very high confidence" in the FBI's attribution of the attack to North Korea. And he named several of the sources of his evidence, including a "behavioral analysis unit" of FBI experts trained to psychologically analyze foes based on their writings and actions. He also said that the FBI compared the Sony attack with their own "red team" simulations to determine how the attack could have occurred. And perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans.

"In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy," Comey said. "Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using...were exclusively used by the North Koreans."

"They shut it off very quickly once they saw the mistake," he added. "But not before we saw where it was coming from."

Here's the full text of the FBI director's remarks. More news stories. Commentary from Just Security. Slashdot thread. Hacker News thread.

EDITED TO ADD (1/10): Marc Rogers responds. Here's a piece:

First, they are saying that these guys, who so were careful to route themselves through multiple public proxies in order to hide their connections, got sloppy and connected directly. It's a rookie mistake that every hacker dreads. Many of us "hackers" even set up our systems to make this sort of slip-up impossible. So, while its definitely plausible, it feels very unlikely for professional or state-sponsored hackers in my books. Hackers who take this much care when hiding their connections have usually developed a methodology based around using these kinds of connections to hide their origin. It becomes such common practice that it's almost a reflex. Why? Because their freedom depends on it.

However, even if we take that to one side and accept that these emails came from North Korean IP addresses, what are those addresses? If they are addresses in the North Korean IP ranges then why don't they share them? If they are North Korean servers, then say so! What about the possibility that this attacker who has shown ability and willingness to bounce their connections all over the world is simply bouncing their messages off of North Korean infrastructure?

Finally, how do they even know these emails came from the attackers? From what I saw, the messages with actual incriminating content were dumped to pastebin and not sent via email. Perhaps there are messages with incriminating content -- and by this I mean links to things only the attackers had access to -- which they haven't shared with us? Because from where I am sitting, it's highly possible that someone other than the attacker could have joined in the fun by sending threatening messages as GOP, as we have already seen happen once in this case.

EDITED TO ADD (1/12): The NSA admits involvement.

Posted on January 9, 2015 at 6:24 AMView Comments

Attack Attribution in Cyberspace

When you're attacked by a missile, you can follow its trajectory back to where it was launched from. When you're attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.

Many of us in the computer-security field are skeptical of the US government's claim that it has positively identified North Korea as the perpetrator of the massive Sony hack in November 2014. The FBI's evidence is circumstantial and not very convincing. The attackers never mentioned the movie that became the centerpiece of the hack until the press did. More likely, the culprits are random hackers who have loved to hate Sony for over a decade, or possibly a disgruntled insider.

On the other hand, most people believe that the FBI would not sound so sure unless it was convinced. And President Obama would not have imposed sanctions against North Korea if he weren't convinced. This implies that there's classified evidence as well. A couple of weeks ago, I wrote for the Atlantic, "The NSA has been trying to eavesdrop on North Korea's government communications since the Korean War, and it's reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un's sign-off on the plan. On the other hand, maybe not. I could have written the same thing about Iraq's weapons-of-mass-destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that."

The NSA is extremely reluctant to reveal its intelligence capabilities -- or what it refers to as "sources and methods" -- against North Korea simply to convince all of us of its conclusion, because by revealing them, it tips North Korea off to its insecurities. At the same time, we rightly have reason to be skeptical of the government's unequivocal attribution of the attack without seeing the evidence. Iraq's mythical weapons of mass destruction is only the most recent example of a major intelligence failure. American history is littered with examples of claimed secret intelligence pointing us toward aggression against other countries, only for us to learn later that the evidence was wrong.

Cyberspace exacerbates this in two ways. First, it is very difficult to attribute attacks in cyberspace. Packets don't come with return addresses, and you can never be sure that what you think is the originating computer hasn't itself been hacked. Even worse, it's hard to tell the difference between attacks carried out by a couple of lone hackers and ones where a nation-state military is responsible. When we do know who did it, it's usually because a lone hacker admitted it or because there was a months-long forensic investigation.

Second, in cyberspace, it is much easier to attack than to defend. The primary defense we have against military attacks in cyberspace is counterattack and the threat of counterattack that leads to deterrence.

What this all means is that it's in the US's best interest to claim omniscient powers of attribution. More than anything else, those in charge want to signal to other countries that they cannot get away with attacking the US: If they try something, we will know. And we will retaliate, swiftly and effectively. This is also why the US has been cagey about whether it caused North Korea's Internet outage in late December.

It can be an effective bluff, but only if you get away with it. Otherwise, you lose credibility. The FBI is already starting to equivocate, saying others might have been involved in the attack, possibly hired by North Korea. If the real attackers surface and can demonstrate that they acted independently, it will be obvious that the FBI and NSA were overconfident in their attribution. Already, the FBI has lost significant credibility.

The only way out of this, with respect to the Sony hack and any other incident of cyber-aggression in which we're expected to support retaliatory action, is for the government to be much more forthcoming about its evidence. The secrecy of the NSA's sources and methods is going to have to take a backseat to the public's right to know. And in cyberspace, we're going to have to accept the uncomfortable fact that there's a lot we don't know.

This essay previously appeared in Time.

Posted on January 8, 2015 at 6:34 AMView Comments

Attributing the Sony Attack

No one has admitted taking down North Korea's Internet. It could have been an act of retaliation by the US government, but it could just as well have been an ordinary DDoS attack. The follow-on attack against Sony PlayStation definitely seems to be the work of hackers unaffiliated with a government.

Not knowing who did what isn't new. It's called the "attribution problem," and it plagues Internet security. But as governments increasingly get involved in cyberspace attacks, it has policy implications as well. Last year, I wrote:

Ordinarily, you could determine who the attacker was by the weaponry. When you saw a tank driving down your street, you knew the military was involved because only the military could afford tanks. Cyberspace is different. In cyberspace, technology is broadly spreading its capability, and everyone is using the same weaponry: hackers, criminals, politically motivated hacktivists, national spies, militaries, even the potential cyberterrorist. They are all exploiting the same vulnerabilities, using the same sort of hacking tools, engaging in the same attack tactics, and leaving the same traces behind. They all eavesdrop or steal data. They all engage in denial-of-service attacks. They all probe cyberdefences and do their best to cover their tracks.

Despite this, knowing the attacker is vitally important. As members of society, we have several different types of organizations that can defend us from an attack. We can call the police or the military. We can call on our national anti-terrorist agency and our corporate lawyers. Or we can defend ourselves with a variety of commercial products and services. Depending on the situation, all of these are reasonable choices.

The legal regime in which any defense operates depends on two things: who is attacking you and why. Unfortunately, when you are being attacked in cyberspace, the two things you often do not know are who is attacking you and why. It is not that everything can be defined as cyberwar; it is that we are increasingly seeing warlike tactics used in broader cyberconflicts. This makes defence and national cyberdefence policy difficult.

In 2007, the Israeli Air Force bombed and destroyed the al-Kibar nuclear facility in Syria. The Syrian government immediately knew who did it, because airplanes are hard to disguise. In 2010, the US and Israel jointly damaged Iran's Natanz nuclear facility. But this time they used a cyberweapon, Stuxnet, and no one knew who did it until details were leaked years later. China routinely denies its cyberespionage activities. And a 2009 cyberattack against the United States and South Korea was blamed on North Korea even though it may have originated from either London or Miami.

When it's possible to identify the origins of cyberattacks­ -- like forensic experts were able to do with many of the Chinese attacks against US networks­ -- it's as a result of months of detailed analysis and investigation. That kind of time frame doesn't help at the moment of attack, when you have to decide within milliseconds how your network is going to react and within days how your country is going to react. This, in part, explains the relative disarray within the Obama administration over what to do about North Korea. Officials in the US government and international institutions simply don't have the legal or even the conceptual framework to deal with these types of scenarios.

The blurring of lines between individual actors and national governments has been happening more and more in cyberspace. What has been called the first cyberwar, Russia vs. Estonia in 2007, was partly the work of a 20-year-old ethnic Russian living in Tallinn, and partly the work of a pro-Kremlin youth group associated with the Russian government. Many of the Chinese hackers targeting Western networks seem to be unaffiliated with the Chinese government. And in 2011, the hacker group Anonymous threatened NATO.

It's a strange future we live in when we can't tell the difference between random hackers and major governments, or when those same random hackers can credibly threaten international military organizations.

This is why people around the world should care about the Sony hack. In this future, we're going to see an even greater blurring of traditional lines between police, military, and private actions as technology broadly distributes attack capabilities across a variety of actors. This attribution difficulty is here to stay, at least for the foreseeable future.

If North Korea is responsible for the cyberattack, how is the situation different than a North Korean agent breaking into Sony's office, photocopying a lot of papers, and making them available to the public? Is Chinese corporate espionage a problem for governments to solve, or should we let corporations defend themselves? Should the National Security Agency defend US corporate networks, or only US military networks? How much should we allow organizations like the NSA to insist that we trust them without proof when they claim to have classified evidence that they don't want to disclose? How should we react to one government imposing sanctions on another based on this secret evidence? More importantly, when we don't know who is launching an attack or why, who is in charge of the response and under what legal system should those in charge operate?

We need to figure all of this out. We need national guidelines to determine when the military should get involved and when it's a police matter, as well as what sorts of proportional responses are available in each instance. We need international agreements defining what counts as cyberwar and what does not. And, most of all right now, we need to tone down all the cyberwar rhetoric. Breaking into the offices of a company and photocopying their paperwork is not an act of war, no matter who did it. Neither is doing the same thing over the Internet. Let's save the big words for when it matters.

This essay previously appeared on TheAtlantic.com.

Jack Goldsmith responded to this essay.

Posted on January 7, 2015 at 11:16 AMView Comments

More Data on Attributing the Sony Attack

An analysis of the timestamps on some of the leaked documents shows that they were downloaded at USB 2.0 speeds -- which implies an insider.

Our Gotnews.com investigation into the data that has been released by the "hackers" shows that someone at Sony was copying 182GB at minimum the night of the 21st -- the very same day that Sony Pictures' head of corporate communications, Charles Sipkins, publicly resigned from a $600,000 job. This could be a coincidence but it seems unlikely. Sipkins's former client was NewsCorp and Sipkins was officially fired by Pascal's husband over a snub by the Hollywood Reporter.

Two days later a malware bomb occurred.

We are left with several conclusions about the malware incident:

  1. The "hackers" did this leak physically at a Sony LAN workstation. Remember Sony's internal security is hard on the outside squishy in the center and so it wouldn't be difficult for an insider to harm Sony by downloading the material in much the same way Bradley Manning or Edward Snowden did at their respective posts.

  2. If the "hackers" already had copies, then it's possible they made a local copy the night of the 21st to prepare for publishing them as a link in the malware screens on the 24th.

Sony CEO Michael Lynton's released emails go up to November 21, 2014. Lynton got the "God'sApstls" email demand for money on the 21st at 12:44pm.

Other evidence implies insiders as well:

Working on the premise that it would take an insider with detailed knowledge of the Sony systems in order to gain access and navigate the breadth of the network to selectively exfiltrate the most sensitive of data, researchers from Norse Corporation are focusing on this group based in part on leaked human resources documents that included data on a series of layoffs at Sony that took place in the Spring of 2014.

The researchers tracked the activities of the ex-employee on underground forums where individuals in the U.S., Europe and Asia may have communicated prior to the attack.

The investigators believe the disgruntled former employee or employees may have joined forces with pro-piracy hacktivists, who have long resented the Sony's anti-piracy stance, to infiltrate the company's networks.

I have been skeptical of the insider theory. It requires us to postulate the existence of a single person who has both insider knowledge and the requisite hacking skill. And since I don't believe that insider knowledge was required, it seemed unlikely that the hackers had it. But these results point in that direction.

Pointing in a completely different direction, a linguistic analysis of the grammatical errors in the hacker communications implies that they are Russian speakers:

Taia Global, Inc. has examined the written evidence left by the attackers in an attempt to scientifically determine nationality through Native Language Identification (NLI). We tested for Korean, Mandarin Chinese, Russian, and German using an analysis of L1 interference. Our preliminary results show that Sony's attackers were most likely Russian, possibly but not likely Korean and definitely not Mandarin Chinese or German.

The FBI still blames North Korea:

The FBI said Monday it was standing behind its assessment, adding that evidence doesn't support any other explanations.

"The FBI has concluded the government of North Korea is responsible for the theft and destruction of data on the network of Sony Pictures Entertainment. Attribution to North Korea is based on intelligence from the FBI, the U.S. intelligence community, DHS, foreign partners and the private sector," a spokeswoman said in a statement. "There is no credible information to indicate that any other individual is responsible for this cyber incident."

Although it is now thinking that the North Koreans hired outside hackers:

U.S. investigators believe that North Korea likely hired hackers from outside the country to help with last month's massive cyberattack against Sony Pictures, an official close to the investigation said on Monday.

As North Korea lacks the capability to conduct some elements of the sophisticated campaign by itself, the official said, U.S. investigators are looking at the possibility that Pyongyang "contracted out" some of the cyber work.

This is nonsense. North Korea has had extensive offensive cyber capabilities for years. And it has extensive support from China.

Even so, lots of security experts don't believe that it's North Korea. Marc Rogers picks the FBI's evidence apart pretty well.

So in conclusion, there is NOTHING here that directly implicates the North Koreans. In fact, what we have is one single set of evidence that has been stretched out into 3 separate sections, each section being cited as evidence that the other section is clear proof of North Korean involvement. As soon as you discredit one of these pieces of evidence, the whole house of cards will come tumbling down.

But, as I wrote earlier this month:

Tellingly, the FBI's press release says that the bureau's conclusion is only based "in part" on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack. The NSA has been trying to eavesdrop on North Korea's government communications since the Korean War, and it's reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un's sign-off on the plan.

On the other hand, maybe not. I could have written the same thing about Iraq's weapons of mass destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.

I also wrote that bluffing about this is a smart strategy for the US government:

...from a diplomatic perspective, it's a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.

Of course, this strategy completely backfires if the attackers can be definitely shown to be not from North Korea. Stay tuned for more.

EDITED TO ADD (12/31): Lots of people in the comments are doubting the USB claim.

Posted on December 31, 2014 at 7:52 AMView Comments

Did North Korea Really Attack Sony?

I am deeply skeptical of the FBI's announcement on Friday that North Korea was behind last month's Sony hack. The agency's evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the US government would make the accusation this formally if officials didn't believe it.

Clues in the hackers' attack code seem to point in all directions at once. The FBI points to reused code from previous attacks associated with North Korea, as well as similarities in the networks used to launch the attacks. Korean language in the code also suggests a Korean origin, though not necessarily a North Korean one, since North Koreans use a unique dialect. However you read it, this sort of evidence is circumstantial at best. It's easy to fake, and it's even easier to interpret it incorrectly. In general, it's a situation that rapidly devolves into storytelling, where analysts pick bits and pieces of the "evidence" to suit the narrative they already have worked out in their heads.

In reality, there are several possibilities to consider:

  • This is an official North Korean military operation. We know that North Korea has extensive cyberattack capabilities.

  • This is the work of independent North Korean nationals. Many politically motivated hacking incidents in the past have not been government-controlled. There's nothing special or sophisticated about this hack that would indicate a government operation. In fact, reusing old attack code is a sign of a more conventional hacker being behind this.

  • This is the work of hackers who had no idea that there was a North Korean connection to Sony until they read about it in the media. Sony, after all, is a company that hackers have loved to hate for a decade. The most compelling evidence for this scenario is that the explicit North Korean connection -- threats about the movie The Interview -- were only made by the hackers after the media picked up on the possible links between the film release and the cyberattack. There is still the very real possibility that the hackers are in it just for the lulz, and that this international geopolitical angle simply makes the whole thing funnier.

  • It could have been an insider -- Sony's Snowden -- who orchestrated the breach. I doubt this theory, because an insider wouldn't need all the hacker tools that were used. I've also seen speculation that the culprit was a disgruntled ex-employee. It's possible, but that employee or ex-employee would have also had to possess the requisite hacking skills, which seems unlikely.

  • The initial attack was not a North Korean government operation, but was co-opted by the government. There's no reason to believe that the hackers who initially stole the information from Sony are the same ones who threatened the company over the movie. Maybe there are several attackers working independently. Maybe the independent North Korean hackers turned their work over to the government when the job got too big to handle. Maybe the North Koreans hacked the hackers.

I'm sure there are other possibilities that I haven't thought of, and it wouldn't surprise me if what's really going on isn't even on my list. North Korea's offer to help with the investigation doesn't clear matters up at all.

Tellingly, the FBI's press release says that the bureau's conclusion is only based "in part" on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack. The NSA has been trying to eavesdrop on North Korea's government communications since the Korean War, and it's reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un's sign-off on the plan.

On the other hand, maybe not. I could have written the same thing about Iraq's weapons of mass destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.

Allan Friedman, a research scientist at George Washington University's Cyber Security Policy Research Institute, told me that, from a diplomatic perspective, it's a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.

Sony also has a vested interest in the hack being the work of North Korea. The company is going to be on the receiving end of a dozen or more lawsuits -- from employees, ex-employees, investors, partners, and so on. Harvard Law professor Jonathan Zittrain opined that having this attack characterized as an act of terrorism or war, or the work of a foreign power, might earn the company some degree of immunity from these lawsuits.

I worry that this case echoes the "we have evidence -- trust us" story that the Bush administration told in the run-up to the Iraq invasion. Identifying the origin of a cyberattack is very difficult, and when it is possible, the process of attributing responsibility can take months. While I am confident that there will be no US military retribution because of this, I think the best response is to calm down and be skeptical of tidy explanations until more is known.

This essay originally appeared on The Atlantic.

Lots more doubters. And Ed Felten has also written about the Sony breach.

EDITED TO ADD (12/24): Nicholas Weaver analyzes how the NSA could determine if North Korea was behind the Sony hack. And Jack Goldsmith discusses the US government's legal and policy confusion surrounding the attack.

EDITED TO ADD: Slashdot thread. Hacker News thread.

EDITED TO ADD (1/14): Interesting article by DEFCON's director of security operations.

Posted on December 24, 2014 at 6:27 AMView Comments

1 2 3 Next→

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.