Updating the Sony hack: FBI story not selling to crypto experts

***

Here in a nutshell is how things stand a week after my original comments on the hack and Sony’s culpability:

  • Sony Pictures chair Michael Lynton has even more pointedly dodged any responsibility for the damage caused on November 24.
  • FBI director James Comey insists more than ever that North Korea engineered the hack.
  • A high-profile crypto expert, Marc Rogers, has just published a detailed critique of the claims made by the FBI and Sony.

Lynton’s lapses. In an interview last week for ABC News, Chairman Lynton said the following:

“We are the canary in the coal mine, that’s for sure. There’s no playbook for this, so you are in essence trying to look at the situation as it unfolds and make decisions without being able to refer to a lot of you’ve had in the past or other peoples’ experiences. You’re on completely new ground.”

Talk about revisionist history. In case you haven’t read my previous post, I lay out the sordid 10-year history of Sony’s experiences in the so-called “coal mine.” Needless to say, Lynton has a vested interest in getting the audience to believe the November 24 attack came out of the blue. That makes him look less like a failed leader, and probably prevents him from sinking even further into legal liability. Here are three highlights of the backstory he conveniently overlooks:

  • Sony Pictures itself (not the parent company) was hacked – with many of the same awful results – in the summer of 2011. No, November 24 didn’t happen without any “playbook.”
  • IT consultants hired by Sony Pictures in the summer of 2014 warned of numerous security vulnerabilities in their network, which management apparently ignored.
  • Sony Corp’s fight with the hacker community began all the way back in 2005, with the Sony rootkit scandal, which produced years of conflict and plenty of guideposts to refer to, if the Lynton squad had been paying attention.

Director Comey’s “new evidence”. Apparently feeling the need to shore up the FBI’s credibility, Comey said this last week:

“There is not much in this life that I have high confidence about—I have very high confidence about this attribution as does the entire intelligence community.”

His remarks were, however, almost devoid of what you would call “evidence,” new or old. His main substantive argument is that the Sony hackers “got sloppy,” meaning the agency nerds were able to track the hackers’ path despite their attempts to hide it. The FBI’s approach still doesn’t sit well with outside experts.

Marc Rogers, doubting Thomas. A high-profile member of the security community, Marc Rogers, has spelled out his own serious doubts about the FBI’s theory on his blog (Rogers is, among other things, head of security for DEF CON). Rogers’ single biggest issue is, unsurprisingly, that the FBI makes a lot of claims without providing the evidence behind them. For example, they cite “other attacks” from North Korea, but make no attempt to describe or identify them.

One of the most persuasive arguments I read in Rogers’ post has to do with the widely reported claim that the hackers “got sloppy”…

“First, they are saying that these guys, who were so careful to route themselves through multiple public proxies in order to hide their connections, got sloppy and connected directly. It’s a rookie mistake that every hacker dreads. Many of us “hackers” even set up our systems to make this sort of slip-up impossible. So, while it’s definitely plausible, it feels very unlikely for professional or state-sponsored hackers in my books. Hackers who take this much care when hiding their connections have usually developed a methodology based around using these kinds of connections to hide their origin. It becomes such common practice that it’s almost a reflex. Why? Because their freedom depends on it.”

Echoing what Bruce Schneier has been saying recently, Rogers reminds us that, whatever case you’re trying to prove, attribution for an attack is always going to be extremely difficult. Rogers adds a couple of other useful observations. For one thing, if North Korean numeric IP addresses were involved, why not just disclose them? That’s certainly not going to put national security at risk. Then there’s the really big hole in this story: the vector. Rogers describes Comey’s admission that, as of last week, the FBI still didn’t know how the attackers actually entered the Sony network as “a HUGE bombshell.” If they don’t know the vector, they’ve got a long way to go in deciphering the details.

So what would make the skeptical security experts less skeptical? Rogers has a wishlist:

  • Evidence of direct symmetrical connections – i.e. either data connections or control connections that were not routed from a proxy. Not asymmetric connections such as an email moving from server to server.
  • Connections that were routed through proxies supported by logs from every single proxy involved.
  • Comprehensive forensic evidence from a “staging system” used by the attackers to control or deploy their attacks.
  • Evidence of highly specific code, which can then be tied to an individual or individuals.
  • Evidence of a highly specific vulnerability or 0day [zero-day vulnerability] that can be traced.
  • Details (not just hints) about highly specific tools used by the attackers, which can be linked back to the attackers.
  • The attacker’s laptop with tools, code and logs intact.
  • A confession [smiley in original].
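The second item on that list, logs from every single proxy involved, is the one that can be made concrete. The example below is added here and is not code from Rogers, Sony or the FBI; every address and log line is constructed (RFC 5737 documentation ranges) and the log format is hypothetical. It walks a connection back from the victim hop by hop, matching each proxy’s outbound record to the previous hop, and shows why a single missing proxy log stops the trail at that proxy: nothing beyond it can be asserted as the origin.

```python
"""Trace a proxied connection back toward its origin using each proxy's own logs.

Added illustration; all addresses and log lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProxyRecord:
    ts: datetime        # when the proxy opened the outbound connection
    client_ip: str      # who connected to the proxy
    dest_ip: str        # where the proxy forwarded the connection
    dest_port: int


def parse_line(line: str) -> ProxyRecord:
    """Parse one line of the hypothetical format '<ISO-8601 UTC> <client_ip> -> <dest_ip>:<port>'."""
    ts_text, client_ip, arrow, dest = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    dest_ip, port = dest.rsplit(":", 1)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ProxyRecord(ts, client_ip, dest_ip, int(port))


# Constructed chain: ORIGIN -> PROXY_A -> PROXY_B -> PROXY_C -> VICTIM.
PROXY_A, PROXY_B, PROXY_C = "203.0.113.10", "203.0.113.20", "203.0.113.30"
VICTIM = "198.51.100.5"
KNOWN_PROXIES: Set[str] = {PROXY_A, PROXY_B, PROXY_C}

# Constructed logs keyed by the proxy's address. The victim's own log supplies the
# first hop (PROXY_C) and the time it was seen; each proxy log records outbound hops.
COMPLETE_LOGS: Dict[str, List[str]] = {
    PROXY_C: ["2014-11-24T03:12:06Z 203.0.113.20 -> 198.51.100.5:443",
              "2014-11-24T03:40:00Z 192.0.2.99 -> 198.51.100.77:80"],   # unrelated traffic
    PROXY_B: ["2014-11-24T03:12:05Z 203.0.113.10 -> 203.0.113.30:443"],
    PROXY_A: ["2014-11-24T03:12:04Z 192.0.2.44 -> 203.0.113.20:443"],
}
# Same chain, but PROXY_B's operator never produced logs.
INCOMPLETE_LOGS = {k: v for k, v in COMPLETE_LOGS.items() if k != PROXY_B}


def trace_origin(victim_ip: str, first_hop_ip: str, seen_at: datetime,
                 logs: Dict[str, List[str]], proxies: Set[str] = KNOWN_PROXIES,
                 window: timedelta = timedelta(seconds=10)) -> Tuple[List[str], Optional[str]]:
    """Walk back from the victim's observed first hop.

    Returns (path, origin). origin is None when the trail reaches a proxy whose log
    is missing or contains no outbound record to the previous hop within `window`.
    A path whose first hop is not a known proxy is a direct connection.
    """
    path = [victim_ip, first_hop_ip]
    current = first_hop_ip
    while current in proxies:
        raw = logs.get(current)
        if raw is None:
            return path, None                  # no log for this proxy: trail ends here
        target = path[-2]                      # the hop this proxy should have forwarded to
        candidates = [r for r in map(parse_line, raw)
                      if r.dest_ip == target and abs(r.ts - seen_at) <= window]
        if not candidates:
            return path, None                  # log present but no matching outbound record
        rec = min(candidates, key=lambda r: abs(r.ts - seen_at))
        seen_at = rec.ts
        current = rec.client_ip                # who connected into this proxy
        path.append(current)
    return path, current                       # first address that is not a known proxy


if __name__ == "__main__":
    first_seen = datetime(2014, 11, 24, 3, 12, 6)
    for label, logs in (("all proxy logs", COMPLETE_LOGS), ("PROXY_B log missing", INCOMPLETE_LOGS)):
        path, origin = trace_origin(VICTIM, PROXY_C, first_seen, logs)
        print(f"{label}: path={' <- '.join(path)} origin={origin or 'unproven'}")
```

With every log present the walk reaches the constructed origin; drop one proxy’s log and the result is a path that ends at that proxy with no origin, which is precisely the gap Rogers is asking the FBI to close before naming anyone.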

D.E.