Cyber Security became a big story over the Christmas period, in particular regarding two major problems at Sony. The second hack was a distributed denial of service attack by a group calling itself ‘LizardSquad’ on the Sony PlayStation and Xbox Live networks which prevented millions of young (and some not-so-young) users from playing on-line computer games during the holiday season. There is a good article on the details of that attack written by investigative journalist Brian Krebs here.
The primary Sony hack had much greater political consequences. The FBI director James Comey has presented his firm conclusions at a Fordham Law School cybersecurity conference that he has “very high confidence” in the FBI’s attribution of the attack to North Korea. And he named several of the sources of his evidence, including a “behavioural analysis unit” of FBI experts trained to psychologically analyse foes based on their writings and actions. He also said that the FBI compared the Sony attack with their own “red team” simulations to determine how the attack could have occurred. Perhaps most importantly, Comey now says that the hackers in the attack failed on multiple occasions to use the proxy servers that bounce their Internet connection through an obfuscating computer somewhere else in the world, revealing IP addresses that tied them to North Koreans. The FBI story is covered by Wired here.
Unfortunately the confidence displayed by the US intelligence services is all very reminiscent of the Iraqi weapons of mass destruction that turned out to have a no more credible source than some bloke in the pub. What about the possibility that this attacker who has shown ability and willingness to bounce their connections all over the world is simply bouncing their messages off the North Korean IP infrastructure? It’s also quite possible that someone other than the real attacker joined the party and sent threatening messages as GOP (Guardians of Peace). Unlike tracking a missile trajectory to its source, attributing attacks in cyberspace is extremely hard. Thomas Rid and Ben Buchanon have written an article on this subject. It is much easier to launch cyber-attacks than to defend against them, and unless you are a government retaliation is illegal.
There are many theories regarding not just the source of the Sony attack, but also the methods used to obtain and publish confidential emails. One entirely credible notion is that some Sony staff including executives had very weak passwords. I’ve written a T&VS article of my own to explain how hackers not only use weak passwords to start an attack, but also target the file storing all the user passwords in the database and how that can lead to a massive data breach. The article will provide you with an insight that few non-experts have, and assist you in understanding if your enterprise is getting it right (or not)!
Read Declan’s password article here.
Declan O’Riordan, Head of T&VS Security Testing, will be following up his prize winning EuroSTAR conference paper with a Live Webinar of his presentation:
Webinar: ‘The What? Why? Who? How? Of Application Security’
11 February 2015. 2:00pm – 3:00pm (GMT)
Register to attend this FREE webinar at TESTHuddle
In May this year Declan will also be speaking in the USA at STAR East and presenting two application security workshops for developers and testers in Brussels at Belgium Testing Days.