
Comments
Deconstructing The Sony Hack: What I Know From Inside The Military
Marilyn Cohodas,
User Rank: Strategist
1/6/2015 | 4:20:01 PM
Take on faith that the government's attribution picture is credible
Thanks for this analysis @JeffSchilling. You make a strong case that there is a lot more that we don't know about the government's thinking on North Korea than we do know (or ever will know). That said, to those in the cybersecurity world who have lost their trust in government, it's a giant leap of faith.
BobD346,
User Rank: Apprentice
1/6/2015 | 5:23:48 PM
Commentary
Good article. Your comment about not sleeping well at night should definitely be heeded. Every CSO/CISO should not sleep well at night! I have enjoyed all of the commentary from the mainstream media - like they know! Retired Air Force member here!
Jeff.schilling,
User Rank: Author
1/6/2015 | 6:06:22 PM
Re: Take on faith that the government's attribution picture is credible
Marilyn, thank you for your comments. Attribution in this case is really only important for the government/Law Enforcement and the victim to worry about. I applaud the FBI for getting some technical data out to us relatively quickly that allowed us to take some proactive measures. Knowing how that process worked, Sony likely gave them permission to share that information with the broader community, which is to their credit as well.
Jeff.schilling,
User Rank: Author
1/6/2015 | 6:08:35 PM
Re: Commentary
The ransom actors are gaining in sophistication of their operational processes. If this truly is ransom actors, this is a serious escalation that should not be a wake-up call; it should be an awakening.
Wolf6305,
User Rank: Apprentice
1/7/2015 | 9:20:31 AM
Re: Commentary
Thanks for the reminder about the relative speed of government cyber-attack. It reminds me of a scam model where the bad guys also impersonate the authoritative response, confusing the issue and slowing down actual law enforcement actions. What if the same group that attacked Sony also attacked N Korea's infrastructure? Then the public is left with the impression that maybe the US is retaliating for the Sony attack, as is a common reconstruction floating around the Internet right now.
Jeff.schilling,
User Rank: Author
1/7/2015 | 10:04:38 AM
Re: Commentary
That is an interesting theory and very plausible. That would be what I would do as well to cause more confusion.
SgS125,
User Rank: Ninja
1/7/2015 | 11:07:04 AM
REGIN
Should we also wait to hear from the Government on what they had intended to do with the REGIN attacks?

I agree that the "media", whoever you consider them to be, has it wrong, will always have it wrong, and can't understand enough of the situation to ever report anything other than what they are told to repeat.

If you are sleepless over this then you have already lost your battle. It's always the next unknown threat that gets us; no point in worrying over it or asking for more money to protect you from things you don't know about or can't plan for.

We can only hope that all the exploits that our "friends" in Government hold secret will not be used against us.
Jeff.schilling,
User Rank: Author
1/7/2015 | 12:06:17 PM
Re: REGIN
Re: REGIN, no clear attribution has been assigned to this framework.  I doubt that it ever will be clearly attributed.  There are lots of sophisticated nation-state threat actors, I would not jump to any conclusions on who is holding the strings on that framework.

In the US, we have US Code Title 50 congressional legislation that limits foreign intelligence collection on US soil by the US Intelligence Community. Any exceptions to this are adjudicated by the FISA court when the Intelligence Community can show that the data they want to collect on US soil is critical to putting the pieces together on other global collection efforts. There have been some well-publicized cases where some folks believe the FISA court got the decision wrong; I am inclined to agree in some cases with those skeptics that the collection was an overreach. However, I will offer that there is no other cyber superpower that has this kind of oversight that keeps their intelligence collection limited to foreign collection only. They might not get it right every time, but there is no systemic abuse that we should worry about. I do not lose any sleep over this at all.

To clarify what keeps me up at night: threat actors had for the most part focused on Computer Network Exploitation. Now they are increasingly getting kinetic and destroying IT infrastructure, having a serious business impact. Most large multinational organizations like Sony and many others have a very large attack surface due to the massive complexity associated with managing a global enterprise. I think some of the big companies should start changing their strategy from trying to protect everything to protecting what is important and assuming everything else is potentially compromised.

Thank you for your comments.  This is great dialogue.  

SgS125,
User Rank: Ninja
1/7/2015 | 12:14:28 PM
Re: REGIN
I suspect that since the Sony situation has overtaken the media and completely obfuscated the REGIN discovery we will not hear much more about it. There were several fine technical analyses of the code and its methods. A seriously long read for anyone who cares to speculate on the methods and uses of this type of malware.

Let's hope that we and the networks we protect don't have anything interesting enough for the players that play to ruin our day.

Don't forget to hide your backups! They can't encrypt or erase what they can't find.
TerryB,
User Rank: Ninja
1/7/2015 | 1:36:38 PM
Ransomware and backups
Jeff, how did that ransomware attack put that hosted company out of business? Surely people are still making backup copies of their (hopefully) virtual servers and more timely copies of the data itself? I could see this causing a loss of some data, like from the last backup. But to take them out of business completely? How is that possible?

Is there something about ransomware and backups I'm not understanding? What you describe would be a major pain in the rear end here while we rebuilt services and data. But knocking us out of business, I don't think so.

Actually, I know so, since our primary business server is an IBM i5 server which is not addressable from the internet and can't be infected by someone clicking on a rogue attachment/web page.

It is our infatuation with Windows-type computers which run scripts and allow easy o/s corruption, combined with connecting directly to the Internet for "customer services", which has put us all here. Anyone got stories of IBM mainframes being pawned like these Windows/Linux servers are? Besides an inside attack, of course. No system can survive that if the good guy decides to become a bad guy. You can only hope to stop them sooner rather than later in that case.