Monday, December 22, 2014

Hack attack and counter-attack

I must be brief because my plate, today, is full. Earlier today, NPR broadcast a supremely irritating round table discussion on the alleged North Korean attack on Sony Pictures. "Irritating" because every participant presumed as a given that NK was, in fact, the culprit -- and when asked how we can be sure of NK's guilt, one participant said, in essence, 'Because the government says so.'

North Korea isn't the only country in which the infallibility of Dear Leader is a given.

Now it seems as though the United States has retaliated against the entire North Korean internet: NK has reportedly been hit with a massive distributed denial of service attack -- which will do exactly nothing to hurt most North Koreans, since so few have internet access.

But...is this U.S. retaliation? See here:
While many minds will immediately jump to the idea of retaliation by the United States, it’s worth noting that the international hacker’s group Anonymous has threatened action against North Korea for its actions against Sony. Additionally, as noted, the collapse that is being reported could be due to North Korea’s own efforts to disconnect its Internet connections in anticipation of retaliation from the outside world.
An interesting scenario, this. What if the cyber-war -- in both directions -- is being directed by non-state actors? What if outsiders are staging a North Korea/US war?

Talk about lulz!

Despite the presumptions of those smug panelists on NPR, many people still think that North Korea did not stage the Great Sony Hack. See here. The Gawker piece at the other end of that link points to this post by security expert Marc Rogers, an analysis which we looked at in a previous post here on Cannonfire. Marc offers an updated viewpoint here:
The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
What the FBI is essentially saying here is that some of the IP addresses found while analyzing the malware samples and the logs of the attack have been used in the past by North Korea. To me, this piece of evidence is perhaps the least convincing of all. IP addresses are often quite nebulous things. They are addresses of machines connected to the Internet. They are neither good, nor bad.

The IP address is never what is interesting. It’s what’s running on the system that has that IP address that is interesting. Furthermore, to imply that some addresses are permanent fixtures used by North Korean hackers implies a fundamental misunderstanding of how the internet works and in particular how hackers operate.

For starters, hackers – at least the ones that want to stay out of jail – do NOT use their own machines or websites as staging points for operations. Instead, they hijack other vulnerable systems and route their traffic through them – and often many others – as a way to hide their origin. You know, IP addresses such as those belonging to hotels in Thailand, for example.
This analysis of the IP addresses shows that the trail does not point to NK. Here are the IP addresses:

202.131.222.102 – Thailand
217.96.33.164 – Poland
88.53.215.64 – Italy
200.87.126.116 – Bolivia
58.185.154.99 – Singapore
212.31.102.100 – Cyprus
208.105.226.235 – USA

These are all known proxies. Anyone can use a proxy.
At the end of the day, if these are all the IPs that the US is using as evidence that DPRK carried out this attack, I think it is pretty weak as evidence goes. The majority of these systems are proxies and known to be such, and the others are weak systems that have likely been compromised for use in this attack and maybe others, because hackers share a lot of these C&C boxes. They do so to muddy the waters, so to speak; the more groups using them, the more confusion can be sown.

The machine in NY is interesting in that it is still online. I would have thought that the authorities would want to take that into evidence but there it is, still online. Maybe they are still getting round to that...
Verrrrry interesting.
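The shared-infrastructure argument Marc makes above lends itself to a small worked example. The Python below is added here; it is not code from the original post or from Marc Rogers' analysis. The seven IP addresses are the ones listed above, but the PRIOR_SIGHTINGS table, the actor names (actor-A and so on) and the OPEN_PROXY label are constructed, hypothetical data, not real threat intelligence. It scores an actor's overlap with the indicator list two ways: a naive count of matching addresses (the "several IP addresses ... communicated with" reading), and a weighted count that gives a known open proxy no weight at all and splits an address seen with several actors among them, so that only addresses seen exclusively with one actor count in full.

```python
"""Weigh IP-address overlap as attribution evidence.

Added example, not from the original post or Marc Rogers' analysis.
POST_IPS are the seven addresses listed in the post. PRIOR_SIGHTINGS is
constructed, hypothetical data made up for this illustration and is NOT
real threat intelligence.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

OPEN_PROXY = "open-proxy-list"  # hypothetical label for "on a public proxy list"

# Addresses listed in the post, with the country labels given there.
POST_IPS: Dict[str, str] = {
    "202.131.222.102": "Thailand",
    "217.96.33.164": "Poland",
    "88.53.215.64": "Italy",
    "200.87.126.116": "Bolivia",
    "58.185.154.99": "Singapore",
    "212.31.102.100": "Cyprus",
    "208.105.226.235": "USA",
}

# Constructed: which actors (or public lists) an analyst has previously
# seen using each address. Actor names are placeholders.
PRIOR_SIGHTINGS: Dict[str, Set[str]] = {
    "202.131.222.102": {OPEN_PROXY, "actor-A", "actor-B"},
    "217.96.33.164": {OPEN_PROXY, "actor-C"},
    "88.53.215.64": {"actor-A"},
    "200.87.126.116": {OPEN_PROXY},
    "58.185.154.99": {"actor-A", "actor-D", "actor-E"},
    "212.31.102.100": set(),  # never seen before: no history either way
    "208.105.226.235": {"actor-A"},
}


def validate(ip: str) -> ipaddress.IPv4Address:
    """Parse an address and reject anything that could not be a real
    public hop (private, loopback, link-local, multicast ranges)."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        raise ValueError(f"{ip} is not a globally routable address")
    return addr


def indicator_weight(ip: str, actor: str, sightings: Dict[str, Set[str]]) -> float:
    """How much an address's history says about one actor.

    0   if the actor was never seen with it, or it is an open proxy
        (anyone can use a proxy, so it discriminates between nobody).
    1/n if n distinct actors have used it: shared C&C is diluted evidence.
    1   only when the address has been seen with this actor alone.
    """
    users = sightings.get(ip, set())
    if actor not in users or OPEN_PROXY in users:
        return 0.0
    return 1.0 / len(users)


def score_attribution(
    actor: str, ips: Dict[str, str], sightings: Dict[str, Set[str]]
) -> Tuple[int, float, List[str]]:
    """Return (naive overlap count, weighted score, exclusive indicators)."""
    naive = 0
    weighted = 0.0
    exclusive: List[str] = []
    for ip in ips:
        validate(ip)
        if actor in sightings.get(ip, set()):
            naive += 1
        w = indicator_weight(ip, actor, sightings)
        weighted += w
        if w == 1.0:
            exclusive.append(ip)
    return naive, weighted, exclusive


if __name__ == "__main__":
    for actor in ("actor-A", "actor-C"):
        naive, weighted, exclusive = score_attribution(actor, POST_IPS, PRIOR_SIGHTINGS)
        print(f"{actor}: {naive} of {len(POST_IPS)} addresses overlap, "
              f"weighted score {weighted:.2f}, exclusive: {exclusive}")
```

With the constructed table, actor-A "overlaps" with four of the seven addresses, which sounds like a lot, but two of those four are diluted by other actors or a proxy list and the weighted score rests on just two addresses seen with actor-A alone. Actor-C overlaps with one address, and since that address is a known open proxy its weight is zero. The point is the one Marc makes in prose: the count of matching addresses is not the evidence; the exclusivity of each address is.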

Back to Marc:
So in conclusion, there is NOTHING here that directly implicates the North Koreans. In fact, what we have is one single set of evidence that has been stretched out into 3 separate sections, each section being cited as evidence that the other section is clear proof of North Korean involvement. As soon as you discredit one of these pieces of evidence, the whole house of cards will come tumbling down.
There's more. Here's a great round-up of the views offered by skeptics.
It isn’t that anyone is saying that North Korea didn’t do it. It is just that the information we have thus far doesn’t indicate that they did. Instead, it looks like the US government just wants it to be North Korea and the perpetrators want it to appear as though it is North Korea, and so everyone assumes it is North Korea. But other than that, there really is nothing.
What else can I add? After the Iraq war/WMD debacle, the "Uncle Sam says it, I believe it, and that settles it" argument doesn't have much power to persuade.

6 comments:

Alessandro Machi said...

The commerce argument, that the U.S. is allowed to advocate the assassination of a foreign leader in the pursuit of commerce, I find mind boggling.

jo6pac said...

The part I love is the Intertubes are down now in NC. I wonder who is in charge of the Intertubes?

I'm Anon said...

The Norks launched a pre-emptive strike against Hollywood and now they have to be punished. The Russians shot down MH17, Assad used poison gas on his own people, torture is a good thing, and we threw Osama into the ocean. The police are here for your protection. We said so and that settles it.
Joseph Goebbels is spinning in his grave in envy.

Anonymous said...

Joe, you should read this. Specifically, you should skip to Section 5 which deals with the assassination of JFK.

http://educationforum.ipbhost.com/index.php?showtopic=3326

I stumbled upon it after listening to a Dick Cheney interview wherein he mentioned how John Tower's nomination to be Secretary of Defense had been derailed in the Senate, making room for Cheney. Shortly thereafter, both John Tower and John Heinz died in small plane crashes - in a two-day period.

maz said...

I suspect I could take North Korea off the net if I wanted to, given a couple of days' reading. The country is so lightly connected to the outside world, even a moderately heavy DDOS attack would render them essentially isolated. The idea it would take a state-level effort is absurd.

Something I haven't seen discussed, though (and I've not yet read Marc Rogers' post, so apologies if he covers it), is where the NSA is on this. I mean, the hackers vacuumed up multiple terabytes' worth of data from Sony's servers over what was undoubtedly a days-long hack. And it's long been known the NSA has its fangs sunk deeply into [at least] all of the trunks into and out of the domestic 'net in order to extract [at least] all meta-data -- connection info, deep packet analysis, and so on. If traffic was detected between a known North Korea-affiliated server and *any* US address, I'd expect there to have been alarms flashing in Ft. Meade -- let alone between a suspected NK hacker and a major US [division of a multinational] corporation. Even if it wasn't caught in real-time, it should have taken no time at all to identify international traffic related to the hack using historical data. Sure, maybe it would simply lead to a proxy -- but given the sort of mistakes the hackers are alleged to have made, somehow I doubt the trail would have ended there.

Admittedly, the No Such Agency typically has transcended paranoia when it comes to secrecy. (There were a few NSA employees who went through GWU's Master's in Telecom program the same time I did, and I must say they were, hands-down, some of the strangest people I've met this side of a Tenderloin crackhouse.) But not only is this cat well out of the bag, it opened the barn doors and let out the horse. Hell, not only could it identify the Sony hackers without revealing anything not already plastered across the web months ago, it could do so using only data it could have collected legally. (And I mean honest-to-gosh legally, not Michael-Hayden-trust-me legally.) Seems to me this would be a terrific time for a well-placed leak to demonstrate to the American people just what it is we're getting in exchange for billions of dollars and the last shred of our privacy.

Assuming, that is, the hackers actually are based overseas. If the hackers are domestic, the NSA probably could still identify them -- they just couldn't admit it.

Anonymous said...

Or maybe this whole thing is made up to cover up all of the corruption and bribery which were revealed in the information found during the hacking. Perhaps stuff about connections to pedophilia rings and bribing of public officials.