Not an obvious target
Sony made a really bad film, about a really dodgy dictator.
No-one was surprised when they got owned so badly.
No-one was even that sympathetic, the film was terrible.
North Korea's cyber attack on Sony Pictures revealed two uncomfortable truths about cybersecurity: businesses don't have to be an obvious target to get hacked, and their aggressors don't have to be superpowers. Welcome, ladies and gentleman, to the world of asymmetric warfare on the interwebs, a themes that's likely to feature …
I'm not sure companies should really care about rogue states using cyberwarfare teams. At least not specifically. Because I doubt that North Korea poses that much more a of a threat to any company that any other random group of cyber criminals out for profit. I suppose there's more risk of horrible publicity, making you look really stupid, which is something criminals may not bother to do.
But the problem is that companies seem to be spending far too little time on securing their networks and information, given how quickly the threat is evolving. And how smart some of the "ordinary" cyber criminals have shown themelves to be.
So a random company just needs to worry about being as secure as it can be, and multi-layered security, so that access to some things doesn't automatically mean getting hold of everything. Only people at specific threat would need to worry about the state-sponsored attacks, and should hopefully be able to call on resources from their governments.
The problem is that cyber attack is so much easier than cyber defence. I do worry that our intelligence agencies may have been too excited by the shinies on offer, and so committed too much of their resources to attack tools. And not enough has gone into protection of our own networks and economies. But then, maybe that should be a different arm of government? Perhaps we should look at regulation in this area. Systemically important banks now have to undergo annual stress-tests, to see how they'd respond to another 2008-style crisis. Perhaps we should be making our large corporations, relevant government departments and particularly national infrastructure companies do something similar? So GCHQ could penetration test them - and see what bits of their networks and information are easily accessible and easily disruptable. And they should be tested on how they could respond to this, along with how they could recover from attacks that were designed to cause harm, rather than just steal stuff.
I know a lot of this already goes on. But not enough, I'm sure. And I bet it's mostly the companies like BT, who've already got strong connections with government. I wonder how much banking has been tested, given the creaking state some of their IT is in?
You raise many valid points. Even physical defence is harder than offence... thus the basis for the MAD philosophy of the Cold War era.
I find it interesting that the likes of NSA, GCHQ, et al, are not assisting our critical infrastructure in testing. Penetration testing seems to be the bailiwick of private firms and I would think they don't have the tools of the big 5. Rogue states are a problem just like the rogue terrorist... unpredictable in when and where they will strike. OTOH, I can see why the big 5 are not doing this since there's so damn many companies that would need to be tested.
Unfortunately, the NSA and GCHQ are at least as interested in IDing and hoarding zero-days for their own network/system penetration efforts as they are in releasing ID'd zero-days so that they can be addressed and IT made more secure.
I've said this about 10 times in other topics. The NSA needs to have it's cybersecurity responsibilities taken away and those need to be moved under another effective agency with no ties to the NSA or DoD. To the extent that sigint agencies outside the U.S. are expected to also run national cybersecurity efforts, I would strongly advise that those responsibilities be taken from them too. Otherwise, the traditional sigint desire to be able to access everything is most likely going to continue to trump the new responsibility to secure everything.
The NSA is part of the US DoD and gives recommendations to DISA on cyber defense.
It is interesting that you mentioned 2008, as the US DoD had a major compromise in that year and it was quite expensive to remediate, the primary issue was lack of adherence to DISA requirements in the baseline configurations of workstations, servers and antivirus.
My installation was in compliance and shrugged off the attack.
Back in 2004, I noticed attackers coming from a PRC location that was the same military organisations that made Norinco SKS and AK rifle copies. I had enough information to trace it via Google Earth, back when governments weren't smudging the satellite pics. They were very confident and arrogant until it came out on world wide news, and then they switched to University IPs, and then the current building location all sources point to. It is comical they don't even try to use the bot net or Tor to hide the original attack vector. But who is going to really challenge them anyway?
"the primary issue was lack of adherence to DISA requirements in the baseline configurations "
Having had to deal with the effects on 3rd parties of numerous DoD systems being used by skiddies and spammers through the 1990s and early 2000s this isn't really a surprise.
The standard US military response to being informed they had a problem was threats - which were duely forwarded to DISA. My understanding is that a lot of people ended up doing the electronic equivalent of scrubbing the parade ground with a toothbrush, but it was clear there was a systemic failure to address information security across the DoD.
I'm no more inclinded to believe a former US Marine or a security company who are selling protection than I was the FBI. Even if it was NK, and I'm yet to see compelling evidence, companies do not have to worry about a similar attack if they don't go around publicly slagging the NK regime.
Can't be arsed to piss around with the link to 'Tips and corrections' - this should be a form not a link to my non-existent email program!
'North Korean defectors say that 'Bureau 121' hackers operate from Shenyang withing the People's Republic of China, CNN reports.' - what is withing, do you mean within?
'The FBI in its attribution refers to IP addresses used by North Koreans, not IP addresses within North Korea, an important destination.' - not sure destination is the correct word, distinction?, designation?
I left school at 16 with a CSE 'C' in English, I was/am crap at writing, I expect better from professional(?) journalists. Did anyone other than the article writer read this before publication? </rant>
English was about the only subject I was any fucking good at due to it being one of the few subjects where I had an actual teacher (as opposed to a nun pretending she could teach. None of 'em could). We had the same teacher for classics, hence me getting As in both (at O and A Level).
Marion Joan Sykes, the best damn teacher I ever had. Haven't seen her in almost 25 years and, sadly, expect she's no longer around - you knocked on the staff room door and you needed breathing apparatus when it was opened, can't recall a single teacher that didn't smoke (and even Sister Kevin smoke the foulest smelling Churchillian cigars. Yes, you read that correctly, your eyes are fine, her full name was Sister Kevin Arthur Russell. No I've no fecking idea why, either)).
Aside from that, I fucking hated that school. Zoë 'My Dad's on Telly' Ball was in my year and she was fucking insufferable; fucking hated her coz she got away with everything just coz of her fucking father! Bitch! Suspect she only got anywhere because nepotism.
As a ratio to valid traffic - much less then the smurfs and other broadcast reflection attacks that were flying around in 1998-1999. In those days it was a significant fraction of the traffic. On a really bad day in an ISP NOC you could have half of your traffic comprising of DOSes. Now - not so much. A DOS here or there is big, but DOSes as an overall proportion of the traffic are significantly less than what they used to be during the early days of amplification attacks (amplification by directed broadcast from a spoofed source).
So, that leads to the next important question to which enquiring minds need to know the answer:
How many porn videos are there which feature cats?
I'm assuming that most viewers of cat videos are human, rather than cat, so we can classify purely cat porn in the category of 'cat videos' - given that there will only be a very small number of either humans (or cats) online who'll be interested in that as porn...
...it's pretty much under duress. They've cut off electricity and oil supplies for months at a time in the past couple of years.
The lion's share of support for NK did (and still does) come from Russia. It's a creation of Iosif Vissarionovich Stalin - and the NK Cult of Personality is taken directly from Stalin's playbooks.
China's support for NK is mostly about keeping an influence on an unstable neighbour. NK is backed into a corner enough that they may lash out in any direction if cut off and the chinese are also understandably worried about having millions of refugees pouring over the border if the leadership implodes.
It wouldn't surprise me in the slightest to find out that the PLA have been keeping the NSA fully informed about what's happening in Shenyang, but I still have major doubts about the veracity of claims that NK was behind the Sony attacks. It's just far too convenient a foreign bogeyman when everything points to an inside job.
...... Western Fortunes and Western Fortune Cookie Monster Mashing and Bashing/ReHashing
Attacks by the "unstable and unpredictable" nation state of North Korea are in some ways scarier than Chinese cyber-espionage which although massively damaging economically are predictable and cause less havoc and destruction, Gib Sorebo (chief cybersecurity technologist) of science and technology firm Leidos argues in a blog post on lessons from the Sony Pictures hack.
Hmmm? Extremely switched on and MMORPG enabled is most certainly an equally concerning and/or exciting phorm of instability and unpredictability for powers that be intellectually challenged and into the flogging of dead horses/outmoded systems of SCADA defence.
Is the Exotic and Erotic and Esoteric East and China and Russia and N. Korea the new Wild Wacky West Frontier with Klondikes for Renegade Rogue Private Pirates?
Crack Hack the Fortune Cookie Monster with XSSive code[s] injections/exfiltrations allows one to Flash Crash and Run any Market in Racing Condition and Ponzi Skin, and delivers ...... New Global Intelligence Grid Players to Gallant Knights in Distress and Round Tables and Great Games, both Right Royal and Ancient and Modern and Postmodern.
Biting the hand that feeds IT © 1998–2020