Sony Hack, attack on North Korea and the Attribution Problem

I’m wrapping myself in all sorts of tinfoil lately.

A whole lot’s been made of North Korea undergoing a Distributed Denial of Service attack yesterday that basically cut it off from the rest of the internet. There’s been speculation that the DDoS was perpetrated by the US, or by Sony, in response to the hack of Sony that North Korea’s currently being blamed for.

In regards to both the Sony hack and the Korean DDoS, we don’t at this point know who did either. The FBI is obviously blaming North Korea for the former, but a number of experts find that implausible, as does this layperson. This is one of the major problems with the idea of “responding” to a cyberattack: unlike a gunshot, mortar or missile, it’s hard as hell to tell where it came from. And the technologies that could change that are the same technologies being abused by major governments around the world to spy on whole populations.

I’m going to go out on a limb here, though. And I’m going to make a stab at identifying the people that attacked North Korea and cut them off the internet.

It was the same damn people that hacked Sony.

I’m pretty sure the US wouldn’t respond with something as blatant as a DDoS attack, but it’s the perfect move to escalate US/North Korean tensions sky high. And it’s startlingly easy:

Prince and others bet that a run-of-the-mill DDoS attack took down North Korea’s Internet because the isolated country has a “pipe” to the Internet so narrow that a routine attack could easily flood its capacity and take it offline.

Ofer Gayer, security researcher at Incapsula, estimated North Korea’s total bandwidth at 2.5 Gbps, far under the capacity of many recent DDoS attacks, which typically are in the 10Gbps to 20Gbps range. “Even if North Korea had ten times their publicly reported bandwidth, bringing down their connection to the Internet would not be difficult from a resource or technical standpoint,” Gayer said, also in an email.

Almost all of North Korea’s Internet traffic passes through a connection provided by China Unicom, the neighboring country’s state-owned telecommunications company. North Korea has just a single block of IP (Internet protocol) addresses, or just 1,024 addresses, another vulnerability; in comparison, the U.S. boasts 1.6 billion IP addresses.

As the Computer World article states, there’s even the chance this is some random “kid in a Guy Fawkes mask.” But I’m willing to bet a small amount of money that it’s the same people that hacked Sony, who have no affiliation to North Korea whatsoever. It’s a fascinatingly easy way to screw around in the International Relations game, and a logical second step to their first with Sony. The inability to attribute hacks and cyberattacks means that a single actor can easily pretend to be both aggrieved sides.
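The bandwidth arithmetic in the quoted article is the whole story of how a narrow uplink gets knocked over, so here is an added example (my own code, not from the original post or the Computer World article) that works it through from the defender's side: aggregate inbound flow records per second, convert to Gbps, and flag the seconds where traffic approaches the 2.5 Gbps figure quoted above. The flow records and the 198.51.100.0/22 block (a documentation range, not North Korea's actual allocation) are constructed sample data; the per-second threshold of 90% of capacity is an assumption.

```python
# Added example: spotting when inbound traffic would saturate a narrow uplink.
# Uses the 2.5 Gbps figure quoted in the post; everything else is constructed.
from collections import defaultdict
import ipaddress

UPLINK_GBPS = 2.5          # total bandwidth figure quoted in the post
SATURATION_THRESHOLD = 0.9  # assumption: alert at 90% of capacity

# Constructed NetFlow-style records: (timestamp in seconds, dst_ip, bytes).
# 198.51.100.0/22 is a documentation range standing in for "a single /22".
SAMPLE_FLOWS = [
    # t=0: ordinary traffic, well under capacity (0.4 Gbps total)
    (0, "198.51.100.10", 30_000_000),
    (0, "198.51.100.20", 20_000_000),
    # t=1: still normal (0.8 Gbps total)
    (1, "198.51.100.10", 60_000_000),
    (1, "198.51.100.30", 40_000_000),
    # t=2: flood begins, aggregate exceeds the uplink (3.2 Gbps total)
    (2, "198.51.100.10", 250_000_000),
    (2, "198.51.100.20", 150_000_000),
    # t=3: flood continues (4.8 Gbps total)
    (3, "198.51.100.10", 350_000_000),
    (3, "198.51.100.20", 250_000_000),
]


def addresses_in_block(cidr):
    """Number of addresses in a CIDR block; a /22 holds 1,024."""
    return ipaddress.ip_network(cidr).num_addresses


def per_second_gbps(flows):
    """Sum bytes per timestamp and convert to gigabits per second."""
    totals = defaultdict(int)
    for ts, _dst, nbytes in flows:
        totals[ts] += nbytes
    return {ts: nbytes * 8 / 1e9 for ts, nbytes in totals.items()}


def saturated_seconds(flows, capacity_gbps=UPLINK_GBPS,
                      threshold=SATURATION_THRESHOLD):
    """Timestamps where inbound traffic reaches the saturation threshold."""
    rates = per_second_gbps(flows)
    limit = threshold * capacity_gbps
    return sorted(ts for ts, gbps in rates.items() if gbps >= limit)


def attack_to_capacity_ratio(attack_gbps, capacity_gbps=UPLINK_GBPS):
    """How many times over the uplink a given attack volume is."""
    return attack_gbps / capacity_gbps


def peak_headroom(flows, capacity_gbps=UPLINK_GBPS):
    """Capacity left at the busiest second; negative means the pipe is full."""
    return capacity_gbps - max(per_second_gbps(flows).values())


if __name__ == "__main__":
    print("addresses in /22:", addresses_in_block("198.51.100.0/22"))
    for ts, gbps in sorted(per_second_gbps(SAMPLE_FLOWS).items()):
        print(f"t={ts}s  {gbps:.2f} Gbps")
    print("saturated seconds:", saturated_seconds(SAMPLE_FLOWS))
    print("10 Gbps attack vs uplink:",
          attack_to_capacity_ratio(10), "x capacity")
    print("headroom at peak (Gbps):", peak_headroom(SAMPLE_FLOWS))
```

The useful part for a defender is not the ratio itself but that an uplink this narrow leaves no headroom to absorb a flood upstream; the only effective mitigation sits on the provider side, in front of the pipe, which is why the article's framing of a "run-of-the-mill" attack is the right one.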

The first attack had them down for nine hours yesterday. According to the folks that broke the story, Dyn Research, North Korea is down again.

Let’s see what happens next.

Tor Carding Forum Shutdown Synchronicity

Tracking a slight synchronicity that I imagine no one but me finds interesting. Journalist and all-around security news badass Brian Krebs posted yesterday about the arrest of alleged counterfeiter Willy Clock:

In September 2014, I wrote about receiving a package of $500 in counterfeit U.S. currency from an unknown sender, after mentioning in a blog post about a rash of funny money resellers flooding underground cybercrime markets. Last week, U.S. authorities announced the arrest of a Texas man charged with leading the international counterfeit currency operation from a location in the Republic of Uganda.

The story’s interesting and worth reading on its own merits when you have a moment, but a particular facet of the investigation stood out to me. Clock used Tor Carding Forum to vend his counterfeit bills:

The government says Gustafson sold the bills through the Tor Carding Forum, a cybercrime shop that is unreachable from the regular Internet. Rather, visiting the Tor Carding Forum requires the visitor to route his communications through Tor, a free software-based service that helps users maintain anonymity by obfuscating their true location online.

Willy Clock’s phony currency wasn’t only available via Tor. By the middle of 2014, ads for his funny money were showing up on regular, Internet-based cybercrime forums. One reseller of Willy Clock’s notes even set up his own sales thread on Reddit.

That’s interesting to me not on its own but in combination with the announcement last Thursday that Tor Carding Forum is shutting down, relayed to me by Ars Technica (and linked in yesterday’s readings):

After many successful years I have decided to close TCF. There are several reasons including significant decline of quality contributions, what to do with sales/escrow, but ultimately I no longer have the time to run both TCF and Evolution. The site will remain online for a while to allow members to save any important messages or conclude any outstanding business, however new registrations are permanently disabled.

On behalf of current and former TCF staff, thanks for all your support and we’ll see you around Evolution Forums!

A TCF vendor getting thoroughly nailed and TCF almost simultaneously announcing that it’s winding operations down reminded me pretty keenly of a few previous carder forums that had been compromised and then run by federal investigators in order to bust yet more vendors and buyers, until the investigation ended or was consolidated, at which point the site was either formally raided or shut down “organically” by its administrators.

In this case the admin in question, Verto, also administrates one of the biggest dark net markets still going: Evolution. If (and that’s a damn big if) TCF was compromised, Evo almost certainly is. Which would be a huge coup for law enforcement. It’d also make sense to consolidate the TCF/Evo investigation into just one, which might’ve warranted the shutdown.

There are quite a few problems with this scenario, not least that TCF was the problem of the Secret Service, and I’m not sure their jurisdiction would cover Evo. But the timing between the vendor bust and the site shutdown is just wickedly convenient to me.

Update on Tor Server Shenanigans

I posted yesterday, as part of my readings, about some apparent server seizures in Europe. The admin has posted an update:

Brief update to the situation.

Having further investigated and followed up some information leads, we (for now) are excluding direct law enforcement involvement in the events of yesterday with my server cluster, but we do have further information that something unusual was occurring. Until we’ve been able to make the proper requests however we can’t disclose what this is without running the risk of prejudicing the investigation.

I have emailed some of the DirAuths to remove several nodes and IPs from the blacklist that we feel confident have not been breached or compromised in any way. Of course everyone should still ensure they always use TLS when available and PGP encryption to prevent a single point of failure!

Most/all of our mirrors should now also be online again. The hidden service versions may be a little shaky at first as we are making some changes to our Tor configurations, but nothing which should make them unusable.

Readings: Dark Markets, Bitcoin sentence, Tor server seizures

Quotes in quotation marks, comments in italics.

Ars Technica: After Silk Road takedowns, Dark Web drug sites still thriving – Always worth watching the dark markets. The black market tells us quite a lot about the market in the clear.

Engadget: Bitcoin exec to spend two years behind bars for Silk Road transactions – “…Faiella would instruct customers to deposit money to third-party bank accounts, then Shrem would use BitInstant to transfer the corresponding amount back to him, which he’d pass on to buyers’ Bitcoin wallets. An undercover agent, for instance, deposited $500.11 to a bank account and got $444 worth of BTC later that same day.”

Tor: Possible upcoming attempts to disable the Tor network – Tor warns of upcoming server seizures in an attempt to incapacitate the network. Then this happened:

Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.

Sony, Entitlement and Moral Hazard

After the devastating hacks perpetrated against Sony Pictures much has been made of North Korea’s involvement. I’m not yet sold on North Korean origination for a number of reasons. As Dave Kennedy noted on Twitter, Sony’s sizable March layoffs included a fair amount of the IT staff, which is a great way to breed weaponized animosity. Add to that this excellent post by Marc Rogers, “Why the Sony hack is unlikely to be the work of North Korea.” But hey. We’re going with North Korea as the perpetrator anyway, according to the FBI press release. So for the purposes of the rest of this post let’s assume the FBI is correct and North Korea is behind the hack.

President Obama has vowed a response directed at North Korea “in a space, time and manner that we choose.” So we’ve now gone from an FBI response all the way to nation-state actors. This is some pretty thorough bullshit. Let me explain why.

The first response to the Sony hack that I see is that “this is a free speech issue.” “North Korea interfered with the ability of Sony and their content creators to speak freely by showing their movie, and the government must respond to protect it.” Here’s the problem: this isn’t a free speech issue. Free speech doesn’t include the ability to create and broadcast without consequences; in American context, free speech is the ability to communicate without government interference. Consequences have always been a part of the nature of speech.

Consequences arising from the Sony hack already have well-established, long-hallowed remedies: those in civil and criminal court. These are the same remedies offered every other company, corporation and person in the United States. Were a foreign dissident hacked in America (it happens regularly), doubtless that would warrant a criminal investigation by the FBI. But we wouldn’t see Obama up on television getting ready to act on the federal and international level. It’s incredibly troubling that a corporate entity is getting attention that is routinely denied to dissidents of all stripes. The message from the US government is: “We protect corporate speech. Individuals are largely on their own.”

We have the Computer Emergency Readiness Team in the Department of Homeland Security to analyze, reduce and respond to cyber threats and incidents like Sony’s hack. What we also have is a pervasive corporate lobbying environment utterly hostile to government cybersecurity standards. Every time the government tries to make more stringent standards mandatory the corporate entities involved appeal to the politicians they’ve contributed to on both sides of the aisle to water it down or kill it. So we’re left with a largely voluntary cybersecurity framework that helps set us up for instances like this. But now that an incident’s happened one of these same corporate entities is basically appealing for an international response, and it feels a bit like scammed Bitcoiners demanding FBI action to recover the money they pumped into an intentionally opaque, extragovernmental currency system.

And let’s be clear: Sony’s ground to an electronic halt not by consequences of speech but by its own bad digital hygiene. Of course the response to bringing up Sony’s own practices is that I’m victim-blaming. To bring victim-blaming into this we need to treat the corporation as a person, and that’s also bullshit. Sony Pictures has a clearly stated duty to stockholders (among others) to firm itself up against attacks like this as a simple matter of good business. It’s the legal responsibility of a legal entity, not an anthropomorphized construct requiring consideration of its personality and circumstance. Sony had a legal requirement to protect itself and it failed. This isn’t victim-blaming but requiring an organization to engage in Best Practices-type behavior in order to protect shareholders, employees and customers.

This is where the hack morphs from a speech issue to an economic one: the idea of moral hazard. Moral hazard occurs when someone takes risks they otherwise wouldn’t have when they know that someone else bears the burden, often a government. It was writ large in the 2008 financial crisis when we realized that investment banks were assuming massive leverage and insurers were handing out insanely large policies (credit default swaps) and depending on the government to bail them out when it all soured. Is Sony entitled to nation-state action as a remedy to the consequences they’ve faced? Of course they’re not. Sony’s losses are what corporate insurance is for, in worst case scenarios. Not a presidential address or an international reaction. Because insurance policies are not only triggered by consequences, but possess their own: failure to adhere to conditions such as adopting cybersecurity best practices invalidates the policy. There is no entitlement in an insurance policy, it’s purely a business transaction. The taxpayer does not bear the burden of being Sony’s “protector of last resort.”

And the idea of the US acting in order to protect the corporate speech of a Japanese company administrated from Tokyo is almost as enraging as acting to protect Sony when they’ve been busy threatening websites, newspapers and other entities with legal action over reporting related to the hack. Sony may even have launched cyberattacks of its own, trying to overload websites hosting the leaked data.

What’s my proposal, then? Exactly what I offered above: the same civil and criminal remedies at law offered to every other individual and company in the United States. An FBI investigation for sure, but good lord, keep the State Department dogs of war harnessed good and tight.

Read: LA iPad Shenanigans, Digital Citizenship, Bluetooth Credit Card Repository

Quotes in quotation marks, commentary in italics.

boingboing: FBI seizes LA school district’s Ipad purchasing docs – “It’s not clear what they’re investigating, but the DoJ subpoenaed everything related to the $70M program to give Ipads to all 650K kids in the district.” – Almost surely, as noted in the article, improper bid process/maybe kickbacks. Will be interesting to see, though.

Motherboard: Let’s All Become E-Residents of Estonia – “Starting today, people across the world can apply to become an “e-resident” of the Republic of Estonia, the small EU country just west of Russia.” – Odd little mechanism for what looks like a state-based Trusted Identity setup. Worth watching, as Estonia often is.

Verge: My experience with Coin Beta in the real world – Basically, a bluetooth card that stores all your credit/gift cards, similar to Apple Pay. Doesn’t do a great job at explaining what Coin is before jumping into the mechanics, but as long as you can follow, interesting to watch. Sad it’s so prone to malfunction. Want to grab one solely to eke out its weaknesses.