Norse Security IDs 6, Including Ex-Employee, As Sony Hack Perpetrators
chicksdaddy writes Alternative theories of who is responsible for the hack of Sony Pictures Entertainment have come fast and furious in recent weeks -- especially since the FBI pointed a finger at the government of North Korea last week. But Norse Security is taking the debate up a notch: saying that they have conclusive evidence pointing to a group of disgruntled former employees as the source of the attack and data theft. The Security Ledger quotes Norse Vice President Kurt Stammberger saying that Norse has identified a group of six individuals — in the U.S., Canada, Singapore and Thailand — that it believes carried out the attack, including at least one 10-year employee of SPE who worked in a technical capacity before being laid off in May. Rather than starting from the premise that the Sony hack was a state-sponsored attack, Norse researchers worked their investigation like any other criminal matter: starting by looking for individuals with the "means and motive" to do the attack.
HR files leaked in the hack provided the motive part: a massive restructuring in Spring, 2014, in which many longtime SPE employees were laid off. After researching the online footprint of a list of all the individuals who were fired and had the means to be able to access sensitive data on Sony's network, Norse said it identified a handful who expressed anger in social media posts following their firing. They included one former employee — a 10-year SPE veteran who he described as having a "very technical background." Researchers from the company followed that individual online, noting participation in IRC (Internet Relay Chat) forums where they observed communications with other individuals affiliated with underground hacking and hacktivist groups in Europe and Asia. According to Stammberger, the Norse investigation was eventually able to connect an individual directly involved in conversations with the Sony employee with a server on which the earliest known version of the malware used in the attack was compiled, in July, 2014.
Like an episode of 24... (Score:4, Insightful)
Cyber-hack against US subsidiary.
'Obvious' perpetrator targeted by hardliners in government who leverage the blood-lust of the populace, and who pressure the president into immediate action.
Actual perpetrators turn out to be a small group of disgruntled employees.
Re:Like an episode of 24... (Score:4, Insightful)
This was my first thought as well; nothing so well executed could be done without inside information.
Now for those who didn't realise before, this is why safecrackers find out what their target safe is and buy a duplicate to practice on first.
Re: (Score:2)
Really?
So the fastest way to find whoever cracked a certain safe is to look in the purchase records for any middle-class individuals buying expensive safes?
Re: (Score:3)
You don't need the whole safe, just the lock.
Re: (Score:2, Insightful)
Group 2 Combination Locks are what are being discussed here. La Gard, S&G, Diebold, and Mosler are some of the common brands. S&G 6730 is the generic one I'm used to. Nice locks...
"Autodialer" or "Soft Drill" if I was a bad guy. Drill and scope, or "through the spindle" tools would be my preferred tactics(if I knew the safe didn't have additional relockers). "Drilling the fence" or "drilling the bolt" are both pretty crude. You can also drill the back/bottom/sides/top of the container and then scope
Re: (Score:2)
Neal Caffery? Is it you?
Re: (Score:2)
This is why I just keep all my valuables in my pocket.
Re: (Score:2)
Like an episode of 24...
Following the story on Slashdot is like watching all of the "Previouslies..." but none of the episodes.
You pretty much get the gist and save a shitload of time.
Re: (Score:2)
MINISTRY OF TRUTH SAYS (Score:5, Insightful)
Oceania has ALWAYS BEEN AT WAR with East Asia.
Re: (Score:2)
Apparently the North Korea ploy did not sell enough tickets for Sony. Next time they will do better.
Re: (Score:2)
Yeah, they could put a hawt chick as dictator of NK, this would sell better than the fat boy and his band of idiots.
Circumstantial at best ... (Score:5, Insightful)
Nothing anywhere near conclusive from the information provided.
Re: (Score:2)
but clearly excludes direct State involvement.
Re:Circumstantial at best ... (Score:4, Insightful)
Nothing anywhere near conclusive from the information provided.
While that is true, the same is true for the information released that suggested North-Korea is/was/would-be behind the hack.
Re: Circumstantial at best ... (Score:2, Funny)
North Carolina should not act in such regard!
Re: (Score:2)
Never publish your real evidence that could compromise the investigation, just the circumstantial bits to get the public interested.
If it was just circumstantial bits, then they can't come to a conclusion, of course. The presumption is they have more info
Re: (Score:2)
You can presume they have more. Perhaps Norse has a good enough reputation to merit that presumption. The other party's reputation, however, is quite a bit poorer, and I do not make that presumption about them.
Re: (Score:2)
Nothing anywhere near conclusive from the information provided.
More conclusive than, "A Korean IP address was involved, so it must have been the North Korean government!"
Re: (Score:2)
circumstantial yes, but far more substantial than the flimsy evidence the US Government used to declare it was NK.
lemme guess (Score:2)
Re:lemme guess (Score:5, Interesting)
You're making this too hard. You can upload terabytes of data using good old SSL or encrypt files with zip tools like 7-zip and there is nothing in the stream of data that will be recognized... that's what encryption is for.
The person wanting to get data out doesn't have to work hard at all to ensure it can't be recognized as it is being transmitted. The difficulty is in making sure that the users of the system don't notice the decrease in disk IO and loss of bandwidth. If they've got a good perimeter defense or the right heuristics for the server, they may notice "hey, that's more activity than usual" and respond, but that's about the only way to catch somebody in the act of transporting data out of a system.
Unless they're stupid. Which, with Sony's security, they could have been.
Re: (Score:3)
Or unless sending terabytes of data out is routine. Sony Pictures makes movies. Movies are digital. Digital video loves disk space.
So sending dozens of gigabytes a day to any random address may well be business as usual.
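The two posts above make the practical detection point: once the payload is inside TLS or an encrypted archive, content inspection sees nothing, so the only signal left is volume, and volume must be judged against what each host normally does, because a render box shipping tens of gigabytes a day is routine while the same from a file server holding HR data is not. The following added example (my own code, not from any poster or from Norse) shows a per-host egress baseline check over constructed flow summaries; the host names, addresses and byte counts are all made up for illustration.

```python
"""Per-host egress baseline check over constructed flow records.

Added example, not from any post on this page. Builds a baseline of
daily outbound bytes for each host and flags days whose volume is far
above that host's own history. The baseline is computed leave-one-out
(the day under test is excluded), so a single huge day does not pull
its own baseline up. Content is never inspected: this works even when
everything leaves inside TLS or an encrypted 7-Zip archive.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, src_host, dst_ip, bytes_out).
# Hosts and addresses are hypothetical; addresses use RFC 5737 ranges.
FLOWS = [
    # render01 pushes frames to an off-site render farm daily (routine)
    ("2014-11-01", "render01", "203.0.113.10", 38_000_000_000),
    ("2014-11-02", "render01", "203.0.113.10", 40_000_000_000),
    ("2014-11-03", "render01", "203.0.113.10", 42_000_000_000),
    ("2014-11-04", "render01", "203.0.113.10", 41_000_000_000),
    ("2014-11-05", "render01", "203.0.113.10", 45_000_000_000),
    # hrfs01 normally sends a few hundred MB; on 11-05 it ships 30 GB
    # to a new destination in two sessions
    ("2014-11-01", "hrfs01", "198.51.100.7", 200_000_000),
    ("2014-11-02", "hrfs01", "198.51.100.7", 180_000_000),
    ("2014-11-03", "hrfs01", "198.51.100.7", 220_000_000),
    ("2014-11-04", "hrfs01", "198.51.100.7", 190_000_000),
    ("2014-11-05", "hrfs01", "192.0.2.44", 20_000_000_000),
    ("2014-11-05", "hrfs01", "192.0.2.44", 10_000_000_000),
    # ws-alice has too little history to baseline
    ("2014-11-04", "ws-alice", "198.51.100.7", 50_000_000),
    ("2014-11-05", "ws-alice", "198.51.100.7", 55_000_000),
]


def daily_egress(flows):
    """Return {host: {day: total_bytes_out}}, summing all flows per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def flag_anomalies(totals, ratio=5.0, min_days=3, floor=1_000_000_000):
    """Flag (host, day, bytes, baseline) where bytes exceed ratio times
    the median of that host's *other* days.

    Hosts with fewer than min_days of history are skipped (no baseline
    to compare against), and days under `floor` bytes are ignored so a
    quiet host going from 5 MB to 50 MB does not page anyone.
    """
    alerts = []
    for host, per_day in totals.items():
        if len(per_day) < min_days:
            continue
        for day, nbytes in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != day]
            baseline = median(others)
            if nbytes >= floor and nbytes > ratio * baseline:
                alerts.append((host, day, nbytes, baseline))
    return alerts


if __name__ == "__main__":
    for host, day, nbytes, baseline in flag_anomalies(daily_egress(FLOWS)):
        print(f"{day} {host}: {nbytes / 1e9:.1f} GB out "
              f"(host baseline {baseline / 1e6:.0f} MB/day)")
```

Run as-is it reports only hrfs01 on 2014-11-05; render01's 45 GB day stays quiet because it is measured against render01's own 40 GB median, not a fleet-wide average. In practice the flow records would come from NetFlow/IPFIX or firewall logs, and the ratio and floor would be tuned per host class; the point is that the per-host baseline, not the traffic contents, is what separates the render farm from the exfiltration.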
Re: (Score:3)
I'd be surprised if they don't ship out a big pile of bits for rendering on the AWS/Google/MS clouds, since it's so much cheaper than buying dedicated CPUs that will then sit unused until the next batch of rendering needs to be done. Much of the original Star Wars movies were actually rendered after hours on servers at Informix and ARC GIS networks, so it's nothing new.
Re: (Score:2)
There are some cloud rendering solutions out there, but most studios have their own render farms in-house... and a lot of the companies you think are studios are mainly just production companies that outsource most of the heavy lifting to specialized shops (who work on multiple projects simultaneously and have no problem keeping a render farm busy).
Re: (Score:2)
Re: (Score:3)
6-7 years ago I worked for the then-biggest payment service provider, BIBIT; we were part of the Royal Bank of Scotland and had a massive datacentre in Scotland. I am now unable to tell how big, only that it was huge.
Well every time Sony had a launch of some product (PS3, films, etc) they had to tell us in advance because they laid our whole datacentre flat. I recall once having to stay up in the middle of the night because we thought a massive DoS attack was going on as no other merchants were able to conn
Re: (Score:2)
I mean obviously that "other merchants were _UNABLE_ to connect..."
Re: (Score:2)
You think Sony did?
I doubt the value "most" in your statement.
Re: (Score:2)
Some certainly do and that bothers me. It shouldn't be that hard to set the MITM proxy to reject invalid certificates and provide the reason for the rejection to the users, but I haven't seen it done right.
from TFA (Score:4, Insightful)
Stammberger was careful to note that his company’s findings are hardly conclusive
Draw your own conclusion. At least he didn't throw in the old 'we have other information we won't reveal' claim the government always uses to mask its own speculation.
Oh how great is this! (Score:4, Interesting)
Now being skilled and being laid off automatically makes you a crime suspect for having "means and motive".
For us in the IT business, we wouldn't be hired if we didn't have the knowledge that could also be used for blackhat purposes, and being laid off during a restructuring is usually nothing an individual can control.
Thank you....
Re:Oh how great is this! (Score:5, Interesting)
motive, means, opportunity:
MOTIVE: disgruntled ex employees. Check.
MEANS: prearmed with information on the machinations of SPE, not ordinarily known to the public. Check.
OPPORTUNITY: High profile release with the potential to piss off a State leader and shift the blame onto him. Check.
Yes, being a pissed off ex employee with inside information and the chance to make a high profile disruption to those who would risk your mortgage and pension with little to no personal risk is a big fucking bullseye.
Re:Oh how great is this! (Score:5, Insightful)
Yes, but it shouldn't be THAT easy to produce people with those bullseyes.
"Hey, let's fire a few IT guys. Just in case we need to bring up some capable, disgruntled ex-employees as scapegoats if we ever get hacked."
It's an effing huge difference if you are a suspect for something you are or do, or for something that someone else does to you.
Re: (Score:2)
"Hey, let's fire a few IT guys. Just in case we need to bring up some capable, disgruntled ex-employees as scapegoats if we ever get hacked."
It looks like somebody needs to look up the terms libel, slander and more than likely falsifying and suppressing evidence. The correct thing to do for anyone caught in the scenario you are describing is ... nothing. Just sit back and let them dig a hole so deep that you can comfortably retire.
Re: (Score:2)
Are you really going to sit by and let it build up until it's too late? Yeah, most likely you'll get a fat settlement. The downside risk, however, is spending ten years in jail for a crime you didn't commit. That gamble isn't worth it.
Re: (Score:3)
I think the point was that Norse Security looked at this as if it was a criminal investigation as opposed to a political finger pointing match. If the police were investigating a crime and found that an ex-employee had posted angry statements about being fired prior to the crime being committed (Motive) and had the means and opportunity to do so, they would definitely be investigated as a suspect. Rightfully so, too.
Note that being investigated doesn't mean being charged with a crime. If the investigatio
Re: (Score:2)
Except those weren't their fingers they were pointing and waggling at each other.
Re: (Score:3)
I think the point was that Norse Security looked at this as if it was a criminal investigation as opposed to a political finger pointing match. If the police were investigating a crime and found that an ex-employee had posted angry statements about being fired prior to the crime being committed (Motive) and had the means and opportunity to do so, they would definitely be investigated as a suspect. Rightfully so, too.
Absolutely right. But let's think this through to the end. So, if I ever get laid off I would
a) not have the right to be "disgruntled" unless
b) I make sure I'll be surrounded by a potential witness just in case I'm investigated and need to produce an alibi for any time an attack on my ex-employer might have happened.
As you said, If I can't do that I wouldn't be dropped from the list of suspects unless "the investigation showed that the person had a good alibi or uncovered evidence that pointed away from that
Re: (Score:2)
You're right. In any serious investigation, there will be people investigated and harassed just on the basis of a few things. If your spouse is murdered, for example, the police are going to suspect and investigate you, and that's going to suck.
What is likely to happen, if you're innocent, is that the police will not find sufficient evidence to indict, whether or not they find the guilty party. This isn't a Phoenix Wright game, where you can only get acquitted of murder if you can convince the judge s
Re: (Score:2)
Yes. But it's not only judge and jury. Friends, Neighbours, employers, media..... to all of them you will stay the guy who never got convicted for the murder of his wife, if the guilty party can't be found.
Re: (Score:2)
> a) not have the right to be "disgruntled" unless
Note that the part of the post you quoted talks about posting "angry statements". E.g. don't publicly claim you're gonna make them sorry. Stay off social media.
BTW, this is not exclusive to cyberspace. In meatspace, if you go around badmouthing someone, talking about how you're "gonna make him pay", and that someone is soon found murdered, you're a potential suspect.
Re: (Score:2)
pissed off ex employee with inside information and the chance to make a high profile disruption to those who would risk your mortgage and pension with little to no personal risk is a big fucking bullseye.
this simply narrows down your search, doesn't make anyone a suspect. it might turn out to be bogus and the motives totally different.
but they claim to have found a connection, that's a lead. not a strong one, in my opinion, but they may have no better. anyone wondering how they got access to the IRC content? duh ...
Re: (Score:2)
Re: (Score:2)
motive, means, opportunity:
MOTIVE: Maniacal leader, irrationally hates movie. Check.
MEANS: l33t haxor squad. Check.
OPPORTUNITY: disgruntled IT person sells info on computer network. Check.
See, it's fun to connect dots.
Re: (Score:2)
ok. Cite your sources. Mine are all in the summary.
Re: (Score:2)
I'm not going to cite sources for maniacal leader or l33t haxor squad. Those are well known. For disgruntled employee, I'm citing the summary as well. People laid off of work, complaining online, etc. The summary (and article) is conjecturing that disgruntledness alone is sufficient for carrying out a devastating attack. I'll conjecture that a NK operative located a disgruntled employee through web chats and bribed him to get the needed info. That's just as valid as your story.
Re: (Score:3)
That's absolutely correct. Again, means and motives. The intersection of those two sets would give you persons of interest. If a security researcher doesn't look at the admins in a breach, would you consider them competent?
So you might be a 'suspect'. In the real world (as opposed to the paranoid crazy version here) someone would politely sit down with you and discuss a few things. Then someone else might come over and discuss some more things. Your work logs might be reviewed. If you worked through home
Re:Oh how great is this! (Score:4, Insightful)
It DOESN'T mean that the swat team will barrel through your door or that the FBI will cart off your desk.
Unless the local Sheriff's Department just took delivery of that surplus MRAP and M4s and wants to try them out.
Re: (Score:2)
That's what meth labs are for.
Bonus points: They go BOOM when you shoot at them.
Re:Oh how great is this! (Score:5, Insightful)
It DOESN'T mean that the swat team will barrel through your door or that the FBI will cart off your desk.
And some times it does. Seems like the best thing is to make certain no one thinks you are disgruntled
Re: (Score:2)
I was thinking of saying something similar, about not using social media. However it occurred to me that they could just as easily read your email if they wanted to. So it would require never writing any email saying anything negative about your former company, to anyone... Well that is not freedom of communication in the slightest.
You would end up having to _believe_ that you actually weren't disgruntled to be able to hide it s
Re: (Score:3)
Yes, but that's not how it happens in real life.
Even if the full SWAT team is rather rare, it's not unheard of. And those people who will sit down and politely ask some questions may well still arrive in police cars parked in front of my house. May be enough to have to look for a new neighbourhood to move to.
But even that isn't more than an unlikely nuisance. Your name will most likely leak somewhere and each and every script kiddie that couldn't log into PSN on Christmas (not related, I know. but
Re: (Score:2)
So you might be a 'suspect'. In the real world (as opposed to the paranoid crazy version here) someone would politely sit down with you and discuss a few things. Then someone else might come over and discuss some more things.
If you're a 'suspect', and they want to talk to you, then at a minimum, you're forced to pay to retain counsel (unless you're stupid, and talk to them without one). So you're screwed no matter what at that point.
Re: (Score:2)
How would it not? Having means and motive does not make you guilty, though. A subtlety missed by many.
Re: (Score:3)
Read the headline. It's obviously enough to be "identified [...] as perpetrator". I know, I'm not a native English speaker, but doesn't that imply at least some level of guilt? The missed subtlety that the public misses is if he is found guilty by a Scandinavian antivirus company or by judge and jury. So if the name of that suspect leaks somehow (which is more than likely), he will be guilty in the eyes of the public. Including future potential employers.
Way too easy to have your life ruined without being gu
Re: (Score:2)
Read the headline. It's obviously enough to be "identified [...] as perpetrator". I know, I'm not a native English speaker, but doesn't that imply at least some level of guilt?
That sentence, as written, implies guilt, without any doubt. If I was the engineer who was accused, and everything was in the UK, I would sue for libel, and I would win.
Re: (Score:2)
For us in the IT business, [...]
Are you German? LOL
Re: (Score:2)
You act as if disgruntled (ex-)employees have never done such a thing before. You would be wrong.
Re:Oh how great is this! (Score:5, Funny)
You act as if disgruntled (ex-)employees have never done such a thing before. You would be wrong.
Seems like they need to gruntle them then..
Re: (Score:2)
Is that what they are calling it these days?
Sounds like "dirty" fun doesn't it?
Re: (Score:2)
This is impossible! (Score:5, Insightful)
How could it possibly be something as pedestrian as upset employees?
Re: (Score:3, Interesting)
Because in corporate America they are the same thing.
Re: (Score:2)
move along ACitizen nothing to see here. just be thankful that your glorious leaders has protected you from heinous and continuing cyber terror.
also mod +1
Re:This is impossible! (Score:4, Funny)
answered in a suitably apocalyptic fashion
Cool. So the rumors that Kanye West and Kim Kardashian are moving to Pyongyang are true?
Re: (Score:2)
Re: (Score:3)
Bang on the money. The well reasoned arguments here: http://marcrogers.org/2014/12/... [marcrogers.org]
were made before the DPRK link was fixed in the news cycle. It was then instructive to watch the workings of the new McCarthyist cheerleaders, even (especially) here on Slashdot. People seriously writing 'the FBI have all the incriminating evidence, they just can't share it with you' type comments.
The eleven years since the non-existence of WMDs may seem long time for the kiddies running the military's multiple personality s
Re: (Score:3)
Told you it wasn't North Korea (Score:4, Interesting)
And yet I was called a North Korean and other things for saying what is obvious.
Love the internet. So fuck you all. I was right and you FBI/President believing dumb fucks are wrong, again.
As I said before, the USA owes the NK a big fucking apology.
Told you it wasn't North Korea (Score:5, Funny)
I just talked with all the rest of the guys here on Slashdot, and we all agree: how could we be so stupid? We're all sorry and it definitely won't happen again; we'll pay really close attention to everything you say from here on out.
Re: (Score:2)
but they won't. Sony won't even offer KJU any royalty for using his likeness in an entertainment (term used loosely) without his express consent. Why should they? No, seriously, why? Enquiring minds wish to know.
Re: (Score:2)
"This Is (An Entertainment)" is a play by Tennessee Williams, so it's about as fucking English as it gets, you fucking tool.
Re: (Score:2)
you have access to the same tools as I do, so if you would please answer your own question, I have better things to do than satisfy your pedantry.
Re:Told you it wasn't North Korea (Score:5, Insightful)
Seems to me you're doing exactly what the guys you're poo-pooing were doing - using your own opinions to turn next to no data into proof positive that you were right.
Re: (Score:2)
While you are correct that the opinions aren't conclusive, THEY ADMIT THAT. For that reason I'm willing to give their opinions reasonable credence, and scoff at those who believe the spokesman for the FIB.
Re:Told you it wasn't North Korea (Score:5, Funny)
That sounds just like something a North Korean would say...
Re: (Score:2)
OK, that's funny. I'd give you mod points, but I traded them for crack.
Told you it wasn't North Korea (Score:2, Funny)
I like how you worked both "I told you so" and "I was right, you were wrong" in there. Wait, are you my girlfriend? Baby, is that you? Come back to bed honey, I didn't mean any of those awful things I said.
Re: (Score:2)
And yet I was called a North Korean and other things for saying what is obvious.
Love the internet. So fuck you all. I was right and you FBI/President believing dumb fucks are wrong, again.
As I said before, the USA owes the NK a big fucking apology.
So some information comes out that it might be someone outside of NK or sponsored by NK (at least based on this little bit of information that isn't really even classifiable as evidence) and you are ready to beat your chest about how right you were? Sounds like you are exactly as right as everyone who said it was NK last week. I would start a slow clap, but...
Re:Told you it wasn't North Korea (Score:5, Insightful)
OK, let's see. A government agency issues an opinion on who did it: Obviously a lie.
A commercial security company issues an opinion on who did it: Case closed.
Love the Internet.
Re: (Score:2)
As I said before, the USA owes the NK a big fucking apology.
We just released a movie starring their beloved leader. Is that not enough?
Sigh (Score:5, Insightful)
starting by looking for individuals with the "means and motive" to do the attack.
The problem is that Sony is- I wanted to say incredibly lax about security, but that's clearly not right — egregiously careless about security, and also typically, boringly evil so the people with motive are legion. You could find people with motive and opportunity under any rock.
Re: (Score:2)
Yes. The "conclusions" are "This is not conclusive.", and I believe that. It's also a reasonable scenario, with a reasonable amount of data (that's checkable if you care enough). This is quite different from the pronouncement by the government.
Your point, that it could be any number of other groups I also believe to be correct, though I haven't investigated.
um... (Score:2)
Wait what?
They searched through Sony's files, found a layoff... and that's a surprise?
And then they found that there were some with "Technical background" that were laid off at the same time?
Then they found that one of those had access to one of the first servers that got penetrated?
Oh no! They were in a "hacking IRC channel"!!! That's like all... of the IRC channels. And he used his real name in the channel? I doubt that...
In summary, they found out that Sony had a layoff that affected at least 1 sysadmin a
Re: (Score:3)
Propaganda (Score:2)
Your choice, co-ordinated propaganda campaign or massive incompetence.
Really, really weak evidence (Score:5, Informative)
Folks,
The evidence here is really, really weak. The connection is tenuous enough and the original pool of possible suspects via their methodology is large enough that I sure as heck wouldn't rule out a connection via random chance. Until we get better evidence, this isn't worth very much.
Norse Security says as much in The Fine Article:
--Paul
Re: (Score:2)
With their rampant spying surely they have the missing key evidence, that is of course unless their spying doesn't extend to corporate interests.
Work Environment (Score:3)
Re: (Score:2)
If SPE fires talented people with a long tenure of service and puts them at risk of homelessness because reasons, then yes, I would say they probably are a bad company to work for, which is why I will not purchase any of SPE's products ever again. I will also favor changes in policies to give workers who are fulfilling their duties in the private sector more (not absolute) job security through concrete actions via lobbying officials at opportune moments and contributing capital to political movements that a
Re: (Score:2)
Is working for Sony that bad?
Deja vu. This exact question was asked the last time Sony made the news.
Yes. Yes it is.
After reading TFA... (Score:5, Insightful)
Oh so just lay the blame on some poor sap (Score:3)
and see where the stones fall, then post a disclaimer on the article saying "Well it might not be him" ????? Profit?
If true, they will walk! (Score:2)
Re: (Score:3, Informative)
forum
fôrm/
noun
noun: forum; plural noun: forums; plural noun: fora
1.
a place, meeting, or medium where ideas and views on a particular issue can be exchanged.
Re: (Score:2)
Of course this would be a far stretch.
Personally I never thought it was NK, what would they gain by going after Sony other than some retribution for Japanese occupation of Korea.
Re: (Score:2)
I've always suspected that had more to do with reported NK threats against SK nuclear reactors. I still suspect that. Do note, however, that US culpability in the shutdown of NK's internet connection, while quite plausible (and I suspect orchestrated with China's acquiescence), is not proven.
Re: (Score:2)
Actually, I still don't know it wasn't North Korea. It may be that the FBI has solid evidence they aren't going to release at this time, and the people indicated by Norse Security did nothing against Sony, despite having motive and means. I find Norse Security more believable than the FBI here, but they are identifying suspects rather than saying anybody in particular was responsible.
Re: (Score:2)
Thanks. That's what I got out of the summary, but apparently many others got something else.