Friday, December 19, 2014

Sony, the DPRK, and the Thailand - Pyongyang Connection

UPDATE (19DEC2014 1725PST)
I'm top-posting this update because I've just learned of some new information about Loxley Pacific which makes me believe that the Loxley-DPRK connection should be investigated in a more rigorous fashion. This comes from Don Sambandaraksa's Bloggery article "Loxley and the Thai way of doing things":
"(I)n April 2003 a company in Japan, Meishin, attempted to export parts for nuclear centrifuges to North Korea. The intermediary was a Thai telecom company, Loxley Pacific, and the consignment was declared as telecom equipment in an attempt to avoid scrutiny."
"The sad thing was that because of the proper and elite image of Loxley in Thailand, the news blackout was almost absolute within the country. Editors did not wish to make an enemy of Loxley as their owners, the Lamsum family, have a banking, food, commercial and advertising empire that is no less omnipresent than that of True and CP owned by the Chearavanont family. Only the Lumsums prefer to keep themselves to themselves unlike the publicity hungry Chearavanonts."
"No publication would risk losing their advertising income by pointing out that they were part of North Korea’s nuclear program. No politician would dare to lose party funding by taking them on - the Lumsums were the fifth largest official donor to the Democrat party. The Chearavanonts, meanwhile, topped the 2011 list."
"The Bangkok Post’s Post Database section ran the story, but what should have been front page news on every newspaper in the country was instead run as a story on the back page of the the technology section. Such was the scale of denial."
The above is just a snippet of Don's full article which discusses Loxley, its subsidiary Loxley Pacific, and its sale to North Korea of a GSM network and an ISP. If Don is correct in his assessment about Loxley's political influence in Thailand and its deal-making with insiders, then chances are good that Loxley's own network is extremely vulnerable to being breached (who would be brave enough to tell the CEO?). Post-breach, it could be used as a vector to access North Korea's mobile and Internet networks. Anything the attackers do after that would be blamed on Pyongyang - no questions asked.

[Original Post Begins Here]
The White House appears to be convinced through "Signals intelligence" that the North Korean government planned and perpetrated this attack against Sony:
In one new detail, investigators have uncovered an instance where the malicious software on Sony’s system tried to contact an Internet address within North Korea
There is a common misconception that North Korea's ITC is a closed system therefore anything in or out must be evidence of a government run campaign. In fact, the DPRK has contracts with foreign companies to supply and sustain its networks. Those companies are:
  • Lancelot Holdings
  • Loxley Pacific 
  • Shin Satellite Corp
  • Orascom Telecomms Holding
Each offers a different service, but Loxley Pacific, a Thailand joint venture involving Loxley (Thailand), Teltech (Finland), and Jarangthai (Taiwan). 

Loxley Pacific is a subsidiary of Loxley, a Thai public company that provides a variety of products and services throughout the Asia Pacific region. According to its 2013 annual report, Loxley has 809 permanent staff and 110 contract staff. 

Loxley Pacific provides fixed-telephone lines, public payphone, mobile phones, internet, paging, satellite communications, long-distance/international services, wire or wireless in the Rajin-Sonbong Free Economic and Trade Zone. Star JV is North Korea's internet service run as a joint venture between the North Korean government and Loxley Pacific.

One of the easiest ways to compromise the Internet backbone of a country is to work for or be a vendor to the company which supplies the backbone. For the DPRK, that's Loxley, based in Bangkok. The geolocation of the first leak of the Sony data on December 2 at 12:25am was traced to the St. Regis hotel in Bangkok, an approximately 13 minute drive from Loxley offices.

This morning, Trend Micro announced that the hackers probably spent months collecting passwords and mapping Sony's network. That in addition to the fact that the attackers never mentioned the movie until after the media did pretty much rules out "The Interview" as Pyongyang's alleged reason for retaliation. If one or more of the hackers involved in this attack gained trusted access to Loxley Pacific's network as an employee, a vendor, or simply compromised it as an attacker, they would have unfettered access to launch attacks from the DPRK's network against any target that they wish. Every attack would, of course, point back to the hated Pyongyang government.

Under international law, "the fact that a cyber operation has been routed via the cyber infrastructure located in a State is not sufficient evidence for attributing the operation to that State" (Rule 8, The Tallinn Manual). The White House must responsibly evaluate other options, such as this one, before taking action against another nation state. If it takes such action, and is proved wrong later, which it almost certainly will be, the reputation of the U.S. government and the intelligence agencies which serve it will be harmed.

Wednesday, December 17, 2014

Why You Should Demand Proof Before Believing The U.S. Government On North Korea and Sony

Yesterday evening the New York Times reported that un-named American intelligence officials have concluded that the North Korean government was "centrally involved" in the massive breach against Sony (NYSE: SNE), and that the White House hasn't yet decided how it will respond.

Such a claim, if true, requires that two things should be done immediately:
  1. The identities of the intelligence officials need to be revealed, or at least the agency that they work for.
  2. Point to the proof that supports that finding.
Chances are better than 50/50 that the agency is DHS; the agency which since its inception has redefined the word incompetent.
Over the past four years, employees have left DHS at a rate nearly twice as fast as in the federal government overall, and the trend is accelerating, according to a review of a federal database. 
A parade of high-level departures, on top of other factors, has meanwhile helped slow the rollout of key cybersecurity initiatives, including a program aimed at blocking malicious software before it can infiltrate civilian government computers, former officials say.
The Inspector General's DHS report that came out last month was highly critical as well.

But even if the NY Times source wasn't DHS, the IC is rarely unified when it comes to intelligence analysis; especially cyber intelligence.The NASDAQ investigation as reported by Bloomberg is a great example.
In early January, the NSA presented its conclusions to top national security officials: Elite Russian hackers had breached the stock exchange and inserted a digital bomb. The best case was that the hackers had packed their malware with a destruction module in case they were detected and needed to create havoc in Nasdaq computer banks to throw off their pursuers. The worst case was that creating havoc was their intention. President Obama was briefed on the findings. 
Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
Cyber Intelligence Can Be Contradictory and Unreliable
Federal agencies' demand for cyber threat intelligence is voracious and they pay well. That demand is frequently met by companies like Mandiant, now part of FireEye - the company handling Sony's incident response. The problem is that these companies have no oversight and no standardized vetting of sources.

A recent Carnegie Mellon report on cyber intelligence tradecraft reported:
"Overall, the key findings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership."
It isn't hard to find examples.

Cylance's last report "Operation Cleaver" claimed that Iran is a sophisticated cyber adversary and pointed to Shamoon as proof. However, technical reporting by both Kaspersky Lab and Crysys Lab noted that Shamoon's author was incompetent; that due to "silly errors" the malware was only 50% effective. If you want to make the case that Iran is a sophisticated cyber warfare actor, you shouldn't point to poorly written malware as an example.

Crowdstrike's "Putter Panda" report made the claim that posts in a Chinese XCar forum were secretly coded messages used to convey information about hacking jobs when it was really just an online forum about cars. This mistake happened because Crowdstrike's researchers used Google Translate instead of native Chinese linguists. When researchers see hidden Chinese hacker messages where none exist, it makes it difficult to accept their analysis of North Korean language peculiarities.

According to Sophos, Dark Seoul malware is not particularly sophisticated and easy to detect. Symantec referred to Dark Seoul not as malware but as a hacker group responsible for four years of attacks against South Korean websites including the DDoS attack against some U.S. government websites over Independence Day weekend in July 2009.
McAfee referred to Dark Seoul as an operational name but then changed it to Operation Troy, extended the attack to a four year campaign and, unlike Symantec, added the claim of espionage as the campaign's purpose.

Names Are Collections Of Technical Indicators, Not People
Names given to hacker groups by cyber intelligence companies don't refer to actual people (with a few notable exceptions). Instead they refer to technical indicators or TTPs (tools, techniques and procedures) that attacks have in common. There's no way to tell who belongs to any group, or if you can identify one member of a group from a certain year, where that member is today. Further, different companies assign different names to the same groups which is why you end up with names like Comment Crew, APT1, Soy Sauce, GIF89a, Shanghai Group, and Comment Panda on the unclassified side, and "Bravo Charlie" on the classified side.

This feeding of commercial cyber intelligence which hasn't been subjected to any critical scrutiny or source validation to intelligence agencies where it gets a new code name and classification is a disaster waiting to happen.

Challenge Everything
Is North Korea responsible for the Sony breach? I can't imagine a more unlikely scenario than that one, and for many of the same reasons that Kim Zetter detailed in her excellent article for Wired.

My advice to journalists, business executives, policymakers, and the general public is to challenge everything that you hear or read about the attribution of cyber attacks. Demand to see the evidence, not scrubbed "indicators of compromise" that can't be validated. Be aware that the FBI, Secret Service, NSA, CIA, and DHS rarely agree with each other, that commercial cyber security companies are in the business of competing with each other, and that "cyber intelligence" is frequently the world's biggest oxymoron.


"Responsible Attribution: A Prerequisite for Accountability" by Jeffrey Carr - NATO Cooperative Cyber Defense Centre of Excellence  Tallinn, Estonia. 

Friday, December 5, 2014

"Measure Twice. Bite Once" - Suits and Spooks DC 2015 Supports The Warrior Dog Foundation

You have 5 days left before the Early Bird rate for Suits and Spooks DC/Pentagon City ends on December 10th. For the first time, we'll be holding this event at the Ritz Carlton Pentagon City and we're going to honor the work of the Warrior Dog Foundation by hosting a dinner for them on February 4th.

Normally the tickets for the dinner are sold separately from the Suits and Spooks registration but between now and December 10th, if you register for Suits and Spooks DC/Pentagon City, we'll buy you your ticket to the dinner.

Everyone who registers for Suits and Spooks, whether you register for the dinner or not, will receive an awesome t-shirt which shows a modified Suits and Spooks playing card logo that has been integrated with the Warrior Dog Foundation "paws" and ribbon and the tag line:


Visit the brand new Suits and Spooks website to learn more, and register before December 10th to take advantage of this great offer.

Wednesday, December 3, 2014

The One Statement That Changes Everything For A Corporation That's Been Breached

Imagine that you're a publicly-owned company that has just been hacked in a BIG way. You're now in damage control mode. You've made a preliminary announcement. You've hired a high profile and very expensive Incident Response company. That's all SOP. After a reasonable amount of time goes by there is one statement that you can make which will change the game entirely. Guess which one it is:

THE INSIDER STATEMENT: A former ACME Corporation employee named Wiley E. Coyote stole the company's plans for a Jet-Propelled Unicycle by tricking a security guard into thinking it was just a big lunch box.

THE HACKTIVIST STATEMENT: The ACME Corporation's network has been breached by a fast-running ground cuckoo called RoadRunner.

THE NATION STATE STATEMENT: The ACME Corporation is the victim of a highly sophisticated cyber attack by an elite State-sponsored group of hackers.

If you guessed The Nation State Statement, you're right. Here's why.

Companies that get pwned by hacktivists like Anonymous or LulzSec look like they're incompetent because hacktivists launch low-level attacks against low-hanging fruit that shouldn't be there in the first place. Plus, hacktivists frequently get caught and then flip on their compadres. Bottom line, your multi-billion dollar multinational corporation has just been breached by some low-rent kid with no balls and your CEO looks like a jerk.

If, on the other hand, your company was breached by an insider, it opens a huge can of worms for your General Counsel because you hired the guy and malicious insiders always, ALWAYS, give early warning signs before they rip you off, which you clearly missed. With the hacktivist, you may look like a jerk but at least you can blame someone else. If you're the victim of an insider, heads are going to roll.

But imagine if you could point the finger at foreign government; especially one that everyone hated like Iran or North Korea. For many years, China was the go-to culprit but now it's more impressive to be hacked by Russia or the DPRK. If you can blame a nation state by calling the actors "state-sponsored", then you cannot be held responsible. You'd be the victim of a military organization or an intelligence service with vast funding and sophisticated capabilities that could overcome any corporate network. Plus, everybody wins! By blaming North Korea for example you have instantly created a news story which focuses attention on that idiot in Pyongyang instead of your CEO. You've have helped the White House and Congress further their DPRK policies. Your Incident Response company's CEO is now in love with you because you've guaranteed him international headlines which might result in a lucrative acquisition down the road.

Blaming a nation state for your company's attack is WIN - WIN - WIN.

There is one caveat, however.

Because it is so wonderful to be able to claim to be the victim of hackers employed by a foreign government, you have to be careful that the evidence supports your claim. If it looks like an inside job and you claim nation-state, it might have the opposite effect. Then your "win" will vanish faster than a RoadRunner's "beep beep".

Monday, December 1, 2014

The Latest Sony Breach And Its Potential SEC Problems

Sony's (NYSE: SNE) latest network breach is also potentially one of its worst when it comes to financial impact on the company. The attackers (Guardians of Peace) stole five movies including Brad Pitt's "Fury" and released them online. "Fury" alone has had over 1.2 million downloads in the last three days according to Variety, which makes it the second most downloaded movie currently being pirated. The other movies stolen by hackers include "Annie", "Mr. Turner", "Still Alice", and "To Write Love on Her Arms".  The hackers also stole multiple terabytes of internal company financial and personal data which they released today on Pastebin. Depending upon what was stolen, this could make Sony liable for millions of dollars in penalties if includes controlled PII data.

The company's PlayStation unit had been repeatedly and successfully breached by attackers in 2011 which cost it an estimated $171 million and "affect revenues for its fiscal 2011 year" according to its IR group (investor relations). Page 8 of its 2011 Annual Report dedicated one paragraph to that event, 90% of which spoke about how "sophisticated" the hackers were (they actually weren't sophisticated at all) and how they have reinforced their security, blah blah.

The current attack against Sony Entertainment Pictures has potentially done more damage and may involve one or more insiders. Sony has engaged an IR firm to investigate the attack and is cooperating with the FBI, which is pretty standard procedure.

I looked at Sony's annual reports since 2011 and the language used in describing its cyber risk factors remains pretty much the same as this quote from its 2014 20F filing:
"Moreover, as network and information systems have become increasingly important to Sony’s operating activities, the impact that network and information system shutdowns may have on Sony’s operating activities has increased. Shutdowns may be caused by events similar to those described above or other unforeseen events, such as software or hardware defects or cyber-attacks by groups or individuals." 
"Similar events in the future may result in the disruption of Sony’s major business operations, delays in production, shipments and recognition of sales, and large expenditures necessary to enhance, repair or replace such facilities and network and information systems. Furthermore, Sony may not be able to obtain sufficient insurance in the future to cover the resulting expenditures and losses, and insurance premiums may increase. These situations may have an adverse impact on Sony’s operating results and financial condition."
"Sony makes extensive use of information technology, online services and centralized data processing, including through third-party service providers. The secure maintenance and transmission of customer information is a critical element of Sony’s operations. Sony’s information technology and other systems that maintain and transmit such information, or those of service providers or business partners, and the security of such information possessed by Sony or its business partners may be compromised by a malicious third-party or a man-made or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, customer information may be lost, disclosed, misappropriated, altered or accessed without consent. For example, Sony’s network services, online game business and websites of certain subsidiaries have been subject to cyber-attacks by groups and individuals with a wide range of motives and expertise, resulting, in some instances, in unauthorized access to and the potential or actual theft of customer information."
"In addition, Sony, third-party service providers and other business partners process and maintain proprietary Sony business information and data related to Sony’s business, commercial customers, suppliers and other business partners. Sony’s information technology and other systems that maintain and transmit this information, or those of service providers or business partners, and the security of such information possessed by Sony, third party service providers or other business partners may also be compromised by a malicious third-party or a manmade or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, Sony’s business information and customer, supplier, and other business partner data may be lost, disclosed, misappropriated, altered, or accessed without consent."

This is pretty generic stuff, evidenced by the fact that the language doesn't contain anything specific to Sony that wouldn't apply to every other public company. SEC regulations on risk disclosure require that the language to be non-generic so Sony like all registrants will need to find a way to accurately estimate their risk of a cyber attack without providing actionable intelligence to potential attackers (which I believe is entirely possible).

Sony never filed an 8-K on the 2011 breach and to date they haven't filed one on this breach (8-Ks are to be filed on material corporate events that shareholders should know about). I've left a message for their IR desk to call me back so that I can ask them why that is but so far, no joy.

A Taia Global white paper on the SEC and Cyber Risk Factors was just published last Monday and is available for download at the company website.

Thursday, November 27, 2014

Selective Listening Can Kill Your Business (Thank You Gordon Ramsay)

The problem of selective listening (hearing only what you want to hear while ignoring all else) has killed a lot of businesses, especially restaurants. In fact, I suspect that the problem is pervasive across all industries and government agencies.

On Kitchen Nightmares, I watched restauranteurs who were at the brink of closing argue with Chef Ramsay that the problem wasn't the tasteless, frozen, microwaved crap that they served in their almost empty restaurant. It couldn't be because "everyone loves my food".  "Who's everyone? Your restaurant's empty", Ramsay would say. Then there were owners like Sebastian (Sebastian's Pizza) and David (The Black Pearl) whose egos wouldn't allow them to take advice.

I credit Ramsay's series about failing restaurants for helping me avoid those traps and others while I launched and built the Suits and Spooks security event series. After all, a conference is a lot like a pop-up restaurant except with worse food.

I wanted more than anything to build something that was different and that would deliver value to my customers. Inspired by what I learned from Gordon, I picked interesting and unique venues. I imagined that I was creating a menu when I curated my speakers - selecting ones that would add a unique "flavor profile" to Suits and Spooks attendees.  I made sure that I greeted every attendee personally, and listened to their feedback - both positive and negative.

The result was that Suits and Spooks, launched in September, 2011, was sold to Wired Business Media in April, 2014, just two months before Gordon Ramsay announced that after 12 seasons and 123 episodes, Kitchen Nightmares would wrap for good.

So today, on Thanksgiving, I'd like to say thank you to Gordon Ramsay for producing a show that inspired me to build something that I was passionate about and make it a success.

Monday, November 24, 2014

SEC Risk Factors: How To Determine The Business Value Of Your Data To A Foreign Government

“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.”


The SEC’s Cybersecurity Disclosure Guidance of 2011, President Obama’s Executive Order 13636 on Critical Infrastructure Cybersecurity (2013) and the launch of NIST’s Cybersecurity Framework (2014) has had a major impact on publicly traded companies and financial institutions who are struggling with quantifying their risk analysis in the new domain of cyberspace.

While the SEC has not yet codified its cybersecurity guidance (Corp Fin Disclosure Guidance: Topic No. 2), it has already issued 50 comment letters to public companies that have not adequately complied with the new guidelines. In fact, that appears to be a long-standing complaint of the SEC staff who would “like [registrants] to ... get away from mind-numbing risk factors disclosures to a more targeted discussion.”

Although the SEC’s cybersecurity guidelines aren’t yet regulations, the disclosure of risk factors such as credit and liquidity have been a requirement for many years3 and a mandatory non- generic risk factor analysis of a company’s digital assets cannot be far off. The dilemma that boards and general counsels are facing today is that too much disclosure might hurt the company’s business, while too little disclosure may, at a minimum, result in the company receiving an SEC comment letter.

This white paper will explore where the SEC is headed on this issue and propose a novel solution that’s both specific to the company and avoids the potential danger of revealing too much information about company vulnerabilities - the ability to verifiably assess the value of your intellectual property (IP) to a rival Nation State by establishing its Target Asset Value™.

You can obtain a copy by visiting the Taia Global website.