Yes, he has won against 'The Interview', a film that should never have been made and, even if it was made, should never have been made public. I salute you hackers, you have shown what a small country like ours can do with so few cyber resources. It is the best example yet of the power of asymmetric warfare.
Putin must be wondering if he shouldn't pull back his tanks from Ukraine and just start some permanent cyberwar. It costs less and it is very difficult to point the finger at him.
But do not underestimate them.
And also read this report:
You can say that if you can add an image,
you can add code (malware) or snooping software or a redirect or a popup.
This is not enormous, but it is a signal that something is wrong.
And what is more,
it wasn't even noticed, which is even more alarming because it means that you can do these things without being noticed.
It wasn't even noticed by the CERT or any security service (undermanned and underpaid).
Oh, and it isn't the first time that parts of the wallonie.be portal have been defaced, which shows that there are too many parts to be managed and too few people and resources to do this securely.
Click on the link for more information: http://www.zone-h.org/mirror/id/23337578
Oh, and just a reminder: zone-h.org has a free alerting service for your domain, and it is about 600 euro for such a service for all the .be domains, but they never found the money for that (they prefer giving thousands of euros for papers and studies).
We have found the reason why:
it is an old server and nobody looks at it.
But they have made a very stupid mistake.
If the site no longer exists,
you make a redirect in your DNS server
and you take down everything that is old and no longer maintained on that server,
so you don't get defacements and other attacks.
Because even if this subdomain is old, I am not sure that it isn't connected to the new servers, because it is in the same master domain wallonie.be.
But that domain isn't that old:
spw.wallonie.be itself has hundreds of other subdomains like xyzw.spw.wallonie.be with logins and so on.
So this is a very strange page to destroy.
And the hack becomes important again because the upload was on the main page, the main page of the hundreds of subdomains under the subdomain spw of wallonie.be.
It looks like the chain got broken somewhere and somebody will have to fix it - FAST.
One question, for example, is why one needs so many different login systems when they are all in the wallonie.be domain? I have the impression that this is beginning to look like an impressionist painting, one in which you only vaguely make out the figures.
"A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones.
The database, known as WhiteScope, comprises nearly 350,000 files, including executables and DLLs, from dozens of vendors. Among the vendors represented in the database are Advantech, GE, Rockwell, Schneider and Siemens. The project is the work of Billy Rios, a former Google security researcher who has worked extensively on ICS and SCADA security issues. WhiteScope is a kind of reverse VirusTotal for ICS and SCADA files, allowing people to determine which files are known to be good, rather than which are detected as malicious.
“While participating in a few incident response engagements, I realized it’s fairly difficult to know what is a ‘legitimate’ ICS/SCADA file and what is not. Given the overwhelming majority of ICS/SCADA vendors refuse to sign their software, we’re stuck with determining whether files like ‘FTShell.dll’ or ‘WFCU.exe’ (both legitimate files btw) are really supposed to be there. With this problem in mind, I started a database of all the files I’ve seen on ICS/SCADA systems, so that others can compare notes,” Rios wrote in the FAQ for the site.
https://threatpost.com/researcher-releases-database-of-kn...
Well, governments will need to oblige developers to sign their code and make it possible to verify those signatures.
Otherwise this makes no sense.
What if this database gets hacked, penetrated or impersonated?
This is an enormous honeypot.
And even if you don't hack it, you can penetrate the server or any other routing installation in front of it, just to collect network and other information about the people who are responsible for those highly critical networks.
"The report also contains more than 150 indicators of compromise. In most cases, once Operation Cleaver has infiltrated an organization, it has deep access via Active Directory domain controllers and credentials and compromised VPN credentials. In most cases, they’re exploiting vulnerabilities in Windows, Adobe products, Apache, and Cisco VPNs, switches and routers. Its most successful campaigns via these avenues, Cylance said, have been against South Korean transportation networks, including airports and airlines. To date no zero day exploits have been found, Cylance said.
"Cylance’s report also cautions that Operation Cleaver could have a special interest in airline and SCADA networks present in most critical industries. Overall, the campaign could be retaliation for Stuxnet, Duqu and Flame, Cylance said.
“Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run,” Cylance said in its report. “This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.”
First, there is still some hesitation to really attack the critical infrastructure of other countries.
Secondly, the importance of Active Directory and its security is shown once again.
Third, without two-factor authentication you have no really secure authentication.
Read this 80-page report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
"Multiple sources are reporting that the links to the torrents for the stolen Sony internal data were posted on Pastebin late Monday morning. Less than an hour after that post went live, the individual hosts that were sharing copies of the Sony data came under sustained denial-of-service attacks apparently aimed at keeping the files from being shared with other torrent users.
http://krebsonsecurity.com/2014/12/sony-breach-may-have-e...
If you know how P2P or BitTorrent works, then you know that if you don't delete the torrent in your client after you have downloaded it, you are sharing it with the whole world. You are becoming a publisher, a website in fact.
In this case it makes it enormously difficult for Sony to get the data off the web, but it seems that some operatives (hardly Sony itself, because this is illegal in some countries even if you can't file a complaint because you are hosting illegally stolen files) are using the DDoS weapon to slow down the computers of the sharers of their files to limit the spread.
This is an interesting development in the torrent world, because it can inspire others and because it will also have effects on routers and other installations, not only of ISPs but of customers. You can start a DDoS, but because of the nature of the internet you will never control all the fall-out of a DDoS attack.
The advantage of having Snort on your network - or, if it is too big, on the most important part of your network - is that it can discover botnets and viruses before the signatures of your antivirus have been updated and distributed.
There is for the moment no VirusTotal check for the file, so there is no way of knowing if your network was attacked with it.
"“The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun,” the alert warned.
Here’s the Snort signature, in case this is useful for any readers who didn’t get this memo:
alert tcp any any -> [22.214.171.124,126.96.36.199,188.8.131.52] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314;)
http://krebsonsecurity.com/2014/12/sony-breach-may-have-e...
But make sure you understand this correctly:
if that kind of traffic arrives, then you have to take down the machine immediately, because the beacon means the wiping of all data on that disk has started and you are not sure that you will be able to recover it - there is absolutely no guarantee.
And this is as important for your servers as for your desktops or laptops.
There was a massive DDoS attack, but nobody is sure where it came from.
There were infections through email attachments.
There seems to have been some physical penetration.
There seem to have been some employees who helped the hackers.
Before reading the quote you have to remember the following before jumping to conclusions.
If this comes from North Korea, then it is an intelligence operation.
If this is an intelligence operation, then the operational methods of intelligence operations have to be taken into account.
One of the most important aspects of this is to hide your sources, your methods and your identity.
Secondly, if by sending false information you can get an organisation to become totally paranoid and begin investigating every possibility, and so lose attention for the real sources, methods and you because they are investigating tens or hundreds of internal employees looking for the mole, then you have hit the organisation a second time, and this time big time, because it will go into purges and paranoia and even total disintegration (like MI5 when they were hunting for the fifth Russian spy who was never found, if there ever was one).
So this is the quote, but it can be just a diversion.
I hope some of the people helping Sony have some intelligence background and are capable of playing the mind games that the hackers seem to be playing.
Nevertheless, physical security has to be integrated into the total security plan of your organisation, and people shouldn't be able to wander freely around the building or offices (as is the case in some military headquarters.....).
"In a statement to The Verge, 'Lena' referenced the need for equality once again, adding that Sony didn't want such a thing, and that it was "an upward battle."
"Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in. Im sorry I can't say more, safety for our team is important [sic]," 'Lena' told The Verge.
"If the claims are true, and the GOP had help from the inside in order to accomplish their aims, this is a disaster for Sony. It's one thing for an attacker to gain access from the outside; it's another when they can physically touch the environment.
http://www.csoonline.com/article/2851649/physical-security/hackers-suggest-they-had-physical-access-during-attack-on-sony-pictures.html
In the article the claim is that some disgruntled people from Sony helped the hackers because they wanted more equality, which means that probably some female employees are really pissed off and were manipulated by the hackers (intelligence operatives) into lending them some information (without really knowing what the impact would be and probably thinking it would be like another LulzSec attack). That is, if this is not a diversion.
If you put one and one together, you arrive at disgruntled female employees with high credentials who can bring external people inside the building without being double checked and who have access to the backups.
If this is the case, then someone has taken either a server or several terabytes from a number of hard disks and copied this directly (at the high rate of the internal networks and not through the firewall, which explains why they didn't see it). If this is the case (I repeat, to be sure).
In such environments you have to work with the information you have and make some assumptions about the possible scenarios; sometimes you can eliminate some of them immediately, while others continue to be working scenarios for which you are looking for evidence to close them down as a dead end or keep them as still plausible.
If we go from a multi-strategy attack plan, then it is even possible that the infection attacks are separate from the copying of the backup and the intranet - even if they seem to be done by the same group.
"another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data.
Now, leaking on Tor makes it very hard to destroy the data online, because it is being hosted on hundreds or thousands of computers.
Now it is possible to contact the people in several western countries to destroy that data because of the legal issues of publicly sharing such data, but that can't be the case for the computers in other countries.
You can also easily repackage the data in another file or make it a secret torrent that you only share on certain networks, which makes cleaning it up very difficult.
This means that it is impossible to do anything other than consider it definitively lost, and that the respective persons will have to get new numbers, new accounts and so on, and that the cost of this has to be borne by Sony.
It is clear that it is the clear intent of the hackers to hurt and eventually destroy Sony, who can do little to stop the leaking and its disastrous effects.
As so much information has been copied, Sony will have to consider that all internal information is compromised and will have to take these measures for all their employees who had any kind of information on the affected networks and installations.
This distinction hasn't been made by the Belgian Privacy Commission in its guidelines of January 2013 about data leaks, and I am not sure that the European directive makes this distinction either.
"In the documents viewed by Salted Hash, the sales items were for airing rights to various shows such as Dr. Oz, Judge Hatchett, Outer Limits, and Stargate, SG-1. The documents also disclose details related to syndication rights for sitcoms such as King of Queens, Seinfeld, and Rules of Engagement.
While internal sales data is bad enough, the data dump has the ability to make Sony's situation worse.
It includes an internal phone list and organizational chart, complete with names, titles, departments, phone extensions (with outside line dialing information) and cellular phone numbers. The phone list was created in 2009, but it covers the company sales teams in Los Angeles, Atlanta, Chicago, and New York.
http://www.csoonline.com/article/2852982/data-breach/sale...
The full first package is only 25 GB ..... out of the 11 terabytes that were claimed first.
Now they claim to have more than 100 terabytes and they say they will continue to publish information.
But the files are old - which means that they probably (also) got hold of backup servers, which is interesting because those are not always (very rarely, in fact) encrypted and the access is not always controlled that strictly. It also explains why so much information could have left the company, because it could be that a big file transfer is totally normal in the backup process.
* Hey Jan, what is this enormous surge in data traffic?
* Oh, it is the backup processes.
* Do we do a backup now?
* Don't know, have to ask the backup people, they change all the time when they do backups.
* Okay, let's go on to the next incident, attack, malware.
"Reacting to the news that North Korea is behind the attacks, a person claiming to represent GOP told Salted Hash:
"We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France. We are not under direction of any state.
"Our aim is not at the film The Interview as Sony Pictures suggests. But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money.
"The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures."
If you read it you will see that this is typical propaganda newspeak.
The action is not against the film because the film is against North Korea, but because it harms regional peace, because the dictator in North Korea is so mad about the film that he is capable of doing anything (meaning that more attacks and even military incidents can be expected), and so the film harms regional peace, and for this reason the film shouldn't have been made, because it angers the great dictator. Sony should only have made films that the great dictator likes personally, so he isn't so mad that he wants to turn his anger into a destructive attack - cyber or military.
So we can expect more such attacks, military incidents and threats from the Great Dictator in the coming weeks.
The only question is how the Chinese will respond, or if they will try to calm it down.
On the other side, don't be surprised if the film gets only a limited distribution, only in specialised festivals and so on, and if pay channels won't program it in their library.
With the same reasoning we shouldn't have made any film about Hitler and the Nazis, because we would be afraid of his reaction, and the same about Ukraine (even if we are holding the same discourse to the Ukrainian people all the time, that they shouldn't anger Putin and should try to negotiate something with him instead of resisting).
"Once installed on the victim's system, by way of a malicious email attachment in most cases, the malware – called a wiper in some circles – will initiate a beacon and phone home.
The malware described by the FBI relies on hardcoded IP addresses (C&C servers) in Italy, Thailand, or Poland, and connect them on either port 8080 or 8000. The malware will attempt to make connections every 10 minutes to each of the IPs. If that fails, a two-hour sleep command is issued, after which the computer is shutdown and rebooted.
The memo warns that once the beacons start, the process of wiping the files has begun.
http://www.csoonline.com/article/2853893/disaster-recover...
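The Snort rule quoted earlier and the beacon behaviour described in the memo above, as an added Python example that is not code from the page, the FBI memo or Krebs: it re-implements the rule's conditions over captured TCP segments and then checks per host for the ten-minute callout interval. The segment record format, the internal host addresses and the sample traffic are constructed; the callout IPs and ports are taken exactly as printed in the quoted rule.

```python
# Added example (not code from the page, the FBI memo or Krebs): re-implement the
# quoted 'wiper_callout' Snort rule over captured TCP segments and add a check
# for the ~10-minute callout interval described in the memo quoted above.
# The segment record format and the sample traffic are constructed here.
from collections import defaultdict
from datetime import datetime, timedelta

# Rule values exactly as printed in the quoted signature (IPs as shown on this page).
CALLOUT_IPS = {"22.214.171.124", "126.96.36.199", "188.8.131.52"}
CALLOUT_PORTS = {8080, 8000}
PAYLOAD_SIZE = 42              # dsize:42
MARKER = b"\xff\xff\xff\xff"   # content:"|ff ff ff ff|"
MARKER_OFFSET = 26             # offset:26
MARKER_DEPTH = 4               # depth:4


def matches_wiper_callout(dst_ip, dst_port, payload):
    """True when one TCP segment satisfies every condition of the quoted rule."""
    if dst_ip not in CALLOUT_IPS or dst_port not in CALLOUT_PORTS:
        return False
    if len(payload) != PAYLOAD_SIZE:
        return False
    # 'offset' and 'depth' restrict where the content may be found in the payload.
    return payload[MARKER_OFFSET:MARKER_OFFSET + MARKER_DEPTH] == MARKER


def beacon_hosts(segments, period=timedelta(minutes=10),
                 tolerance=timedelta(seconds=30), min_hits=3):
    """Group matching segments per source host and report which hosts show the
    periodic callout pattern. segments: iterable of
    (timestamp, src_ip, dst_ip, dst_port, payload) tuples."""
    hits = defaultdict(list)
    for ts, src, dst, port, payload in segments:
        if matches_wiper_callout(dst, port, payload):
            hits[src].append(ts)
    report = {}
    for src, times in hits.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = sum(1 for g in gaps if abs(g - period) <= tolerance)
        report[src] = {
            "callouts": len(times),
            "periodic_gaps": periodic,
            # one matching segment is already reason to isolate the host; the
            # 'beaconing' flag says the interval pattern from the memo is present
            "beaconing": len(times) >= min_hits and periodic >= min_hits - 1,
        }
    return report


def callout_payload():
    """Constructed 42-byte payload carrying the marker at offset 26."""
    tail = PAYLOAD_SIZE - MARKER_OFFSET - MARKER_DEPTH
    return b"\x00" * MARKER_OFFSET + MARKER + b"\x00" * tail


T0 = datetime(2014, 12, 1, 9, 0, 0)
# Constructed sample traffic (not a real capture).
SAMPLE_SEGMENTS = [
    # 10.0.0.5: four callouts roughly ten minutes apart, rotating between the addresses
    (T0, "10.0.0.5", "22.214.171.124", 8080, callout_payload()),
    (T0 + timedelta(minutes=10), "10.0.0.5", "126.96.36.199", 8000, callout_payload()),
    (T0 + timedelta(minutes=20, seconds=5), "10.0.0.5", "188.8.131.52", 8080, callout_payload()),
    (T0 + timedelta(minutes=30), "10.0.0.5", "22.214.171.124", 8080, callout_payload()),
    # 10.0.0.9: ordinary HTTP to port 8080 on the same address: wrong size, no marker
    (T0, "10.0.0.9", "22.214.171.124", 8080, b"GET / HTTP/1.1\r\n"),
    # 10.0.0.7: a single matching segment, not (yet) periodic
    (T0, "10.0.0.7", "126.96.36.199", 8000, callout_payload()),
]

if __name__ == "__main__":
    for host, info in beacon_hosts(SAMPLE_SEGMENTS).items():
        print(host, info)
```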
This is like most of the APT attacks that are described as very 'professional attacks with code only available to ...blablablabla'.
But if you follow the same logical examination as any forensic investigation and ask how the file got onto the PC (even before asking yourself how it is possible that those workstations have so many administrative rights and so little protection .... behind that so-called firewall and other security walls),
then the answer is in most cases always the same:
"it came as an attachment from the mail" or as a "download from a link in the mail".
But why do we accept that these attachments in the mail are downloaded and placed on the computers of our internal networks? Why don't we place them on a sandboxed server (with no connection to the internet or even the intranet) where people can open them, read them and eventually sanitize them before placing them on a server in the network (one that you can secure much harder than the rest of your servers, for example with no network connections for files)?
Ideally you should be able to have those files analyzed every so many days by a number of antivirus, anti-malware etc. products and block all those where there are suspicions.
This would be the cheapest solution, and it would in fact be very easy to set up and add to your mail server and network.
It is impossible to say who protects against the file, because VirusTotal doesn't give any answer, neither on the MD5 nor on the filename.
Maybe this is done at the demand of the FBI to make it impossible for the attacker to discover which networks can be attacked easily because their antivirus isn't up to date yet - even if in the other cases it doesn't mean that all the antiviruses on all the machines in the networks have updated libraries and protections.
It is also clear that this virus is generic: it isn't built for a specific machine or model or version, it just attacks all the boot processes, so it is much harder to protect against and much more dangerous once it is inside your environment (because if it had been written specifically for a specific machine, you could calculate how many more of such machines you had, where they were located and what the risk of each machine was, and concentrate immediately on those that are of most value to the organisation, business or network).
Size: 249856 bytes (244.0 KB)
PE Compile Time: 2014-11-24 04:11:08
Language pack of resource section: Korean
Normally the name of the software would have let it pass through process controls.
igfxtray.exe is a process which allows you to access the Intel Graphics configuration and diagnostic application for the Intel 810 series graphics chipset. This program is a non-essential system process, and is installed for ease of use via the desktop tray.
http://www.processlibrary.com/en/directory/files/igfxtray...
The virus file was uploaded yesterday to this sandbox (with connections to Tokyo).
This file was already called malware in 2011 by this site (and it was attributed to the TrueCrypt organisation, but it isn't digitally signed - well, as long as such software can be placed into the boot sector or root of a PC without any digital signing we are just riding in the dark without lights, and if they were signed they would have to be checked).
VirusTotal has an analysis for this file, but some antiviruses didn't protect against it.
This was a 32-bit version - one that shouldn't have worked in a 64-bit environment.
2011 seems to have been a very difficult year for the rootkit/bootkit developers, as they had to migrate to 64 bits :)
The reason for the attack is political
"Yet the technology news site Re/code reported that Sony was investigating to determine whether hackers working on behalf of North Korea were responsible for the attack as retribution for the company's backing of the film "The Interview."
The movie, which is due to be released in the United States and Canada on Dec. 25, is a comedy about two journalists recruited by the CIA to assassinate North Korean leader Kim Jong Un. The Pyongyang government denounced the film as "undisguised sponsoring of terrorism, as well as an act of war" in a letter to U.N. Secretary-General Ban Ki-moon in June.
The technical section of the FBI report said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.
"The report said the malware overrides all data on hard drives of computers, including the master boot record, which prevents them from booting up. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," the report said.
Security experts said that repairing the computers requires technicians to manually either replace the hard drives on each computer, or re-image them, a time-consuming and expensive process.
http://news.yahoo.com/exclusive-fbi-warns-destructive-malware-wake-sony-attack-002204335--finance.html
We have seen the hundreds of pages with all the sites and information that has been downloaded and now seems destroyed. These are whole intranets with intranet sites (and their code) and databases and internal applications and passwords and files and personal mailboxes, and so it goes on for hundreds of pages.
Now it is clear that all the hard disks on which this data was found were virtually destroyed, and I hope they have good external backups and that these were isolated from the network so that the hackers couldn't delete those as well (which was done in several hacking incidents).
By using destructive bootkits you also make it very hard to do any really professional forensic analysis, because it will be very hard to find the evidence on the destroyed hard disks - eventually you will have to destroy it yourself to be able to recover some other data (instead of the event logs and other proof).
We already had viruses that blocked your data with an encryption key, but this is a whole new ballgame..... they are just out to copy and publish your internal network and to destroy it totally afterwards, with the only intent of making you pay by creating chaos.
But the big question naturally is why Sony wasn't better prepared for this after its attacks and leaks in 2011.
The minister of Security (as he calls himself) proposed to the minister of Defense of the same party (NVA) to let the military patrol the streets in Belgium.
They have done that once already, but then we had at the same time the attacks from the Bende van Nijvel and from the CCC, which was creating a strategy of tension in Belgium, voluntarily or not, as not all information about that will be declassified before I die.
He refers to France, but France started with military patrols at certain historic and strategic places after some really big terrorist attacks and because from time to time they arrest terrorist cells before they can attack. This is not necessarily a good strategy (in Great Britain they are just heavily armed policemen - but still policemen).
If the minister wants to put the military to any good use, he should place them at and around our nuclear installations, where we have already lost one due to internal strategic sabotage and have lost another for two days because of a fire in an external electrical installation that is not protected by any wall or defensive installation.
If we lose any of the other nuclear installations we will be in a real blackout, and the only thing you have to do is to blow up some electrical installations outside the installations which are totally unprotected.
Oh no, it is not only me saying this; it was on the RTBF news (http://www.rtbf.be/video/detail_jt-19h30?id=1975146 from minute 16) and in France there are also calls to militarise the protection and security of nuclear installations (shortly after 9/11 there were military and missiles around our nuclear installations).
The first malware that targeted POS (point of sale) systems was built for specific software and hardware and wanted only the credit card information.
Now, from a specific malware it has grown into a platform to attack any vendor system for any reason.
"Some recent POS investigations have revealed organized crime groups distributing malicious code and compromising networking environments of merchants and credit card devices, including ticket vending machines and electronic kiosks installed in public places and mass transport systems. One of the compromised devices was found in Sardinia in August 2014, giving the bad actors unauthorized access to it through VNC.
But the infections are only starting (one in Holland, one in France, but none in Belgium for the moment).
It also means that the period of security by obscurity is over for these systems, and that anti-Coke hackers will give us free coke (or none at all) or free bus rides, or just want to get PIN codes on any access system (to have some physical penetration afterwards?).
"The cybersecurity company FireEye has unearthed a team of email intruders that snoop through the correspondence of company executives who may possess market-moving information.
FireEye said the team has carried out attacks against nearly 100 publicly traded companies or their advisory firms in possible attempts to play the stock market. Most of the targets are health care or pharmaceutical companies. It noted that the shares of those firms can move dramatically after the announcement of clinical trial results, regulatory decisions or other significant developments.
FireEye has labeled the group FIN4 and says it focuses on capturing usernames and passwords to email accounts, which gives the group access to private email correspondence. The group does not use malware, which helps it evade detection.
They send emails from friends or contacts that ask you to fill in a form with your email credentials.
Then they use those email credentials to read your email over your shoulder.
And this you can only end when your company email service does the same location checks as Google and Yahoo - except when they do it from the same location or through a hacked site or a local proxy that gives the same protection.
Information is much more important than showing off that you have hacked or defaced something.
The best solution is two-factor authentication.
"The security break at Sony Pictures marks the second time that Sony Corporation had been targeted by hackers. In 2011, the online network for Sony's PlayStation game console was broken into, exposing names and credit card numbers for millions of customers. By the time damages from more than 50 class-action lawsuits had been paid, it's estimated that Sony spent more than $2 billion as a result of the breach.
"Further disturbing is that thus far the studio's IT experts have been unable to reverse the attack and get the computer system back to normal. “The IT department has absolutely no idea what hit them or if they can recover any of their files or operating systems, or even turn on their computers Monday,” said the insider.
http://www.thewrap.com/sony-execs-working-on-chalkboards-while-hackers-claim-stolen-data-includes-stars-ids-budget-and-contract-figures/
And here you will find a good overview of what is lost (private keys, code, IDs, contracts,.....) and all the other information you may need inside the discussion: https://www.reddit.com/r/hacking/comments/2n9zhv/i_used_t...
The numbers speak for themselves.
Fury is in the theatres in the States, while Annie still had to be released worldwide.
“Fury,” a war film that stars Brad Pitt and Shia LaBeouf, has reportedly been downloaded by over 1.2 million unique IP addresses, while “Annie” has been downloaded by an estimated 206,000 unique IP’s, according to the piracy-tracking firm Excipio.
http://conservativeblogscentral.com/archives/7389
This is a disaster,
and proof that if you don't use anonymizing software your torrent traffic will be kept somewhere for some time.
"According to an approximation, 11,000 GB data was ripped off by the hackers and have warned if their demands are not met all this data would be released in the wild.
A thread on Reddit provided information on what hackers could have stolen from the Sony pictures system. According to the thread, the data might contain passport and visa information for cast and crew working on Sony movies, Outlook inboxes, documents detailing the company’s IT systems plus accounting and research information- but all this is just a small part of this gigantic breach.
and this is not a joke
"By Friday, it was believed that the staff at the company were forced to do their work with pen and paper and that it could take up to three weeks to completely get out of the massive breach.
http://thehackernews.com/2014/11/sony-pictures-movies-leaked.html
And these are the five unreleased films that you will find on torrents.
How do you do that?
Get 11,000 GB of information past a firewall and security and logs and monitors and people who are supposed to look at those screens, without anything or anybody seeing anything.
Do you understand how MUCH information that is?
Even with a normal traffic volume monitor (how much a connection, server or account normally transports) you would have seen that something is not right and an alert would have gone off (this is very efficient for leaving video streaming open while blocking downloads of movies).
So we will have new Sony movies and mailboxes of film stars and pics of them and so on very soon.... except if they pay up (and they hardly have any choice, do they).
- "Still Alice" starring Julianne Moore, Alec Baldwin – US release date: Jan 16, 2015
- "Mr Turner" starring Timothy Spall. – US release date: Dec 19, 2014
- "Annie" starring Jamie Foxx and Cameron Diaz. – US release date: Dec 19, 2014
- "Fury" starring Brad Pitt – US release date: Oct 17, 2014
- "To Write Love on Her Arms" – US release date: March 2015
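The traffic volume monitor argued for above, and the "oh, it is the backup processes" exchange earlier, as an added Python example (not Sony's monitoring and not code from the page): each host's daily egress is compared against a median/MAD baseline from its own history, and a surge is only accepted as backup traffic when the flow is a registered backup pair. Host names, the backup pair and all byte counts are constructed sample data.

```python
# Added example (not Sony's monitoring and not code from the page): a per-host
# egress baseline check of the kind the text argues would have flagged an
# 11,000 GB transfer, with registered backup flows treated as explained
# traffic so the "oh, it is the backup" answer can actually be checked.
# Host names, the backup flow and the byte counts are constructed sample data.
from collections import defaultdict
from statistics import median

MB = 1024 ** 2
GB = 1024 ** 3
TB = 1024 ** 4

# Registered backup flows: (source host, backup target). Any other large flow
# is unexplained, whatever the backup team says on the phone.
KNOWN_BACKUP_FLOWS = {("backup-01", "vault.internal")}


def daily_totals(records):
    """records: (day, src_host, dst_host, bytes_out) -> {src: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in records:
        totals[src][day] += nbytes
    return totals


def baselines(history):
    """Median daily egress and median absolute deviation (MAD) per host."""
    out = {}
    for host, per_day in daily_totals(history).items():
        values = list(per_day.values())
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid zero spread
        out[host] = (med, mad)
    return out


def check_egress(today, history, k=10, floor=1 * GB):
    """Alert on hosts whose egress today exceeds their baseline by more than
    k MADs (and by at least `floor` bytes) to a destination that is not a
    registered backup flow."""
    base = baselines(history)
    destinations = defaultdict(set)
    for _day, src, dst, _n in today:
        destinations[src].add(dst)
    alerts = []
    for host, per_day in daily_totals(today).items():
        total = sum(per_day.values())
        med, mad = base.get(host, (0, 1.0))  # never-seen host: no allowance
        threshold = max(med + k * mad, med + floor)
        if total <= threshold:
            continue
        unexplained = sorted(d for d in destinations[host]
                             if (host, d) not in KNOWN_BACKUP_FLOWS)
        if not unexplained:
            continue  # big, but only to a registered backup target
        alerts.append({"host": host, "bytes": total,
                       "baseline": med, "destinations": unexplained})
    return alerts


def build_sample(history_days=14):
    """Constructed history of per-host egress plus one 'today'."""
    history = []
    for day in range(history_days):
        history.append((day, "ws-17", "mail.internal", 300 * MB + day * MB))
        history.append((day, "ws-42", "mail.internal", 250 * MB))
        history.append((day, "backup-01", "vault.internal", 2 * TB))  # nightly backup
    today = [
        (history_days, "ws-17", "mail.internal", 310 * MB),
        (history_days, "backup-01", "vault.internal", int(2.5 * TB)),  # a full backup
        (history_days, "ws-42", "203.0.113.9", 800 * GB),  # constructed exfiltration
    ]
    return history, today


if __name__ == "__main__":
    history, today = build_sample()
    for alert in check_egress(today, history):
        print(alert)
```

The backup server's unusually large full backup passes because its flow is registered, while the workstation's transfer to an unregistered address is the only alert.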
It is also astonishing that after the massive LulzSec breaches they weren't capable, over the last 2 years, of upgrading their security to an acceptable level, which means that they didn't make any big new investments, didn't install new monitoring rooms and didn't extend their staff and procedures.
It also means that they don't have any system of data leakage prevention.
Even stranger that it came from North Korea - how the hell do you accept an 11 terabyte download to North Korea?
Follow the information about this hack.