italkyoubored

Addressing counterarguments that N Korea behind Sony hack

Dec 26th, 2014
Out of boredom, and while waiting for other things, here are varied arguments against the idea that the Sony hack was perpetrated by any group other than North Korea.

The arguments against North Korea as perpetrator of the hack can be found in varied places including:

http://gawker.com/a-lot-of-smart-people-think-north-korea-didnt-hack-sony-1672899940
http://marcrogers.org/2014/12/18/why-the-sony-hack-is-unlikely-to-be-the-work-of-north-korea/
http://marcrogers.org/2014/12/21/why-i-still-dont-think-its-likely-that-north-korea-hacked-sony/
http://www.wired.com/2014/12/evidence-of-north-korea-hack-is-thin/

1) There is the argument that The Interview only became a focus after the media made it so - that this subject was only raised on December 8 (Zetter, Wired). That raising this subject was an attempt to distract from the true perpetrator. What I find unusual about this argument is that if this is the case, the hackers appear to have deliberately attempted to present themselves as non-English speakers from the outset of the hack - in the English of the ransom note, of the Guardians of the Peace announcement, by having the malware's creator use the Korean language pack for Windows (this last detail, often left out, is mentioned in: http://recode.net/2014/12/02/details-emerge-on-malware-used-in-sony-hacking-attack/). So, this group from the very outset tried to present themselves as people able to speak English without fluency or immersion in the language, and even left an indicator that their native language was Korean, yet only decided to present themselves as affiliated with North Korea on December 8. This also overlooks another detail. The hackers leaked Sony's movies to file sharing sites on November 30, indifferent entirely to the content of the films, arguably with the sole intent to have a financial impact on Sony's revenues; though they appear to have acquired all of Sony's film software from this year, they leaked _every_ film _except_ The Interview. Again, this is a week before they supposedly decided to shift the focus to North Korea.

2) If this is a hacktivist group, it shows a marked difference from hacktivist groups of the past. LulzSec and Anonymous made it very clear that they were the ones behind any deed; LulzSec made no attempt, say, to attribute the Stratfor attack to Al-Qaeda. The idea of using such an attack in order to engage or escalate in any conflict, which in turn could be used to justify stricter surveillance of the internet, is exactly what such groups wanted to avoid. This attack also leaves out many details of past hacktivist attacks - there is at once the proper analysis that they must stay secret, and at the same time they wish to be recognized. The LulzSec hacker was well-known for this - wanting it to be recognized that a hack had been made by a group affiliated with him; when the Sun website was hacked, a fake news story was posted which featured LulzSec members' names as anagrams. This overlaps with another detail of such hacktivism - they often feature jokes which, however crude, are often witty - the kind of wit only someone fluent in English and Anglo-American culture would attempt. Simply talking in "engrish" would not be considered interesting or funny by their standards.

3) That their "fluency" in media such as pastebin or reddit means that the hackers must be from North America or Europe. Nonsense. South Korea is far more wired than North America, and as everyone knows, 4chan is derived from 2chan. Pastebin is used because it's no fuss no muss and its learning curve is zero. Anyone unfamiliar with English would be able to use it with ease, and would have used similar services in other parts of the world. The format of reddit would be familiar to any 2chan user - again, part of reddit's popularity is because it is so easy to access and use.

4) If the motive behind this hack was financial, these hackers are either entirely unskilled at it, or have no experience in hacking for cash whatsoever before hitting this huge target. They have a trove of SSNs, which they could harvest in various false ID scams, or sell to a dark market for such ends - but they simply dump them. They send a ransom note, but have no idea how such ransoms usually work. Companies often _do_ pay ransoms to hackers so that their security holes are not revealed. The procedure is to send a note making very, very clear that the hackers have high level access to the system and have already acquired valuable information - these hackers might have sent a note in clear, coherent English with the SSN of the CEO (Amy Pascal, say) along with a clip of Annie. They might point out one hole, and offer to send all the rest, contingent on a payment of bitcoins or some other untraceable means, etc. These hackers do the exact opposite - they send a note containing no such privileged information, written in terrible English, doing everything they can to ensure that their ransom demand is _not_ taken seriously.

5) A Sony insider. If this is a Sony insider, a wronged worker, who wishes to humiliate the company, they have taken an unusual strategy. We would expect such an insider to leave out the SSNs of their hard-working lower level fellow employees, and stick to the personal info of top level execs. We would assume that this person is expert in their knowledge of the Sony hierarchy, and would isolate the most damaging information, rather than leave it to Western news organizations to parse it - these hackers seem to have little or no familiarity with Sony or any movie studio, not enough to know what was crucial information and what wasn't.

6) There is the idea that somehow if you say that the evidence points towards North Korea, you are giving in to saber rattling. Nonsense. We know for certain that China has been behind several hacking attacks in the U.S., Canada, and Europe; Russia has allowed hacking and dark market activity to go on for years in the Ukraine. This doesn't give any pretext for war or counterattack. It's simply a question of proper identification of the threat.

7) One final, small point. Rogers in http://marcrogers.org/2014/12/21/why-i-still-dont-think-its-likely-that-north-korea-hacked-sony/ says that the IP addresses are not those of the hackers' machines as if it's some kind of revelation, apart from what the FBI has already said. No, they've already stated clearly that these IPs are most likely those of hijacked machines, belonging to people unaware that they're involved in this hack. From http://recode.net/2014/12/02/details-emerge-on-malware-used-in-sony-hacking-attack/:

The attackers apparently used compromised computers in Thailand, Italy and Poland to carry out the attacks. The FBI's warning says these systems belonged to parties unrelated to the attackers or the victim.

There are no doubt other points that I've forgotten, but I have to go now.

POSTSCRIPT (27/12/2014):

A supplemental note to address something I came across in @BiellaColeman's twitstream - https://twitter.com/CSMPasscode/status/548474414611042304 - that hacker group Lizard Squad was behind the Sony hack. The link goes to an article in the Christian Science Monitor, http://www.csmonitor.com/World/Passcode/2014/1224/This-is-Lizard-Squad-the-nebulous-hacker-group-now-tied-to-the-Sony-hack ("This is Lizard Squad, the nebulous hacker group now tied to the Sony hack"), which features the note that a single security firm, IntelCrawler, believes Lizard Squad was behind the Sony hack. Again, we have a strong deviation from previous behavior of a hacker group. The brand "Lizard Squad" is incredibly important to the group, as important as a flag to a nation-state, the colors for a gang, or the tag of tag artists. Their hacks appear to be in part an attempt to propagate the "Lizard Squad" brand; and they often force their victims to brand themselves with the tag. And yet in the Sony hack, perhaps their biggest achievement, they take entirely the opposite tack - they keep themselves entirely hidden, not giving their name away, but letting another brand, the Guardians of Peace, take credit. This is a group that has previously been indifferent, indeed reckless, about the consequences of law enforcement, and yet here they are suddenly circumspect about being linked to a breach. The equivalent would be for a graffiti team to pull off their most formidable achievement, scaling the Empire State building, say, and rather than putting down the logo associated with them, allowing an entirely different brand to be painted on.

POSTSCRIPT (29/12/2014):

One link that has been breathlessly passed around (for instance, Kashmir Hill @kashhill https://twitter.com/kashhill/status/549630538454011904) has been "A New Script: Clues in Hack Point to Sony Insiders" (https://securityledger.com/2014/12/new-clues-in-sony-hack-point-to-insiders-away-from-dprk/). What's astonishing is how opaque the evidence is, how ardently it's taken in, while expressing skepticism over FBI claims. Kurt Stammberger, vice president of security firm Norse, gives us a gold nugget of evidence: there were lay-offs at Sony earlier this year and there were people angry about such layoffs. Among those laid off was one individual who had a "very technical background". This person also communicated with people affiliated with underground hacktivist groups. What does "affiliation" mean? What were these "hacktivist" groups? There are many shades, and many hacktivist groups would refuse to do many of the things involved in the Sony hack - and would refuse to do something like use the Korean language pack and drop other clues to throw blame on a nation-state that had nothing to do with the hack. Neither Stammberger nor Norse provides any answers or clarification here.

The writer of this piece ("Paul") appears to be remarkably indifferent to the quality of information given out - anything that might support the thesis is shoveled in. This includes a link to a piece about the timestamps of when data was transferred off Sony's computers - "Researchers have used those time stamps to infer the speed with which the data was transferred off Sony's network." (http://gotnews.com/breaking-can-conclusively-confirm-north-korea-not-behind-sony-hack/) Researcher? The link is to a story written and "researched" by Charles Johnson, a man notorious for his recklessness and error-prone reporting (a list of his abysmal mistakes can be found here: http://gawker.com/what-is-chuck-johnson-and-why-the-web-s-worst-journal-1666834902). A refutation of Johnson's "conclusive confirmation" can be found in the article comments: http://gotnews.com/breaking-can-conclusively-confirm-north-korea-not-behind-sony-hack/#comment-1754792635

POSTSCRIPT (31/12/2014):

With regard to the stylometric analysis of Taia Inc., suggesting that the hackers were Russian speakers, one point often left out that's made in the NY Times article citing their research ("New Study May Add to Skepticism Among Security Experts That North Korea Was Behind Sony Hack", http://bits.blogs.nytimes.com/2014/12/24/new-study-adds-to-skepticism-among-security-experts-that-north-korea-was-behind-sony-hack/) is that the amount of material used for their conclusion is considered insufficient for any such analysis, let alone anything like a solid deduction. From the Times article: "Even so, Taia Global's sample size is small. Similar computerized attempts to identify authorship, such as JStylo, a computerized software tool, requires 6,500 words of available writing samples per suspect to make an accurate finding. In this case, hackers left less than 2,000 words between their emails and online posts." It should also be noted that in 2010, Jeffrey Carr, the founder of Taia, argued that the Stuxnet Iran worm did not originate with the U.S. and Israel, but came from China, which was targeting India, because Siemens technology is used on their satellites, there was a glitch in their satellites, and Stuxnet targets Siemens hardware (http://thediplomat.com/2010/10/was-china-behind-stuxnet/). This, to say the least, is a guess with little or no present basis, with near consensus that Stuxnet was designed specifically to target Iran's reactors and required someone to enter restricted facilities to implant the malware - not a case of an accidental infection.