Friday, December 19, 2014

There has never been a security breach like Sony.
Still no credible information. That means the press gets to speculate like mad.
Are we a nation of over-reacting, “ready, fire, aim,” “We don't need no stinking logic!” wimps? Judge for yourself.
(What would happen if this eventually got traced back to my Ethical Hacking class? After I flunked them for getting caught.)
US: Sony Cyberattack is ‘Serious’ National Security Matter
U.S. officials are treating a cyberattack on Sony Pictures as a "serious national security matter," with the National Security Council considering a proportionate response, the White House said Thursday.
… The U.S. Department of Homeland Security says "there is no credible intelligence to indicate an active plot against movie theaters."
President Barack Obama also downplayed the threat, saying his "recommendation would be that people go to the movies."
The U.S. State Department has denied media reports it had given its backing to the film.
… In an interview late Wednesday with ABC News, Obama called the cyberattack on Sony Pictures "very serious."
"We’re investigating it. We’re taking it seriously. We’ll be vigilant," Obama said. "If we see something that we think is serious and credible, we’ll alert the public. But, for now, my recommendation would be that people go to the movies."

White House Doesn’t Rule Out Cybercounterattack in Sony Hack
… Earnest said there have been a number of daily meetings at the White House about the hack, and that there are “a range of options that are under consideration right now” for a response. Earnest would not rule out a U.S. cybercounterattack on those behind the Sony hack, saying officials are mindful of the need for a “proportional response.”
… “Administration officials were consulted about the film prior to its release at the request of the company that was producing the movie,” Earnest said, confirming that officials had screened the film.

Hack attack spurs call for more NKorea sanctions
… Rep. Ed Royce, R-Calif., chairman of the House Foreign Affairs Committee, said he did not doubt North Korea was involved. He called for tougher U.S. sanctions to cut Pyongyang's access to hard currency, by excluding from the U.S. financial system banks in other countries that hold North Korean funds.

(Related) On the other hand...
Think North Korea hacked Sony? Think about this
… If the hack was all about stopping the release of "The Interview," why didn't that come up earlier? For the first couple of weeks, the messages that accompanied leaked data didn't mention the movie at all. It was more about Sony and its executives -- something underlined by the vindictiveness of the leaks.
… The movie wasn't mentioned until a message on Dec. 8, and then it was in addition to previous demands made by the group.
… The movie wasn't mentioned by name until Dec. 10, when the hackers also issued their threat to movie theaters.

Evidence in Sony hack attack suggests possible involvement by Iran, China or Russia, intel source says

Hackers May Have Planted Their 'Time Bomb' Inside Sony Months Ago
Trend Micro says that the particular type of software used to hack into Sony's network wasn't a specialist virus; instead, it was widely available on the black market and was modified to specifically target Sony.
The hackers have probably been working inside Sony's systems for months, Bloomberg says.
Masayoshi Someya, a security "evangelist" at Trend Micro, claims that hackers took the computer virus and changed it to include account names, passwords and security software found within Sony's network. That would suggest that the hackers had detailed knowledge of Sony's corporate computer network.
… Multiple messages have flashed up on Sony Pictures computers in recent weeks, meaning that employees are left using fax machines and handwritten notes to communicate because the hackers still have access to their computer system.
That's perhaps the scariest part, for Sony: As of a few days ago the hackers were still inside Sony's network, according to The New York Times.

A question for Computer Security managers everywhere...
Are you working for the next Sony Pictures? Here’s some things to check at work

Strange and pathetic too.
“this is not intended to be a list of the biggest breaches, and not all of them are supposed to be funny. Think of this as our curated list of the most interesting data security events of 2014 in the VCDB.”
Read their roundup here.

Tools & Techniques for my Ethical Hackers. Adding “portable Apps” is simple. Source code is available.
"USBdriveby" Emulates Mouse and Keyboard to Hijack Computers
Security researcher Samy Kamkar has taken a Teensy 3.1 USB-based microcontroller and fitted it with software that can emulate a mouse and a keyboard when connected to a computer. The gadget, dubbed USBdriveby, leverages the fact that many systems blindly trust USB devices connected to them.
Once it's plugged in to a machine, USBdriveby immediately starts performing mouse and keyboard actions, which allows it to carry out a wide range of tasks, such as opening a backdoor, disabling the firewall, and controlling traffic flow by changing DNS settings. After the device is disconnected, the attacker has full access to the targeted computer.
"When you normally plug in a mouse or keyboard into a machine, no authorization is required to begin using them," the researcher explained. "The devices can simply begin typing and clicking. We exploit this fact
These types of attacks are not new, and there is reason to believe that the NSA has already been using such devices in its operations.
Earlier this year, at the Black Hat security conference, researchers at Germany-based SRLabs demonstrated that a USB device's firmware can be reprogrammed for malicious purposes. They called the attack "BadUSB." The methods developed by SRLabs are more sophisticated than the ones used for USBdriveby, but the German researchers had not released the source code for their modified USB controller firmware.
In September, researchers Adam Caudill and Brandon Wilson released BadUSB source code after a presentation at the DerbyCon security conference. They argued that the code had to be made public so that people can learn how to protect themselves against such attacks.
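Added example (mine, not from the article and not Samy Kamkar's USBdriveby code): a defender-side check that scans Linux kernel log lines for USB HID devices as they enumerate and flags any keyboard that is not on a site allowlist, plus the tell-tale pattern of one physical device presenting as both keyboard and mouse. The log lines and vendor/product IDs are constructed; the allowlist is a placeholder.

```python
import re

# Constructed sample kernel log (not from the article). The device on port
# usb-0000:00:14.0-3 is a single USB device exposing both a keyboard and a
# mouse interface, which is how a HID-emulating gadget appears to the host.
SAMPLE_LOG = """\
Dec 19 09:12:01 host kernel: hid-generic 0003:1234:ABCD.0001: input,hidraw0: USB HID v1.10 Keyboard [Corp USB Keyboard] on usb-0000:00:14.0-1/input0
Dec 19 09:12:01 host kernel: hid-generic 0003:5678:0002.0002: input,hidraw1: USB HID v1.11 Mouse [Corp Optical Mouse] on usb-0000:00:14.0-2/input0
Dec 19 13:47:55 host kernel: usb 1-3: new full-speed USB device number 7 using xhci_hcd
Dec 19 13:47:55 host kernel: hid-generic 0003:FFFF:0001.0003: input,hidraw2: USB HID v1.11 Keyboard [Unknown Keyboard/Mouse] on usb-0000:00:14.0-3/input0
Dec 19 13:47:55 host kernel: hid-generic 0003:FFFF:0001.0004: input,hidraw3: USB HID v1.11 Mouse [Unknown Keyboard/Mouse] on usb-0000:00:14.0-3/input1
"""

# Matches the kernel's hid-generic probe line: bus:vendor:product, the HID
# type ("Keyboard", "Mouse", ...), the device name, and the USB port path.
HID_LINE = re.compile(
    r"hid-generic (?P<bus>[0-9A-F]{4}):(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
    r"\S+: USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+?)/input\d+"
)

# Placeholder allowlist of (vendor, product) IDs for issued keyboards (constructed).
ALLOWED_HID = {("1234", "ABCD")}

def parse_hid_devices(log_text):
    """Group hid-generic lines by physical USB port; each port may carry several HID interfaces."""
    devices = {}
    for line in log_text.splitlines():
        m = HID_LINE.search(line)
        if not m or m.group("bus") != "0003":  # 0003 is BUS_USB; ignore Bluetooth/I2C HID
            continue
        dev = devices.setdefault(m.group("port"), {
            "vid": m.group("vid"), "pid": m.group("pid"), "name": m.group("name"), "kinds": set()})
        dev["kinds"].add(m.group("kind"))
    return devices

def audit_hid_log(log_text, allowed=ALLOWED_HID):
    """Return (port, 'VID:PID', name, reasons) for every HID device worth a closer look."""
    findings = []
    for port, dev in parse_hid_devices(log_text).items():
        if (dev["vid"], dev["pid"]) in allowed:
            continue  # known-good hardware; nothing to report
        reasons = []
        if "Keyboard" in dev["kinds"]:
            reasons.append("keyboard interface from a device not on the allowlist")
        if {"Keyboard", "Mouse"} <= dev["kinds"]:
            reasons.append("one device presents both keyboard and mouse interfaces")
        if reasons:
            findings.append((port, f'{dev["vid"]}:{dev["pid"]}', dev["name"], reasons))
    return findings
```

A composite keyboard-plus-mouse device is a signal rather than proof (wireless receivers look the same), which is why the allowlist decides what is exempt; the same check can be wired to a udev or journald watcher to alert at plug-in time.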

Surveillance is becoming ubiquitous-er.
Top 5 Ways You Are Spied On Every Day And Don’t Know It
Many people are oblivious to the ways in which they are monitored nearly every day, in some aspect of their lives. It might be while conducting business at a store, getting money out of an ATM, or even just talking on their cellphone while walking down a city street.

I can't imagine why...
Andrej Sokolow reports:
…the steady spread of sensors means more data is being accumulated all the time. Everything from blood pressure, to the time of day one typically leaves one’s house to a person’s standard bedtime to how many times one rolls over in bed – it’s all potentially captured by this new, personal technology.
Some see the flood of information as a source of potential. Start-up Vivametrica plans to take anonymized data from fitness data and try to forecast cases of health problems like diabetes or heart disease.
Taking it even further, Sension – an app for Google Glass, the company’s networked spectacles – can track 76 points on the face of a person being viewed with the glasses and put together an analysis of the subject’s emotional well-being. The idea is that this could help workers in sales as they try to assess how customers feel. But how might the customers feel about such analysis?
Read more on Government Technology.

Not much new that I see...
OVERNIGHT TECH: Obama signs cyber bills
President Obama on Thursday signed five cybersecurity bills into law, after an unexpected spate of legislative activity on the issue.
The five bills won’t satisfy the strongest backers of tough cyber protections, but they should help many government officials beef up their networks and were cheered by supporters when they rushed through Congress in the final days of its 2014 session.
… The Cybersecurity Enhancement Act, for instance, allows the Commerce Department to write voluntary standards to protect critical infrastructure and tells the White House’s Office of Science and Technology Policy to develop a federal cyber research plan.
… The National Cybersecurity Protection Act establishes in law the department’s national cybersecurity center, while the Federal Information Security Modernization Act updates 12-year-old federal information security laws.
The Cybersecurity Workforce Assessment Act directs the DHS to build out a new strategy to recruit and hang onto the best and brightest workers in the field, and the Border Patrol Agent Pay Reform Act allows the department to exempt some cyber staffers from normal government hiring rules.
… GOP Rep.-elect Will Hurd (Texas), a former CIA officer, was picked Thursday to lead the new House Oversight subcommittee on Information Technology.
