FBI Officially Fingers North Korea As Source Of Sony Breach
At first, the Federal Bureau of Investigation (FBI) wasn’t
so certain that North Korea was the responsible party for the massive
cyberattack on Sony. Earlier this
month, FBI cyber division assistant director Joe Demarest simply stated, “There
is no attribution to North Korea at this point.”
Today, however, there is no doubt that North Korea was
behind the attack.
… The FBI released a
statement this afternoon concluding that it “now has enough information to
conclude that the North Korean government is responsible for these actions.”
… While Sony will
have to deal with the aftermath of the hack and the controversy surrounding its
decision to cancel the film in the days, weeks, and months to come, the FBI is
at least letting American corporations know that it has their backs should such
an incident occur in the future.
“The FBI stands ready to assist any U.S. company
that is the victim of a destructive cyber attack or breach of confidential
business information,” the FBI added. “Working
together, the FBI will identify, pursue, and impose costs and consequences on
individuals, groups, or nation states [A new role for the FBI? Bob] who use cyber means to
threaten the United States or U.S. interests.”
[The FBI statement: http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation ]
(Related) But we don’t
seem to stick to the FBI’s “official” version.
Probably no Chinese sanctions.
Sony hack: China may have
helped North Korea, US states
China may have helped North Korea carry out the hacking
attack on Sony Pictures, a US official has told Reuters.
The official, who spoke on condition of anonymity, said the
conclusion of the US investigation was to be announced later by federal
authorities.
The Chinese embassy in Washington later stated that China
does not support "cyber illegalities".
(Related) Perhaps we
should take them up on their offer, since we don't seem to know what we're
doing. Actually, it might be a great
opportunity to learn what they are capable of – but I doubt they'd actually do
it.
North Korea Seeks Joint
Investigation Into Sony Hack With U.S.
North Korea’s government said it had nothing to do with the
hacking of Sony Corp.’s computer systems and called on the U.S. to hold a joint
investigation into the incident.
North Korea can prove its innocence and warned of “grave
consequences” if the U.S. fails to take up its offer, the country’s foreign
ministry said in an e-mailed statement today cited by the state-run Korea
Central News Agency. “As the U.S. is
spreading groundless allegations and slandering us, we propose a joint investigation,”
the ministry said.
Just in case you thought we learned anything from Sony… Don’t release any information during peak
shopping season. Upgrade your security
after the hack (Add this expense to the cost of the hack, making it an “Extraordinary
Item” on the Annual Report?) DO NOT
mention the T J Hooper or any “duty to use technology to reduce risk.”
Staples hack exposes 1.2
million credit cards
After a two-month wait, Staples on Friday
evening announced hackers broke into its computers and stole data on 1.16
million shoppers' credit cards and debit cards.
Staples first announced it was investigating
a potential data breach in the Northeast in October. Staples released details
of its investigation on Friday, just as the holiday shopping season comes to a close.
The breach affects those who shopped at a small fraction of
Staples (SPLS)
stores nationwide between July 20 and Sept. 16 this year. Cybercriminals now know a shopper's name, card
number, its expiration date and card verification code.
The breach affected 115 of the company's approximately 1,400
office supply stores in the United States. A web page has been set up noting which stores were affected.
… Staples is also
offering free identity protection, identity theft insurance and a free credit
report.
That might be a good public relations move for the company,
but in reality, it's a useless gesture. It doesn't take the valuable stolen data out of
criminals' hands. Criminals
now know your name and bank, which is useful information when paired with other
personal data available on the black market.
Staples' apology is a familiar template for any company that
loses your data: "Staples is committed to protecting customer data and...
has taken steps to enhance the security of its point-of-sale systems, including
the use of new encryption tools."
It's unclear why Staples hadn't installed these
protections sooner, given that the Target hack in late 2013 was a
wake-up call for the retail industry.
Staples now joins the lengthy list of companies whose payment systems were attacked
by hackers in the past 12 months: Albertson's, Home Depot (HD), Michaels (MIK),
Neiman Marcus, P.F. Chang's, Target (TGT) and SuperValu (SVU).
For your Computer Security manager: This is (probably) what breached
Sony. Can you afford to ignore it? If you said “Yes,” pretend you are on the
witness stand and explain it to the jury.
Indicators of Compromise for
Malware Used by Sony Hackers
Just hours after the FBI and President Obama called out North Korea as
being responsible for the destructive cyber attack against Sony Pictures,
US-CERT issued an alert, describing
the primary malware used by the attackers, along with indicators of
compromise.
While
not mentioning Sony by name in its advisory, instead referring to the victim as
a “major entertainment company,” US-CERT said that the attackers used a Server
Message Block (SMB) Worm Tool to conduct the attacks.
According
to the advisory, the SMB Worm Tool is equipped with five components, including
a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive
Tool, and Destructive Target Cleaning Tool.
This also has ties to the Sony breach. Did the MPAA induce the Mississippi AG to
file this subpoena? (If not, why the
quick back-down?)
Google lawsuit forces
MPAA-backed attorney general to retreat
Remember that post Google put up this week that accused the
MPAA of trying to
resurrect the spirit of SOPA with the help of state prosecutors (that
included evidence based on some of Sony Pictures' leaked emails)? It just turned into a lawsuit -- and it's
already having an effect. The search
giant has updated the page to explain that it's asking federal
courts to dismiss a subpoena Attorney General Jim Hood sent to Google back in
October. That 72-page document asserted
that he believed that Google has violated the Mississippi Consumer Protection
Act, and had failed to take actions to prevent crimes committed by using its
services. Now that Google is suing, Hood
made a statement via the New
York Times, calling for a "time out" and saying he
will call the company to "negotiate a peaceful resolution of the issues
affecting consumers."
Perspective. Would
this apply to Big Brother too?
Because of HIPAA constraints, I can’t provide a lot of details,
but when a teenaged patient was in my office with a parent, the teen complained
that the parent had required the teen to download an app that enabled the
parent to track the teen.
“What do you think about parents tracking teens that way?”
my patient asked me in front of the parent.
“I think it’s an invasion of privacy,” I immediately
answered.
The teen’s parent was very unhappy with that
answer, but I stand by it. If you can’t trust your
teen to tell you the truth about where they’re going, then you have a problem
that a tracking app will not solve.
And if your justification is that you’re worried
about their safety, then is your anxiety their problem or your problem? I’ve often heard parents say, “Well, I
wouldn’t let them go out if I didn’t have the peace of mind from knowing that I
can tell where they are.” So wait: you would
keep your teen a prisoner in their home because you’re worried? Seriously? Unless your teen poses a threat to themselves
or others, do you really want to convey that you don’t trust them? Even though they’ll be moving out or going off
to college in a year or two? Will they
suddenly become responsible then? Will
the world suddenly become a safer place?
What are you teaching them now?
There are alternative ways to communicate with
your teen and to develop trust. Start
when they’re young and build a relationship with them whereby they know they
need to call you and let you know where they will be – and that they need to be
there or call you in advance if they are about to change their plans/location. My kids learned early on to be responsible
about letting me know where they’d be, and in turn, I almost never told them
that they couldn’t go somewhere. I got
peace of mind from our arrangement. What
they got was a sense of responsibility and the absence of guilt most of their friends
who lied to their parents had.
It really isn’t that difficult, folks. Don’t rely on privacy-invasive technology as
a substitute for good communication and parent/child relationships.
At least they didn’t call it “The Matrix.”
Orin Kerr writes:
Regular readers will recall the mosaic
theory of the Fourth Amendment introduced by the DC Circuit in United States v. Maynard, by which law
enforcement steps that aren’t searches in isolation can become searches when
aggregated over time. For the most part,
judges have been pretty skeptical of the mosaic theory. For example, in the recent oral argument in
the Fourth Circuit in United States v. Graham, on whether the
Fourth Amendment protects historical cell-site data, the mosaic arguments
didn’t gain a lot of traction for the defense.
In this post, however, I want to
focus on two recent federal district court decisions that cut against this
trend and adopted the mosaic theory.
Read more on WaPo Volokh Conspiracy.
“Papers, Citizen!
Without papers, you don’t exist in the eyes of your government.”
From EPIC.org:
Beginning in 2015, many federal
facilities will require
a “Real ID” for entry where identification is required. Several states have opted out of the Real ID Act, a federal
mandate to modify the design of state drivers licenses, raising questions about
the ability of people in those states to access federal buildings and board
commercial aircraft. EPIC, supported by a
broad coalition, opposed the Real ID regulations, arguing that many of the
required identification techniques, such as facial recognition and RFID tags,
compromise privacy and enable surveillance. EPIC, joined by technical experts and legal
scholars, also provided detailed
comments to the Department of Homeland Security about the program and later
issued a report: “REAL ID
Implementation Review: Few Benefits, Staggering Costs” (May 2008). For more information see: EPIC:
National ID and the Real ID Act.
I see business opportunities here.
Feds make path for Internet
television
… Specifically, the
rules would give companies operating over the Web or any other method of
communication the same rights to buy rights to TV programming that companies
such as Comcast and DirecTV currently enjoy.
I’ll use the first one with my students.
Strategic Humor: Cartoons
from the January-February 2015 Issue
Never fails to amuse me.
… According to an Inspector General audit of how it handles student loans, the Department of
Education lacks “a coordinated plan for preventing borrowers from defaulting.” [Imagine that
Bob]
… Oh look. LAUSD students can start to take their iPads home. I’m struck by this comment about the students
getting their devices home safely: “School Police Chief Jose Santome estimated
it would take 80 more officers to scale up the patrols to the district’s 800
campuses.”
… The Class of 2015 – the writers whose work will enter the public domain * next year. (* Except
in the US, where nothing will enter the public domain.)