We already knew Sony Pictures Entertainment’s (SPE) hack was bad. We knew that the parent, Sony Group, had been exposed to cyber attacks of all kinds for years across its subsidiaries, and slow to effect real changes to prevent future attacks.
And we knew both Sony Group and SPE shot themselves in the feet, literally asking for trouble by way of bad decisions. Sony Electronics’ 2005 copy protection rootkit scandal and SPE’s utter disregard for geopolitics opened the businesses to risk.
But FORTUNE magazine’s expose about the hacking of SPE — of which only two of three parts have yet been published — reveals a floundering conglomerate unable to do anything but flail ineffectively.
It’s impossible to imagine any Fortune 500 corporation willing to tolerate working with 1990s technology for any length of time, let alone one which had no fail-over redundancies or backup strategies, no emergency business continuity plan to which they could revert in the event of a catastrophe. But FORTUNE reports SPE had been reduced to using fax machines to distribute information, in large part because many of its computers had been completely wiped by malware used in the attack.
Pause here and imagine what you would do (or perhaps, have done) if your computer was completely wiped, taking even the BIOS. What would you do to get back in business? You’ve given more thought about this continuity challenge than it appears most of SPE’s management invested prior to last November’s hack, based on reporting to date.
A mind-boggling part of FORTUNE’s expose is the U.S. government’s reaction to SPE’s hack. The graphic above offers the biggest guffaw, a quote by the FBI’s then-assistant director of its cyber division. Knowing what we know now about the Office of Personnel Management hack, the U.S. government is a less-than-credible expert on hacking prevention. While the U.S. government maintains North Korea was responsible, it’s hard to take them seriously when they’ve failed so egregiously to protect their own turf.
7:03 am – Popular Security Software Came Under Relentless NSA and GCHQ Attacks (The Intercept)
7:12 am – US and British Spies Targeted Antivirus Companies (WIRED)
9:48 am – Spies are cracking into antivirus software, Snowden files reveal (The Hill)
12:18 pm – GCHQ has legal immunity to reverse-engineer Kaspersky antivirus, crypto (Ars Technica-UK)
12:57 pm* – US, UK Intel agencies worked to subvert antivirus tools to aid hacking [Updated] (Ars Technica) (*unclear if this is original post time or time update posted)
~3:00 pm – NSA Has Reverse-Engineered Popular Consumer Anti-Virus Software In Order To Track Users (TechCrunch)
(post time is approximate as site only indicates rounded time since posting)
The question I don’t think anyone can answer yet is whether the hack of Kaspersky Lab using Duqu 2.0 was part of the effort by NSA or GCHQ, versus another nation-state. I would not be surprised if the cover over this operation was as thin as letting the blame fall on another entity. We’ve seen this tissue paper-thin cover before with Stuxnet.
For the general public, it’s important to note two things:
— Which firms were not targeted (that we know of);
— Understand the use of viruses and other malware that already threaten and damage civilian computing systems only creates a bigger future threat to civilian systems.
Once a repurposed and re-engineered exploit has been discovered, the changes to it are quickly shared, whether to those with good intentions or criminal intent. Simply put, criminals are benefiting from our tax dollars used to help develop their future attacks against us.
There’s a gross insufficiency of words to describe the level of shallow thinking and foresight employed in protecting our interests.
And unfortunately, the private sector cannot move fast enough to get out in front of this massive snowball of shite rolling towards it and us.
EDIT — 5:55 pm EDT —
And yes, I heard about the Polish airline LOT getting hit with a DDoS, grounding their flights. If the airline’s spokesman is correct and LOT has recent, state-of-the-art systems, this is only the first such attack.
But if I were to hear about electrical problems on airlines over the next 24-48 hours, I wouldn’t automatically attribute it to hacking. We’re experiencing effects of a large solar storm which may have caused/will cause problems over the last few hours for GPS, communications, electrical systems, especially in North America.
EDIT — 1:15 am EDT 23JUN2015 —
At 2:48 pm local time Christchurch, New Zealand’s radar system experienced a “fault” — whatever that means. The entire radar system for the country was down, grounding all commercial flights. The system was back up at 4:10 pm local time, but no explanation has yet been offered as to the cause of the outage. There were remarks in both social media and in news reports indicating this is not the first such outage; however, it’s not clear when the last fault was, or what the cause may have been at that time.
It’s worth pointing out the solar storm strengthened over the course of the last seven hours since the last edit to this post. Aurora had been seen before dawn in the southern hemisphere, and from northern Europe to the U.S. Tuesday evening into Wednesday morning. It’s possible the storm affected the radar system — but other causes like malware, hacking, equipment and human failure are also possibilities.
If you haven’t watched this Bloomberg-produced video yet, you should. The women directors interviewed are highly skilled and have been fighting Hollywood’s not-at-all-liberal misogyny for decades.
And yes, decades — nothing substantive has happened since 1983 when Reagan-appointee Judge Pamela Rymer ruled for two major studio defendants in the Directors Guild of America’s lawsuits against them for their discriminatory hiring practices. There was an uptick for about one decade after the suit; by 1995, roughly 16% of movies were directed by women.
But since then the numbers have fallen, and neither the DGA nor the federal Equal Employment Opportunity Commission (EEOC) has done anything about it.
We could cut some slack on the first decade, between 1995 and 2005, right? Congress was full of right-wing zealots chasing the president over a blowjob, and the president who followed him was hyper-focused on going to war, pushed by Dick Cheney’s hand up his backside. Their administrations drifted along with them, shaped by their leaders’ attentions.
But a second decade now — over thirty years in all since 1983 — and the EEOC gave the matter no attention at all? It’s not as if the film and television industries aren’t right under the noses of people charged with paying attention. Who can work in government and say they haven’t watched any television or film in thirty years? Hello, West Wing?
Or is that an answer in itself, that the film and television industries are merely acting with government sanction, that it is U.S. government policy to discriminate in entertainment media because it serves national interests?
But I need to get that shine back. My oldest is in a relationship with a sportsy guy, and I need to be able to talk with him without trying too hard and sounding like a total moron.
So, help a girl out. Auto racing. Baseball. Golf. That’s all that’s in my cable channel lineup right now, and I can’t muster enough excitement. Tell me what you think I should look for to get heated up about one of these, and is there something really juicy going on tomorrow?
— NHRA in Bristol, TN on ESPN right now looks much as it did over the past couple decades. Is there some big technological breakthrough that makes these races different now than they were pre-2000? Fill me in.
— Folks in my other social media were using lots of shouty caps about baseball and some guy named Scherzer. What happened? Which is/was the better game to watch: Detroit Tigers v New York Yankees, or LA Dodgers v SF Giants?
— And Tiger Woods has no game left they say, missing the cut at the U.S. Open. I did see this much in my timeline. I imagine poor Papa Earl is rolling in his grave, saying he was right that Tiger could only be stopped by a woman. I think it was the comprehensive use of the word, “woman,” as in all women. Tiger hasn’t really had it together for any length of time since his marriage fell apart. Besides the current golden boy McIlroy, who else should I watch at the U.S. Open?
Golf has a little more appeal for me this summer. I used to play until a handful of years ago, when it just wasn’t fun any more. I lost my game, too, couldn’t spend enough time on the course. But now my youngest has landed his first job as bag boy at the nearby club. When he comes home after his shift it’s a hoot to listen to him describe navigating his inaugural work experience, let alone hear all the goofy things that happened to him on the job.
Like today, his first Saturday morning opening the course — he sent me a text mid-shift that read, HOLY TIPS. Came home with a wad of bills in his pocket, yelling how much he loved old dudes who played golf.
Now for this I can get worked up.
This year continues to be a big one for women in film. Films featuring women as leads and/or directed by women made beaucoup at the box office. Mad Max: Fury Road, Pitch Perfect 2, Insurgent, and Fifty Shades of Grey are among the top ten films out of more than 284 released so far this year. Two of these films were directed by women; all four featured female leads. And two of these films put to lie once again the bullshit claim that ‘women can’t lead action films.’
The immense popularity of these movies — especially with women — demonstrates how much Hollywood underserves the female audience, in spite of repeated studies revealing how much women contribute to box office results. Women want women’s stories, told by women, and they’ve gotten them too rarely.
You’d think that Hollywood would actively court the single largest demographic by catering to its desires — but no. The film production pipeline remains solidly weighted toward men, still chasing the increasingly distracted 18-25 year-old male demographic.
It’s not as if women aren’t available as actors or directors. The Directors Guild of America (DGA) — the labor organization representing directors — counts among its ranks roughly 1200 female directors, reflecting the parity of female students who’ve been through film school or learned on the job in other production roles.
If a household name like Clooney doesn’t know more female directors, what exactly is it the DGA is doing for its female membership? It’s clearly not representing them within their own organization, let alone to studios and the public.
The ACLU’s May 12th letter to the federal Equal Employment Opportunity Commission (EEOC) spelled out DGA’s complicity with Hollywood’s exclusion of female directors, when it asked the EEOC to investigate discriminatory practices. DGA has denied the use of short lists, but apart from preparing regular reports on diversity in hiring, it’s not clear at all what the DGA does to further the hiring of women directors.
In news dump territory — 2:59 p.m. on a Friday afternoon following this last Memorial Day, to be exact — Reuters published an EXCLUSIVE story in which anonymous sources claimed the U.S. launched a cyber attack on North Korea using a modified version of Stuxnet.
This is hardly news. It’s rather a confirmation by an anonymous source, likely a government official, of the Stuxnet program’s wider aims. This was discussed here at emptywheel in 2013.
Far too much of North Korea’s nuclear energy development program looked like Iran’s for Stuxnet not to be a viable counter-proliferation tool if North Korea had succeeded with uranium enrichment.
And far too much information had been shared in tandem between North Korea, Iran, and Syria on nuclear energy and missile development (see image), for Stuxnet not to have a broader range of targets than Iran’s Natanz facility.
Let’s assume folks are savvy enough to know the Stuxnet program had more than Iran in its sights.
Why, dear “people familiar with the covert campaign,” was the confirmation to Reuters now — meaning, years after the likely attempt, and years after Stuxnet was discovered in the wild?
And how convenient this confession, five days before Kaspersky Lab revealed the existence of Duqu 2.0? Did someone “familiar with the covert campaign” believe the admission would be lost in Duqu-related news?
With the confession, though, begins a volley of exchanges:
It’s anybody’s guess what the next lob will look like, especially after NK’s foreign minister met with China for reasons believed connected to drought aid.
You can bet there will be some effort to exchange nuclear inspection access for trade and aid, as previously negotiated during Bill Clinton’s administration.
The use of stolen Foxconn digital certificates in Duqu 2.0 gnaws at me, but I can’t put my finger on what exactly disturbs me. As detailed as reporting has been, there’s not enough information about this malware’s creation. Nor is there enough detail about its targeting of Kaspersky Lab and the P5+1 talks with Iran.
Kaspersky Lab carefully managed the release of Duqu 2.0 news — from the information security firm’s initial post and an op-ed, through the first wave of media reports. There’s surely information withheld from the public, about which no other entities know besides Kaspersky Lab and the hackers.
Is it withheld information that nags, leaving vaporous voids in the story’s context? Possibly.
But there are other puzzle pieces floating around without a home, parts that fit into a multi-dimensional image. They may fit into this story if enough information emerges.
Putting aside how much Duqu 2.0 hurts trust in certificates, how did hackers steal any from Foxconn? Did the hackers break into Foxconn’s network? Did they intercept communications to/from Foxconn? Did they hack another certificate authority?
If they broke into Foxconn, did they use the same approach the NSA used to hack Syria — with success this time? You may recall the NSA tried to hack Syria’s communications in 2012, by inserting an exploit into a router. But in doing so, the NSA bricked the router. Because the device was DOA, the NSA could not undo its work and left evidence of hacking behind. The router’s crash took out Syria’s internet. Rapid recovery of service preoccupied the Syrians so much that they didn’t investigate the cause of the crash.
The NSA was ready to deny the operation, though, should the Syrians discover the hack:
…Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”
Did the NSA’s attempted hack of Syria in 2012 provide direction along with added incentive for Duqu 2.0? The failed Syria hack demonstrated evidence must disappear with loss of power should an attempt crash a device — but the malware must have adequate persistence in the targeted network. NSA’s readiness to blame Israel for the failed Syria hack may also have encouraged a fuck-you approach to hacking the P5+1 Iran talks.
Big Data. Industry players are relying on large sets of data collected across the field to make decisions. They’re not looking at daily price points alone in the market place, or at monthly and quarterly business performance. They’re evaluating comprehensive amounts of data over time, and some in real time as it is collected and distributed.
Which leads to an Aha! moment. The fastest entrant to market with the most complete and reliable data has a competitive advantage. But what if the fastest to market snatches others’ production data, faster than the data’s producer can use it when marketing their product?
One might ask who would hack fossil fuel companies’ data. The most obvious, logical answers are:
— anti-fossil fuel hackers cutting into production;
— retaliatory nation-state agents conducting cyber warfare;
— criminals looking for cash; and
— more benign script kiddies defacing property for fun.
But what if the hackers are none of the above? What if the hackers are other competitors (who by coincidence may be state-owned businesses) seeking information about the market ahead?
What would that look like? We’re talking really big money, impacting entire nation-state economies by breach-culled data. The kind of money that can buy governments’ silence and cooperation. Would it look as obvious as Nation A breaking the digital lock on Company B’s oil production? Or would it look far more subtle, far more deniable?
Kaspersky Lab reported this morning a next-generation version of Duqu malware infected the information security company’s network.
WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.
Ars Technica reported in depth on Kaspersky’s discovery of the malware and its attributes. What’s really remarkable in this iteration is its residence in memory. It only exists as a copy on a drive at the first point of infection in a network, and can be wiped remotely to destroy evidence of its occupation.
The infosec firm killed the malware in their networked devices by mimicking a power outage. They detached from their network suspect devices believed to contain an infecting copy.
Kaspersky’s Patient Zero was a non-technical employee in Asia. Duqu 2.0 wiped traces of its own insertion from the PC’s drive.
Neither WSJ nor Ars Technica noted Kaspersky’s network must have been subject to a program like TREASUREMAP.
…Because the rest of the data remained intact on the PC and its security patches were fully up to date, researchers suspect the employee received a highly targeted spear phishing e-mail that led to a website containing a zero-day exploit. … (bold mine – source: Ars Technica)
How was a single non-technical point of contact in Asia identified as a target for an infected email?
The leak of emails and intellectual property, including then-unreleased film The Interview, was labeled “a serious national security matter” by the White House. In January this year, President Obama issued an executive order increasing sanctions against North Korea, the purported origin of the hack on SPE’s network and computers.
Sony Pictures Entertainment (SPE) is a wholly-owned subsidiary of Sony Corporation, a Japanese multinational conglomerate. In offering retaliation on behalf of SPE, the White House placed SPE on par with critical U.S. infrastructure, though no one will be physically injured or die should SPE be hacked again, and the market won’t collapse if SPE loses money on all its movies this year.
If SPE, a foreign-owned, information security-challenged entertainment firm, is now entitled to military protection against cyberattack, what is it the White House and the U.S. will receive or has received in exchange?
What’s the exchange in this quid pro quo?
In 2013, STARZ network ordered the 16-episode adaptation of bestselling historical fiction novel, Outlander by author Diana Gabaldon, from production companies Tall Ship Productions, Story Mining & Supply Co., and Left Bank Productions, in association with Sony Pictures Television.
While STARZ was the U.S. distributor, offering the series on its own cable network, SPE’s TV arm appears to have handled overseas distribution to broadcast, cable, and video streaming services.
Outlander’s cross-genre narrative is set mainly in 1740s Scotland; the story is sympathetic to a Scottish protagonist and his time-traveling English wife who are caught between the British and Jacobites in the ramp up to the 1746 Battle at Culloden. The Scottish people and countryside are treated favorably in the series’ production.
The program debuted on STARZ in the U.S. on August 9 last year — a little less than six weeks before Scotland’s independence referendum (“IndyRef”). Outlander began airing in Canada and Australia in August also, and in October in Ireland after the IndyRef vote.
Distribution deals in other countries including Germany, Hungary, Japan, and the Netherlands led to wider release overseas last year.
But Outlander never received a distribution deal in 2014 in the UK, in spite of its many Scottish and British fans’ clamor and the source book’s status as a renewed bestseller in advance of the show’s U.S. debut. To date the series has only released on Amazon Prime Instant Video in the UK, for paid video-on-demand streaming — not on broadcast or cable.
At least one email leaked by hackers revealed that SPE personnel had a meeting or meetings with Cameron’s government. In an internal email from Keith E. Weaver, executive vice president, SPE executives were told,
“Your meeting with Prime Minister Cameron on Monday will likely focus on our overall investment in the U.K. – with special emphasis on the jobs created by Tommy Cooper [the ITV show], the importance of Outlander (i.e., particularly vis-a-vis the political issues in the U.K. as Scotland contemplates detachment this Fall), and the growth of our channels business…”
The implication is that SPE would suppress any effort to distribute Outlander to the benefit of Cameron’s anti-independence position, in exchange for “growth of our channels business…”
What exactly does this mean?
And is the pursuit of growth confined to SPE, or did “channels business” mean something else? Were Sony executives also looking for opportunities for Sony Corporation, which includes Sony Computer Entertainment, Sony Music Entertainment, Sony Mobile Communications (once known as Sony Ericsson), and Sony Financial?
Did SPE executives and the Prime Minister agree not to seek broadcast or cable distribution of Outlander in the UK before this month’s election?