Information Security News
by Sean Gallagher
Stop us if this sounds familiar: a company executive does something that makes a foreign government’s leadership upset. A few months later, hackers break into the company’s network through a persistent cyber attack, and plant malware that erases the contents of hard drives, shuts down e-mail servers and phone systems, and brings operations to a screeching halt.
That’s not just what happened to Sony Pictures Entertainment in late November—it’s also what happened to Las Vegas Sands Corp., owners of the Sands, Venetian and Palazzo hotels and casinos in a cyber attack that began last January. The attack and the damage it did were kept quiet by the company until it was reported in a story by Bloomberg Businessweek today.
Attempts to reach Las Vegas Sands Corp. have gone unanswered, and a spokesperson for Dell SecureWorks—which was brought in to clean up the mess afterward and determine its cause—declined to speak about the article as it is the company’s policy not to discuss work done for a customer. But according to Bloomberg’s sources, the Sands attack was undertaken by “hacktivists” who were responding to a speech by Sands majority owner Sheldon Adelson. The billionaire 52-percent owner of the Sands and Israeli media mogul made an October 2013 appearance on a panel at the Manhattan campus of Yeshiva University, where he called for a nuclear attack on Iran to get the country to abandon its own nuclear program.
The malware that thoroughly penetrated Sony Pictures Entertainment was so sophisticated it likely would have worked against nine out of 10 security defenses available to companies, a top FBI official told members of Congress.
The comments, made under oath Wednesday by Joseph Demarest, assistant director of the FBI's cyber division, are the latest to largely let Sony officials off the hook. Last month's rooting of servers operated by Sony's movie division is believed to have exposed more than 100 gigabytes of data, including not only unreleased movies but, more importantly, personal details on tens of thousands of employees. Speaking before the Senate Banking, Housing, and Urban Affairs Committee, Demarest's apologist comments closely resembled those reported earlier this week from the CEO of Mandiant, the security firm investigating the breach on behalf of Sony.
"The level of sophistication is extremely high and we can tell...that [the hackers] are organized and certainly persistent," Demarest said, according to IDG News. "In speaking with Sony and separately, the Mandiant security provider, the malware that was used would have slipped or probably gotten past 90% of Net defenses that are out there today in private industry and [likely] challenged even state government."
by Sean Gallagher
Those trying to download files and films from the recent Sony Pictures Entertainment leak are being widely frustrated thanks to a large number of Torrent filesharing nodes that advertise fake “seeds.” These files are offered via the Bittorrent file sharing protocol, and they match the signature of the stolen data while containing no usable content. Instead the bad seeds, which now may outnumber the computers actively sharing the actual files stolen from Sony, provide a download of corrupted or fake versions of the archive files for the vast majority of individuals attempting to access them.
According to a source at Sony that spoke with Re/Code, the company was using Amazon Web Services to run hundreds of virtual machines and distribute fake file versions to disrupt the Guardians of Peace (GoP) file dumps. That is supported by analysis from security firm Adallom, which tracks the signature of files on torrent streams and other sources in order to watch for data breaches from client companies.
Tal Klein, vice president of strategy at Adallom, told Ars that starting yesterday, “all of a sudden we saw files matching the SHA1 signatures of the Sony torrents starting to be populated across all the torrent sites.” He said that the files were intelligently designed to have the same signature as the GoP file torrents—unlike earlier opportunistic attempts by malware distributors who packaged malware using the same filenames used by the GoP file dumps.
Yesterday while reviewing our logs here at the SANS Internet Storm Center I stumbled upon these:
The reason this caught my eye is because I recall reading that GMail ignores periods in email addresses. For example, if I register [email protected] but then begin sending email to [email protected], it will arrive in my new inbox despite the additional periods.
Many blog and forum platforms have functionality for banning by email address. Spammers can use the periods in GMail addresses to subvert such banning controls by registering again without having to produce a truly new email address. Do your systems and/or websites allow for registering multiple accounts this way?
Where this becomes more interesting is that these logs indicate visitors that tried to log in using these email addresses without having even attempted to register them first. None of the above logs come from a single IP address, though the first two do come from a single IP range. Is this due to a poorly programmed bot, or is it indicative of something else?
Let us know what you think in the comments!
Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center
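The diary above asks whether your registration system lets one person sign up repeatedly by sprinkling periods into a Gmail address. The usual defence is to store and compare a canonical form of the address rather than the string the visitor typed. The following is an added example, not code from the ISC diary: it canonicalises addresses by stripping the dots Gmail ignores and, going one step beyond the diary, also drops the `+tag` suffix that Gmail routes to the same inbox and folds `googlemail.com` into `gmail.com`. The domain set, the sample sign-ups and the function names are all constructed for this illustration.

```python
from collections import defaultdict

# Domains that Gmail treats as the same mailbox (assumption for this example).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form of an e-mail address for duplicate detection.

    For Gmail addresses, periods in the local part are ignored and anything
    after '+' is a tag delivered to the same inbox, so both are removed.
    For every other domain only case is folded; RFC 5321 makes the local
    part case-sensitive in theory, but providers treat it as insensitive.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a valid address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_duplicate_registrations(addresses):
    """Group sign-ups by canonical address; return only groups with >1 member.

    Run this over an existing user table to find accounts that were
    registered as 'different' addresses but reach the same inbox.
    """
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_email(addr)].append(addr)
    return {canon: variants for canon, variants in groups.items() if len(variants) > 1}


# Constructed sample sign-ups (not taken from the ISC logs).
SAMPLE_REGISTRATIONS = [
    "j.doe@gmail.com",
    "jdoe@gmail.com",
    "J.D.O.E+forum@googlemail.com",
    "jdoe@example.org",
    "j.doe@example.org",   # a non-Gmail domain: dots are significant here
]

if __name__ == "__main__":
    for canon, variants in find_duplicate_registrations(SAMPLE_REGISTRATIONS).items():
        print(f"{canon} <- {variants}")
```

When applying this to a ban list, compare the canonical form on both sides: store the canonical address when a ban is issued and canonicalise the new registration before checking it, otherwise a single extra period still defeats the control. Keep the address as typed for actually sending mail.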
All aboard the internet of things infosec hype train
All that is obvious, because every infosec vendor is looking at the same "threat landscape", as we must call it these days. Every vendor's customers continue to make the same mistakes in the face of those threats, thanks to the universal constants of ...