Attribution is a blame game. It’s not about who did it, but who is best to blame. Ambulance chasing lawyers sue whoever has the most money, not who is most responsible. I point this out because while the U.S. “attributes” the Sony hack to North Korea, this doesn’t mean North Korea did the attack. Instead, it means that North Korea was involved enough to justify sanctions. It still leaves the question of “who did it” unresolved.
Showing posts with label Sony. Show all posts
Showing posts with label Sony. Show all posts
Tuesday, February 03, 2015
Monday, December 15, 2014
All malware defeats 90% of defenses
When the FBI speaks, you can tell they don't know anything about hacking. An example of this quote by Joseph Demarest, the assistant director of the FBI’s cyberdivision:
Update: Here is a previous post where I add a Metasploit exploit to a PDF containing a legal brief that gets past anti-virus.
"The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government”
He's trying to show how sophisticated, organized, and unprecedented the hackers were.
This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.
Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting "email this to your friends and see what they get". We then added some malware components to it. We then dropped the USB drives in the parking lot.
This gave us everything in the company as people passed the game around. The CEO and many high-level executives ran it on their machines. Sysadmins ran it. Once we got control of the central domain controller, we got access to everything: all files, all emails, ... everything.
The point I'm trying to make here is that we used relatively unsophisticated means to hack an extremely secure company. Crafting malware to get past their anti-virus defenses is trivially easy. Everything we did was easy.
The problem isn't that hackers are sophisticated but that company are insecure. Companies believe that anti-virus stops viruses when it doesn't, for example. The FBI perpetuates this myth, claiming Sony hackers were sophisticated, able to get around anti-virus, when the truth is that Sony relied too much on anti-virus, so even teenagers could get around it.
The FBI perpetuates these myths because they want power. If the problem is sophisticated hackers, then there is nothing you can do to stop them. You are then helpless to defend yourself, so you need the FBI to defend you. Conversely, if the problem is crappy defense, then you you can defend yourself by fixing your defenses.
Update: Here is a previous post where I add a Metasploit exploit to a PDF containing a legal brief that gets past anti-virus.
Subscribe to:
Posts (Atom)