
We reflect on the lessons learned from the Sony Hack & discuss some of the tools used to own their network.
Plus an overview of what makes up a filesystem, a rundown of the Bacula backup system & much more!
— Show Notes: —
Schneier: Lessons from the Sony Hack
- Bruce Schneier, a noted security researcher, discusses the things we can all learn from the Sony hack
- An attack like this can happen to anyone, but that doesn’t mean Sony didn’t make it easy for the attackers
- One of the first things to think about when looking at a hack is: Was this an opportunistic attack, or a targeted attack?
- “You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus — people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.”
- “High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered “zero-day” vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you’ve heard about in the past year or so.”
- “But even scarier are the high-skill, high-focus attacks — the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies”
- That is not to say that all high-skill, high-focus attacks are committed by governments; the attacker just needs to be highly motivated
- “This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet-security firm HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple’s iCloud and posted them. If you’ve heard the IT-security buzz phrase “advanced persistent threat,” this is it.”
- “The hackers who penetrated Home Depot’s networks didn’t seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do”
- “Low-focus attacks are easier to defend against: If Home Depot’s systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company’s security is superior to the attacker’s skills, not just to the security measures of other companies. Often, it isn’t. We’re much better at such relative security than we are at absolute security.”
- “We know people who do penetration testing for a living — real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker — and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable.”
- “For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”
- Additional Coverage
- Investigators believe a newly identified SMB (Server Message Block, mostly used in Windows file sharing and networking) worm was involved in the Sony hack
- “The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said”
- The worm had 5 major components: Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning
- US-CERT Advisory
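The advisory quoted above says the worm spreads by brute-forcing authentication across the network. As an added illustration of how a defender would spot that pattern in logon audit data (example code written for these notes, not anything from the US-CERT advisory or the page), here is a small sliding-window detector run over a constructed log. The log format, the 4624/4625 event IDs borrowed loosely from Windows logon auditing, the addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Sony or US-CERT data). One auth event per
# line, modelled loosely on Windows logon auditing: 4625 = failed logon,
# 4624 = successful logon; src is the client address, dst the file server.
SAMPLE_LOG = """\
2014-11-24T03:00:01 4625 src=10.0.5.23 dst=FS01 user=backup
2014-11-24T03:00:02 4625 src=10.0.5.23 dst=FS01 user=backup
2014-11-24T03:00:03 4625 src=10.0.5.23 dst=FS01 user=backup
2014-11-24T03:00:05 4625 src=10.0.5.23 dst=FS02 user=backup
2014-11-24T03:00:06 4625 src=10.0.5.23 dst=FS02 user=backup
2014-11-24T03:00:07 4625 src=10.0.5.23 dst=FS02 user=backup
2014-11-24T03:00:09 4625 src=10.0.5.23 dst=FS03 user=backup
2014-11-24T03:00:10 4625 src=10.0.5.23 dst=FS03 user=backup
2014-11-24T03:00:11 4625 src=10.0.5.23 dst=FS03 user=backup
2014-11-24T03:00:12 4624 src=10.0.5.23 dst=FS03 user=backup
2014-11-24T08:15:00 4625 src=10.0.7.4 dst=FS01 user=jsmith
2014-11-24T08:15:30 4624 src=10.0.7.4 dst=FS01 user=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "failed": m["event"] == "4625",
        "src": m["src"],
        "dst": m["dst"],
        "user": m["user"],
    }


def detect(lines, window=timedelta(seconds=60), min_failures=8, min_hosts=3,
           min_same_host=3):
    """Sliding-window detector for worm-style credential brute forcing.

    Two rules, both keyed on the source address (thresholds are assumptions):
      * lateral-bruteforce: >= min_failures failed logons spread over
        >= min_hosts distinct destination hosts inside `window` (one client
        hammering many servers, which is how a self-propagating worm behaves);
      * bruteforce-success: a successful logon to a host that the same
        source failed against >= min_same_host times inside `window`.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst, failed)
    already = set()               # sources already reported for lateral spraying
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # expire events outside the window
            q.popleft()
        failures = [e for e in q if e[2]]
        if not ev["failed"]:
            same_host = sum(1 for _, dst, _ in failures if dst == ev["dst"])
            if same_host >= min_same_host:
                alerts.append(("bruteforce-success", ev["src"], ev["dst"], ev["ts"]))
        q.append((ev["ts"], ev["dst"], ev["failed"]))
        if ev["failed"]:
            failures.append(q[-1])
            hosts = {dst for _, dst, _ in failures}
            if (len(failures) >= min_failures and len(hosts) >= min_hosts
                    and ev["src"] not in already):
                already.add(ev["src"])
                alerts.append(("lateral-bruteforce", ev["src"], sorted(hosts), ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, target, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind}: {src} -> {target}")
```

The single failed-then-successful logon from 10.0.7.4 stays below both thresholds, which is the point of the per-source window: a user mistyping a password once looks nothing like one machine cycling credentials across three file servers in ten seconds.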
Norse identifies 6 individuals they believe were behind the Sony hack, including ex-employees
- Norse, an attack intelligence company, has used its research facilities to investigate the Sony hack, and made some unsurprising conclusions
- “HR files leaked in the hack provided the motive part: a massive restructuring in Spring, 2014, in which many longtime SPE employees were laid off. After researching the online footprint of a list of all the individuals who were fired and had the means to be able to access sensitive data on Sony’s network, Norse said it identified a handful who expressed anger in social media posts following their firing. They included one former employee — a 10-year SPE veteran who he described as having a “very technical background.” Researchers from the company followed that individual online, noting participation in IRC (Internet Relay Chat) forums where they observed communications with other individuals affiliated with underground hacking and hacktivist groups in Europe and Asia. According to Stammberger, the Norse investigation was eventually able to connect an individual directly involved in conversations with the Sony employee with a server on which the earliest known version of the malware used in the attack was compiled, in July, 2014”
- Norse Blog: The nature of Cyber Security and Strategies for Unprecedented attacks
- Video: Norse on MSNBC
- Video: Norse on CBS – is the FBI wrong about North Korea
- Video: Norse on CNN – Former Sony employee implicated in attacks
- Video: Norse on CNN – Norse answers questions about Sony Hack
- Norse Blog – Where do we die first? Find your businesses weakness
- Norse Blog – Breach detection is at least as important as perimeter security
- Additional Coverage
- Do not accept the myth that the attacker is always ahead
- No, North Korea Didn’t Hack Sony – The Daily Beast
Twitter date bug confuses many client applications.
- Many Twitter clients, including the popular client TweetDeck, showed tweets during the last week of the year as being from a year ago
- Many users then found that, even with the official app, they were not able to log in anymore
- Turns out the problem was that Twitter’s servers had been sending the incorrect date for all HTTP responses from the API
- The wrong date format directive was used: strftime(3) defines two different ways to express the year
- The most common one: %Y – is replaced by the year with century as a decimal number
- It seems that a programmer at Twitter chose the first one in the man page that mentioned the year:
- %G – is replaced by a year as a decimal number with century. This year is the one that contains the greater part of the week (Monday as the first day of the week).
- This went undetected because %G returns the correct year on every day except those in the last week of the year, when that week falls more within the new year than within the current year
- So December 30th 2014 was reported as December 30th 2015, a year in the future
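To make the %Y versus %G difference concrete, here is an added example (written for these notes, not Twitter's code or anything from the original page) that formats dates with each directive, lists every day of a year on which they disagree, and builds an HTTP-style Date header both ways. Python's datetime.strftime() hands %G to the platform C library's strftime(3), and date.isocalendar() serves as an independent reference for the ISO week-based year; the noon timestamp in the header is a constructed value.

```python
from datetime import date, datetime, timedelta


def year_via(directive, year, month, day):
    """Format a date with one strftime year directive ('%Y' or '%G') and
    return the result as an int. %G is passed through to the C library's
    strftime(3), so this reproduces what a server-side formatter would emit."""
    return int(datetime(year, month, day).strftime(directive))


def iso_week_year(year, month, day):
    """Pure-Python reference for what %G means: the ISO 8601 week-based year,
    i.e. the year that owns the Monday-to-Sunday week containing the date
    (a week belongs to whichever year holds the majority of its days)."""
    return date(year, month, day).isocalendar()[0]


def mismatch_days(year):
    """Every calendar day of `year` (as ISO strings) on which %G would
    disagree with %Y. These only ever fall in the first or last few days."""
    d = date(year, 1, 1)
    days = []
    while d.year == year:
        if d.isocalendar()[0] != d.year:
            days.append(d.isoformat())
        d += timedelta(days=1)
    return days


def http_date(year, month, day, year_directive="%Y"):
    """RFC 1123 style Date header as an HTTP server would send it (fixed
    constructed time of 12:00:00); the year directive is pluggable so the
    buggy '%G' output can be compared against the correct '%Y' output."""
    dt = datetime(year, month, day, 12, 0, 0)
    return dt.strftime("%a, %d %b " + year_directive + " %H:%M:%S GMT")


if __name__ == "__main__":
    for y, m, d in ((2014, 12, 28), (2014, 12, 30), (2016, 1, 1)):
        print(date(y, m, d), "%Y ->", year_via("%Y", y, m, d),
              " %G ->", year_via("%G", y, m, d))
    print("Buggy Date header:  ", http_date(2014, 12, 30, "%G"))
    print("Correct Date header:", http_date(2014, 12, 30))
    for y in (2014, 2015, 2016):
        print(y, "days where %G != %Y:", mismatch_days(y))
```

Running it shows why the bug hid for so long: in 2015 the two directives agree on every single day, while in 2014 they diverge only on December 29th to 31st (where %G jumps a year ahead), and in 2016 only on January 1st to 3rd (where %G lags a year behind). A test suite that never exercises those handful of days passes all year.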
FreeNAS – up and running!
Feedback:
- Re: FW Question
UK ISPs using malware-spreading techniques to enforce censorship
- Bacula – Installing on Ubuntu – YouTube
Round Up:
- FBI says search warrants not needed to use “stingrays” in public places
- OpenSSL 1.0.1k, 1.0.0p, and 0.9.8zd released, fixing bugs known since October.
- The OpenSSL dtls1_buffer_record flaw was fixed in OpenBSD’s LibreSSL in May 2014
- Android Lollipop is out, but almost no one is using it
- Don’t envy the offense – defenders can be smart too
- Execute arbitrary commands on Asus routers via UDP CVE-2014-10000
- Is it APT if you can buy it off the shelf? New attack uses expensive but easily obtainable pentesting software in attack. May result in analysts incorrectly attributing the attack to nation states or other highly capable attackers
- A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever
- When Security goes right – Should more companies have a Security Officer, and an easy way for researchers to contact them?
- Comcast lobbyists hand out VIP cards that bypass the hold queue when contacting Comcast support
- Critical flaws in NTPd could allow code execution
- NTP Flaw marks first time Apple uses automated OS X update, forcing the update on all customers
- Staples (Office Superstore) breach affects over 100 stores and up to 1.16 million credit cards. Breach was originally detected in October
- Samsung announces production of 20nm LPDDR4 – faster than Desktop DDR4 and uses half the energy of LPDDR3 – much longer battery life in mobile devices is expected