The Sony hack can be traced back to how it all started, technically speaking, but you'll find the details scattered around the Net and few journalists connecting the dots in a meaningful way. Technologists like myself don't (yet) know the "Who Done It", but we (mostly) know the "How They Done It". I'll trace back from the knowns towards probable causes with as little technical jargon as humanly possible for a technical dissection. And the conclusion I reach is a very human one.
Test Positive: Wiper diseases
First off, there are tests for computer diseases much like there are for human diseases. On Dec 2nd, Reuters picked up a leaked Flash which said the FBI had analyzed the Sony hack. The FBI sends these Flash notices to technical teams within organizations and companies with its analysis of cybercrime, usually derived from actual malware samples. You can compare these Flashes to the health notices the CDC sends out to prevent outbreaks, with the difference that the FBI doesn't disclose its analysis to the public. (I think Flashes should be disclosed to secure a healthy computing society so I've no problem linking to the leak.) This Flash attributed the Sony hack to a well-known class of computer "diseases" called wipers. These Wiper diseases -- including Destover, Wiper and Shamoon -- quietly and quickly take control of your computer and can delete all of its data, according to the synopsis by Symantec (a cyber security specialist). A decent analogy to human disease would be an extremely fast-acting Parkinson's disease, because the user loses normal functioning of the computer and may eventually lose all of its memory. Earlier analysis of a Wiper disease by McAfee, another cyber security specialist, implies that these particular "diseases" let cybercriminals hold computer data hostage: if the victim doesn't comply with their demands, the criminals will either steal or erase valuable data. Some call this concept ransomware, though strictly speaking a wiper is not ransomware. Ransomware encrypts your files and offers to sell you the key; a wiper simply destroys them, so there is nothing to buy back, and only a backup kept off the network gets the data back. The Destover disease even lets the cybercriminal display messages on the ill-fated computer's screen, which could be like the threatening emails that Sony employees have received from the cybercriminals. Simply put, Sony's computers came down with a disease that enables the ransom and terror we are hearing about in the news.
Infection: Dropper Trojans
Next up: let's find out how Sony's computers caught this wiper disease. Similar to human infections, computers develop diseases after being compromised. Much like a cut in your skin that festers if left untreated, a "hole" somewhere in a computer's defences (a firewall, a piece of software, or a person) needs plugging; whether the Sony hack involved firewalls or not, there has to be a way in. One wiper "disease", Destover, was traced back to infection by a particular family of Trojans. Trojans are another variety of malicious software that, just as the name implies, masquerade as legitimate software. This family, often called Dropper Trojans, opens a way for a cybercriminal to remotely control the computer and "drop" further malware, such as a wiper, onto the victim's machine. Symantec specifically linked Destover to one such Dropper Trojan. Once one machine is infected, the cybercriminal can push the dropper from it to the other computers that trust it, at an alarming rate:
"The dropper was distributed to systems across the victim organizations, and within minutes of execution the [computer data] were wiped." -- Dissecting Operation Troy, McAfee.

From initial infection to full-blown disease takes a matter of minutes. Sony's computers were infected by such a Trojan (or several Trojans) that spread a Wiper disease quickly across its network and allowed cybercriminals to remotely steal Sony's data, including the scandalous emails that the news has picked up.
Communicability: Spear Phishing
Now that the infectiousness of the computer disease is identified, we come to the subject that causes panic in human health: communicability. For IT, the question becomes: why is my computer infected?! Dropper Trojans are not omnipotent; they usually can't break into a computer by themselves. Like all sleeping monsters, Trojans lie dormant in the wild until someone wakes them. When McAfee analyzed a Wiper disease spread by these Trojans, they found evidence that users had been duped into trusting the malware by a technique called "spear phishing". Spear phishing means what it sounds like: a cybercriminal went fishing and speared a user -- virtually speaking, of course. Unlike ordinary phishing, which is sprayed at anyone, this technique is aimed at specific people, in this case someone like a Sony IT person or a Sony exec, and seduces them into downloading malicious software or revealing secure, technical information. One of these targeted people almost always needs to click something that awakens the monster, just as Troy opened its gates to the Greeks' Trojan horse.
TrendMicro, another computer security specialist, researched trends in spear phishing and found that it relies on two things: 1) an email, and 2) a malicious attachment (or link) inside it. That paper is poignant about the human factor in enabling cybercriminals:
"Pre-infiltration reconnaissance is more generally associated with the human aspect. In this stage, attackers profile their human targets to gain initial entry to a target network. ... Social networking sites, corporate and academic publications, and organizations' sites allow miscreants to harvest relevant information on their targets for various social engineering schemes."

Essentially, cybercriminals spy on you through seemingly innocent sources, like your Facebook profile and your company's Contact webpage. They then send you an email that lands in your Inbox looking like an innocuous message from your company's IT department, or your bank, or even a friend! The Trojan is actually that email's attachment, or sits behind the link in that email. TrendMicro elaborates:
"In a spear-phishing attack, a target recipient is lured to either download a seemingly harmless file attachment or to click a link. ... We found that the most commonly used and shared file types in organizations (e.g., .XLS, .PDF, .DOC, .DOCX, and .HWP) accounted for 70% of the total number of spear-phishing email attachments."

Sony's own reaction points at email as the suspected culprit: after the hack the company stopped employees from opening their corporate Inboxes, a belated attempt at quarantining the outbreak. More than likely, a Sony employee opened an email that looked like every other message they had received, clicked on an attached Word doc, and went about their day at work -- while a Trojan infected their work laptop and the disease spread to the rest of Sony's network. Note the 70% figure above: the attachment types that carry these lures are exactly the ones people open all day, so "it looks like a normal document" is no reassurance at all.
UPDATE: after my original posting, Wired Magazine published a similar article that also suspects the Sony hack originated from phishing, and that also identified the Destover malware from a biopsy of sorts performed by an independent security analyst.
Vaccination?! Don't Know; Don't Open
Every day we open email, download documents, and go about our business without (knowingly) harming anything. Cybercriminals use that habitual human behavior against us. Just as in medicine, there is no magic pill, and there is no vaccination for spear phishing. Popular anti-virus software can act like a decent immune system, detecting these Trojans and stopping a computer disease before it spreads. The security companies I've cited here -- TrendMicro, McAfee, and Symantec -- sell anti-virus programs that detect the Dropper Trojans, but so does Microsoft's own free malware detector. Recall, however, that a Dropper Trojan's infection festers into a full-blown Wiper disease in a matter of minutes, so, unlike human disease progression, there can be no delay in the anti-virus response. And even though the current Wiper diseases only infect Windows computers, Mac and Linux users are not guaranteed immunity, nor are smartphones. Computer diseases mutate just like human ones. Anti-virus makers bring an invaluable resource to the table by constantly releasing antidotes (signature updates), but the myriad of mutations known in just the Dropper family of Trojans is disconcerting: a signature only catches a variant that has already been seen, so a freshly built dropper can walk past an up-to-date scanner. That is why anti-virus alone cannot be the answer.
The Sony hack is still an open case under investigation, and popular news is hyping up the "Who Done It?" part. The technological "How They Done It" story is far more empowering. Given the leaked FBI Flash and this preliminary dissection of Sony's hack, the first line of defense is in our hands -- literally the mouse in your hand. We prevent the computers we touch from being hacked through our own due diligence. Our care while using computers can make the cybercriminal's spear a blunt, impotent weapon when they go phishing for us. We stop hacks by guarding our online privacy and taking responsibility for the integrity of our technology: deleting unexpected emails, closing suspicious-looking websites, and never opening an attachment we weren't expecting. The motto "Don't know; don't open" is about as blunt as you can get.
We should be asking ourselves questions like, "Did John say he was going to send me a doc? Why is he using a different email address?! I'll chat him."
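Those questions can be turned into a mechanical first pass. The Python script below is an added example; it is not code from the original post or from any of the vendors cited in it. It applies the post's checks to a saved message (.eml): is the sender's address the one already known for that display name, is Reply-To quietly pointing somewhere else, is the attachment one of the document types Trend Micro found in the bulk of lures (or an executable dressed up as one), and does a link's visible text agree with where it really points. The two sample messages and the one-entry address book are constructed for the example, and `KNOWN_CONTACTS`, `triage` and `verdict` are names chosen here, not anything from the post.

```python
# Spear-phishing triage for a saved .eml (added example; samples below are constructed).
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Document types Trend Micro reported as ~70% of spear-phishing attachments,
# and executable/script types that should never arrive unannounced.
LURE_DOCS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".hwp", ".rtf"}
EXECUTABLE = {".exe", ".scr", ".js", ".jar", ".vbs"}
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf|hwp)\.(exe|scr|js|vbs)$")
# Hypothetical address book (an assumption): lower-cased display name -> address we trust.
KNOWN_CONTACTS = {"john smith": "john.smith@example.com"}

def _host(s):
    """Lower-cased hostname of a URL or bare domain string."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def triage(raw_eml, known=KNOWN_CONTACTS):
    """Return human-readable red flags for the message (empty list = none found)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    flags = []
    # 1. "Why is he using a different email address?!"
    name, addr = parseaddr(str(msg.get("From", "")))
    expected = known.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        flags.append(f"'{name}' is known as {expected} but this mail is from {addr}")
    # 2. Replies silently redirected to a mailbox the sender did not write from
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    # 3. Attachments: doc.exe double extensions, executables, then lure document types
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").strip()
        lower = fname.lower()
        ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
        if DOUBLE_EXT.search(lower):
            flags.append(f"attachment '{fname}' is an executable disguised as a document")
        elif ext in EXECUTABLE:
            flags.append(f"attachment '{fname}' is executable content ({ext})")
        elif ext in LURE_DOCS:
            flags.append(f"attachment '{fname}' is a document type commonly used as a lure")
    # 4. Links whose visible text names a different site than the real target
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>([^<]+)</a>',
                                     html.get_content(), re.I):
            looks_like_url = re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text.strip(), re.I)
            if looks_like_url and _host(text) != _host(href):
                flags.append(f"link text says {_host(text)} but points to {_host(href)}")
    return flags

def verdict(flags):
    """Collapse the flags into the post's rule: don't know, don't open."""
    if not flags:
        return "open"
    if any("executable" in f or "link text" in f or "known as" in f for f in flags):
        return "do not open; confirm with the sender out of band"
    return "verify before opening"

# Constructed sample: a lure that trips every check above.
LURE_EML = """\
From: John Smith <john.smith@example-mail.net>
Reply-To: payments@example-mail.net
To: you@example.com
Subject: The doc you asked for
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Attached, or grab it from <a href="http://login.example-mail.net/">https://intranet.example.com</a></p>
--b1
Content-Type: application/octet-stream; name="Q4_report.docx.exe"
Content-Disposition: attachment; filename="Q4_report.docx.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: an ordinary note from the address we already know.
CLEAN_EML = """\
From: John Smith <john.smith@example.com>
To: you@example.com
Subject: lunch?
Content-Type: text/plain; charset="utf-8"

Noon at the usual place?
"""

if __name__ == "__main__":
    print(verdict(triage(LURE_EML)), triage(LURE_EML), verdict(triage(CLEAN_EML)))
```

This is a triage aid, not a clean bill of health: a message that passes every check can still carry a booby-trapped document, which is the same limitation the post describes for anti-virus. "Confirm out of band" means the chat in the example above, never a reply to the email, because Reply-To is under the attacker's control.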