This week a critical GitHub vuln was found, ICANN was hacked, International Business Times was hacked by the SEA, Microsoft's update blunders continued, a new Boleto malware family was discovered, the Sony drama reached the heights of hysteria, and more. Updated with FBI announcement on the Sony hack attribution, and reactions.
If you use #Git on Windows or OS X, patch your client NOW! Critical code execution vulnerability. http://t.co/Kdzu3sUFbB
-- Sven Slootweg (@joepie91) December 18, 2014
Accidentally reversed parts of the latest @SnapChat iOS tonight with @dtsbourg. Snaps are still "encrypted" with hardcoded string in binary.
-- Frederic Jacobs (@FredericJacobs) December 16, 2014
It was also really easy to determine that @michaelduong is building the App Store releases of @Snapchat iOS. Hackers know who to target.
-- Frederic Jacobs (@FredericJacobs) December 17, 2014
Snapchat loads pinned certificates ( https://t.co/ZCTtMVFgSo) but doesn't seem to validate them. I could MITM. #fail pic.twitter.com/uFLXDHdQOw
-- Frederic Jacobs (@FredericJacobs) December 17, 2014
The week began with Sony threatening news outlets and bloggers, demanding that they destroy any leaked Sony documents and not publish any docs, accompanied by a misinformed op-ed by Aaron Sorkin, best described as mansplaining the hack. Both aggressions caused reporters and news outlets to double down on the story. Sony also sent its teams in to remove users and threads on Reddit about the leaked trove, resulting in a faster takedown than with the leaked celebrity nudes (angering the Reddit community), causing some to wonder if Sony's so-called 'Diamond Lane' for fast takedown access, also discovered in the leaks, had come to pass.
#PT Archived: https://t.co/Qj6oPrb20r Expect "Diamond Lane" Del. @Jaliotea @Cyber_War_News @MichaelKelleyBI @tomgara pic.twitter.com/VTKQ3EF0Es
-- Mr. Green (@Mario_Greenly) December 16, 2014
Also Monday, Sony sent out letters to employees outlining the full scope of data that was compromised by attackers shortly before the Thanksgiving holiday, including medical records -- weeks after the hack was first reported. By Thursday no fewer than three lawsuits had been filed against Sony by current and former employees, and many expect this is just the beginning.
Reporters continue to go through the leaks, and it's no wonder Sony doesn't want anyone to report on what they're finding. Emails revealed more racism, but worse. Thursday Techdirt caught "The MPAA's Secret Plan To Reinterpret The DMCA Into A Vast Censorship Machine That Breaks The Core Workings Of The Internet" with DNS blocking. Further Sony emails revealed collusion between the MPAA and US Attorneys General to target Google and essentially revive SOPA in a campaign called "Project Goliath." Google's legal team struck back with a very angry post Thursday night.
Meanwhile, press played a bizarre he-said, she-said game of fingering North Korea as the perpetrator, which came to a climax when a Pastebin allegedly by Guardians of Peace suggested a terrorist attack on movie theaters if Sony's no-one-heard-of-it-until-now, previously doomed to flop film about killing North Korea's Great Leader wasn't pulled.
The paste was so different from the rest of the hacker group's communication in every way that it caused many following and reporting on the story to question its veracity, or to discuss the possibility of its being a false flag.
@Cyber_War_News Anyone else think that Sony probably made the terrorist threats to give themselves a way out without seeming to submit?
-- Digital Prisoner (@ndroidFTW) December 18, 2014
Sony pulled the film from theaters, getting more attention for the film than anything, and causing the majority of people who weren't following the nuances of the situation to declare the 'terrorist hackers' had won -- while the greater security communities watched in disbelief wondering if everyone had lost their minds. Spoiler alert: they had.
The threat became a convenient foil for Sony's worsening headlines, and has been re-reported to extremes, fanning flames of terrorist attack hysteria from Hollywood to Fox News, to the US Government. As media attention shifted to the alleged threat, the White House decided that the Sony hack was now a 'serious national security matter'. Despite the lack of credible evidence that North Korea is behind the attack, and the FBI saying there's nothing linking North Korea to the Sony hack, many now believe it to be true, helped along by outlets like the Washington Post stating "intelligence officials" believe with "99% certainty" it's gotta be North Korea.
The whole thing turned into even more of a three-ring circus Wednesday when the New York Times and other outlets announced that an 'unnamed source' at the White House said it was North Korea, followed by a named source from the White House Thursday morning saying the White House refused to confirm North Korea as the culprit.
By Thursday, the number of respected infosec professionals, researchers, hackers and professional security researchers calling the North Korea theory out as BS was truly a news story unto itself. Sony's poor reaction to everything about this attack isn't escaping seasoned infosec industry members. One called it "beyond the realm of the stupid."
While everyone was distracted, more Sony email communication leaks surfaced showing that Sony's North Korea film was made in communication with and received the 'blessing' of the US State Department.
One thing is for sure: The evidence had better be credible and believable, because there are a lot of expert eyes on this. In my opinion, the 'who' isn't the most interesting unanswered question. It's the 'how' -- just how did they exfiltrate that gigantic dump? And of course, the 'why' of it: what aren't we seeing? And I really hope someone writes up an opsec think-piece about all this, because the operational security practices of these attackers are already seeming like the stuff of legends.
Damn, the Feeb's evidence for DPRK involvement is total weak sauce. Nothing new at all. :-( http://t.co/ruFrFifLDB
-- the grugq (@thegrugq) December 19, 2014
Update: The US FBI has officially announced that it believes North Korea to be responsible for the attack on Sony Pictures Entertainment. The FBI has not provided evidence to satisfy infosec critics, and simultaneously the Department of Homeland Security has declared what amounts to a war on hackers.
Important reactions to this development:
FBI's #Sony statement sure to leave many #infosec ppl wondering how/why it came to #NorthKorea conclusion so quickly: http://t.co/N0hTgXilra
-- Sara Sorcher (@SaraSorcher) December 19, 2014