Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending January 9, 2015. Covers enterprise, controversies, reports and more.
This week Microsoft put its advance security info behind a paywall, a Google engineer caught Gogo Inflight faking Google certs, super cookies showed that incognito mode is meaningless, Sony hack attribution infighting got weird, and more.
Gogo Inflight Wifi Service got caught intentionally issuing fake Google SSL certificates. Adrienne Porter Felt, an engineer on the Google Chrome security team, discovered while on a flight that she was being served SSL certificates issued by Gogo when she requested Google sites.
"Super cookies" can be used to place permanent trackers on people's PCs, tablets and smartphones. Researcher Sam Greenhalgh revealed, "Super cookies can be created by abusing the 'HTTP Strict Transport Security' (HSTS) security feature, which websites can use to tell browsers to enforce encryption, by using the HTTPS version of the site rather than the unprotected HTTP site." The super cookies aren't stopped by incognito mode -- nor by the private modes of Apple Safari, Mozilla Firefox and Opera (Microsoft's Internet Explorer is only protected because it doesn't support HSTS at all).
This week's Sony hack drama began when Sony CEO Kazuo Hirai, speaking Monday night at the Consumer Electronics Show in Las Vegas, asked, "How many of you went to see a great Sony movie this holiday?" "'Annie' is a fantastic movie, isn't it?" he quickly joked.
Hirai was referring to "The Interview", neatly sidestepping the fact that despite Sony and FBI claims that Sony was hacked specifically to prevent the showing of the film, Sony made it available across a number of online platforms and in roughly 580 independent movie theaters -- and absolutely nothing happened as a result.
Attribution this week became a sore spot for everyone -- everyone except Sony, anyway.
The FBI once again dug in with attribution to North Korea, with backup from the NSA and Mandiant, yet critics continued to ask pointed questions. The conversation became decidedly less adult with a little bit of passive aggressive name-calling from one of Mandiant's [apparently] more sensitive spokespeople.
FBI chief James Comey speaking at an event Wednesday said that hackers who targeted Sony's networks used proxy servers in an attempt to disguise their identity, but "several times they got sloppy."
Marc Rogers, voicing the questions of many security researchers, pointed out that the FBI director's additional information may have been intended to put questions to bed, but did exactly the opposite. Calling the complete statement "weak circumstantial evidence" Rogers, the Director of SecOps at DEF CON said, "Is the FBI really saying that they don't know what the vector was, or are they just being coy? If they genuinely don't know what the vector was, then I have even more concerns."
"In sophisticated attacks, finding the responsible party can be next to impossible," writes Accuvant's Jeff Horne in Diversionary Tactics 101. "In reality, any 'mistakes' or 'oversights' that clearly point toward a specific party are rarely done by accident; they are intentionally added to point response teams in the wrong direction."
After the FBI's head honcho told us how he feels, on Thursday National Security Agency Director Admiral Michael Rogers expressed support for pointing the finger at North Korea. The NSA was asked to examine the malware used in the Sony hack and played a supporting role in determining its origins, Rogers said.
Not surprisingly, Rogers also urged Congress to pass legislation that would encourage information sharing between private companies and the government on cyber threats -- which many fear may actually be where all this is headed.
The FBI has finally admitted that the NSA told them, and that the attribution is based on NSA SIGINT. So, that's basically that, then.
The Obama administration's extraordinary decision to point fingers at North Korea over the hacking of Sony Pictures Entertainment Inc. could lead to a courtroom spectacle in the event charges are ultimately filed against someone without ties to the isolated country, such as a disgruntled employee or an unrelated hacker.
Meanwhile, the pranks and hoaxes continued, fooling a few. Media unaccustomed to writing about infosec still struggled to understand even the very words they used, or, in some cases, came across as hacker groupies. Some published articles that did little to advance the conversation -- pitting the opinions of Mandiant and FBI believers against fans of infosec's North Korea attribution critics.