Whodunit? The mechanics of attack attribution



DISCLAIMER


This talk contains general information about legal matters. The information is not advice, and should not be treated as such.

The legal information in this talk is provided “as is” without any representations or warranties, express or implied. Mark Nunnikhoven makes no representations or warranties in relation to the legal information in this talk.

Without prejudice to the generality of the foregoing paragraph, Mark Nunnikhoven does not warrant that: the legal information in this talk will be constantly available, or available at all; or the legal information in this talk is complete, true, accurate, up-to-date, or non-misleading.

You must not rely on the information in this talk as an alternative to legal advice from your attorney or other professional legal services provider.

If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider.

You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information in this talk.

Nothing in this legal disclaimer will limit any of our liabilities in any way that is not permitted under applicable law, or exclude any of our liabilities that may not be excluded under applicable law.


IANAL (I am not a lawyer)


Mark Nunnikhoven, Sr. Research Scientist, @marknca


Date Event

21-Nov Sony CEO Michael Lynton warned in anonymous email to “behave wisely”

24-Nov Story of a hack at Sony Pictures Entertainment leaks

25-Nov 5 unreleased movies show up online (Fury, Annie, Mr. Turner, Still Alice and To Write Love On Her Arms)

01-Dec PII published, FBI starts investigation

02-Dec Passwords, security certificates, marketing materials leaked online

04-Dec Passwords, security certificates, marketing materials leaked online

07-Dec Kevin Mandia email to Sony, “This attack is unprecedented in nature"

08-Dec More leaked data, first direct mention of…

11-Dec Gawker breaks story mentioning previous attack in February, 2014

13-Dec More leaked data, promise of more as a “Christmas present”

14-Dec Sony’s legal team threatens various media outlets

16-Dec Class action suit filed against Sony by former employees

16-Dec GoP issues threat to movie theatres & goers

17-Dec Sony cancels release after theatres raise concerns

18-Dec US officials “confirm” North Korean involvement

19-Dec FBI issues formal statement assigning attribution to North Korea


http://www.dailymail.co.uk/news/article-2880880/FBI-conclusively-links-North-Korea-Sony-hack.html


20-Dec North Korea denies involvement, offers “joint investigation”


http://www.theguardian.com/us-news/2014/dec/21/obama-us-north-korea-state-terror-list-sony-hack


21-Dec North Korea threatens “the White House, the Pentagon and the whole U.S. mainland"

22-Dec US government calls on North Korea to compensate Sony

22-Dec State Department says there is “no specific credible threat information that lends credence” to North Korea’s threat

22-Dec North Korea bows out of UN Security Council meeting on human rights record

23-Dec Sony recants and decides to release movie to theatres

24-Dec “The Interview” is released in digital channels. Earns $31 million by 06-Jan-2015


I, BARACK OBAMA, President of the United States of America, find that the provocative, destabilizing, and repressive actions and policies of the Government of North Korea, including its destructive, coercive cyber-related actions during November and December 2014…

*emphasis added


http://www.foxnews.com/politics/2015/01/07/fbi-director-reveals-new-evidence-linking-n-korea-to-sony-hack-answers-skeptics/


Relevant

Authentic

Hearsay

Acceptable as a copy

Is it?


Statement #1: “An IP known to be associated with North Korean activity”

Statement #2: “NSA activity verified the actions were taken by North Korea”


SECTION 31


Definitions

31. (1) In this section,

“corporation” « personne morale » means any bank, including the Bank of Canada and the Business Development Bank of Canada, any authorized foreign bank within the meaning of section 2 of the Bank Act and each of the following carrying on business in Canada, namely, every railway, express, telegraph and telephone company (except a street railway and tramway company), insurance company or society, trust company and loan company;

“government” « gouvernement » means the government of Canada or of any province and includes any department, commission, board or branch of any such government;

“photographic film” « pellicule photographique » includes any photographic plate, microphotographic film and photostatic negative.

Marginal note: When print admissible in evidence

(2) A print, whether enlarged or not, from any photographic film of

http://laws-lois.justice.gc.ca/eng/acts/c-5/


which, (a) contains computer programs or other data; and (b) pursuant to computer programs, performs logic and control, and may perform any other function.

“data” « données » means representations of information or of concepts, in any form.

“electronic document” « document électronique » means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.

“electronic documents system” « système d’archivage électronique » includes a computer system or other similar device by or in which data is recorded or stored and any procedures related to the recording or storage of electronic documents.

“secure electronic signature” « signature électronique sécurisée » means a secure electronic signature as defined in subsection 31(1) of the Personal Information Protection and Electronic Documents Act. 2000, c. 5, s. 56.

http://laws-lois.justice.gc.ca/eng/acts/c-5/


In plain-ish English:

You have to prove the evidence is authentic (31.1) and that it hasn’t been changed (31.2). You also have to show that the system that generated it was running “properly”, or at least that its operation didn’t affect the integrity of the evidence (31.3). Finally, the evidence must have been stored as part of ordinary operations and not at the request of the party introducing it.
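The integrity requirement above (the record hasn’t been changed, and the way it was stored is documented) is something a defender can prepare for before anyone asks. As an added illustration, not code from the talk, here is a small evidence-manifest routine: it hashes every collected artefact, records who collected it, when, from which host and with which tool, seals the manifest with its own digest, and can later re-verify both the artefacts and the manifest. Every path, host name and log line in it is constructed for the example.

```python
"""Added example (not part of the talk): a minimal evidence-integrity manifest.

At collection time, hash each artefact and record the collection context.
Later, re-hash everything and compare. A clean verification supports the
claim that the evidence is unchanged since collection; the collection
context supports the claim about how and on what system it was stored.
All sample artefacts, names and hosts below are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, host: str, tool: str) -> dict:
    """Record a digest for every artefact under evidence_dir plus the collection context."""
    items = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            items.append({
                "path": str(p.relative_to(evidence_dir)),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "source_host": host,
        "collection_tool": tool,
        "items": items,
    }
    # Seal the manifest body itself so later edits to the manifest are also detectable.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means manifest and artefacts still match."""
    problems = []
    recorded = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    body = json.dumps(recorded, sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != manifest["manifest_sha256"]:
        problems.append("manifest body was altered")
    seen = set()
    for item in manifest["items"]:
        seen.add(item["path"])
        p = evidence_dir / item["path"]
        if not p.is_file():
            problems.append(f"missing: {item['path']}")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"modified: {item['path']}")
    # Files that appeared after collection are flagged too; they were not part of the record.
    for p in sorted(evidence_dir.rglob("*")):
        rel = str(p.relative_to(evidence_dir))
        if p.is_file() and rel not in seen:
            problems.append(f"unexpected file not in manifest: {rel}")
    return problems


def demo() -> tuple:
    """Collect two constructed artefacts, verify, then show what tampering looks like."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d)
        # Constructed sample artefacts (198.51.100.0/24 is a documentation range).
        (ev / "auth.log").write_text(
            "Nov 24 03:12:07 host sshd[412]: Accepted password for svc from 198.51.100.7\n")
        (ev / "proxy.log").write_text(
            "2014-11-24T03:13:00Z GET http://example.test/ 200\n")
        manifest = build_manifest(ev, collector="analyst-1", host="host", tool="collect.py v0")
        clean = verify_manifest(ev, manifest)
        # Someone rewrites an artefact after collection: the digest no longer matches.
        (ev / "auth.log").write_text(
            "Nov 24 03:12:07 host sshd[412]: Failed password for svc from 198.51.100.7\n")
        tampered = verify_manifest(ev, manifest)
        # Someone also edits the manifest's context fields: the seal no longer matches.
        altered = dict(manifest)
        altered["collector"] = "someone-else"
        altered_result = verify_manifest(ev, altered)
        return clean, tampered, altered_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "altered manifest"), demo()):
        print(label, "->", result or "OK")
```

A manifest like this only covers the “hasn’t been changed” leg; the seal should itself be stored out of band (signed, or on write-once media) so that whoever can edit the artefacts cannot simply regenerate it.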


?


Year               2010  2011  2012  2013  2014
Jail Time (years)    40    26  19.8    38  31.5

Name Sentence (Rank)

Christopher Scott 7 years (#8)

Kenneth Lucas II 11 years (#5)

Christopher Chaney 10 years (#6)

Jeremy Hammond 10 years (#6)

David Ray Camez 20 years (#1)

Max Ray Vision|Butler 13 years (#4)

Nichole Michelle Merzi 5 years (#10)

Rasmuz Frisenholt 400 hours service (#30)

Adrian-Tiberiu Oprea 15 years (#3)

Nicholas Knight 90 days service (#29)

Albert Gonzalez 20 years (#1)

James Jeffery 2.5 years (#14)

Iulian Dolan 7 years (#8)

Gottfrid Svartholm 3.5 years (#12)

American Young Offender 6 year probation (#23)

Lewys Martin 2 years (#16)

Cameron Lacroix 4 years (#11)

Ryan Cleary 2 years, 8 months (#13)

Kitt Willians 1 year service (#26)

Sigurður Ingi Þórðarson 2 years (#16)

Ryan Ackroyd 2.5 years (#14)

Canadian Young Offender 18 months probation (#27)

Daniel Trenton Krueger 2 years (#16)

Jake Davis 2 years (#16)

Cody Kretsinger 1 year (#21)

Freya Newman 2 year probation (#24)

Mustafa Al-Bassam 20 months probation (#25)

Matthew Weaver 1 year (#21)

Christopher Weatherhead 1.5 years (#20)

Ashley Rhodes 7 months (#28)


[Chart: Notable Cybercrime Convictions (Global), 2010–2014; y-axis 0–40; series: Jail Time (Years), Convictions]


[Chart: Number of Cybercrime Attacks vs. Convictions (Global), 2010–2014; y-axis 0–30; series: Attacks (Billions), Convictions]

[Chart repeated: Number of Cybercrime Attacks vs. Convictions (Global), 2010–2014, with the distance between the two series labelled “Gap of hopelessness”]


Rough odds of being convicted of a cybercrime [2010–2014]: 1 in 2.7 billion

2

5942921875

= billions of attacks [9.2 + 12.3 + 16.4 + 21.9 + 29.2] / convictions [30] + billions of attacks


“CSI” DEPTH


by @misbehave


by @jdhancock


Actor Type: Random | Targeted | No hope


THANK YOU @marknca