
After Comey's speech, critics still unconvinced by the FBI's Sony hack theories

Although FBI Director James Comey meant to clarify the agency's case against North Korea in the Sony hack this week, his comments did little to change the balance of a polarized, but largely skeptical, cybersecurity community.

Ben Margot/AP/FILE
FBI Director James Comey at a 2014 press conference in San Francisco.

Brian Honan still doesn't buy it.

Even after FBI Director James Comey spoke this week about the agency's evidence tying North Korea to the Sony hack, Mr. Honan, a security specialist, says the connections remain too weak.

At a cybersecurity conference at Fordham University on Wednesday, Mr. Comey announced the agency's newest piece of technical evidence: Internet protocol addresses. The hackers, he said, blundered while sending e-mails and failed to mask the true IP addresses that identify their devices on a network. Those addresses, he said, were "exclusively" used by North Korea.

But that wasn't exactly the smoking gun Honan and other skeptics in the security community needed to convince them that North Korea is the real culprit.

"IPs can be spoofed and computers at IPs can be compromised," says Honan, director of BH Consulting, an Irish security firm. "In my experience, no IPs are ever guaranteed to be 'exclusively' used by anybody."

Honan wonders why these IP addresses had not been released to researchers for independent review or, at a minimum, to allow network administrators at risk of an attack from North Korea to block that traffic.

"The last time the FBI said IP addresses they found were controlled by North Korea was when the initial statement said they were hardcoded into the malware. Experts agreed they were wrong," says Rob Graham of Errata Security, an Atlanta cybersecurity firm. "There is little reason to believe them this time."

He's referring to research conducted by Scot Terban, a security expert and popular blogger often known by his Twitter handle 'Krypt3ia,' and Sean Sullivan of F-Secure, a Helsinki-based provider of online security products.

According to Mr. Terban, the IPs pointed to an international list of widely used proxy servers and one compromised computer in New York.

While Mr. Sullivan is reserving his judgment on the e-mail IPs until his team can examine them, he still questions some of the vague points in Comey's talk this week.

"The FBI didn't say why they thought the e-mails were actually from the hackers," says Sullivan. "It could just be a separate group of North Koreans saying 'You guys suck.'"

According to Terban, Comey didn't produce enough evidence to back up his claims about the IP addresses. "If they have a log, produce the log. It's not like North Korea doesn't know."

Meanwhile, analysts who already agreed with the government's North Korean attribution continue to support the FBI's theory.

"I was always certain. I've seen what they've seen," says Dmitri Alperovitch, cofounder of CrowdStrike, a California security firm. Soon after the initial FBI report linking the Sony hack to North Korea, CrowdStrike announced it had been tracking the same North Korean hackers for many years.

Mr. Alperovitch says that the FBI's announcement this week was more about sending a message to enemy states that the US is capable of quickly attributing cyberattacks and less about convincing loud and dissenting voices in the security community.

"Establishing a precedent for response," says Alperovitch. "That's what they were thinking."
