Update on the Sony hack-attack

As I said in a previous post, it certainly appears that Sony is in the midst of a serious IT problem.  Sony has been extremely quiet except to say that they have a “system disruption” that they are “working diligently to repair”.

The important question to ask is “If this happened to our company, how would we deal with it?”.  These ransomware attacks are fairly common and, unfortunately, the only real way to know that you have removed the attacker’s access is to rebuild your entire network from scratch – which may be what Sony is doing.  What this means is having TESTED backups, backup copies of configuration data (preferably offline), and a staff that has actually performed the rebuild process before the crisis.  You may also need additional hardware as the cops may still be messing with your hardware.  You also need to understand how long the rebuild will take.  All this should be part of your disaster recovery plan.
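One concrete piece of the "TESTED backups" advice is proving, before the crisis, that a backup of your configuration data can actually be restored and that what comes back matches what went in. The script below is an added example written for this post, not Sony's process or anything from the original article: it builds a small tarball from a constructed set of sample config files, writes a manifest of SHA-256 digests that you would keep offline, restores the archive into a scratch directory, and compares every restored file against the manifest. The demo also shows that a corrupted archive and a manifest that disagrees with the restored content are both detected. File names and contents are constructed for the demo.

```python
import hashlib
import json
import os
import tarfile
import tempfile

# Constructed sample "configuration data" standing in for a real config tree (demo input only).
SAMPLE_FILES = {
    "etc/firewall.rules": "allow 10.0.0.0/8 -> 10.1.0.5:443\ndeny any\n",
    "etc/switch01.cfg": "hostname switch01\nvlan 10 name users\n",
    "etc/dns/zones.db": "example.test. IN A 10.1.0.5\n",
}


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_tree(root):
    """Materialise SAMPLE_FILES under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)


def create_backup(src_root, archive_path, manifest_path):
    """Tar up src_root and write a JSON manifest of per-file digests plus the archive digest.
    The manifest is the piece you keep offline; it lets a later restore prove the archive is intact."""
    manifest = {"files": {}}
    with tarfile.open(archive_path, "w:gz") as tar:
        for dirpath, _, filenames in os.walk(src_root):
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, src_root)
                manifest["files"][rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    manifest["archive"] = sha256_file(archive_path)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(archive_path, manifest_path):
    """Restore the archive into a scratch directory and check every file against the manifest.
    Returns (ok, problems); ok is True only when the archive digest, every expected file and its
    content all match and nothing unexpected came out of the archive."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    if sha256_file(archive_path) != manifest["archive"]:
        return False, ["archive digest mismatch"]
    problems, restored = [], set()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            for m in tar.getmembers():
                # Refuse entries that would write outside the scratch directory.
                if os.path.isabs(m.name) or ".." in m.name.split("/"):
                    return False, ["unsafe path in archive: " + m.name]
                if not m.isfile():
                    continue
                dest = os.path.join(scratch, m.name)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tar.extractfile(m) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
                restored.add(m.name)
                if m.name not in manifest["files"]:
                    problems.append(f"{m.name}: not in manifest")
                elif sha256_file(dest) != manifest["files"][m.name]:
                    problems.append(f"{m.name}: digest mismatch")
    for rel in manifest["files"]:
        if rel not in restored:
            problems.append(f"{rel}: missing after restore")
    return (not problems), problems


def run_demo():
    """Back up the sample tree, show a clean restore passes, then show two failure modes are caught."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "config")
        archive = os.path.join(work, "config.tar.gz")
        manifest = os.path.join(work, "config.manifest.json")
        write_sample_tree(src)
        create_backup(src, archive, manifest)
        results["clean"] = verify_restore(archive, manifest)
        # A manifest whose digest for switch01.cfg is wrong: the per-file check must fire.
        with open(manifest) as f:
            m = json.load(f)
        m["files"]["etc/switch01.cfg"] = "0" * 64
        bad_manifest = os.path.join(work, "bad.manifest.json")
        with open(bad_manifest, "w") as f:
            json.dump(m, f)
        results["wrong_manifest"] = verify_restore(archive, bad_manifest)
        # Flip one byte of the archive: the archive digest check fires before anything is extracted.
        with open(archive, "r+b") as f:
            f.seek(10)
            b = f.read(1)
            f.seek(10)
            f.write(bytes([b[0] ^ 0xFF]))
        results["corrupt_archive"] = verify_restore(archive, manifest)
    return results


if __name__ == "__main__":
    for name, (ok, problems) in run_demo().items():
        print(name, "PASS" if ok else "FAIL", problems)
```

The point of the exercise is the restore, not the backup: a backup job that runs every night but has never been restored tells you nothing about whether you can rebuild. Run the restore test on a schedule, keep the manifest somewhere the attacker who wipes your file servers cannot reach, and time how long a full restore takes so the recovery estimate in your plan is a measurement rather than a guess.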

Business continuity insurance likely would help pay for the costs if you have that and if it covers cyber disruptions (it may not – you may have to purchase cyber liability insurance to get cyber business continuity coverage), but checking on all of this in advance would be smart.

In terms of getting the data back that the attackers took, that probably is impossible.

The reason Sony shut off their internet connections world wide and forced people to use pencil and paper when this first happened a week ago is that, assuming this was not an inside job and the attackers don’t have co-conspirators inside the company, this is the only way to stop the attackers from doing more damage.

Unfortunately for Sony, employees have resorted to using their personal smart phones and Gmail, with the attendant security issues that represents.  The likelihood of getting that genie back in the bottle varies from slim to none.

For a publicly traded company like Sony, they will have to disclose the cost of this – between lost intellectual property, lost productivity, outside consultants and staff time to restore or rebuild what they need to do, the cost is likely in the tens of millions of dollars.  Not to mention, on top of those costs are litigation costs (certainly there will be lawsuits) and judgements.

It is not clear if the attackers told them to keep their mouths shut or whether they foolishly think they can keep the bad news under wraps by stonewalling the media.  If it is the latter, it is not working.

The group, calling itself the #GOP (not sure if that play on words is intentional), is reported to have obtained ‘corporate secrets’ and would leak them if their demands were not met.  It is being reported by some outlets that among the property lost were digital copies of celebrity passports such as Angelina Jolie’s.  Some outlets are saying that the attack is using a common form of ransomware, where the contents of file systems are encrypted with the GOP, in this case, hanging on to the decryption keys until their demands are met.

Variety, the trade rag for the movie industry, reported that five Sony movies have been leaked.  Four of these movies have not even been released yet.  The titles that were leaked were Fury, Annie, Still Alice, Mr. Turner and To Write Love On Her Arms.  Fury was downloaded by 888,000 unique IP addresses.  These movies were DVD quality reviewer copies and were watermarked, but my guess is that the hackers do not care.  It is not clear if these purloined movies are part of the corporate secrets that would be leaked.  Certainly, leaking DVD quality copies of new movies that have not even been released could hurt sales.

According to the New York Post, staffers at Sony are being forced to use pen and paper to complete their work assignments.  The Post is also reporting that Sony is investigating whether North Korea is behind the attack since they are supposedly upset about Sony’s upcoming movie “The Interview”.  The New York Times is reporting that Sony’s information technology experts told an in-house conference call they were “making inroads” against the attack and expected to be back online by Monday.  What, exactly, that means is totally unclear.

The Register.uk is reporting that bosses have told their teams that it may take three weeks to recover from the attack.  The Register displayed this picture in one of their reports:


All in all, this is another black eye for Sony, which has had more than its share of hacks, a serious distraction for employees, a field day for the media, millions of dollars in costs, likely lawsuits and probably more policies and procedures for employees to follow.



Cyber Security Weaknesses Would Reduce The Sales Price Of An Acquisition

An article last week in the Pittsburgh Post-Gazette written by the law firm of Meyer, Unkovic & Scott LLP stated what I would think is obvious, but apparently not.

78 percent of global dealmakers report that cybersecurity isn’t a part of the due diligence process before mergers and acquisitions.

And why, you ask, is that so?  The answer also seems obvious to me —

90 percent of survey respondents reported that information about past breaches or cybersecurity weaknesses would reduce the sales price of an acquisition.

Alternatively, and even worse from the broker’s or seller’s standpoint, some buyers might walk away from the deal, and that would be the last thing that the seller or broker wants.  Since the broker is not legally required to suggest a cyber due diligence assessment to the buyer, and since one, if performed, might either reduce the sales price or blow up the sale, the broker is not going to suggest it.  Ultimately, the buyer is left holding the bag.

From the buyer’s standpoint, requiring a cyber security due diligence audit is a smart negotiating move.  If there are any serious issues then the seller should be required to fix them before the close or the buyer should walk away from the deal.  If the buyer is comfortable that whatever cyber security issues are present are not fatal, then the buyer can and should negotiate a lower price.

Assuming the buyer is using a broker or lawyer – and the buyer should be – it seems to me that it borders on negligence for the buyer’s agent not to strongly recommend that a cyber due diligence be performed prior to closing.

Mitch Tanenbaum

What Your Office Might Look Like If You Are Hacked

According to multiple news reports (like BBC, Forbes, and Computerworld), Sony has been hacked again.  This time they were hacked by the GOP (no, not that GOP, the Guardians of Peace).

So, here is what Sony’s office looked like yesterday – and yours might if you get hacked.

Employees came into the office yesterday, turned on their computers and were greeted by this:



Sony (technically Sony Pictures Entertainment) told the media they were investigating an IT matter when this was leaked to the media – not a great job of rumor control.  Later that was updated to “Sony Pictures Entertainment experienced a system disruption, which are working diligently to resolve.”

The company’s internet connections were taken offline as a precaution.

Employees in New York, Los Angeles and the Culver City Studios were told not to access the internet or corporate email and to disable any wireless connections; voice mail (which goes to email) is intermittent.  Employees were told they could still use the phones.  Later, employees were sent home.

That was yesterday.  Today, day two, there is no update.  I suspect, but have no inside information, that they really are not sure how deep the hackers are in the company or what information they exfiltrated.  Rumors include that the hackers had inside help.

The GOP is threatening to release internal “Secret and Top Secret” documents if their demands are not met.  The GOP also said that “this is just the beginning”.

Sony Pictures is a multi-billion-dollar company so I doubt it is going out of business any time soon (at least as a result of this – their financials have not looked too good in the last 8 quarters).  Nonetheless, this is a serious disruption with no end in sight.

The political embarrassment of the hack will last a long time, especially after the multiple hacks they endured last year.

But here is the question.  Let’s assume this happened to your company.  How would your company handle it – from communications to operations to customers to vendors?  Are you prepared for something like this?



DarkHotel Malware

Wired reported on an interesting (yes, I know I am strange, to think that malware attacks are interesting, but they are!) malware attack.

The malware, known as DarkHotel, pops up a message alerting the user to a software update as soon as they connect to the hotel’s WiFi.

Of course, the update is not a legitimate update, but rather a piece of malware that the attackers are getting you to install for them.  Thank you for helping out.

Reports by Kaspersky Labs, the Russian anti-virus vendor, say that they have seen the attacks at five star hotels and that they seem to be targeted at business travelers and sometimes at specific travelers.

Kaspersky said that the attackers have been active for at least seven years.

According to Wired, the attackers use zero day exploits and a kernel mode keystroke logger – not simple to do.  In addition, the code is signed.  It appears that the attackers reverse engineered the certificates of several certificate authorities.  The combination of all of this tends to indicate that these attacks are either state sponsored or state sanctioned.

According to Kaspersky, the attackers show up at the hotel a couple of days before the target arrives, load the malware on the hotel servers (after hacking them) and then remove the malware from the hotel servers when the target leaves.

Kaspersky counter-attacked a few (26) of the attackers’ servers in October, gaining access to the attackers’ logs, at which point the attackers did an emergency shut down of close to 200 of their command and control servers.

For more details, read the Wired article linked above.

More importantly, this attack vector could be recreated pretty simply in a less sophisticated implementation.

I recommend that you never load a patch or update while connected to a public WiFi network – especially if it is a place you frequent or where people would know, in advance, that you are going to be there on a particular day or time.

Another Nation State Sponsored Trojan?

Ars Technica reported yesterday on a very sophisticated trojan that has been around, they say, since 2008, went dark in 2011 and came back in 2013.

The trojan is comprised of 5 stages, all but the first of which are encrypted and are serially decrypted to avoid detection.

The interesting part about it is that it apparently is a framework with plugins to attack everything from your keyboard to your mouse to a radio base station.  The link above has more details and a graphic showing the architecture of this thing.  It seems to be very sophisticated.

Supposedly, there have only been around 100 known infections – but do we really know? – mostly inside ISPs.  Symantec suggests that this was done not to spy on the ISP, but rather on their customers.

Now that the cat is out of the bag, I am sure we will hear more in the coming days.  This could be another Stuxnet.


Why You Should Use Your Debit Card As A Credit Card

Many of us try hard not to use our credit cards.  As a result, we tend to use our debit cards frequently.

Many debit cards carry either a Visa or Mastercard logo, which allows you to use the card as either a debit card or a credit card.  No matter which option you choose, the money is withdrawn from your bank account immediately, so from a financial standpoint, it really does not matter which option you choose.

Merchants such as Walmart often try very hard to get you to choose the debit option.  The reason for this is that the merchant pays a smaller fee to their bank or payment processor for each transaction if you choose the debit option over the credit option.  For large transactions, this difference can be significant to the store, because if you choose the credit option, the store pays a percentage of the transaction amount.  If you choose debit, the store pays a flat fee, no matter the size of the transaction.

HOWEVER, from your perspective as a consumer, if the store where you shop and use your card as a debit card is hacked – and that seems to be all too common these days – the bad guys can duplicate your debit card and, with your PIN, can empty your bank account.

Most banks allow you to limit the amount of withdrawals that are permitted on a daily basis to reduce your exposure.  Many banks also will send you a text message, in real time, every time your debit card is used – including ATM withdrawals – so you will know instantly if your card is being used.  If you get a text message and you didn’t use your card, call your bank immediately to shut down the card.

So, even though some stores cajole you to use your card as a debit card, I recommend that, for your own financial safety, you shouldn’t do it.

There was an item on the news tonight here in Denver that some RTD (the local transit agency) ticket kiosks were compromised with skimming devices and some users had ATM withdrawals made from their bank accounts afterwards.  Had they used the card as a credit card, the skimmer operator would not have had their ATM PIN and would not have been able to withdraw cash from their bank account.

Mitch Tanenbaum