Tag Archives: Sony

Sony Pictures CEO Interviewed By AP

Michael Lynton, Sony Pictures CEO, gave the AP his most extensive interview since the attack.

Among other things, Lynton said of the hackers: “They came in the house, stole everything, then burned down the house.”  He added: “They destroyed servers, computers, wiped them clean of all the data and took all the data.”

More importantly, he said that six weeks later, the studio’s network is still down and is expected to remain so for a few weeks.

A few other things he said:

  • Sony did not have a playbook for this.  He said that maybe nobody could.
  • A team of 10-15 senior management people were tasked with keeping Sony’s 7,000 employees informed without having them panic.
  • Sony had an emergency notification system but not all employees were on the system, so they had to sign people up in the middle of the crisis.
  • They met with 400 to 500 Sony employees at a time on a sound stage on the property to talk to employees about identity theft and security tips.
  • The story kept making twists and turns, so responding was difficult.  They would have a plan in the morning and it would change by the evening.
  • When the theatre chains pulled out from screening The Interview, they were scrambling because they did not have a plan.  They said they had no plans to release it, which was correct, because they had no plan.
  • The movie has generated $31 million so far, which still makes it under water, but they have cannibalized most of the future revenue by doing PPV on Christmas.
  • He declined to give a cost estimate for the breach – likely because they don’t really know yet – but that will be in their SEC filings eventually.
  • He still maintains that “we were adequately prepared … nobody could have withstood an attack of this nature.”

Looking back, I would say – and they would likely say privately – that they were not adequately prepared.  They did some things right and many things wrong.

USA Today is reporting that 19,000 French web sites have been attacked or defaced since the Charlie Hebdo attack, and the number is growing.  The article quotes one security expert who calls this the new normal.

I don’t know if that is true, but if it is, planning is one thing companies need to spend some effort on.



Monday Morning Quarterback – The Sony Breach

I am certain we will see a number of people comment on what Sony shoulda/coulda/oughta have done and there is likely some truth in all of them.  Here is one and my thoughts on it, from Data Breach Today.  This is from a blog post by Matthew Schwartz.  He makes 7 points, which I mostly agree with:

1. Failure to spot the breach – IF the hackers really got away with 100 terabytes of data as some people claim, it is hard to understand how they did not catch this.  The devil is in the details (like did the hackers send the data to the Amazon cloud or Dropbox or some other seemingly normal place), but companies should be spending some time and effort to watch outbound traffic and look for anomalies.

2. Poor breach response – I think Matthew is right on with this one but I completely disagree with the conclusion.  I think most companies’ breach response plans are woefully inadequate and I have said before that I think that Sony’s definitely fell into this category.  Where I disagree is with the recommendation that they should not have pulled the release of “The Interview”.  First, it was not their decision.  When the 4 big movie chains decided to pull it, the release was gone.  Sure, they could have gone forward and released it on the remaining few screens, but the effect would have been no different.  If Sony said they were releasing it and the only place it was showing was in a second tier theatre or in a small town, people would still figure it out.  Where their lack of a plan came through was their back and forth, on again, off again decision making process.  That made Sony look bad, or even worse than they already looked.  If they decided to try and force the issue and release it and someone, completely unrelated to the hackers, decided to bomb a theatre and there was injury or loss of life, the lawsuits would have been staggering.  Until you solve that legal problem, Sony had to kill the release.

3. Shooting the messenger – Hiring a big name law firm to threaten the media was just dumb – and likely a result of #2 above.  All it did was give Sony more negative attention and it did not stop anyone from publishing anything.

4. Contradicting themselves – first they said they were going to release “The Interview”, then not, then saying they always planned to release it.  Sony hired famous spin doctor, Judy Smith (adviser to George HW Bush and Monica Lewinsky, among many others), but that seemed to happen late in the game (mid December maybe).  This likely goes back to #2 – not having a plan.  Judy should have been on board on day 1 — since she should have been under contract already.  A company the size of Sony should have a media/PR expert already under contract as part of their breach response preparation.  It doesn’t cost very much to have someone like that on retainer compared to what it did cost them after the fact, both in dollars and reputation.

5. Ceding Control Of the Conversation – After the hackers published the emails of several Sony executives and made the executives look bad, Sony looked like a deer in the headlights.  Going back to #2 and #4, I think they had an “Oh, S**t” moment.  Lack of planning caught them unprepared and as a result, left the hackers in control of the conversation.  In a vacuum, the media goes with what they have.

6. Failure to take responsibility – Amy Pascal, head of SPE, told Bloomberg that it was nobody’s fault at the studio.  Sure, it was not her PLAN to do this, but ultimately, it certainly is her responsibility.  Hopefully, the Board of Directors has already corrected that confusion on her part.

7. Hoarding Old Emails – Actually, I would say hoarding old data.  They had social security numbers (in plain text in spreadsheets) for 50,000 employees.  They don’t have 50,000 employees.  Bloomberg, in March 2014, reported that SPE had 6,500 employees worldwide and was about to make cuts to improve profitability.  How far back does that data go?  A data retention policy is important not only in the case of a breach, but also in case of a lawsuit.  Hackers cannot steal data that does not exist.  If you need to retain it for legal reasons, keep it in a virtual or physical vault.

My Conclusion – It seems to me that the lack of a plan was probably their number one problem.  Their number two problem was not effectively managing (controlling) the data that they did have.  Given that they have been hacked several times before, the lack of a breach response plan is an epic fail and should be a resume-generating event.  The responsibility lies squarely with the Board of Directors and on Amy Pascal and Michael Lynton, the co-chairpersons of Sony Pictures.  I wonder if there will be some vacancies at SPE in the near future?


Background on the group that took down Sony and Microsoft on Christmas

Unlike the Sony breach in November, the group that took down Sony’s and Microsoft’s game network on Christmas (see article) seems to be very interested in getting attention.  Hopefully enough so that the FBI finds them, but that is another story.

What is more important is that the people who did this, according to Brian Krebs, are not on the high end of the hacking community at all and may have been doing this as a sales pitch for their new business.

Their new business is a DDoS (like they did to Microsoft and Sony, apparently) service for hire.  For $5.99 a month you can knock your favorite site offline for 100 seconds at a time (not sure if you can just keep doing this).  For $129 a month, you get a DDoS attack that lasts for more than 8 hours at a time.  They currently have over 132,000 followers on Twitter, so they are getting some attention.

According to Brian, they lifted (stole?) the entire source code for this service from TitaniumStresser, one of their competitors.  They also accidentally exposed a database with information on all 1,700 of their current users.

One of the Lizards, Vinnie Omari yapped enough to get picked up by the London cops.  I suspect they have a few questions for him.

The more important point here is that *IF* it turns out that you can really “take out” anyone you want for $129 a month, are more people going to do that?

According to Vinnie, he got drunk celebrating his 22nd birthday the day before Christmas, woke up on Christmas still half drunk and decided to take down Sony’s and Microsoft’s game networks for laughs – and because it would annoy a lot of people (they have around 150-200 million users).

If anyone can take down a major online service for $130, what should we expect to happen in 2015?  I don’t know, but if I had a business that provided online services to customers, I would certainly be concerned and I might want to think about some preparation.  Would a competitor or disgruntled customer decide to take my site down – for laughs?



Update on Sony and The Interview

In an about face, after Art House Convergence posted a letter to Sony expressing their desire to show the picture, Sony is allowing theatres, mostly Indies, to screen the movie The Interview on Christmas day.  The best guess is that the number of theatres that will offer it is around 200-300.  In addition, Sony is also offering it up on video on demand at the same time.  While this normally cuts into the box office numbers, given that the chains are not showing it, offering it on VOD at the same time it is being released into theatres likely won’t hurt ticket sales.  In fact, reports are that the web site of the Alamo Drafthouse, one of the Indie chains that is showing it in Dallas and other cities, was unavailable earlier today, not because of an attack, but because ticket buyers were swamping the web site.

If ticket sales go well and there are no incidents, then the chains might start showing it early next year.  Likely, this is due to the challenges of scheduling screens and potentially bumping showings off screens that have already been scheduled.

Tim League, founder of Alamo Drafthouse, said their first move, after deciding to screen the movie, was to contact local police to plan for this.  Plans include training for all managers and staff, which seems like a good idea in any case.

Sony is still trying to contain the damage and is threatening to sue Twitter for not suspending the accounts of users who are tweeting damaging emails.  I am not sure if Twitter is scared or not, but so far, they have not suspended the account in question.

On the other side of the planet, North Korea has had three separate Internet outages in the last two days – two short ones and one 9-hour one.  Who is responsible for these outages is unknown, but it appears likely the work of independent hackers.




CERT Alert on the Sony Malware

The U.S. CERT, part of the Department of Homeland Security, has released an alert describing the malware that took Sony apart pretty effectively.  Without going into a lot of detail, here is the high level overview:

  • The malware takes advantage of Windows SMB (Server Message Block) protocols that are common to all versions of Windows
  • The malware worms its way through the target’s network using brute force guessing of Windows share passwords.  It reports back home every 5 minutes with its successes and asks for new instructions
  • It has a listening component that listens on specific ports on the infected machine (probably for commands)
  • It has a backdoor component that handles file transfer, system survey, proxying and can execute arbitrary commands.  It can even open ports on the victim’s host firewall (one reason I don’t like software based firewalls)
  • The malware has a proxy tool that allows it to listen on a particular port and perform a variety of administrative functions for the malware
  • It contains a module to overwrite data on up to 4 disk drives and if the user has local admin privileges, it also overwrites the master boot record so the computer will not boot.
  • It has a network propagation wiper that allows it to worm its way through the network using built in network shares, drop the malware on the new machine and start destroying that machine.
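Two of the behaviours in that list leave very regular traces in ordinary logs: a worm guessing share passwords produces failed network logons against many hosts from one source in a short time, and a 5-minute check-in produces connections whose spacing is far more uniform than anything a person generates. The block below is an added example, not from the alert or from Sony, of both detections run over constructed records. The source and target names, addresses, timestamps and the thresholds (ten-minute window, five hosts, twenty failures, coefficient of variation of 0.1) are assumptions to tune against real data; the record shapes are simplified stand-ins for a Windows Security 4625 event and a firewall connection log.

```python
"""Added example: detect share-password brute-forcing and fixed-interval check-ins
from constructed log records. Hosts, addresses, times and thresholds are invented."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2014, 11, 24, 2, 0, 0)


def constructed_failed_logons():
    """4625 (failed network logon) summaries as (timestamp, source IP, target host, account).
    One source hits eight file servers four times each within eight minutes;
    one user mistypes a password twice against a single server."""
    events = []
    for h in range(8):
        for attempt in range(4):
            t = BASE + timedelta(seconds=15 * (h * 4 + attempt))
            events.append((t.isoformat(), "10.1.4.22", f"FS{h:02d}", "administrator"))
    events.append(((BASE + timedelta(minutes=3)).isoformat(), "10.1.7.3", "FS03", "jsmith"))
    events.append(((BASE + timedelta(minutes=3, seconds=40)).isoformat(), "10.1.7.3", "FS03", "jsmith"))
    return events


FAILED_LOGONS = constructed_failed_logons()

# Connection log as (timestamp, source IP, destination IP). The first host connects
# every 300 s with a few seconds of jitter; the second browses at irregular times.
CONNECTIONS = [
    (BASE + timedelta(seconds=300 * i + (i % 3) * 4), "10.1.4.22", "203.0.113.99") for i in range(12)
] + [
    (BASE + timedelta(seconds=s), "10.1.7.3", "198.51.100.80") for s in (0, 7, 130, 131, 900, 2100, 2105, 2400)
]


def share_bruteforce_sources(events, window=timedelta(minutes=10), min_hosts=5, min_failures=20):
    """Sources whose failed network logons reach many distinct hosts inside one window.
    A person mistyping a password fails against one host; a worm guessing share
    passwords fails against many, quickly. Returns {source: [hosts]}."""
    by_src = defaultdict(list)
    for ts, src, target, _account in events:
        by_src[src].append((datetime.fromisoformat(ts), target))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            in_window = [tgt for t, tgt in items[i:] if t - t0 <= window]
            if len(in_window) >= min_failures and len(set(in_window)) >= min_hosts:
                flagged[src] = sorted(set(in_window))
                break
    return flagged


def periodic_pairs(conns, min_count=8, max_cv=0.1):
    """(src, dst) pairs whose inter-connection gaps are nearly constant, i.e. the
    coefficient of variation (stdev / mean) is at or below max_cv. Timer-driven
    check-ins look like this; browsing does not. Returns {pair: mean seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            flagged[pair] = round(m)
    return flagged


if __name__ == "__main__":
    print("share brute-force sources:", share_bruteforce_sources(FAILED_LOGONS))
    print("periodic check-ins:", periodic_pairs(CONNECTIONS))
```

The brute-force rule fires on the combination of count and breadth, which is what separates a worm from a single locked-out user; the beacon rule cares only about the regularity of the spacing, so it does not depend on knowing the controller's address in advance, which matters when the destination is a fresh IP or a popular cloud service.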

As you can tell from this very brief description, this is a pretty sophisticated piece of software that someone spent a fair amount of time constructing.

Based on what is described in the alert, this malware would do a pretty good job of laying waste to any network it was found on.

The wiper part is what does the actual damage.  The rest is for recon and control.  By overwriting the disk, you make recovery, for all reasonable situations, impossible and the only option left is to rebuild the system from scratch.  This is why Sony told employees not to turn on their computers and not to connect to the company Wi-Fi.

There were reports in the media of security experts (like Kevin Mandia of Mandiant) saying that there was nothing Sony could have done to protect itself.  Given this analysis and the assumption that someone did something to get it started inside the Sony network (like clicking on a malicious link), I tend to agree with him.

They probably should have seen the data going out. 50 or 100 terabytes of outbound traffic is a lot, even for Sony.  But if these guys were in there for 6 months, then even that might not be obvious.  And, Sony may not do outbound traffic analysis.
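Both this paragraph and point 1 of the Monday Morning Quarterback post above come down to watching outbound volume for anomalies, including the case where the leak is spread over months and never produces an obvious spike. The block below is an added example, not code from the post, that runs three checks over constructed per-host flow summaries: a per-day spike test using median and MAD, a week-over-week drift test for the slow leak, and a first-seen-destination test for large transfers to somewhere the host has never talked to. Host names, addresses, byte counts and thresholds are all invented, and the (day, host, destination, bytes) record is an assumed aggregation of a NetFlow or proxy log.

```python
"""Added example: flag unusual outbound volume from per-host flow summaries.
Hosts, destinations, byte counts and thresholds are constructed for illustration."""
from collections import defaultdict
from statistics import median

# Constructed two-week sample. 'fileserver02' ships ~2 GB/day of backups normally,
# then sends a 400 GB burst to a never-before-seen address on day 12.
# 'workstation17' leaks slowly: a steady 30 MB/day increase that never spikes.
# 'workstation03' is flat background noise.
SAMPLE_FLOWS = []
for _day in range(14):
    SAMPLE_FLOWS.append((_day, "fileserver02", "203.0.113.10", 2_000_000_000))
    SAMPLE_FLOWS.append((_day, "workstation17", "198.51.100.7", 150_000_000 + 30_000_000 * _day))
    SAMPLE_FLOWS.append((_day, "workstation03", "198.51.100.7", 120_000_000))
SAMPLE_FLOWS.append((12, "fileserver02", "192.0.2.55", 400_000_000_000))


def daily_egress(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def spike_days(per_day, k=6.0, min_bytes=1_000_000_000):
    """Days whose egress exceeds median + k*MAD of the host's other days.
    Median/MAD rather than mean/stdev so one huge day does not inflate the baseline."""
    days = sorted(per_day)
    flagged = []
    for d in days:
        others = [per_day[x] for x in days if x != d]
        if len(others) < 3:
            continue
        m = median(others)
        spread = median(abs(v - m) for v in others) or m * 0.1  # flat baseline: allow 10% wiggle
        if per_day[d] > m + k * spread and per_day[d] > min_bytes:
            flagged.append(d)
    return flagged


def drift_hosts(totals, window=7, ratio=1.5):
    """Hosts whose last `window` days of egress exceed the previous `window` days
    by `ratio`. This is the check that catches a slow, steady leak."""
    flagged = {}
    for host, per_day in totals.items():
        days = sorted(per_day)
        if len(days) < 2 * window:
            continue
        recent = sum(per_day[d] for d in days[-window:])
        prior = sum(per_day[d] for d in days[-2 * window:-window])
        if prior > 0 and recent / prior >= ratio:
            flagged[host] = round(recent / prior, 2)
    return flagged


def new_destination_bursts(flows, min_bytes=10_000_000_000):
    """Large transfers to a destination the host had not contacted earlier in the sample."""
    seen = defaultdict(set)
    flagged = []
    for day, host, dst, nbytes in sorted(flows):
        if dst not in seen[host] and nbytes >= min_bytes:
            flagged.append((day, host, dst, nbytes))
        seen[host].add(dst)
    return flagged


def report(flows):
    """Run all three checks and return what an analyst would review."""
    totals = daily_egress(flows)
    spikes = {}
    for host, per_day in totals.items():
        days = spike_days(per_day)
        if days:
            spikes[host] = days
    return {"spikes": spikes, "drift": drift_hosts(totals), "new_dest": new_destination_bursts(flows)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_FLOWS).items():
        print(key, value)
```

On the sample, the spike test catches only the file server's burst and says nothing about the workstation that grows 30 MB a day; the drift test is what surfaces that host. That gap is the point of the paragraph: a six-month leak at a modest daily rate never trips a daily threshold, so the baseline comparison has to span weeks, not days.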


Sony cancels release of The Interview

After the attackers behind the Sony hack threatened movie theatres and moviegoers if theatres showed the Sony movie “The Interview”, Sony announced today that it was cancelling the release.

USAToday put the production cost of this movie at near $44 Million, which Sony stands to lose if they do not release this movie, but the risks are too great to both theatre owners and Sony if the movie was released and someone – even a copycat – were to blow up a movie theatre.

While some people complained that Sony was giving in to the attackers – and they are – those are the same people that would sue Sony if something happened, so it is a no win for Sony.

As a side note, the Terrorism Risk Insurance Act – the law that was enacted after 9/11 as a backstop for the insurance industry in case of a multi-hundred-million dollar claim as a result of a terrorist act – was not renewed by Congress and expires on December 31st.  While we do not know if Congress will renew it next year, the expiration of TRIA gives the insurance companies the right to cancel terrorism risk policies on January 1st.  Given that a claim could cause an insurance company to become insolvent, it is certainly possible that insurance companies will cancel policies after the 1st, leaving large building owners and events like the Super Bowl on their own to cover risk from a terrorist act that causes a big claim.