Tag Archives: Sony

Sony – The “Nuclear” Option

USA Today is reporting a few more details about the Sony hack-attack.  This is very scary and businesses need to consider if this could happen to them (the answer is yes) and if it does, how would they handle it.  This is the kind of attack that would put many businesses out of business.  Businesses need to review what their business continuity and disaster preparedness plan would do in a case like this.

Because of the sheer destruction these hackers have caused, the security community is referring to this as the nuclear option.  Total destruction.  Destroy as much as you can.  Steal whatever you can.  Make the company sweat.

The details:

  • This is different from the Home Depot or Target attacks where the attackers were after credit cards to use or sell.
  • AS FAR AS WE KNOW, the attackers in the Sony case have not asked for a ransom and other than the vague comments about treating people well, they have made no demands.
  • The attackers did not launch a denial of service attack to try and make Sony’s web site unavailable to customers

These three facts make this very different than most attacks.

What we do know about the Sony hack/attack:

  • The malware was not detectable by normal anti-virus software according to a statement released by the FBI.  In fact, they issued a FLASH bulletin to businesses to be alert to some of the symptoms of the attack.
  • Kevin Mandia, CEO of the Mandiant security firm said that it was “an unparalleled and well planned crime, carried out by an organized group, for which SPE [Sony] nor other companies could have been fully prepared”
  • The attackers stole a huge amount of data (different reports say hundreds of gigabytes to terabytes).
  • In my opinion, the only way to really know that you have the attackers out of there is to rebuild your entire infrastructure from scratch.  For a company the size of Sony, this is a HUGE undertaking.  Then you have to figure out how to keep the bad guys out.
  • The attackers have been dribbling out (if that is the right word for releasing gigabytes of data every day) embarrassing private data belonging to Sony and other companies (Deloitte).  The result of this leaking will likely be a number of lawsuits that will cost Sony a lot of time and likely, a lot of money.
  • The attackers crippled and erased hard drives of computers at Sony.  Even now, two weeks into this, employees are being told not to open their laptops for fear of the data on them being destroyed.
  • The GOP, the hacker group behind the attack said “the data to be released next week will excite you more.”  What the bleep are they going to release next?  If they have terabytes of data, this could go on for a while.
  • The attackers are also directly threatening employees and their families.  They said: “make your company behave wisely.”  If they did not, “not only you but your family will be in danger.”  What exactly this means is unclear, but if I was an employee, I would be nervous.

All in all, this is a huge leap from what attackers have traditionally been doing and unfortunately, this means that companies will have to up their game – including, probably, spending more money – as well.   Most companies do not have the financial resources of a Sony and if they were the victim of an attack like this, they would have to shut the doors.

This saga is far from over.



Today’s Breach News

Too many breaches … too little time 🙂

First a new breach – Bebe Stores (www.Bebe.com) confirmed that they had been breached, but not much else.  They said it covered the US, Puerto Rico and the Virgin Islands. They did say that it did not affect their online store (no POS terminal to compromise, I suspect), nor did it impact Canada or R.O.W. (the rest of the world).  The store is offering free credit monitoring, although, as Brian Krebs pointed out, that has zero effect on your existing credit cards being used by miscreants.

There is one bit of good news – and maybe a sign that the retail industry is improving its detection capability.  They said the breach period was only 18 days.  Given that many of these breaches have gone on for months and a few for years, this is an improvement.

Hopefully, they will release more details soon.

On to Target.  Ars Technica and other sources are reporting that the judge in the Target lawsuit case told Target that their creative legal maneuver didn’t work and the lawsuit by the banks can move forward.  For those of you who did not see my earlier post, Target’s lawyers tried to claim that because Target and the banks suing them did not have a “special relationship”, the banks could not sue them.  The judge said yes, they can.  This has the potential to push more of the cost of breaches onto the retailers, which would tend to move security up the priority chain (if you had to reimburse the banks for tens or hundreds of millions of dollars for fraudulent purchases, I suspect you would begin to pay more attention too).

Next, Sony.  Apparently an HR employee at Sony pilfered some data from his or her former employer, Deloitte, and that data got outed in the Sony hack-attack.  The data that got published because of this was payroll data on thousands of Deloitte employees.  Besides the fact that it showed a huge pay gap between male and female Deloitte employees, which could wind up as the basis of a lawsuit for Deloitte, I would assume that this employee signed an agreement not to steal proprietary information.  If I were Deloitte, I would be at least considering whether I should sue this ex-employee who is now at Sony.  It is possible that Deloitte gave this ex-employee or Sony their payroll data, in which case, the employee is in the clear, but I doubt it.  Can this thing get any weirder?

It can.  The NY Times is reporting that the GOP dumped “tens of terabytes” of Sony hacked data including passwords, social security numbers, salaries and performance reviews into pastebin.  That is way more than the 100 gigabytes that was reported earlier.  From a sheer bandwidth standpoint, either the hackers were walking out the door with disk drives in hand or they were streaming the hacked data for a while.

And lastly, for today, according to the LA Times, the payroll company that processes payments for SAG (Screen Actors Guild) members was breached.  The company says that the hacker only had access to the system for two hours, but they also said “The information accessed included Social Security numbers, private accounts and addresses”.


More Sony News

CORRECTION:  I said below that the hackers stole 25 GB of data.  According to CSO Online, they RELEASED 25 GB of data and this is only a fraction of what they stole.

UPDATE:  Brian Krebs (KrebsOnSecurity.com) is now reporting additional information:

  • The attackers stole 25 GB of data
  • The malware destroyed data on an unknown number of internal servers (as I suggested below)
  • The reason that employees were told to turn off their computers and disable Wi-Fi is that the malware destroys the Master Boot Record and wipes data on infected computers
  • One spreadsheet being floated around includes the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees
  • Another spreadsheet contains the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.
  • Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data
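The bulletin above says the malware overwrites the Master Boot Record before wiping the disk.  A defender triaging machines (or checking disk images during recovery) can verify whether sector 0 still looks like an MBR at all.  The following is an added example, not code from the post or from any of the sources it cites; it uses only the public MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and a sample MBR constructed inline for the demonstration.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry.

    Layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4).
    The CHS fields are skipped; modern tooling relies on the LBA values.
    """
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector0: bytes) -> dict:
    """Report whether sector 0 is an intact MBR or shows signs of being wiped."""
    if len(sector0) < MBR_SIZE:
        return {"status": "truncated", "findings": ["fewer than 512 bytes"], "partitions": []}

    findings = []
    if sector0[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")

    # Real boot code is varied; a wiper typically leaves zeros or one fill byte.
    bootcode = sector0[:PARTITION_TABLE_OFFSET]
    if all(b == bootcode[0] for b in bootcode):
        findings.append("boot code is a single repeated byte (zeroed or overwritten)")

    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(sector0[off:off + PARTITION_ENTRY_SIZE])
        if entry["type"] != 0:               # type 0 means an unused slot
            partitions.append(entry)
    if not partitions:
        findings.append("no partition entries")

    return {"status": "intact" if not findings else "damaged",
            "findings": findings, "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed sample: plausible boot code, one Linux partition, valid signature."""
    bootcode = bytes((i * 37) % 256 for i in range(PARTITION_TABLE_OFFSET))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x83, b"\xfe\xff\xff",
                        2048, 204800)
    table = entry + bytes(3 * PARTITION_ENTRY_SIZE)
    return bootcode + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # To check a real disk or image, read its first 512 bytes instead:
    #   with open("disk.img", "rb") as f: sector0 = f.read(512)
    print("sample MBR :", check_mbr(build_sample_mbr()))
    print("zeroed MBR :", check_mbr(bytes(MBR_SIZE)))
    print("0xAA fill  :", check_mbr(b"\xaa" * MBR_SIZE))
```

A "damaged" verdict does not by itself say what wrote over the sector, only that the machine will not boot from it and that the partition table is gone; the data partitions may or may not still be recoverable, so the finding feeds the triage list rather than replacing a forensic image.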

Assuming all this is true, then we are dealing with California privacy law (SB1386 and its relatives) as well, potentially, as HIPAA violations, bringing the Department of Health and Human Services’ Office of Civil Rights into the picture.  Both of these could bring large fines (HHS OCR can levy fines of up to $1.5 million per violation and they get very creative on what a violation is – could be as much as each record being a violation).

On a side note, Target has said that their costs for last year’s breach are now $250 Million and that there won’t be any other material costs.  I assume this does not include any fines or judgements – that would be extra – since none of the cases have come to trial and the regulators have not said anything that I am aware of.

The good news just keeps on coming for Sony.

The most important takeaway from this is “How would my company deal with our version of this scenario?”  If the answer is not “Effectively, thank you!”, then there is work to be done regarding business continuity and disaster recovery.

  • The FBI released a confidential alert to businesses and requested it be distributed only on a need to know basis.  In only a few hours, Redmondmag.com published the details of it (this is why the Feds like to classify stuff.  If you publish something that is classified, you can go to jail for a long, long time – even if you claim freedom of the press.  Espionage laws trump that most of the time).  The gist of what was reported is that the malware wipes systems and overwrites data files, making recovery very difficult and expensive, and likely impossible except from backups.
  • On December 1st a spreadsheet was released with the salaries of the top 17 Sony Executives who make $1 million or more.  The spreadsheet also included names, job titles, home addresses, bonus plans and current salaries.
  • Sony is trying to find the miscreants who did this, of course.  It has been leaked that they have hired the cyber security gurus from FireEye’s Mandiant division.  My guess is those folks are helping to figure out how the attack took place and how to clean up the debris, as well as looking for any clues as to the source of the attack.
  • If the source of the attack is North Korea as speculated, then that is mostly a dead end.  If it was them, it was likely government sanctioned and I don’t think anyone is ready to invade North Korea over this.  Apparently, some of the software used in the attack was compiled in Korean.
  • Supposedly some business systems are back online, but Sony has not released any details.  How much work is left is unknown.
  • Sony is set to release two big budget movies this month (Annie on December 19 and The Interview on December 24).  Even if Sony manages to prop up the systems needed for the release process, the distraction of the executives, the inability of the majority of the staff to operate normally and the media’s attention on Sony’s inability to keep their networks secure could have a negative effect at the box office.  On the other hand, some people say there is no such thing as bad publicity.  Only time will tell.
  • How much is all of this costing Sony – no clue yet.

Update on the Sony hack-attack

As I said in a previous post, it certainly appears that Sony is in the midst of a serious IT problem.  Sony has been extremely quiet except to say that they have a “system disruption” that they are “working diligently to repair”.

The important question to ask is “If this happened to our company, how would we deal with it?”.  These ransomware attacks are fairly common and, unfortunately, the only real way to know that you have removed the attacker’s access is to rebuild your entire network from scratch – which may be what Sony is doing.  What this means is having TESTED backups, backup copies of configuration data (preferably offline), and a staff that has actually performed the rebuild process before the crisis.  You may also need additional hardware as the cops may still be messing with your hardware.  You also need to understand how long the rebuild will take.  All this should be part of your disaster recovery plan.
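"TESTED backups" means more than confirming the backup job ran: you need to be able to prove, before the crisis, that the copy you hold still matches what was backed up and that nothing was silently wiped or overwritten.  The following is an added example, not code from the post; it hashes a backup set into a manifest (which you would then store offline, alongside the configuration copies the paragraph mentions) and later re-checks the set against that manifest during a restore drill.  The directory layout, file names and contents are constructed inline for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file (path relative to the backup root) to its SHA-256."""
    return {p.relative_to(backup_root).as_posix(): sha256_file(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}


def dump_manifest(manifest: dict) -> str:
    """Serialise the manifest for storage on offline media; sorted keys keep it diffable."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the manifest taken when it was made."""
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))          # files that vanished
    extra = sorted(set(current) - set(manifest))            # files nobody backed up
    changed = sorted(k for k in manifest.keys() & current.keys()
                     if manifest[k] != current[k])          # contents overwritten
    return {"ok": not (missing or extra or changed),
            "missing": missing, "extra": extra, "changed": changed}


def restore_drill() -> tuple:
    """Constructed scenario: take a manifest, then re-verify after one file is
    deleted and another overwritten with zeros, as a wiper would leave it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "configs").mkdir()
        (root / "configs" / "router.conf").write_text("hostname core-1\n")
        (root / "payroll.csv").write_text("id,name\n1,example\n")

        manifest = json.loads(dump_manifest(build_manifest(root)))  # round-trip as stored
        clean = verify_backup(root, manifest)

        (root / "payroll.csv").unlink()
        (root / "configs" / "router.conf").write_bytes(b"\x00" * 16)
        damaged = verify_backup(root, manifest)
    return clean, damaged


if __name__ == "__main__":
    before, after = restore_drill()
    print("fresh backup verifies:", before["ok"])
    print("after tampering:", after)
```

The manifest is only as trustworthy as where it lives: keep it with the offline configuration copies, not on the same file server the backup job writes to, otherwise the same wiper that takes the backups can take the evidence that they were ever good.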

Business continuity insurance likely would help pay for the costs if you have that and if it covers cyber disruptions (it may not – you may have to purchase cyber liability insurance to get cyber business continuity coverage), but checking on all of this in advance would be smart.

In terms of getting the data back that the attackers took, that probably is impossible.

The reason Sony shut off their internet connections world wide and forced people to use pencil and paper when this first happened a week ago is that, assuming this was not an inside job and the attackers don’t have co-conspirators inside the company, this is the only way to stop the attackers from doing more damage.

Unfortunately for Sony, employees have resorted to using their personal smart phones and Gmail, with the attendant security issues that represents.  The likelihood of getting that genie back in the bottle varies from slim to none.

For a publicly traded company like Sony, they will have to disclose the cost of this – between lost intellectual property, lost productivity, outside consultants and staff time to restore or rebuild what they need to do, the cost is likely in the tens of millions of dollars.  Not to mention, on top of those costs are litigation costs (certainly there will be lawsuits) and judgements.

It is not clear if the attackers told them to keep their mouths shut or whether they foolishly think they can keep the bad news under wraps by stonewalling the media.  If it is the latter, it is not working.

The group, calling itself the #GOP (not sure if that play on words is intentional), is reported to have obtained ‘corporate secrets’ and would leak them if their demands were not met.  It is being reported by some outlets that among the property lost were digital copies of celebrity passports such as Angelina Jolie’s.  Some outlets are saying that the attack is using a common form of ransomware, where the contents of file systems are encrypted with the GOP, in this case, hanging on to the decryption keys until their demands are met.

Variety, the trade rag for the movie industry, reported that five Sony movies have been leaked.  Four of these movies have not even been released yet.  The titles that were leaked were Fury, Annie, Still Alice, Mr. Turner and To Write Love on Her Arms.  Fury was downloaded by 888,000 unique IP addresses.  These movies were DVD quality reviewer copies and were watermarked, but my guess is that the hackers do not care.  It is not clear if these purloined movies are part of the corporate secrets that would be leaked.  Certainly, leaking DVD quality copies of new movies that have not even been released could hurt sales.

According to the New York Post, staffers at Sony are being forced to use pen and paper to complete their work assignments.  The Post is also reporting that Sony is investigating whether North Korea is behind the attack since they are supposedly upset about Sony’s upcoming movie “The Interview”.  The New York Times is reporting that Sony’s information technology experts told an in-house conference call they were “making inroads” against the attack and expected to be back online by Monday.  What, exactly, that means is totally unclear.

The Register (UK) is reporting that bosses have told their teams that it may take three weeks to recover from the attack.  The Register displayed this picture in one of their reports:


All in all, this is another black eye for Sony, which has had more than its share of hacks, a serious distraction for employees, a field day for the media, millions of dollars in costs, likely lawsuits and probably more policies and procedures for employees to follow.



What Your Office Might Look Like If You Are Hacked

According to multiple news reports (like BBC, Forbes, and Computerworld), Sony has been hacked again.  This time they were hacked by the GOP (no, not that GOP, the Guardians of Peace).

So, here is what Sony’s office looked like yesterday – and yours might if you get hacked.

Employees came into the office yesterday, turned on their computers and were greeted by this:



Sony (technically Sony Pictures Entertainment) told the media they were investigating an IT matter when this was leaked to the media – not a great job of rumor control.  Later that was updated to “Sony Pictures Entertainment experienced a system disruption, which are working diligently to resolve.”

The company’s internet connections were taken offline as a precaution.

Employees in New York, Los Angeles and the Culver City Studios were told not to access the internet or corporate email and to disable any wireless connections; voice mail (which goes to email) is intermittent.  Employees were told they could still use the phones.  Later, employees were sent home.

That was yesterday.  Today, day two, there is no update.  I suspect but have no inside information, that they really are not sure how deep the hackers are in the company or what information they exfiltrated.  Rumors include that the hackers had inside help.

The GOP is threatening to release internal “Secret and Top Secret” documents if their demands are not met.  The GOP also said that “this is just the beginning”.

Sony Pictures is a multi-billion dollar company so I doubt it is going out of business any time soon (at least as a result of this – their financials have not looked too good in the last 8 quarters).  Nonetheless, this is a serious disruption with no end in sight.

The political embarrassment of the hack will last a long time, especially after the multiple hacks they endured last year.

But here is the question.  Let’s assume this happened to your company.  How would your company handle it – from communications to operations to customers to vendors?  Are you prepared for something like this?