A Breakdown and Analysis of the December, 2014 Sony Hack

Note: This article is being updated almost daily with new developments regarding the leaks from the Sony Pictures breach. Changelog of updates:

The Beginning (November 24)
Second Round of Leaks (December 3)
The Analysis Game (December 4)
The Next Chapter (December 5)
The Analysis Continues (December 7)
Fifteen Days Under Siege (December 8)
Reality and the Blame Game (December 9)
My Life At The Company, Part 1 (December 10)
Another Day, Another Email Spool (December 10)
Celebrity Gossip and Hacking Back (December 11)
Debates, Goliath, and Apologies (December 12)
My Life At The Company, Part 2 (December 13)
GOP at Christmas, Part 2 (December 14)
Cyber Insurance, Copyright, Parody (December 15)
Lawsuits, Terror, War, and we hope Hyperbole (December 16)
Leaks, Blame Game Redux, and Caving In (December 17)
Attribution is Hard, the Guessing Game, and Perspective (December 18)


On November 25, a new chapter was added to the chronicles of data theft activity. A group calling itself GOP or The Guardians Of Peace, hacked their way into Sony Pictures, leaving the Sony network crippled for days, valuable insider information including previously unreleased films posted to the Internet, and vague allegations it all may have been done by North Korea in retribution for the imminent release of an upcoming movie titled “The Interview”.

While politically motivated attacks and theft of intellectual property is nothing new, this incident certainly stands out for several reasons. First, via a Pastebin link, the group released a package and links to torrent files hosted on four sites consisting of 26 parts, broken out into 25 1GB files, and one 894 MB rar file. The files were also uploaded to the file sharing giants MEGA and Rapidgator, but removed by site managers shortly after. The researchers at RBS were able to access the files and analyze the content prior to the information going off-line, as well as reach out to GOP.

The results of the analysis provide unprecedented insight into the inner workings of Sony Pictures and leaked the personal information of approximately 4,000 past and present employees. As if the sensitive employee information wasn’t troubling enough, the leak also revealed curious practices at Sony, such as money orders used to purchase movie tickets that were apparently re-sold back to Sony staff.

The Guardians Of Peace made their contact information available for a brief time. RBS researchers used that opportunity to contact to the group seeking comment and received the following response:

I am the head of GOP.
I appreciate you for calling us.
The data will soon get there.
You can find what we do on the following link.

The link provided only led to a Facebook page that was not in use. The following time line gives more perspective and analysis of the details of the intrusion based on information made available via public sources.

 

The Beginning (November 24)

On November 24th, a Reddit post appeared stating that Sony Pictures had been breached and that their complete internal network, nation-wide, had signs that the breach was carried out by a group calling themselves GOP, or The Guardians Of Peace. This comes three years after a large series of attacks against Sony became public.

Within hours, Geek.com had reported that “Sony just got hacked, doxxed, and shut down” as Sony went into panic mode over the breach. Minutes after the original reddit post appeared, the thread exploded with comments and feedback about the content. Several links to additional files were included within the comments that included two text files that listed additional file names that were said to be coming in a subsequent leak of information from the Sony network.

In order to better understand the breach and the ramifications, Risk Based Security (RBS) reached out to the Guardians of Peace and asked for more information. During the brief email conversation, they stated that additional data leaks were forthcoming, and that they had obtained over a dozen terabytes of data from various Sony servers. The mail went on to say that additional information would be published soon, and provided a link to a Facebook page that appeared to be closed.

Movie Leaks (November 26th)

A few days after the the initial breach report was announced, four torrent links were published to torrent trackers that contained unreleased movies from Sony, obtained by GOP during the attack. These titles included Annie (December 19), Mr Turner (December 19), and To Write Love On Her Arms (March 2015). According to several torrent tracking sites, these files have been downloaded over 100,000 times.

On December 1st, NBC News aired a segment reporting that the FBI were investigating the breach and the possibility that North Korea was involved. While this may sound far-fetched at first, North Korea has a clear motive in attacking Sony. On December 25th, Sony is releasing a movie called The Interview, which follows the story of two celebrity TV hosts that get a chance to interview Kim Jong-un. Before heading to North Korea, they are asked by the C.I.A. to assassinate him. Despite the movie being labeled a comedy, North Korea has stated that if the movie is released, they would consider it an “act of war”.

When the BBC reached out to North Korean officials asking if they were behind the attack on Sony, they were given a curious response of “Wait and see.” North Korea had also complained to the United Nations about the movie earlier this year in July, while not naming it specifically.

First of the Leaks (December 1)

On December 1st, GOP started publishing the full cache of data files taken from Sony’s servers with the first chunk totaling a respectable 24.87GB of compressed files. Surprisingly enough, the GOP appears to have used compromised servers on Sony’s network to upload and seed the torrent for the leaked data, as well as uploading it to MEGA and RapidGator. Within hours of the upload, MEGA removed all links to the data. [Dec 9 update: subsequent analysis by Mario Greenly suggests Sony is not seeding/uploading data, only downloading it, likely in an attempt to slow progress for other downloaders.]

First leaked data summary, some analysis courtesy of IdentityFinder:

  • 26.4 GB in size, containing 33,880 files and 4,864 folders.
  • Includes 47,426 unique Social Security Numbers (SSN)
  • 15,232 SSN belonged to current or former Sony employees
  • 3,253 SSN appeared more than 100 times
  • 18 files contained between 10,860 and 22,533 SSN each.

Example of employee data found:

  • One file (\HR\Benefits\Mayo Health\Mayo XEROX assessment feed) contains 402 full Social Security numbers, internal emails, plaintext passwords,  and employee names
  • An additional 3000 or more Social Security numbers, names, contact details, contact phone numbers, dates of birth, email addresses, employment benefits, workers compensation details, retirement and termination plans, employees previous work history, executive salaries, medical plans, dental plans, genders, employee IDs, sales reports, copies of passport information and receipts for travel, as well as money order details to purchase movie tickets to resell back to the Sony staff. The leaked information also included documents, payment, and account information to order custom jewelry from Tiffany & CO via email.
 

Second Round of Leaks (December 3)

By this point, we can only imagine how Sony was in full panic mode attempting to respond to, and contain the breach. By this point, Sony executives had confirmed the leaked data was authentic. The mainstream media was coming to grips with the ordeal, exploring ideas on the ramifications, and the resulting fallout. Initial analysis of the data from the first set of files disclosed had begun, as the second disclosure of files occured. A GOP member identifying themselves as the leader of the group told RBS “Today more interesting data will be presented for you.” before pointing RBS to a new link containing additional files, as part of the email dialogue established (interestingly, one mail came from Hushmail who is known to cooperate with federal agencies). The second leak was considerably smaller, a mere 1.18GB containing two files named “Bonus.rar” and “List.rar”. While the files are small, they perhaps contain the most sensitive data to be disclosed by this point. This includes full security certificate information, internal and external account credentials, authentication credentials with plaintext passwords for systems such as the Sony YouTube page, UPS accounts.

Bonus.rar file summary:

  • 33.7MB compressed
  • Contains plaintext credentials (~ 500 total), server information, internal IP addresses and other data.
  • List of security certificates for servers, users, and services, and a list of what each certificate is related to.
  • Credentials include YouTube login information for the SonyPictures, Spidermanmovie, EvilDeadMoive, GrownupsTheMovie, and Thisistheend movie channels, complete list of older social media accounts for campaigns on facebook and twitter.
  • 121 FTP plaintext credentials, including the main Sony Pictures FTP server.
  • Plain text Credentials for major news and media sites like NY times, LA Times, Daily Variety, hollywoodreporter.com, indiewire.com.
  • Plain text passwords in formats like “sony12345” for critical internal and forward facing services.
  • Username passwords combos in a file named My PAsswords contain: novell, mediataxi, inflight, fidelity, spiDR, SPIRIT, sony style family center, FEDEX, Connect, SPTI, Acron TASS, SPE Courier, Concur, SPC Press, AIM, HR Connect, AMEX, outlook all in clear text with username and password combos.
  • Accounting and payment information for AMEX for “The Interview” in plain text.
  • Accounting and payment and other related credentials for “Death at a Funeral”

List.rar file summary:

  • 1.8MB compressed
  • Three files containing internal and external PC data, Linux servers, and Windows servers
 

The Analysis Game (December 4)

When analyzing high-profile breaches, it is common for the media and security companies to make mistakes. This often occurs due to conflicting or unclear information that seems valid on the surface, but falls apart under heavy scrutiny. For example, a Gizmodo article says that Sony stored password information in a folder called ‘Password’. A better explanation is that the archive released by GOP was created, and the hackers named that folder, not Sony. Below is a screenshot of some of the contents of the ‘Password’ folder from the GOP ‘Bonus.rar’ file:

sonypassword

As more journalists commit time to covering the breach, more details emerge, making this a constantly unfolding story. It also lends to a form of public debate, where one journalist may call into question conclusions of another. For example, Wired released an article today that went into detail about how the compromise may have happened (malware dubbed “wiper”) and also called out other journalists saying the North Korean link is not likely. While they make good points about the GOP group and how nation states generally conduct computer intrusions, there is also the possibility that it was specifically designed not to look like such an attack for plausible deniability. Or it may be as simple as North Korea suggesting they may have had a hand in it, to bolster the notion that they are serious contenders in International computer intrusions for espionage and spying, like their counterparts.

What is curious in this story, is that the FBI released a “Flash Alert” regarding malware that comes after the reported attacks on Sony. This warning comes very late in the game, and also leads to more questions about the security analysts brought in to figure things out. The same article mentions that Mandiant was brought in to address this breach before it became public. Yet, Mandiant has not made a statement on the matter, while being notoriously media-friendly in blaming hacker sources, specifically the Chinese, even if they may not have been involved.

According to Re/code, Sony is set to announce that they have attributed the attacks to North Korea, making this a he-said, she-said ordeal in the short term. For those interested in more details on the malware found in Sony systems that may have been the point of compromise, Ars Technica has released a more detailed article focusing on it.

 

The Next Chapter (December 5)

As mentioned, this story is unfolding every day. New information, new perspective, and new deductions come every day. Risk Based Security has been tracking breaches for a very long time, and has frequently seen such high-profile breaches unfold over years. After the initial weeks or months of a breach, most news outlets and security companies lose interest. Long-term though, part of the story includes the eventual investigation, consultants, lawsuits, stock price fluctuations, and more. The entire picture of a major compromise is the real value, as that is where companies can fully learn of the risks of a breach.

Today the Guardians of Peace have contacted RBS, and likely other companies or journalists, with a third link to leaked data along with a short statement and request calling for others to join them:

Anyone who loves peace can be our member.
Please tell your mind at the email address below if you share our intention.
Peace comes when you and I share one intention!

jack.nelson-63vrbu1[at]yopmail.com

You can download a part of Sony Pictures internal data the volume of which is tens of Terabytes on the following addresses. These include many pieces of confidential data.

The data to be released next week will excite you more.

The leaked data has been uploaded as BitTorrent links to various file sharing sites via the same methods used in previous disclosures, some of which are served off breached Sony Pictures EC2 servers as well as being uploaded directly to the RapidGator file sharing service. As before, RapidGator quickly removed the data within three hours of it being posted.

The torrent is broken into 22 files spanning 52 parts which appear to be just over 100GB of compressed data. This leak has been titled “Financial data of Sony Pictures” so it likely contains financial details of Sony Pictures, the budgets of movies, or more.

Based on the history of contact from GOP, it appears that each day a new email address is used, and it suggests the accounts may be compromised email accounts. Whether these are fallout from the Sony breach or via another source remains unknown.

 

The Analysis Continues (December 7)

There have been several news outlets and security firms researching the Sony Pictures breach and analyzing the disclosed files as a result of the compromise. An interesting and unexpected development surfaced on today, when security researcher Dan Tentler announced early in the day that he had had a visit from FBI but was not home at the time.

Just to warn other security folk working on the Sony leaks – the FBI just visited my home. I wasn’t there, so I’m not sure what they wanted.

He followed up with a comment that was made to his wife:

according to my wife, who answered the door, they started the conversation with the words “illegally downloading”.

Mr. Tentler has been conducting his own analysis and has reported on the Sony incident. He posted a list of nodes where the leaks could be found which may explain the FBI’s interest and the subsequent “illegal downloading” comment made to his wife.

Now that the files have been downloaded from the publicly available sources, RBS has had a chance to do a preliminary analysis of the contents. The following is a screenshot showing a sample of the files, to put it into better perspective what is leaked. Note that filenames are logical, not descriptive and human-friendly:

sony-spe_03

These 22 individual files make up three larger files containing a large set of newly released data, predominantly based on financial information:

File SPE_03_01.RAR (Mostly from Sony Brasil)

  • 30,916 individual Files, 2,970 Folders. 16.4 GB / 9.99 GB (Compressed)
  • Banking statements, bank account information including wire transfer swift codes etc.
  • Financial year reports
  • Financial year forecasts
  • Budget reports
  • Overhead reports
  • Receipt and transaction account statements of computer hardware, vehicle (toyota hilux, mitsubishi space wagon), car accessories going back to 1998
  • Internal information for Sony Pictures Releasing International portal, screenshots, walkthroughs and other usage information.

File SPE_03_02.RAR (From Sony Pictures Imageworks, Vancouver, and Sony Pictures)

  • 89,800 Files, 10,990 Folders. 88.6 GB / 48.9 GB (Compressed)
  • Accounting information using Trintech Inc. software
  • Licensing contracts
    • Access Digital (Exyflix)
    • Amazon Europe
    • Amazon Japan
    • Clickpay Multimedia
    • Comcast
    • Eagle Eye
    • Gaia
    • Google (YouTube)
    • Media Vault
    • M-GO
    • Microsoft
    • Playstation
    • Sena
    • Sony Electronics
    • Sony visual products in
    • video futur
    • Yota (aka more)
  • Vendors (Too many to list)
  • Sony India Financial reports.
  • 528 Payrolls for Imageworks Canada with staff full names, contact numbers and residential addresses.
  • British Columbia Personal Tax Credit Returns scans of several employees with full personal information including social security number.
  • Photocopies and scans of driver licenses, passports and other tax related documents exposing a bunch of personal credentials, home addresses, full names, date of births, social security numbers and more.
  • Federal Tax Returns

File SPE_03_03.RAR

  • 113,002 Files, 39,612 Folders. 57.1 GB. / 48.1GB (Compressed)
  • Incident reports with full names, incident locations, injurys and postions held with sony.
  • SPE Global Security Guidelines v2
  • UL training users, full names, addresses, email addresses and common set clear text passwords
  • copies of employeement contracts and agreemtns, passports, drivers license, ssn, signatures.

Ongoing (December 7)

The LA Times reported on December 5th, and has said that the FBI have confirmed it, that just hours before the 3rd leak was published online, an unknown amount of Sony employees received threatening emails which are believed to have been sent by the GOP.

The emails which were written is what was described as “broken English”, wanted employees to sign a statement disassociating themselves with Sony, and if they did not, were warned that “not only you but your family will be in danger”. According to the LA Times, the email included a statement that makes suggests the digital headaches for Sony are going to continue to for some time to come.

“It’s false if you think this crisis will be over after some time,” the email said, according to a copy obtained by Variety. “All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony Pictures.”

Adding to the speculation about how the compromise happened, Bloomberg is reporting that the compromise and first leak of data happened at the St. Regis Bangkok hotel in Thailand according to an unnamed person “familiar with the investigation”.

 

Fifteen Days Under Siege (December 8)

Late last night, after a long week of previous disclosures, the GOP has released the next batch of leaked data. The new round consists of four archives making two large files, currently being seeded from servers owned by Sony Pictures as before. The torrent that includes all files is only 2.8GB this time and has also been uploaded to a few file sharing websites, although we expect them to be taken down quickly like previous GOP uploads.

Unlike previous disclosures that were straight-forward, this group of files comes shortly after the appearance of a Pastebin link (now 404) that purports to be from the GOP, and gives a reason for the attacks on Sony Pictures, linking it to the now controversial movie, “The Interview”. There is speculation that the new announcement may not be authentic as it did not get sent out via the previous channels, and suggests an almost afterthought of blaming the movie for their actions. Within hours of this being published on Pastebin it had been removed but was cached by Google on December 8, 2014 15:43:58 GMT. Since then, the cache has also been removed which may be due to Sony complaints. According to Owen Williams, Sony has been sending out Digital Millennium Copyright Act (DMCA) take-down requests related to the breach and subsequent disclosures. RBS managed to capture the text before it was removed from both Pastebin and Google cache:

by GOP

We are the GOP working all over the world.
We know nothing about the threatening email received by Sony staffers, but you should wisely judge by yourself why such things are happening and who is responsible for it.

Message to SONY

We have already given our clear demand to the management team of SONY, however, they have refused to accept.
It seems that you think everything will be well, if you find out the attacker, while no reacting to our demand.
We are sending you our warning again.
Do carry out our demand if you want to escape us.
And, Stop immediately showing the movie of terrorism which can break the regional peace and cause the War!
You, SONY & FBI, cannot find us.
We are perfect as much.
The destiny of SONY is totally up to the wise reaction & measure of SONY.

The following is a summary of the fourth leak:

05_01.rar

  • mosokos.ost (A Microsoft Outlook mail spool), 3.5GB in size
  • “mosokos” is Steve Mosko, President of Sony Pictures Television.
  • 3,550 full contact details, full names, email addresses, home addresses
  • 14,944 sent emails
  • Email contents include account information, password reset mails, personal emails, flight and travel arrangements
  • Also includes discussions about internal operations within Sony, the 2013 Breaking Bad Bluray leak, discussions about using torrents and the AXN network to distribute Hannibal
  • Emails from friends and other Sony staff about TV show torrents and uploads to YouTube, including Breaking Bad, King of Queens, and Hannibal.

05_A.rar

  • APascal1.ost (A Microsoft Outlook mail spool), 3.78GB in size
  • “APascal” is Amy Pascal, Co-Chairman, Sony Pictures Entertainment and Chairman, Sony Pictures Entertainment Motion Picture Group
  • Over 5,000 emails included
  • Most recent Inbox email is from November 23, 2014 (likely when the mail spool was taken)
  • Emails consist of sony employee relations, personal invoices, and personal emails
  • Includes talk and deals about upcoming movies
  • Contains current and closing business deals

View of the APascal1.ost Outlook mail spool showing the folders:

sony-outlook-files

Speculation and analysis of the original compromise method is ongoing. The Register reports that Kaspersky has published details on the malware that allowed the attackers to gain a foothold into the organization. According to the researchers, the malware has been named BKDR_WIPALL by Trend Micro and Destover by Kaspersky (which elicited a warning from the FBI), and was previously seen in attacks against Saudi Aramco by the “WhoIs Team” in 2012. Kaspersky researchers went on to say that this backs claims that the malware was used in the 2013 Dark Seoul attacks, possibly linking the same group or groups to a multi-year campaign of high-profile computer intrusions.

Seemingly unrelated to the GOP breach of Sony Pictures, but coincidental in timing, the Sony PlayStation Network appears to be suffering their own problems as a group called Lizard Squad is taking credit for a coordinated large-scale denial of service attack, that follows a previous one August of this year. Via Twitter, Sony PlayStation Network has acknowledged that customers are experiencing problems, but do not specifically cite why.

Culver City Sony employees will be briefed by the Federal Bureau of Investigation (FBI) on Wednesday regarding the recent attacks, according to the Hollywood Reporter. Michael Lynton, Entertainment Chief at Sony, has also called for an all-hands meeting on Friday to further discuss the issue.

 

Reality and the Blame Game (December 9)

Generally when a high-profile wide-scope breach occurs, news outlets and some security companies are quick to say it was the work of an “advanced” attacker, and that the breach is “unprecedented”. According to Mashable, Michael Lynton (Sony Pictures CEO) sent a letter to all employees featuring a letter from Kevin Mandia, of Mandiant, the company hired by Sony to investigate the breach. An excerpt from the letter:

“This attack is unprecedented in nature. The malware was undetectable by industry-standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat,” — Kevin Mandia, Mandiant Security Consulting

All analysis to date suggests the malware was not unique to Sony, and may have been used several times before. Trying to suggest that malware that evades “industry-standard antivirus software” is “unprecedented” is ridiculous. Antivirus software routinely fails to identify malware due to the archaic signature-based model they use. The software only detects what it knows to look for, and with a few tiny changes, old malware can be made undetectable again; until a new signature is created and pushed to customers. That subscription model is the profit center of the antivirus industry, and they have little reason to improve it. Further, suggesting this breach was “unprecedented” to the size and scope simply isn’t true either. Large-scale compromises like this hit the news every year.

If you recall on December 4th, Re/code published an article saying that Sony was set to officially blame North Korea for the attacks. Jump to today, a mere 5 days later, and the FBI is officially saying there is no attribution to North Korea according to Reuters.

“There is no attribution to North Korea at this point…” — Joe Demarest, Assistant Director of the FBI Cyber Division

It has also come to light via Mashable, via the leaked email archives from the fourth leak (December 8), that Michael Lynton (CEO), Amy Pascal (Chairman), and other executives received an email from hackers calling themselves “God’sApstls”. In the email, quoted below, the group threatens ‘great damage’ to Sony Pictures unless financial compensation was provided:

We’ve got great damage by Sony Pictures.

The compensation for it, monetary compensation we want.

Pay the damage, or Sony Pictures will be bombarded as a whole.

You know us very well. We never wait long.

You’d better behave wisely.

From God’sApstls

This goes against subsequent posts from the Guardians of Peace (GOP) who said the intrusion was related to the release of the movie, “The Interview”. At this point it is not clear if a single coordinated group of attackers is changing their public persona or if there are more than one group that have access to the network.

More fallout from the Sony Pictures compromise comes in the form of the attackers using Sony’s certificates to digitally sign the Destover malware. As reported by Kaspersky Labs, the signed malware appeared on December 5th and will result in additional malware being signed, and likely render subsequent attacks more effective. [Update: It turns out this was a prank carried out by a security researcher, who figured out the password of the certificate (same as the file name), and decided to sign the most amusing/ironic thing he could think of, the malware itself. We are also told that three other certificates used a password of “password”.]

 

My Life At The Company, Part 1 (December 10)

Now that journalists and security companies have had days to review the incredible amount of leaked data, analysis has shifted to focus more on the contents of the emails of Amy Pascal, Co-Chairman, Sony Pictures Entertainment and Steve Mosko, President of Sony Pictures Television. This has revealed odd details such as Sony continuing to make considerable money for the show Seinfeld, Sony executives concerned over the ending of the movie ‘The Interview’, and that George Clooney is very savvy.

Today also brought the fifth leak of data from the Guardians of Peace (GOP), titled “Gift of Sony for 5th day: My Life At The Company – Part 1”. As before, the leaked data was uploaded to various bittorrent tracking websites with the download consisting of five 1GB parts

The torrent file consists of 5 parts, all 1GB and in RAR format (spe_05_01.part[1-5].rar). The GOP have also included a new statement with this disclosure, again directed at Sony Pictures employees. The message states that they still have large amounts of information to disclose, including personal information and more email spools. The statement reads:

To SPE employees.
SPE employees!
Don’t believe what the executives of SPE says.
They say as if the FBI could resolve everything.
But the FBI cannot find us because we know everything about what’s going on inside the FBI.
We still have huge amount of sensitive information to be released including your personal details and mailboxes.
If continued wrongdoings of the executives of SPE drive us to make an unwanted decision, only SPE should be blamed.
Now is the time for you to choose what to do.
We have already given much time for you.

The newly leaked data includes information about Sony’s anti-piracy efforts, entertainment deals in the works, internal procedures related to tracking torrents and other illegal downloading. It also contains a document that outlines Sony’s cooperation with 5 major Internet Service Providers (ISPs) to collect full data for monitoring illegal downloads. In addition:

  • Motion Picture Association of America (MPAA) list of outstanding issues and other piracy related information.
  • Enhanced Content Protection proposals, drafts, and documents.
  • Potential Middle-East partnership deals from 2012.
  • Wages of international employees from Sony Australia and Sony China
  • Contact information of more than 2,500 employees, additional digital certificates, documents on Internet security, security advisories that may impact Sony systems
  • Research documents, internal information about Sony cameras being produced, NATO-Studio August 2014 Tech Meetings Agenda with talks about new technology being produced by Sony
  • Project non-disclosure agreements, budgets, financial forecasts for 2013 – 2015, information about projects schedules, deals, costs, profits, advertising revenue, and advisor fees.

Anti-piracy information from Google, YouTube, Netflix, and Farncombe including:

  • Total number of notices sent to ISPs with 100% success rate (2,537,932)
  • Alerts sent to subscribers (1,475,848)
  • Alerts that were not sent but should of been (41,917)
  • A breakdown of which content, how many types of alerts sent, and acknowledgements for 2012, 2013, and 2014
  • Confidential documents outlining deals, procedures for monitoring, and services provided by Farncombe
  • Large amount of proposals to Google, YouTube, and other services about how to censor search results, remove content from its search
  • Content protection documentation

Documents and internal tracking of console hacking information for the PlayStation including:

  • 27th Chaos Communications Congress (CCC), Console hacking 2010, PS3 Epic fail.
  • Verisign Fraud Alert: Phishing – the latest tactics and potential business impact.
  • BHUSA09-Marlinspike-DefeatSSL-PAPER1
  • us-14-Rosenberg-Reflections-On-Trusting-TrustZone-WP

A variety of documents on relations with the following companies: AXN, AMC Networks, Hoyts Australia, Animax UK, Channel 5 UK, Chello, Grupo Clarin, 2waytraffic, Dailymotion, Comedy Time, DirecTV, Crackle, Apple, iTunes, Google, YouTube, Hotfile, BBC, BITAG, Telstra, Rogers, Showtime, Sky, Skype, SNEI, Telus, Tesco, Virgin Media, TVN, Verizon, Telefonica, TTNET, Turner, True Net, Videotron, VUDU, Voole, Redline, and SingNet. The data on deals is extensive to say the least. Below is a small sampling of the folders and documents:

sony-documents

After the series of incidents with Sony in 2011, many analysts were curious about how it would affect Sony’s stock price. Between April 4, 2011 and October 12, 2011, Sony’s stock price dropped from $31.45 to $20.06. That begs the question if this round of incidents is also affecting the price.

sony-stock

Here we see the stock value between November 25th, when the breach became public, and today. Note that in our experience, we frequently see stock prices drop as an immediate reaction to such events, but often return to the original value within three months.

Yesterday we reported that attackers had used a Sony digital certificate (spe_csc.pfx) to sign the malware believed to have been used in the compromise. It has come to light that this was actually a prank of sorts, carried out by security researchers who figured out the easy-to-guess passwords protecting the certificates. RBS has seen a portion of the chat log in which they guess the passwords. After placing the signed malware on VirusTotal, Kaspersky apparently made the assumption that it came from the attackers. Steve Ragan summarized the prank in an article last night, and Colin Keigher who was close to the source of the prank, published a blog this morning giving additional details.

Perhaps the most interesting development though is the possible ‘doxxing’ (publishing personal information) of the Sony hackers. Via two Pastebin documents, the real name, address, nickname, birthday, and other personal details of five people are listed. Given the lack of provenance for this information, RBS is not going to further propagate it. The introduction text gives a summary of the alleged hackers:

Sony hackers DX. they hackers from Tunisia Hacker Team but covering as Guardians of Peace for op WeekofHorror to attack USA and support Syria and goverments that fight USA (china, korea, iran).

 

Another Day, Another Email Spool (December 10)

Today also brought the sixth disclosure from GOP, a single file named sony6.rar, that was uploaded to bittorrent tracking and file sharing sites. As usual, the file was quickly removed from the file sharing sites. The file contains another mail spool named “lweil00.ost”, which belongs to Leah Weil, Senior Executive Vice President and General Counsel for Sony Pictures Entertainment. Some details about the 3.84GB mail spool include a list of folders, number of emails, and a brief summary of the content.

Some of the folder names and mail count:

  • Admin: 56
  • Alertline: 286
  • Audit Reports: 28
  • Calendar: 6,815
  • Compliance dept: 45
  • Contacts: 178
  • Conversation history: 2
  • Deleted items: 4,296
  • Designated Employee Notice: 59
  • Division Head Meetings: 205
  • Executive comp: 60
  • Inbox: 41,229
  • Sec filings: 30
  • SEC FCPA: 102
  • Sent emails: 36,586
  • SPE Board: 19
  • SPE Subsidiaries Report:3
  • Legal: 78

Brief list of highlights:

  • Deleted mail contains email retention orders (current financial information email need to be held for 6 years as of 15th jan 2015 that will change to 2 years for all emails unless on legal hold)
  • SKY Perfect TV data leaked June of this year, including 10,000 customers name, email addresses, addresses, phone numbers, Pay-TV access control numbers (B-cas#), IC cards, and subscription information which may include payment details. (SKY PerfecTV is responsible for parts of AXN, owned by Sony.)
  • Discussions with Paula Askanas and others about uploading fake torrents to frustrate would-be pirates.
  • Instructions for how to respond to previous Sony hacking incidents with approved wording for Twitter and Facenook.
  • Extensive communications about the 2011/2012 attacks against Sony by Anonymous, including the #opsony threat, sharing pastebin links pertaining to Sony, vulnerabilities on Sony sites (e.g. “Subject: FW: ALERT – ANONYMOUS THREAT – XSS exploited on scajobs.sony.com!!”), details of internal investigations about hacking incidents, and employees attempting to ‘geo locate’ the hackers and match their handles to other aliases.
  • Internal concern that Mark Zuckerberg might sue Sony over the movie “The Social Network”.
  • Correspondence between Sony staff about George Clooney wanting to direct a movie based on Hack Attack. Concerns are expressed over potential legal issues if media giant Rupert Murdoch’s name is used within the movie since its based on a real story.
  • Emails about previous Sony breaches including SPE, Sony PlayStation, and other divisions of the company.
  • Emails about harassing calls from ANTI-SOPA protestors.

Given the severity of this breach, along with the history of previous Sony incidents, it is worth remembering the first part of a 2007 article titled “Your Guide To Good-Enough Compliance” by Allan Holmes. It is a good reminder that security is not just technology, but a mindset, and that failing to work toward a secure environment may have long-lasting repercussions.

 

Celebrity Gossip and Hacking Back (December 11)

The culture of watching celebrity lives has captivated the TV-watching audience for years now, with “reality” shows dominating news and airtime. With the Sony Pictures executive mail spools being leaked over the last few days, those analyzing the contents are running into emails from high-profile actors and actresses that communicate with them. As previously mentioned, George Clooney takes a hardline, intelligent approach to emails and knowing the contents could leak out.

Now we learn of drama between Amy Pascal and Scott Rudin over the highly-anticipated upcoming biopic on Steve Jobs, in which there is serious disagreement over Angelina Jolie’s disappointment that director David Fincher would be involved in ‘Jobs’ instead of her own movie, ‘Cleopatra’. Despite the differences between Pascal and Rudin, the leaked emails show they do have one thing in common: joking about President Obama’s race. In another exchange between Pascal, Michael Lynton, and Clint Culpepper, they are candid in their feelings for an actor asking for more money to promote a movie via social media:

“I’m not saying [Kevin Hart’s] a whore, but he’s a whore.” — Clint Culpepper (President, Screen Gems)

With the leaked emails, the public is also learning a wide variety of personal information about celebrities. In addition to email addresses, analysts are finding out aliases celebrities use when traveling, phone numbers, and more. These include Brad Pitt, Julia Roberts, Tom Hanks, and more according to Sophos.

Changing tracks, the other interesting development is how people are reacting to, and labeling Sony’s efforts to curb piracy. More specifically, some are considering and/or labeling the actions as a denial of service (DoS) attack. In using that term, they are effectively suggesting that Sony’s tactics are illegal. The tactics in question are based on Sony using hosted servers to pollute a bittorrent swarm, making the downloading of the illicit files (in this case the leaked data) more difficult. By introducing hundreds or thousands of peers that advertise they have parts of the file, and then failing to send them, would-be downloaders experience considerably slower rates. In some cases this causes them to give up on the download completely, and in other cases may mean the download could take more than a day, rather than an hour or three.

The use of the term ‘denial of service’ appears to originate in an article from re/code, where they say that Sony “is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available”. Technically, this is true as a denial of service attack is just that; it denies some level of service to users. However, in this case Sony is attempting to deny people from obtaining the leaked data from their network. Is this legal? Based on our understanding of U.S. computer crime laws, their actions do not technically violate the Computer Fraud and Abuse Act (CFAA, specifically 18 U.S. Code § 1030). However, according to the Department of Justice manual on prosecuting computer crime, this may be up for interpretation by a district attorney as far as what constitutes a “legitimate user”:

Intruders can initiate a “denial of service attack” that floods the victim computer with useless information and prevents legitimate users from accessing it. [..] Prosecutors can use section 1030(a)(5) to charge all of these different kinds of acts.

This boils down to whether journalists can publish the contents of material that were illegally obtained by a third party. The Student Press Law Center (SPLC) maintains a great summary of this issue and cites the Supreme Court’s 2001 decision Bartnicki v. Vopper, which struck down wiretapping statutes that prohibited the disclosure of illegally intercepted communications. With this in mind, then anyone attempting to download the leaked Sony data *are* legitimate users and Sony’s efforts to deny that service may violate the CFAA. We’re not lawyers and this is certainly a case full of gray, not black and white.

The one thing we can say with certainty is that using the term “Denial of Service” (DoS) or “Distributed Denial of Service” (DDoS) are loaded terms, as they are typically used to to describe either a technical attack against a system (where intent and ethics aren’t part of the discussion), or the actions of a criminal. This terminology gets further confusing and misleading when it is accompanied with phrases like “When the hackee becomes the hacker… In a somewhat amusing twist to the ongoing Sony Pictures hack…” or more aggressive wording like “Sony Pictures is employing hacking techniques…”, since this begins to ascribe specific criminal notions to their actions. The one thing Sony is doing right in all this mess, is denying everything.

 

Debates, Goliath, and Apologies (December 12)

Whenever a large breach occurs and involves the disclosure of personal email, even if “professional”, several debates re-emerge. The first revolves around the ethics of reading private emails. On one hand those emails, while public, were never meant to be published. On the other hand, quite simply, they were made public. This is not a debate that will be ‘won’ as both sides have valid points. One thing to keep in mind is how you would feel if your emails were leaked. RBS has balanced this dilemma by analyzing the meta-data (e.g. mailbox size, number of mails) rather than the content. Instead, we make observations about what others have published regarding the content and link to their articles.

The second debate that crops back up is the ethics of downloading stolen content such as emails. As mentioned on yesterday’s update, the Supreme Court 2001 decision in Bartnicki v. Vopper says that downloading and using stolen material such as email is legal for journalists. However, current intellectual property (IP) and copyright law could trivially challenge that ruling if were to re-appear in front of the Supreme Court. Regardless of that decision, Kashmir Hill reminds us that simply downloading the stolen content may prompt a visit from federal authorities. Not only has Dan Tentler (@viss) been visited, but Steve Ragan has also had a run-in with the FBI over the Sony material. We have little doubt that they are not the only two to have been visited. We also want to remind the FBI that visiting journalists and researchers who are downloading and analyzing the material are not who you are really after. Assuming you are trying to catch the individuals that actually compromised Sony’s network. If you treat them as sources instead of persons of interest, you may find they can assist you with your job.

The third debate that tends to come up among journalists is if analysis or snippets of such emails should be published after downloading and reading. Variety weighs in on this topic in an article titled “Why Publishing Stolen Sony Data is Problematic But Necessary”. While some of the material coming out of the leaks is very personal and embarrassing (e.g. racial jokes, calling professionals obscene names), such leaks can also lead to information that is specifically of interest to the public and should not be kept behind closed doors.

On the bad side of such disclosures, we see that the leaks are revealing very sensitive information such as employee’s children health information including special needs, diagnoses, and treatments. The leaks further go on to reveal birth dates, gender, health conditions, and medical costs for as many as 34 Sony employees, according to Bloomberg. On the good side of such disclosures, we find out that the MPAA, in conjunction with six studios, allegedly plans to pay elected officials to attack Google in an effort to curb piracy dubbed “Project Goliath”, according to TechDirt and The Verge. These two things are pretty much the opposite ends of the spectrum on the harm versus value of leaked data.

Finally, after weeks of silence, one Sony executive has broken their silence and gone on record about the leaked emails, albeit briefly. Amy Pascal, Co-Chairman, Sony Pictures Entertainment, has apologized and given an explanation for the racially insensitive comments directed at President Obama. Food for thought this weekend; if your email was published, what would you have to apologize for, if anything?

 

My Life At The Company, Part 2 (December 13)

Today brought the seventh leak of data from the Guardians of Peace (GOP), titled “My Life At The Company – Part 2”. This follows a Pastebin post in which they warn Sony executives that an important message has been sent to them:

by GOP

Important

Message to SPE executives

I’ve sent you a message.
Confirm your mailboxes.

The Pastebin post with links to the newly leaked information from Sony networks is accompanied by another message saying that upcoming Christmas leaks will contain larger quantities of data and it will be “more interesting”. One thing that is already interesting is that GOP says if anyone sends an email titled “Merry Christmas” to one of five provided email addresses, they will take requests with what should be in the upcoming leak:

We are preparing for you a Christmas gift.
The gift will be larger quantities of data.
And it will be more interesting.
The gift will surely give you much more pleasure and put Sony Pictures into the worst state.
Please send an email titled by “Merry Christmas” at the addresses below to tell us what you want in our Christmas gift.

The actual data leaked today appears consists of 6.45GB of uncompressed data, distributed via bittorrent links that do not appear to be seeding from same 54 IP addresses previously seen. The data consists of 6,560 files throughout 917 folders. A screenshot showing a sampling of the leaked data:

sony-leak-7-folders

A very brief analysis suggests this leak contains:

  • Sony internal documents for tracking deals, expenditures, and revenue.
  • Complete working folders for Jim Underwood (likely ex-Sony Executive VP, Worldwide Digital and Commercial Strategy [LinkedIn Profile])
  • Documents related to the acquisition of Grouper Networks in 2006 and related material the following years.
  • Many acquisition proposals, Sony’s perspective on the pros and cons to the deals, companies of interest, and potential profit, including Left Bank Pictures.
  • Drafts on the best ways to battle piracy, from 2009 on.
  • Enhanced Content Protection Overview written by Chris Odgers – complete analysis of possibilities of breaches, exploits, detection, and prevention methods for data streaming services to prevent hijacking.
  • Emails about Australian TV not being finalized before screening started. This appears to be related to the recent run of older American TV shows like Starksy and Hutch.
  • Breach monitoring and revocation rules for Phase 1 Service if the F1 Box is hacked.
  • Business documents and dealings with Abril.com out of Brazil.

As other researchers and journalists perform a more extensive analysis, we will provide links, summaries, and commentary on it.

Between Sony’s efforts to hinder acquiring the data via the torrents, and the file-sharing sites rapidly removing leaked data, some people have begun to make their own archives of the leaked data on additional sites. Some of them are being shared via Twitter and others via additional file sharing sites.

Following up on the legal angle (covered on December 11 update), Betabeat has published an article titled “No Gray Area: It’s Definitely Not OK to Publish Emails From the Sony Hack” in which they point out the moral and ethical issue with disclosing details of the leaked data. They argue that a variety of news outlets including Perez Hilton called the disclosure of celebrity nude photos “a crime”, while having no issue publishing private conversations from Sony executives. This is an interesting observation as it appears to establish the line between ‘acceptable’ (leaked emails) and ‘taboo’ (nude celebrity photos) for journalists. We are sure that this is a debate that will rage on for some time. [Note that the Perez Hilton article that mentions the word ‘crime’ cites Jennifer Lawrence’s statements in which she called the publication of her photos a ‘sex crime’.]

Business Insider has also published an article citing an “IT worker employed by a firm that has access to Sony’s computer network” that says Sony’s network security was “outdated and ineffective”. The article goes on to reference the “Password” folder that contained numerous passwords, but as we previously noted, that was likely at the hands of the attackers, not necessarily Sony. In another article from re/code, they also reveal that the leak contains a very recent security audit performed by PricewaterhouseCoopers LLP between July 14 and August 1. re/code reports that the audit found over 100 systems that were not being monitored by corporate security, who were charged with overseeing Sony’s infrastructure.

 

GOP at Christmas, Part 2 (December 14)

The last few years have shown us that the U.S. legislative body is not always in touch with the current state of computer crime, and often very out of touch when it comes to the notion of “cyberwar”. Time Magazine reports that Rep. Mike Rogers (R-Mich), chairman of the House Intelligence Committee suggested that a nation-state, specifically North Korea, was behind the attack on Sony. This was on Friday, three days after the FBI declared that North Korea was not responsible. Time goes on to quote Rogers as saying:

“That was the first [time] — if you take at face value public reports — a nation state decided a retribution act could result in destroying data, bringing down a company…” — Rep. Mike Rogers, Chairman of the House Intelligence Committee

Most everyone in computer security knows, taking initial public reports at face value is not a wise action. As we have pointed out in previous updates, the attribution for this attack has ranged from North Korea, to an independent group known as the Guardians of Peace, and has also seen some indication that multiple groups may be involved.

Even worse than Rogers’ reliance on initial early public reports, he or Time Magazine are using the term ‘cyberwar’ to describe this attack. That is simply dangerous and misleading. If this is a group of computer criminals acting on their own, it sets a dangerous precedent that a few random people could conduct war. Such terms, when used in Congress, can invoke the wrong image of what is really happening, and lead to an over-reaction in U.S. response. That could lead to knee-jerk legislation or worse.

Following up on the legal aspect of the breach, David Boies, a lawyer for Sony, has sent a firmly worded three-page missive to several media organizations including the New York Times stating that the leaked documents are “stolen information”. He goes on to demand that if a media organization has acquired them, that they be destroyed. His letter states:

“[Sony] does not consent to your possession, review, copying, dissemination, publication, uploading, downloading or making any use [of the information].” — David Boies

All of this comes days before the eighth leak of data from the Guardians of Peace, titled “GOP at Christmas, Part 2″, published earlier today (Note: yesterday’s disclosure was titled “Gift of Sony for the 7th Day – GOP at Christmas” making today’s release ‘Part 2′). Like previous leaks, the data has been made available via several bittorrent trackers, and uploaded to RapidGator and TurboBit, where it was subsequently removed. Given the pattern of the data being removed so rapidly from various file sharing sites, it is pretty clear that they are either monitoring for Sony-related data being uploaded, likely to avoid legal issues, or receiving take-down requests from Sony.

Today’s leak centers around the email spool of O’Dell Steven, Senior Vice President, International Distribution for Sony Pictures Releasing International. The leak comes with two short messages for Sony Pictures Entertainment and Sony’s staff further warning them about what is to come, if their demands are not met:

Message to SPE
The sooner SPE accept our demands, the better, of course.
The farther time goes by, the worse state SPE will be put into and we will have Sony go bankrupt in the end.

Message to SPE Staffers
We have a plan to release emails and privacy of the Sony Pictures employees.
If you don’t want your privacy to be released, tell us your name and business title to take off your data.

The attackers claim that Sony staffers can opt-out of the upcoming leaks, which may be a ploy to engage employees. It will be interesting to see if they follow through, or even if they actually monitor the email addresses provided.

A quick analysis of the leaked mail spool (spodell.ost) shows that it is 5.53GB uncompressed, and contains over 72,900 emails spread across 7 primary folders. A bulk of the emails (54,793) are in the ‘Sent’ folder going back to May 20, 2008, with 12,414 in the inbox, and 4,276 deleted. As with previous disclosures, the topic of piracy seems to be front-and-center, specifically related to cinemas responsible for allowing camcorders to record movies in India, Taiwan, Japan, Brazil, Australia, and others.

 

Cyber Insurance, Copyright, Parody (December 15)

Today brings us a wide variety of updates and perspective for the ongoing Sony breach and resulting fallout. In no particular order…

More journalists have acknowledged receiving the three-page missive instructing them not to publish details from the leaked data, as mentioned in yesterday’s update. Brian Krebs writes about his “cease and desist” letter in an article titled “In Damage Control Sony Targets Reporters”. Krebs cites an analysis by UCLA law professor Eugene Volokh who goes into detail on if Sony has a legal leg to stand on in pursuing journalists. TechDirt, who offers commentary, says that this is a bad move for Sony and points out the curious use of “stolen information” versus “Stolen Information” throughout the document. As for Krebs, like other journalists he plans to continue on and will not be deterred by the letter, saying:

While I have not been the most prolific writer about this incident to date, rest assured such threats will not deter this reporter from covering important news and facts related to the breach. — Brian Krebs

As more news of the fallout comes to light, the topic of data breach insurance (aka ‘cyber liability’ aka ‘cyber insurance’ aka other terms) has finally come up. Steve Ragan at CSO published a well-researched article to this effect, saying that leaked documents show Sony Pictures has “upwards of $60 million in cyber insurance coverage” and then questions if it is enough. Per the article, it goes on to say that after Sony Pictures was breached in 2011, the company “made a claim of $1.6 million in damages with Hiscox, their cyber insurance carrier at the time.” That damage figure was calculated after the disclosure of 37,000 people’s personal information, making the new breach potentially staggering when it comes to a monetary damage assessment.

CNN reports reports today that the leak also included an early version of the screenplay for the upcoming 24th James Bond movie titled “Spectre”. The producers of the film, Eon Productions have posted a statement on the official movie site, warning the masses that publishing the script violates copyright law. While this may seem to bleed into the last few days of legal threats, note that copyright law is more straight-forward and has considerable history behind it with regards to demanding takedowns. For example, in the late 90s, many web sites that were compiling lyrics to popular songs received takedown requests from music artists, producers, and media companies citing it violated copyright. Eon Production’s statement hinges on this very point:

The screenplay for SPECTRE is the confidential information of Metro-Goldwyn-Mayer Studios and Danjaq, LLC, and is protected by the laws of copyright in the United Kingdom and around the world. It may not (in whole or in part) be published, reproduced, disseminated or otherwise utilised by anyone who obtains a copy of it. — Eon Productions

With any breach of this magnitude, there are countless media outlets that cover the event in some fashion. Fortunately for the public, most of this coverage is relatively well done and offers a more classic news style, looking for a balanced narrative. Unfortunately, there are always some outliers that go way too far, offering commentary or analysis that is absurd and that we desperately wish were hyperbole. Today’s outlier comes from notorious DJ Howard Stern who likened the attack on Sony to 9/11. According to the NY Daily News, Stern recently quipped:

This attack is no different than a 9/11-type attack. They stole this material. It probably was North Korea. They want to f–k with Sony. They’re really pissed off. It’s outrageous. The president should have announced immediately we’re under attack… — Howard Stern

To this we can only state that such comparisons are an absolute insult to the victims of the 9/11 attacks, and ultimately only serve to hurt Sony as it further polarizes them in the public’s eye. Some are already speculating if this is a “PR car crash from which company may never recover”. Consider that we have seen less than 10 leaks including a small number of executive mail spools. If the Guardians of Peace truly have over 100 terrabytes of stolen information and plan to leak more every day until Christmas, there may be a wide variety of further damaging details to come. Finally, some have moved on to the unofficial sixth stage of grief (humor or parody) and are turning to comedy after shock and acceptance. One such remark was via a reddit ‘Showerthoughts’ post suggesting that “Sony should make a movie about the Sony hacks.” Well, someone else has delivered a parody trailer already. Perhaps the healing can really begin.

 

Lawsuits, Terror, War, and we hope Hyperbole (December 16)

It seems like each day the issues surrounding the Sony breach grow considerably, and it isn’t just from the leaked data. As more people begin to contemplate the breach, as Sony reacts to different aspects of it, and the logical fallout happen, a world of perspective emerges. Given the large number of issues surfacing, we will try to keep this as brief as possible. That said, this may be a substantial update. In no particular order…

First up, Steve Ragan reports at CSO that some of the leaked data may fall under Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations, which covers the security and/or disclosure of Protected Health Information (PHI). Per Wikipedia, citing Title 45 of the Code of Federal Regulations, PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. Ragan’s article goes on to quote from the letter Sony sent to affected employees and give more details about the data leaked (Full copy of the letter in PDF). Seth Rosenblatt at CNet writes about two former employees who are suing Sony over the breach of healthcare information. Based on a quick PACER search, the case was filed yesterday in the District Court for the Central District of California (Western Division – Los Angeles) and has been assigned case number 2:14-cv-09600-RGK-SH.

After more than a week of veiled threats from the attackers, Guardians of Peace, Sony has made its first move that appears to cater to their demands. According to NPR, Seth Rogan and James Franco have canceled several media appearances that were to promote their upcoming movie, “The Interview”. Despite this shift in media promotion, the movie still appears to be scheduled for release on December 25th. A second potential move, according to NY Daily News, is that Sony Pictures executive Amy Pascal may be fired to send a message. After her email was leaked by the GOP, a wide variety of embarrassing emails were published including racially charged content, insulting high-profile actors, and more.

Speculation has been flying over how long the GOP had acess to Sony’s networks. While the general consensus is “about a year”, Network World reports that it may have been in February. According to their article, Sony used SpiritWORLD as a central system for distributing their media, but admit the system may have been compromised and malware uploaded. The compromise resulted in personal information of 759 people being exposed, including name, address, and email address. The article goes on to say that Sony’s VP of legal compliance admitted to the hack, but recommended the individuals not be notified. It’s unclear at this time if the decision to forego notification is in keeping with Sony’s statutory obligation to do so.

Attribution in computer compromises is a surprisingly complex task that may ultimately never be definitive. While an attacker may appear to come from an IP address belonging to a certain country, you can’t simply assume the attacker originated there. Or that the country sponsored the attacks, even if it actually did. Savvy computer criminals will compromise multiple low-end machines and use them as bounce-points, diverting their traffic through them. An administrator or security professional looking at logs on the compromised system will only potentially see connections from that one IP address, not where the attacker actually came from originally. The early talk about North Korea was speculative at best, and appears to have been debunked since (see previous updates). Now, the blame shifts again, this time to China.

In what ultimately amounts to more speculation based on a few tenuous facts and an unnamed source, Deadline Hollywood is reporting that the attacker could be China. Their unnamed source tells them “Mandiant has investigated so many Chinese attacks. It’s kind of their forte.” True, but as several security professionals have commented in the past 24 hours, “because Mandiant is involved, it must be the Chinese? That’s a pretty big stretch.” While Mandiant is known for their investigations into alleged state-sponsored Chinese hacking teams, many wonder if they have become the proverbial hammer that only sees a nail. It should also be noted that while they have that reputation among some, Mandiant has investigated many hacking teams from other countries.

Despite that speculation, perhaps that is why we are now hearing more rhetoric regarding the breach, specifically suggesting that the attack on Sony is an “act of war”. Michael Kelly and Armin Rosen at Business Insider make their case that it should be, despite quoting the widely accepted Tallinn Manual on the International Law Applicable to Cyber Warfare which clearly states that the attack on Sony does not meet the criteria for an act of war. They go on to quote noted security expert Dave Aitel, an ex-NSA employee and current CEO of Immunity, Inc., who says:

“We need to change the way we think about cyberattacks. In many cases, these aren’t ‘crimes’ — they’re acts of war. A non-kinetic attack (i.e., destructive malware, destructive computer network attack) that causes just as much damage as a kinetic attack (i.e., a missile or bomb) should be viewed at the same level of urgency and need for US government/military response.” — Dave Aitel, Immunity Inc.

The first question this brings to mind is if malware “causes just as much damage as a [missile or bomb]”. For the average citizen, especially the majority not affected by this breach, they would likely argue against such claims. The second issue that comes to mind is that Aitel suggests there should be “firm diplomatic repercussions for these types of attacks.” Perhaps, but Aitel also believes North Korea is behind this according to the article, while the FBI says they are not involved. Given the list of possible suspects named so far, which includes North Korea, China, and an independent group of non-state hackers, such “diplomatic repercussions” could be a disaster unless we have definitive attribution of the attackers, which we may never get.

As an example to the attribution problem, Mario Greenly points out that the first computer to seed data in the latest leak is hosted in or around Taipei, Taiwan. Does this suggest the attacker is located there? Or does it mean the attacker picked a compromised computer there to host the data, in an effort to mislead investigators? Given that a single botnet, which is a group of compromised systems controlled by a person or group, can be as large as 450,000 systems, it isn’t a stretch that skilled attackers could pick and choose which systems to use to hide their tracks, or throw off those looking for them. The most important part of the process at this point is to try to obtain positive attribution. Then, Sony can determine what legal remedies are available to them, or if this becomes a bigger issue that requires Government response.

Almost as if prompted, the notion that this is an act of war was further bolstered after the ninth leak released today, which included a message that hints at terror attacks. The GOP posted the following to Pastebin today which suggested there may be real-world terror attacks at theaters showing “The Interview” on Christmas day, likening the attacks to those on September 11, 2001:

[..]
We will clearly show it to you at the very time and places “The Interview” be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to.
Soon all the world will see what an awful movie Sony Pictures Entertainment has made.
The world will be full of fear.
Remember the 11th of September 2001.
We recommend you to keep yourself distant from the places at that time.
(If your house is nearby, you’d better leave.)
[..]

Damon Beres at the Huffington Post writes about this statement and cites an unnamed Department of Homeland Security official who confirmed they are aware of the threat, but emphasized “there is no credible intelligence to indicate an active plot against movie theaters within the United States.

And finally, that brings us to the ninth leak posted today, titled “1st Christmas Gift, Michael Lynton”. As the name suggests, this disclosure includes two files, both email spools (mLynton.ost is 864MB and mLynton1.ost is 1GB) for Michael Lynton, Chairman and CEO of Sony Pictures Entertainment. The mails range between November 8, 2013 and November 22, 2014. Some of the folder names and mail count between both files:

  • Inbox: 12,482
  • Contacts: 7,085
  • Calendar: 5,433
  • Deleted: 6,966
  • Lost & Found: 12,629
  • Drafts: 77

It should be noted that these spools are almost half the size of previous leaked email spools, and neither file contains a ‘Sent’ folder. Oh, one last thing… are the GOP on Twitter? We remain skeptical for now.

 

Leaks, Blame Game Redux, and Caving In (December 17)

Today’s round-up of post-breach fallout is diverse. Points of interest:

As expected, many more details have emerged from the leaked mail spools. One little bit that stood out as interesting takes us back to 2013 when a story broke about Facebook offering as much as $3 billion to acquire start-up SnapChat. According to BusinessInsider, it turns out that several mails were exchanged between SnapChat CEO Evan Spiegel, SnapChat board members, and Sony. Now that those mails are public, it offers more insight into what is still considered to be one of the craziest IT acquisition deal rejections in history.

The second interesting thing to come from the leak are the Motion Picture Associate of America’s (MPAA) apparent plans to try to negatively impact the Internet by attacking DNS servers. According to The Verge, the tactic was first proposed as part of the now defunct Stop Online Piracy Act (SOPA), but the MPAA is still looking for legal justification to take this route in efforts to curb online piracy.

So far, we’ve heard theories that North Korea, China, and a group of non-state actors were involved in the breach. The latest theory comes from the Hollywood Reporter, in which they outline an interesting coincidence. One of the emails allegedly sent from the Guardians of Peace came from an account configured with a ‘real name’ of “Nicole Basile”. That name is the same as an accountant who worked for Sony in 2011, according to LinkedIn, and a payroll accountant on at least one Sony production. Of the various mails received by RBS claiming to be from GOP, that name does not appear in any of them. Of all the names we received, none appear to match current or past Sony Pictures employees. As it is, this is a pretty tenuous link given the email spools leaked contain email received in November, 2014, two or more years after Basile worked there.

In addition to the series of compromises in 2011, more information has emerged regarding a compromise of the Sony corporate network in 2013 according to Bloomberg. While details are sparse, the attackers were never identified but allegedly stole “gigabytes of data” several times every week for a period of time.

The biggest news today centers around the decision of several theatre chains canceling the movie premier of ‘The Interview’. According to CNN, AMC Entertainment, Regal (RGC), Cinemark (CNK), Carmike Cinemas (CKEC), Bow Tie Cinemas and Southern all dropped the movie that was to open on December 25th. This prompted Sony to officially cancel both the New York premiere and the general the release as well, according to a Sony statement posted by Mark Day. In the statement, Sony refers to the attack against their network as “unprecedented” even though there is clearly precedent for such large scale intrusions. Roger Grimes at InfoWorld also makes this point in an article, speaking from his own experience performing computer security reviews after attacks.

The cancellation of a major studio picture is unexpected, and potentially sets the wrong precedent. As Steve Ragan writes, this basically shows that any group of attackers can make a veiled threat against a studio and theaters, and potentially cancel or disrupt the release of a movie. While many people think it is overly cautious, they also have to admit that theater patron safety would have to come first if they were making the decision. On the other hand, many people took to Twitter calling out theater chains and Sony as “nutless weasels”, asking if all releases would be run past North Korea, and saying that their decision “appeases terrorists”. Producer Judd Apatow was also vocal, saying the choice was “disgraceful” among other things.

 

Attribution is Hard, the Guessing Game, and Perspective (December 18)

We have brought up the issue of “who is to blame” in the Sony hack several times. Original reports indicated North Korea was likely behind it. Then we heard no, they were not. Some speculated China was involved, simply because Mandiant was called in by Sony. Others suggest this is a group of individuals, with no state-sponsorship, using the political climate to throw off would-be investigators. Now? We’re back to the beginning, with North Korea being named as ‘definitely’ involved. There’s only one problem at this point…

Yesterday afternoon, news outlets all over started reporting that the U.S. is blaming North Korea for the attacks on Sony. These accusations are all based on what appears to be a wide variety of unnamed “officials” with no indication that they are in a position to know anything about the breach. The New York Times article, which appears to be a central source of the accusations, says “administration officials” among other terms, but again do not qualify why said officials would have any specific knowledge of the investigation. That article has been dissected to a degree showing how the firm title accusing North Korea buckles under subsequent observations and quotes. Ultimately, we have a named FBI official in a position to have knowledge of the investigation on record saying it was not North Korea, and we have an unknown amount of unknown officials that may or may not have knowledge of the investigation. Yet, the prevailing thought based on watching social media is that most people believe North Korea was behind it.

According to the Washington Post, who spoke with an “intelligence official” who was “briefed on the investigation”, they are almost certain hackers working for North Korea were behind the attack. To counter this, we have pieces from Kim Zetter at Wired and security professional Marc Rogers who make a case that North Korea is likely not involved. One point that can’t be said enough is that “attribution is hard” given the nature of computer intrusions and how hard it is to ultimately trace an attack back to a given individual or group. Past attacks on Sony have not been solved, even years later. The idea that a mere two weeks into the investigation and there is positive attribution, enough to call this an act of war, seems dangerous and questionable.

Intelligence officials believe with “99 percent certainty” that hackers working for the North Korean government carried out the attack, said one individual who was briefed on the investigation and spoke on the condition of anonymity. — Washington Post

At this point, it certainly could be North Korea. Or China. Or a group of people with no political affiliation, laughing at their tricks that have thrown the rest of society for a loop. As we have said before, it would be best if we reserve judgement until there is a documented forensic trail that truly establishes some level of attribution with certainty. At that point, Sony Pictures and the U.S. government can determine the best way forward. As Jason Koebler at Vice writes, “Reaction to the Sony Hack Is ‘Beyond the Realm of Stupid’” and has a wide variety of points that put the events in perspective.

Following up on the “fallout” angle, it appears that this attack has resulted in the cancellation of two movies. The first movie canceled, ‘The Interview’ has been extensively covered in the media and is accompanied by diverse commentary saying it was the right thing to do or it was caving in to terrorist demands. According to The Wrap, the second movie cancelled, not even in full production, is titled “Pyongyang” and was to star Steve Carell. Produced by company New Regency and directed by Gore Verbinski, the story is based on a graphic novel and follows a Westerner that is accused of espionage in North Korea. According to the Internet Movie Database (IMDB), it was also to be a comedy.

While the technical investigation into the breach is carried out, Tech Crunch reports that Sony is being forced to embrace legacy technology such as faxes and face-to-face meetings. Given that the compromise appears to be extensive, companies cannot assume that the attackers have stopped accessing the network. To err on the side of caution, they must assume that just about every device on their network is compromised.

Finally, in the wake of the North Korea guessing game, we’d like to offer a few points of perspective. When the Guardians of Peace (GOP) called for the cancellation of ‘The Interview’, no one thought it would work. Yet it did. Since the demands of the GOP centered around that and the demands have now been met, Jake Kouns asks if that means the leaks are over? Cyber War News reminds us that one hack led to one movie being cancelled and the world cares deeply. Yet every day, hundreds of companies are hacked leading to tens of thousands of credentials being leaked. Despite that, no one cares. It is interesting how a large media company can have such influence outside the scope of their usual means of influence (i.e. movies). Despite the veiled threats from the GOP suggesting December 25 may see “9/11 type attacks”, President Obama is saying there is no credible threat and encouraging Americans to go to the movies according to CNN. Finally, Mitt Romney chimes in with this great idea:

.@SonyPictures don’t cave, fight: release @TheInterview free online globally. Ask viewers for voluntary $5 contribution to fight #Ebola.

Unfortunately for Romney and those supporting his idea, a CNN email flash arrived shortly after the Tweet saying “Sony Pictures has no further release plans for ‘The Interview,’ a company spokesperson tells CNN’s Brian Stelter, discouraging speculation that it might release the movie digitally.”

RBS will update this timeline with more information as it becomes available.