DaemonForums  

5th December 2014
jjstorm, Package Pilot (Join Date: Nov 2014; Location: Buenos Aires, AR; Posts: 144)

Sony Pictures system compromise

From http://www.wired.com/2014/12/sony-hack-what-we-know/ :

Quote:
How Did the Hack Occur?

This is still unclear. Most hacks like this begin with a phishing attack, which involves sending emails to employees to get them to click on malicious attachments or visit web sites where malware is surreptitiously downloaded to their machines. Hackers also get into systems through vulnerabilities in a company’s web site that can give them access to backend databases. Once on an infected system in a company’s network, hackers can map the network and steal administrator passwords to gain access to other protected systems on the network and hunt down sensitive data to steal.

What Was Stolen?

The hackers claim to have stolen a huge trove of sensitive data from Sony, possibly as large as 100 terabytes of data, which they are slowly releasing in batches. Judging from data the hackers have leaked online so far this includes, in addition to usernames, passwords and sensitive information about its network architecture, a host of documents exposing personal information about employees. The leaked documents include a list of employee salaries and bonuses; Social Security numbers and birth dates; HR employee performance reviews, criminal background checks and termination records; correspondence about employee medical conditions; passport and visa information for Hollywood stars and crew who worked on Sony films; and internal email spools.

Wow, this was a massive, massive devastating attack against Sony! This is one of the worst break-ins that I can recall.

Would this have to have been a government agency because of the level of sophistication?

Does this show a high level of incompetence, not only on the part of administrators, but also, on the part of employees for maybe clicking on an email link?

Last edited by J65nko; 6th December 2014 at 12:20 AM.

6th December 2014
ocicat, Administrator (Join Date: Apr 2008; Posts: 3,319)

Quote:
Originally Posted by jjstorm
Would this have to have been a government agency because of the level of sophistication?

Does this show a high level of incompetence, not only on the part of administrators, but also, on the part of employees for maybe clicking on an email link?
There simply isn't enough information (yet) to draw such conclusions. Depending upon how Sony chooses to handle the matter, we may never know.

Corporations typically craft all public pronouncements to minimize any possible backlash -- especially where their profits are concerned. Any information made public following extraordinary events should be read with a great degree of skepticism.

6th December 2014
jjstorm, Package Pilot (Join Date: Nov 2014; Location: Buenos Aires, AR; Posts: 144)

Quote:
Originally Posted by ocicat
There simply isn't enough information (yet) to draw such conclusions. Depending upon how Sony chooses to handle the matter, we may never know.

Corporations typically craft all public pronouncements to minimize any possible backlash -- especially where their profits are concerned. Any information made public following extraordinary events should be read with a great degree of skepticism.

Well, in this case, they may not have any choice because of the level of the penetration. 4 movies that are not even in the theater yet were stolen, employee records, and a structure tree for all of their networks throughout the world and how to access them.

6th December 2014
sacerdos_daemonis, Spam Deminer (Real Name: Will forever be a secret.; Join Date: Sep 2014; Posts: 283)

Without reading the article and only reading the quote, my opinion is that it is not a government agency. Why?
Quote:
a host of documents exposing personal information about employees. The leaked documents include a list of employee salaries and bonuses; Social Security numbers and birth dates; HR employee performance reviews, criminal background checks and termination records; correspondence about employee medical conditions; passport and visa information for Hollywood stars and crew
Tax registry identification numbers, passport information and employee background checks/medical records can be very useful for criminals in the field of identity theft. That information can be used to make money for criminals and ruin the lives of those who have their identities stolen. Also, the level of penetration leads me to wonder if the perpetrator(s) is or was a disgruntled employee.

6th December 2014
ocicat, Administrator (Join Date: Apr 2008; Posts: 3,319)

Quote:
Originally Posted by jjstorm
Well, in this case, they may not have any choice because of the level of the penetration.
As a private corporation, Sony is not going to air all dirty laundry that exists. While the FBI may now be involved, what information is made public is still going to be filtered. Maybe in time more of the truth might become available, but anything said now has to be considered suspect.

Using the language of "they may not have any choice" also has to be scrutinized as the tone is heavy-handed. Internally, Sony needs to address the problems, & this is up to their board of directors & the management structure in place. How much they, as a private entity, choose to reveal to the government is their choice.

From the government's perspective, their goal is to ascertain who perpetrated the theft, & determine if a larger threat exists. Crucifying Sony for poor practices or lapses in judgement on the part of one or many is not going to take any identity theft back. Maybe fines will be made, but that is far beyond the focus of this website.

So, don't think that there is a single truth, & what truth may ultimately come out will most likely not be revealed on day zero. This isn't simply a technological issue. Lots of money & politics (both internal & external) are just as prominent.

I am bowing out of further discussion on this matter. It doesn't have anything to do with the *BSD family. Maybe something will be revealed later on, but not today. Further commenting now is premature & merely speculation.

Last edited by ocicat; 6th December 2014 at 01:05 AM.

6th December 2014
J65nko, Administrator (Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,131)

I think Kim Dotcom of Megaupload is behind it. Kim is a Korean name, isn't it?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

6th December 2014
Martillo, Semper deinceps corda (Join Date: Apr 2013; Location: Madrid, Spain; Posts: 79)

Quote:
Originally Posted by J65nko
I think Kim Dotcom of Megaupload is behind it. Kim is a Korean name, isn't it?
Maybe another Korean like Kim Kardashian broke the Internet at last

7th December 2014
jjstorm, Package Pilot (Join Date: Nov 2014; Location: Buenos Aires, AR; Posts: 144)

Quote:
Originally Posted by ocicat
I am bowing out of further discussion on this matter. It doesn't have anything to do with the *BSD family. Maybe something will be revealed later on, but not today. Further commenting now is premature & merely speculation.
Maybe if they had been using OpenBSD, this would not have occurred.

All kidding aside,

This is probably the first break-in that has left me scratching my head. I really hope they catch those responsible.

7th December 2014
jggimi, More noise than signal (Join Date: May 2008; Location: USA; Posts: 7,983)


It has been widely reported that the security practices in use by the company were far from "best". If accurate, those practices may have contributed to the attack by providing open vectors, or contributed to the extent of the damage from the attack. At this point it is still unclear exactly how the attack proceeded, and the public may never obtain a clear picture.

Just from one press report discussing Sony's security practices:
Quote:
Many of the documents containing personal and corporate information were not encrypted in any way...Although some files were password-protected, most were accompanied by a folder containing the passwords...Although it is not known how the attackers accessed the Sony data, it is likely they used stolen credentials or credentials provided by insiders, which would have been useless had the company used two-factor authentication....folders for salary, health and other personal data were stored in the same directories as other data.

8th December 2014
jjstorm, Package Pilot (Join Date: Nov 2014; Location: Buenos Aires, AR; Posts: 144)

Quote:
Originally Posted by jggimi
It has been widely reported that the security practices in use by the company were far from "best". If accurate, those practices may have contributed to the attack by providing open vectors, or contributed to the extent of the damage from the attack. At this point it is still unclear exactly how the attack proceeded, and the public may never obtain a clear picture.

Just from one press report discussing Sony's security practices:

Based on the article it appears that a lot of blunders were committed by Sony. Although the FBI states in their memo that if you are using Windows Server you are vulnerable, it is beginning to look like an inside job. Very interesting reading.

8th December 2014
rocket357, Wannabe OpenBSD porter (Real Name: Jonathon; Join Date: Jun 2010; Location: 127.0.0.1; Posts: 429)

Quote:
Originally Posted by J65nko
I think Kim Dotcom of Megaupload is behind it. Kim is a Korean name, isn't it?
Whatever motivation could Kim Dotcom have to hack Sony?

Quote:
Originally Posted by jjstorm
Maybe if they had been using OpenBSD, this would not have occurred.

All kidding aside...
Given what jggimi has pointed out about their security practices, I don't think OpenBSD would have helped.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

8th December 2014
jggimi, More noise than signal (Join Date: May 2008; Location: USA; Posts: 7,983)


There was an internal memo from Mandiant's CEO to Sony's, that Sony circulated, which has been discussed in the press today. To quote Time:
Quote:
“The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat,” said Mandia in the note to Lynton. It went on to say that “neither SPE nor other companies could have been fully prepared” for the attack, which leaked employees’ salaries, social security numbers and other data, as well as unreleased films.
Since industry-standard virus detection has been mentioned, I might assume that the attack vector was via Windows platforms, which are common targets of phishing campaigns such as was used as an initial vector against RSA several years ago. But that is just a guess on my part.

What we learned from the RSA debacle was to assume compromise could occur on any platform that is not carefully gapped from a computing network. Therefore we deploy tiered infrastructures to manage data paths and we employ multi-factor authentication for all our workstations, not just those using remote access.

We've also learned since that gap protocols must be revised as knowledge is gained. The advent of "BadUSB" firmware attacks requires us to mitigate or eliminate USB attachments on gapped platforms.

If what has been reported about Sony's practices is true -- and the primary source has been the attackers themselves -- the company had none of these things in place. If true -- and I'll repeat this is conjecture -- whatever firewalls they had in place were therefore focused on keeping out the unauthenticated only.

We learned from RSA not to trust our own workstations. Users, sure. Their platforms, no.

---

What can we learn from RSA and Sony?

Let's have a show of hands:

How many *nix admins have configured their /etc/sudoers file so that they don't get prompted for their password? And of this group with its hands raised, how many have ever installed any software without inspecting every line of source code, first?

I thought so. You can lower your hands, and then run visudo(8) and change your administrative practices for the better. Right now.

Last edited by jggimi; 8th December 2014 at 06:34 PM. Reason: typo
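A check for the sudoers practice jggimi calls out, as an added example that is not part of the original thread: a small POSIX sh/awk audit that flags the NOPASSWD tag and `Defaults !authenticate` lines in sudoers(5) files (those two are the bypasses it assumes matter), handling comments and backslash-continued rules. The sample sudoers file is constructed for the demo, not taken from any real system.

```shell
#!/bin/sh
# Added example: list sudoers(5) rules that let a user run commands without a
# password prompt. Reports the NOPASSWD tag and "Defaults ... !authenticate".
# Usage: audit_sudoers /etc/sudoers /etc/sudoers.d/*
# Output: "<file>:<line>: <reason>: <rule>" (for continued rules, the last line).

audit_sudoers() {
    awk '
        # Glue backslash-continued lines back into one logical rule.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
        {
            rule = buf $0; buf = ""
            # Whole-line comments: "#" unless it is #include/#includedir or a #UID.
            if (rule ~ /^[ \t]*#/ && rule !~ /^[ \t]*#(include|[0-9])/) next
            if (rule ~ /^[ \t]*$/) next
            if (rule ~ /NOPASSWD[ \t]*:/)
                printf "%s:%d: NOPASSWD tag: %s\n", FILENAME, FNR, rule
            else if (rule ~ /^[ \t]*Defaults.*![ \t]*authenticate/)
                printf "%s:%d: password check disabled: %s\n", FILENAME, FNR, rule
        }
    ' "$@"
}

# Number of findings across the given files; handy for a cron job exit status.
count_password_bypasses() {
    audit_sudoers "$@" | wc -l | tr -d ' '
}

# Self-contained demo on a constructed sudoers file (not from any real host).
# Expected findings: the !authenticate default, the %ops rule, and the
# two-line backup rule, whose NOPASSWD part hides on the first physical line.
demo_sudoers_audit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample sudoers
Defaults    env_reset
Defaults:deploy !authenticate
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
%ops        ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync, \
                PASSWD: /bin/sh
# alice ALL=(ALL) NOPASSWD: ALL   (commented out, must not be flagged)
#1000       ALL=(ALL) ALL
EOF
    count_password_bypasses "$tmp"
    rm -f "$tmp"
}
```

Run `audit_sudoers /etc/sudoers /etc/sudoers.d/*` as root on a real host; any output is a rule to revisit in visudo(8).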

9th December 2014
roddierod, VPN Cryptographer (Real Name: Rod Person; Join Date: Apr 2008; Location: Pittsburgh, Pa; Posts: 437)


I'm no security expert or network engineering guru...but why are servers with employee information, future movies or any sensitive information connected to publicly accessible networks? Why would such things not be on their own network, not accessible via the internet? That would seem like step one to me.
__________________
"The basic tool for the manipulation of reality is the manipulation of words. If you can control the meaning of words, you can control the people who must use the words." -Philip K. Dick

9th December 2014
jggimi, More noise than signal (Join Date: May 2008; Location: USA; Posts: 7,983)


What is known about the RSA attack was that it began with targeted phishing, against users in the company's HR department. Several workstations were compromised. From there, the attackers used the workstations as entry-points into other systems, using the workstations as starting points for their next attacks ... on servers behind the firewalls.

We know very little about Sony's network infrastructure, but my assumption, based on the circulated Email yesterday, is that one or more Windows workstations were compromised using one or more "zero day" attacks that would have circumvented their antivirus software tools, if any were deployed. From there, acting as the workstation's authenticated users, the attackers proceeded to other systems, assuming of course that the data that was stolen resided on other systems, rather than on the compromised workstations. Not enough is known.

As mentioned above, two-factor authentication might have protected the servers from the "authenticated" user workstations. Separate tiers for databases, application servers, and users might have slowed or limited the damage from the attack. (An example of an internal control -- which could be by firewall management of network tiers -- would be to only permit access to a database server from its application servers, and not directly from any user workstations.)

But all of this is conjecture.

Last edited by jggimi; 9th December 2014 at 01:18 PM. Reason: typo, clarity

9th December 2014
Carpetsmoker, Tcpdump Spy (Real Name: Martin; Join Date: Apr 2008; Location: Netherlands; Posts: 2,243)


The scenario that jggimi describes is also similar to the 2011 DigiNotar compromise. From this page:

Quote:
DigiNotar had its network highly segmented and had a number of those segments separated from the public Internet. However, the company did not have strict enforcement of the rules on its network, something that may have enabled the attacker to move from the Web server he initially compromised over to the servers that house the certificate authorities.
[...]
used to create tunnels that allowed the intruder to make an Internet connection to DigiNotar’s systems that were not directly connected to the Internet. The intruder was able to tunnel Remote Desktop Protocol connections in this way, which provided a graphical user interface on the compromised systems, including the compromised CA servers.”
Which is the same root problem (trusting machines inside your network).

Oh, and Wikipedia also mentions:

Quote:
In a VASCO press release dated June 20, 2011, one day after DigiNotar first detected an incident on their systems VASCO's president and COO Jan Valcke is quoted as stating "We believe that DigiNotar's certificates are among the most reliable in the field."
... which shows how far you can trust these sorts of companies with your security (RSA's handling of the breach was also far from optimal, to put it mildly).


A personal anecdote from a few weeks ago:

I had some people sleeping over because they were attending a conference in my city; at some point we wanted to play some music on someone else's laptop, and I realised that *anyone* on my WiFi or ethernet can access all data on my NFS shares, where I keep all of my data (music, tax files, lots more). Yikes! I promptly switched to samba.
While I am not completely naive in these matters, this had simply never crossed my mind before; I've been using NFS like this for close to 15 years (back then I *was* naive about these things), and simply never gave it a second thought since, as this was "how I had always been doing things"...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
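Carpetsmoker's NFS problem above, as an added example that is not from the original post: a sh/awk audit for the BSD mountd exports(5) format that lists exports carrying neither an explicit host list nor a -network restriction, i.e. shares every host on the LAN can mount. The sample /etc/exports is constructed, and the option handling assumes the `-option=value` spelling.

```shell
#!/bin/sh
# Added example: find NFS exports that are open to every host on the network.
# Assumes the BSD mountd exports(5) layout: one or more directories, then
# -options, then hostnames/@netgroups or -network=...; a line with neither a
# host nor -network is exported to the world (exactly the NFS setup described).
# Usage: open_exports /etc/exports

open_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        {
            restricted = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\//)              continue       # an exported directory
                if ($i ~ /^-network/)        restricted = 1 # subnet restriction
                else if ($i ~ /^-/)          continue       # -ro, -maproot=, -alldirs, ...
                else                         restricted = 1 # hostname, address or @netgroup
            }
            if (!restricted)
                printf "%s:%d: exported to every host: %s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# Number of world-mountable export lines across the given files.
count_open_exports() {
    open_exports "$@" | wc -l | tr -d ' '
}

# Self-contained demo on a constructed exports file (not from any real host).
# Only /export/music (options but no hosts) and /export/photos (nothing at all)
# should be reported; the other three name hosts, a netgroup or a network.
demo_exports_audit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample /etc/exports
/export/music  -ro
/export/tax    -maproot=root 192.168.1.10 192.168.1.11
/export/backup -alldirs -network=192.168.1.0/24
/export/shared -ro @staff
/export/photos
EOF
    count_open_exports "$tmp"
    rm -f "$tmp"
}
```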

9th December 2014
jggimi, More noise than signal (Join Date: May 2008; Location: USA; Posts: 7,983)


On my internal networks, NFS access is protected by IPSec. The VPN is a separate, logical subnet -- a tier -- and access is controlled by keys (X.509 certificates).

Last edited by jggimi; 9th December 2014 at 02:21 PM. Reason: clarity

9th December 2014
jggimi, More noise than signal (Join Date: May 2008; Location: USA; Posts: 7,983)


It appears there is now some corroboration that the Sony business unit which came under attack was not using industry best practices for their IT security. From Reuters:
Quote:
FBI representatives plan to meet with Sony employees on Wednesday to provide them training in cybersecurity practices, [FBI spokesman Joshua] Campbell said.

Last edited by jggimi; 9th December 2014 at 05:37 PM. Reason: clarity

11th December 2014
jggimi, More noise than signal (Join Date: May 2008; Location: USA; Posts: 7,983)


Bruce Schneier weighs in on his blog. His view is focused on the social damage, rather than the technical.

11th December 2014
fn8t, Shell Scout (Real Name: Ego; Join Date: May 2014; Location: Tao; Posts: 120)


Whenever I hear about this sorta thing, it reminds me of some cracker manifesto I read in the 90's. It was a boastful article that I didn't (and still don't) feel had anything more than spitefulness in it. The overall countenance of the writer(s) held quite a bit of knowledge inside the large range of topics outlined. A lot of heat was directed at coding standards that were abandoned during the Microsoft rise to fame (especially during Win98 development). There was also some rambling about Unicode I can't pin a direct memory on, and at the time I didn't really have the technical knowledge to completely absorb the content anyway. The memory marker for me was presenting the read to fellows of greater experience than myself (some of them family) and noticing the shock and scare exercised by these men, even though they determined the writing to be full of hot air. The gist of the article claimed that as long as the new standards were followed, those within the know would always have unapproved access to systems "securely" designed under the direction and expansion of these new standards. The climax was that these things were right in line with the large scale push for the "super highway".

It was among many other similar types of conspiracy-like raving available at that time. We have an extremely vast availability of gloomy manifestos with today's networking. That old article had a greater capacity to become memorable due to my age and the age of the world at the time. Its only gifted nature was the creative use of predicting the inevitability of future security struggles. Today an article like that wouldn't mean much to me, if it actually received my attention. Still, I can't help but walk down memory lane every time its fiction-like genius has an opportunity to rise.

12th December 2014
jggimi, More noise than signal (Join Date: May 2008; Location: USA; Posts: 7,983)


Fingers are starting to point. The most considered of these that I have seen is by James A. Lewis, Senior Fellow at CSIS. He wrote (in part, see the full article for complete context):
Quote:
This sequence of events is by no means conclusive, but it is suggestive. Looking at it, there are three possible explanations:
  1. This was an act of retribution by the North Korean government similar to previous acts of retribution against South Korean media outlets. The action against Sony is consistent with previous North Korean cyber “attacks.”
  2. Activist South Korean programmers enamored of Kim Jong Un were responsible.
  3. Activists outside Korea were responsible, learning enough Korean to confuse matters.
The quote is from Dr. Lewis' article published today by 38north.org, a project of the School of Advanced International Studies, Johns Hopkins University.