Sony hacked in February, knew about security flaws before data leak

As Sony leaks keep pouring in, it serves as a vivid reminder that even a company's internal emails should include only what you want your mother to hear aloud in court, or your clients to read on the Internet.

Sony make believe security

The Sony hack is a cross between a disastrous train wreck that you can’t turn away from and tabloid magazines – you know, the ones around checkout lanes that claim things like “aliens ate my baby.” But in this case, the tabloid headlines in mainstream media are grabbed from real internal emails.

It may be normal to be anxious about what you might say to the President of the United States and to discuss it with colleagues; Sony Pictures Entertainment co-chairman Amy Pascal and producer Scott Rudin no doubt thought their email exchange was private. Yet the racially charged emails mocking President Obama, joking about which black-themed films the President might like, have resulted in the two issuing public apologies.

Other emails between Pascal and Rudin revealed what they really think of some celebrities; one described Angelina Jolie as a 'minimally talented spoiled brat.' Others discussed salaries, medical conditions, and even names that celebrities use as aliases to protect their privacy when checking into hotels. Due to the dirt made public, a “source” told NY Daily News that Pascal “will likely be fired.”

Although the FBI said the malware used on Sony would likely have gotten past 90% of cybersecurity defenses, other leaked data shows that Sony executives knew about the shoddy state of Sony’s security two months before the leaks started. Joseph Demarest, assistant director of the FBI’s Cyber Division, told members of the Senate Banking, Housing and Urban Affairs Committee, “The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government.”

Hack reveals Sony’s horrible security practices

Sony stored thousands of passwords in a file named Password; there were Excel spreadsheets, Word documents, PDFs and zip files listing the usernames and passwords to hundreds of social media and web service accounts as well as passwords for Sony Pictures’ internal computers.

Sony used SpiritWORLD as its central system for distributing media. In February 2014, Sony’s VP of legal compliance admitted that the “system may have been obtained by an unauthorized party, who then may have uploaded malware.” After the SPE server was hacked and attackers made off with Brazilian corporate files via SpiritWORLD, Sony decided to keep quiet and not warn the 759 people whose names, addresses and email addresses had been compromised. The legal compliance VP advised:

I recommend against providing any notification to individuals given a) the lack of a notification requirement; b) the limited data fields involved; and c) the fact that notifying would not likely have much effect in terms of mitigating potential damages.

Then there’s the Sony IT assessment from hell that leaked. The report, dated September 25, 2014, detailed past security protocol for dealing with “security incidents,” such as when Sony was hacked in February but didn’t tell, as well as the current state of Sony’s IT management.

In 2013, Sony put its Global Security Incident Response Team (GSIRT) “in charge of overseeing core responsibilities and general monitoring for the company's various subsidiaries, including Sony Pictures. While GSIRT would monitor security overall, the third-party team that SPE had been using was still responsible for implementing various security measures (firewalls, intrusion prevention systems, etc.)” The report, according to Gizmodo, explained that “after GSIRT took over monitoring duties, 1 out of 42 of SPE's firewalls and 148 non-security devices (e.g. routers and servers) went totally unmonitored because SPE's third-party security vendor never explicitly told its new overseer to do so.”

Put another way, although GSIRT did escalate 195 security incidents from September 2013 to June 2014, before August, “the GSIRT team was failing to monitor 149 out of a final total of 869 systems they wished to monitor. That meant they were blind to 17% of their environment.” The report pointed out that “security incidents impacting these network or infrastructure devices may not be detected” or resolved in a timely manner.

In addition, procedures have not been developed to reconcile the population of security devices that are being monitored by GSIRT to the actual SPE security devices that should be monitored to validate accuracy and completeness. As a result, additions, changes and deletions not communicated by SPE to GSIRT may not be detected, and critical security devices may not be monitored.
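The control the report says was missing is a routine reconciliation of the asset inventory against the devices the monitoring team is actually receiving logs from. As an added example (not code from the leaked report, from GSIRT or from Sony), the Python below does that reconciliation over constructed sample data: the inventory, the syslog-style lines and the hostnames are assumptions, and the `critical` tag is a hypothetical field standing in for "security device." It flags three gap types the report describes: inventoried devices that never send logs, devices that have gone silent, and devices sending logs that nobody told the SOC about.

```python
"""Reconcile the asset inventory against what the SOC actually receives logs from.

Added example, not from the leaked report or Sony's tooling. Inventory rows,
hostnames and log lines below are constructed sample data.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: what the monitoring team *should* be watching.
# 'critical' is an assumed tag marking security devices (firewalls, IPS).
INVENTORY = {
    "fw-edge-01": {"type": "firewall", "critical": True},
    "fw-edge-02": {"type": "firewall", "critical": True},
    "ips-dmz-01": {"type": "ips", "critical": True},
    "rtr-core-01": {"type": "router", "critical": False},
    "srv-file-01": {"type": "server", "critical": False},
    "srv-mail-01": {"type": "server", "critical": False},
}

# Constructed syslog-style lines, as a SIEM collector would see them.
# Note: fw-edge-02 and rtr-core-01 never appear, srv-file-01 is two days
# old, and srv-web-07 is not in the inventory at all.
SAMPLE_LOGS = """\
2014-09-25T08:00:01Z fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.9
2014-09-25T08:00:05Z ips-dmz-01 snort: [1:2000:1] sample alert
2014-09-25T08:01:10Z srv-mail-01 postfix/smtpd: connect from unknown
2014-09-23T02:00:00Z srv-file-01 smbd: session closed
2014-09-25T08:02:00Z srv-web-07 nginx: 200 GET /
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s")


def parse_last_seen(log_text):
    """Return {hostname: latest UTC timestamp seen} from syslog-style lines."""
    last_seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        host = m.group(2)
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return last_seen


def reconcile(inventory, last_seen, now, max_silence=timedelta(hours=24)):
    """Compare the inventory with observed log sources.

    Returns a dict with:
      silent        - inventoried hosts with no logs at all (never onboarded)
      stale         - inventoried hosts whose last log is older than max_silence
      unknown       - hosts sending logs that are not in the inventory
      coverage      - fraction of the inventory with fresh logs
      critical_gaps - silent or stale hosts tagged critical
    """
    silent = sorted(h for h in inventory if h not in last_seen)
    stale = sorted(h for h, ts in last_seen.items()
                   if h in inventory and now - ts > max_silence)
    unknown = sorted(h for h in last_seen if h not in inventory)
    gaps = set(silent) | set(stale)
    covered = len(inventory) - len(gaps)
    return {
        "silent": silent,
        "stale": stale,
        "unknown": unknown,
        "coverage": covered / len(inventory) if inventory else 0.0,
        "critical_gaps": sorted(h for h in gaps if inventory[h]["critical"]),
    }


def run_report(now=datetime(2014, 9, 25, 9, 0, tzinfo=timezone.utc)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INVENTORY, parse_last_seen(SAMPLE_LOGS), now)


if __name__ == "__main__":
    report = run_report()
    print(f"coverage: {report['coverage']:.0%}")
    for key in ("silent", "stale", "unknown", "critical_gaps"):
        print(f"{key}: {', '.join(report[key]) or '-'}")
```

On the sample data the coverage comes out at 50%, with one critical device (a firewall) among the gaps, which is exactly the kind of finding the report says could not be produced because no reconciliation procedure existed. In practice the inventory would be pulled from the CMDB and the `last_seen` table from the SIEM's source-health view, and the job would run daily so that an uncommunicated addition or removal surfaces as an `unknown` or `silent` entry the next morning rather than after an incident.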

The report also said that GSIRT decided not to send over monitoring reports that SPE IT had previously been receiving.

The reports provided by the prior security monitoring providers included security threat trending (e.g., common threats across SPE), log monitoring statistics (e.g., total events for a given month and how they are addressed), top attack categories for a given month, top sources of attacks by country, security devices providing the most alerts, top devices contributing to event correlation, the number of events triggered by more than one source (correlated events) and a summary of what SPE could do to reduce specific attacks.

The Sony leaks are not a small drip, but a faucet pouring filth for the whole world to see; the total train wreck may change how Hollywood does business, sending text messages and email exchanges “underground” in the form of more face-to-face communications.

The GOP (Guardians of Peace) hackers are not done leaking Sony’s dirt either; when releasing the seventh cache of files, GOP promised a “Christmas gift” that would put Sony Pictures in the worst light yet.

“The gift will be larger quantities of data. And it will be more interesting," the hackers warned. "The gift will surely give you much more pleasure and put Sony Pictures into the worst state.”

Copyright © 2014 IDG Communications, Inc.
