Who Hacked Sony?

On December 22, 2014, in Past Morning Briefs, by David

At the end of my brief, brutal days in the film biz, one conclusion I drew about the way Hollywood Studios conduct their affairs is that they live precariously by the adage: “If It Ain’t Broke, Don’t Fix It.” No one who’s ever worked in The Industry has ever accused studios of thinking too far ahead. Bottom line and just plain bad decision-making left us rank-and-file workers to sit patiently on our hands, waiting for things to break. Last week the Sony Corporation found out just how costly such reactive thinking can be.

Luckily, we have a statement on the record from a high-ranking Sony official letting us in on his approach to Data Security. In the category, “Boy I Wish I Hadn’t Said That,” belongs this quote by the executive in charge of keeping Sony Corp’s voluminous digital assets safe and secure, given in response to an audit that found the company had a Team-America-Kim-Jong-Il weak password problem:

“It’s a valid business decision to accept the risk,” said Jason Spaltro, who is now Sony Pictures’ senior vice president of information security, in a 2007 interview with CIO. “I will not invest $10 million to avoid a possible $1 million loss.”

Let this serve as a reminder that short-sightedness, an epic ability to under-estimate value, and demonstrably poor business decision-making are crystallized forever by the miracle that is The Internet. Yes, that was a few years ago, but even then, might the totality of Sony’s digital assets have been worth north of $1 million? North of $1 billion? A stone thrown in a glass house if there ever was one.

According to information released following the hack, Mr. Spaltro makes $300,000 in salary per year, but I don’t think he’s going to reach his bonus target of $400,000. Not this year.

But weak passwords were only part of the story of “The Hack Heard Round the World.” Alongside a torrent of Sony Hack stories impacting nearly every information category except Sports, we know that Anonymous hacked into Sony’s network back in 2011. In addition to troves of data swiped from Sony these last few weeks – executive and talent salary information, shooting scripts for major films, and e-mails containing revelations ranging from salacious to downright embarrassing – hackers snagged numerous files from individual users labeled Password.doc.

In other words, Sony employees served up documents containing lists of passwords, key chains full of keys the hackers can use to open all kinds of doors inside and outside the kingdom. Ouch. That’s a glitch that will keep on giving.

Knowing how studio bureaucracies operate when it comes to Security, from my time both as a film studio employee in the early 90s and as a Product Manager and strategist at Symantec Corporation from 1995-2005, I predict there will be a last minute revision to Sony’s budget next year shifting a few more dollars into the IT Group. Whatever brownie points Mr. Spaltro’s group may have earned in years past by keeping costs down will probably be used up and then some as 2014 turns into 2015. You’d think Sony and its internal security detail will learn a thing or two from this one.

But you never know. Businesses don’t like to spend money on non-revenue generating items, and Entertainment Companies usually require catastrophe-level events or worse to budget expenses that impact the bottom line without dollars promised in return. Ask anyone who works in Tech Support, Customer Service, and in some cases, Quality Assurance. There are never enough dollars to properly fund these groups, anywhere. Prepare for some breakage.

The Hack most certainly qualifies as catastrophe-level, but if the content of Sony e-mails is any indication, upper management has more than its share of idiots, assholes, two-faced fuckwads, and just plain bad decision-makers, even for a Hollywood Film Studio. Using Mr. Spaltro’s logic above: Hey, Sony has already suffered the worst hack in the history of Information Security. Why spend money on IT? They can’t possibly get any worse at this…

I’m not saying that logic makes sense. But I am saying over the years I’ve worked at or with more than one international entertainment company that thinks that way. And I wonder whose heads will be rolling in the aftermath.

There will also be an obligatory employee memo, or series of memos, with updated security procedures likely to contain some choice words about choices like Password.doc. And once a full report is filed, they will likely find, as most companies do, that the lion’s share of damage was a direct result of human error by way of social engineering. Yes, it takes technical skill to carry out something this big, but the human element is a major part of the picture. Always. Just read that quote by the head of Sony IT. Either he really thought that way, or his boss did. Or they both did.

So now we know the What (legendary hack), the When (likely starting in 2011 or even before, and culminating in November 2014), and the Where (Sony Corp’s network). Let’s take a look at the Why, the How, and the Who.

If you take the FBI’s findings at face value (and why would you?), the likely answers are: “The Interview”, by way of networks in North Korea and/or Northern China (better access in China), and employees of or contractors for the North Korean government.

However, there are lots of reasons to question whether North Korea really did perpetrate The Hack, not least of which are the numerous perceived inadequacies of the rogue nation-state. Given the agitation generated by “The Interview”, it sure wouldn’t be difficult to make it look like North Korea did it. Easier for an accomplished hacker to frame them than it would have been for North Korea to have actually done it. Unless Kim Jong-un has some world class hackers in his Rolodex.

Articles on this question are beginning to pop up, including this one from Wired that I found because I’ve been having trouble believing that The Hack is a North Korea Joint: http://www.wired.com/2014/12/evidence-of-north-korea-hack-is-thin/.

In light of Sunday’s Anonymous Announcement, that they hacked the Sony network in 2011 and told Sony that they did it (in addition to hinting that they have a copy of “The Interview” and plan to release it themselves on Christmas), some Simpler Theories are evolving. It seems more likely that some Hacktivist entity opened the gates, then passed the access off to one or more organizations which may or may not be related to the North Korean government.

It also seems odd that, on the one hand, the hacker that broke into the system takes credit for the hack under the name Guardians of Peace (GOP), while on the other the North Korean government denies involvement. If the North Korean government is behind it, but they don’t want to take credit, why would they want an entity they hired to leave a name along with a motive leading right back to them? Because they’re inept? If you follow that line of reasoning, how were they “ept” enough to perpetrate the most humongous hack of all time?

There’s more to this than meets the eye. It’s likely we’ll hear more about The Hack, who did it, how and why in the near future. And while my preference is not to blame the victim, especially when the stakes are so high and the losses so great, it’s difficult to avoid the conclusion that when more is known, Sony will ultimately accept (or wrongly avoid) significant responsibility for what happened.

The trail of information leading up to The Hack points to far too many deficiencies in Sony Studio’s Security policies, strategies and leadership. Because of this, it’s likely that the consequences could have been reduced significantly under a more proactive, better funded, and/or more talented security team. For starters, the Sony IT Executive under-estimated the value of his own job and the assets he was hired to protect. And he did it on the record.

If the company knew that it had been breached before, it should have investigated the hack in 2011, reinforced firewalls, revised security protocols and best practices, including advising against Password.doc. You can monitor traffic in and out of a corporate network. If data is flowing out unsupervised, at weird hours, in high volume, or to suspicious IP addresses, you can do something about it. Clever naming practices, complex data organization and infrastructure, obfuscation measures and red herrings can protect assets like critical e-mails, financial information, and James Bond scripts. Wasn’t anyone watching the gates?
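The paragraph above says outbound traffic can be watched for volume, timing and destination. As an added example (not from the original post, and not anything Sony ran), here is a small triage script that does exactly that over a handful of constructed flow records: it buckets bytes out per host per clock hour and raises an alert when a bucket is off-hours, over a volume ceiling, or headed to a destination not on an approved list. The approved destinations, business hours and byte limit are placeholder policy values chosen for the example.

```python
"""Egress anomaly triage over constructed flow records.

Added example, not part of the original post. It illustrates the
point that outbound traffic can be watched, and that transfers which
are unusually large, happen at odd hours, or go to destinations nobody
approved deserve an analyst's attention. The flow lines, thresholds
and the approved-destination list are all constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: timestamp, source host, destination IP, bytes out.
SAMPLE_FLOWS = """\
2014-11-21T14:05:12 fileserver01 203.0.113.10 48000000
2014-11-21T14:07:40 workstation17 198.51.100.5 120000
2014-11-22T02:14:03 fileserver01 198.51.100.77 900000000
2014-11-22T02:31:55 fileserver01 198.51.100.77 850000000
2014-11-22T03:02:19 workstation17 203.0.113.10 3000000
2014-11-22T09:45:00 workstation23 198.51.100.77 25000
"""

# Assumed policy values (placeholders, not any real company's): approved
# external destinations, normal business hours, and a per-hour volume ceiling.
APPROVED_DESTINATIONS = {"203.0.113.10"}   # e.g. an off-site backup provider
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59 counts as normal
HOURLY_BYTE_LIMIT = 500_000_000            # 500 MB out per host per hour

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            flows.append({
                "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                "src": src, "dst": dst, "bytes": int(nbytes),
            })
        except ValueError:
            continue
    return flows

def find_egress_anomalies(flows):
    """Return one alert per (host, clock hour) bucket that trips any rule.

    Rules, evaluated per bucket:
      off_hours      - any outbound flow outside BUSINESS_HOURS
      high_volume    - summed bytes out exceed HOURLY_BYTE_LIMIT
      unapproved_dst - a destination not on the approved list
    """
    buckets = defaultdict(lambda: {"bytes": 0, "dsts": set(), "off_hours": False})
    for f in flows:
        key = (f["src"], f["time"].strftime("%Y-%m-%d %H:00"))
        b = buckets[key]
        b["bytes"] += f["bytes"]
        b["dsts"].add(f["dst"])
        if f["time"].hour not in BUSINESS_HOURS:
            b["off_hours"] = True
    alerts = []
    for (src, hour), b in sorted(buckets.items()):
        reasons = []
        if b["off_hours"]:
            reasons.append("off_hours")
        if b["bytes"] > HOURLY_BYTE_LIMIT:
            reasons.append("high_volume")
        unapproved = sorted(b["dsts"] - APPROVED_DESTINATIONS)
        if unapproved:
            reasons.append("unapproved_dst")
        if reasons:
            alerts.append({"src": src, "hour": hour, "bytes": b["bytes"],
                           "unapproved": unapproved, "reasons": reasons})
    return alerts

def triage(text=SAMPLE_FLOWS):
    """Parse the flows and return alerts, most rules tripped first."""
    return sorted(find_egress_anomalies(parse_flows(text)),
                  key=lambda a: (-len(a["reasons"]), a["src"], a["hour"]))

if __name__ == "__main__":
    for a in triage():
        extra = f"  -> {','.join(a['unapproved'])}" if a["unapproved"] else ""
        print(f"{a['hour']} {a['src']:<14} {a['bytes']:>12} bytes  "
              f"{','.join(a['reasons'])}{extra}")
```

On the sample data the file server's two early-morning transfers to an unapproved address land in a single bucket that trips all three rules, which is the kind of event worth a phone call, while the daytime backup to the approved address raises nothing. Real deployments would feed this from flow or proxy logs and tune the thresholds per host class rather than using one global limit.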

Sure it’s easier to call out a solution, or to point fingers in hindsight. But the job of the Security Professional is to be Proactive. If it ain’t broke, and it matters to you, you should be trying to break it from just about every angle to avoid having an outsider break it first. Fixing a mess like this is never a pleasant task.

And whatever you do, if breakage might be a problem for you, even if your boss, your boss’ boss, and your boss’ boss’ boss tells you that you’re not going to get the money you need to secure the digital assets of your multi-billion dollar corporation, never, ever, ever go on the record saying that your half-ass, penny-wise, pound-foolish IT non-strategy is an acceptable business risk. It’s like telling the army attacking your castle that you’ve decided not to fill the moat and that the Southern wall is made of papier-mâché. You might as well be leaving the door open, ringing a bell and saying: “Come and get it!!”
