Posted on 12/20/2014 1:18:13 AM PST by Spktyr
'Christmas dump' incoming with more 'interesting' Sony Pictures data
Months before the hacker intrusion on Sony Pictures' network, analyst firm PricewaterhouseCoopers (PWC) performed an analysis on the company's security, and found it lacking. More than 100 devices were found to be unmonitored by corporate security following an incomplete transition from a private security firm to an in-house team. As a result, any Sony response to network intrusion would be, in the words of the auditors, "slow, fragmented, and incomplete, if it would even happen at all." However, corrective actions proposed by PWC seemingly went undone, which left the doors to the company open, sometimes literally, facilitating the attack.
Hackers thought to be operating out of North Korea took over and raided large portions of Sony Pictures' internal computer systems, and have been slowly releasing films, internal memos and emails, focus group studies and other material ranging from banal to sensitive for the studio. The group even posted sensitive financial and personal details of 47,000 employees, vendors, and actors who do or have worked for the company as far back as 1955. Last week, things took a turn for the sinister, when many employees whose information was leaked received a threatening email (though the GOP later denied they were behind that).
Sony had moved from a third party to in-house security teams in September 2013. The transition was anything but smooth, with the 100 devices cited by PWC not properly turned over to the staff. Most of the unmonitored, and unpatched, devices were web servers and managed routers.
The analyst firm warned Sony Pictures of the problem, saying that "security incidents impacting these network or infrastructure devices may not be detected or resolved [in a] timely [fashion]" on September 25. Ironically, the security evaluation was released in the hack group's last data dump.
Ex-employees confirm the lackadaisical attitude toward Internet security. One employee reported to Fusion that "one of our Central European website managers hired a company to run a contest, put it up on the TV network's website and was collecting personally-identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network in a cafe."
Security firm Mandiant was hired to assess the damage and scope of the penetration by the GOP hacking group. Mandiant CEO Kevin Mandia told Sony Pictures that "the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well-planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared."
Corrective actions as a result of PWC's analysis were promised to be completed by October 31, 2014. There is no evidence that anything was actually completed by the in-house security team. Despite Mandiant's assurances to Sony that nobody could have been prepared for the attack, it is clear that Sony failed to perform even the most basic due diligence to prevent the breach.
Another former employee says that corporate culture is the root cause of the security lapses. He noted that the real problem with Sony Pictures' network security was "there was no real investment in, or real understanding of what information security is," pointing to the vast amount of sensitive data gleaned by the hackers that was stored unencrypted. Employees of Sony Pictures for the last 15 years were listed in the leaked documents. Sony's offer of credit monitoring and identity theft protection does not extend to former employees at this time.
The GOP is spreading word of a "Christmas gift" release of more data. A PasteBin post claims to contain "larger quantities of data" saying that "it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state." The GOP claims that employees can "opt out" of the upcoming data release that may involve them, but they have to email the group to make this happen.
Also, amusing picture of an apparently very upset Angelina Jolie with the idiot Sony executive lady whose liberal hypocrisy in emails has been exposed at the source link.
>> Ironically, the security evaluation was released in the hack group’s last data dump.
Ironic.
http://www.newsfactor.com/news/Sony--A-Studio-Ripe-for-Hacking/story.xhtml?story_id=103003JX4B3L
The stolen files expose lax Internet security practices inside Sony such as pasting passwords into emails, using easy-to-guess passwords and failing to encrypt especially sensitive materials such as confidential salary and revenue figures, strategic plans and medical information about some employees. Experts say such haphazard practices are common across corporate America.
"Most people who say they're not doing that are lying," said Jon Callas, co-founder and chief technology officer for Silent Circle Inc., a global encrypted-communications service.
The emails show CEO Michael Lynton routinely received copies of his passwords in unsecure emails for his and his family's mail, banking, travel and shopping accounts, from his executive assistant, David Diamond. Other emails included photocopies of U.S. passports and driver's licenses and attachments with banking statements. The stolen files made clear that Diamond was deeply trusted to remember passwords for Lynton and his family and provide them whenever needed.
This is typical of all corporations. For all kinds of reasons, security is not good.
So, the Republicans pulled off this hack??? :=)
Where I work, outgoing emails are scanned for possible passwords. If you are caught sending a password, any password, in email, the following happens:
Furthermore, password complexity is strictly enforced. Such things as Sonym13 would be disallowed.
Banks are the exception. The best security people end up at banks, government, and companies like MS and Google.
Nah. Just more purposeful conflation by the American Pravda / Ministry of Propaganda.
How about the power companies that run our grid, pipelines, etc?
How about power companies?
I know from an industry insider that they are moving (though not nearly finished) to secure better. They are still, in places, a wide open fishbowl, but in other places have locked down well.
True that. You should see some of the online & inline security systems I've built the last seven years. We can do stateful packet inspection on-the-fly without slowing down application traffic and predict behaviors before they happen now.
I was recruited by DHS four years ago to run one of their data collection points (I won't say where...) but they simply didn't pay enough and I don't consider it my "patriotic duty" to take a huge pay cut just to work for the gub'mint.
We do that over here. I got busted in 2011 for a packet from ShowMyPC that would have possibly allowed for remote computer access. I was severely reprimanded, and told that if they EVER see that packet again, and it is NOT from one of the two sanctioned groups, I would be escorted off the campus by Security.
I honestly didn't know I had violated until two grim-expressioned men showed up at my cubicle, within one hour of allowing an Ohio state government user to view my PC for instructions on how to use the system I wrote.
Thank God I was being 100% cool and was 100% honest about what happened. I still was severely reprimanded. And, I learned our guys peek at the packet level in real-time.
This practice pretty much ensures that people will write down the ever-changing complex passwords somewhere near their workstation. Ripe for social engineering.
Freedom ≠ Free Stuff☭
I, for one, welcome our new Cybernetic Overlords /.
I actually went ahead with it, because OTrauma was elected in 2008. I figured many businesses would go belly up. I was right, many of my peers ended up with pink slips when their firm shut down.
The downside is I am paid 40k less per year than I am worth in the open marketplace.
The upside is I am still working, and, having significant talent like I do, I am advancing to Architect role in 2015.
Go ahead. Try that stuff here.
I know someone fired for just that sort of thing.
Some of the stuff I've seen still RUNNING the power companies is downright scary.
I won't say which companies, however some of them are still running Windows NT 4.0 Servers running core functions at the power plant. Most of these servers are now virtualized to eliminate the problem of hardware failures; however, they're still not protected properly with multi-layer security (DMZ, Web, App, Core network zones) or multi-factor authentication systems to prevent unauthorized access.
BTW: Just last week I caught several Russian hackers using DNS spoofing through compromised South American, Netherlands and Spain based companies trying to hack into one of our public FTP Servers. They tried brute force SSH password cracking and executed over 59,000 brute force attempts in just over 3 minutes.
They didn't get in because we require matching certificates and dual-factor authentication for Internet exposed services and within their first 10 attempts (which happened in microseconds) I had an alert fired off and tracing programs already running to determine the true locations of the Russian hackers.
My own opinion based on the results I collected is that it was Russian State Sponsored hacking. It had to be due to its sophistication, the sheer volume of brute force password attempts in such a small amount of time, and the fact that the IPs traced back to Russian Government facilities.
Granted, I'm not supposed to say those things outside the bank and the FBI (who we work with on these things -- they're working with ALL the top tier banks directly) certainly wouldn't "approve" of my saying it.
I know it’s SFTP but still, can’t you autoblock an IP after X number of failed attempts? You wouldn’t necessarily slow throughput if you limited the filter to authentication. Once a channel was established, pass through the filter without incident.
Your public FTP is still SFTP, right?
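The "autoblock an IP after X failed attempts" idea raised above, and the "alert within the first 10 attempts" the bank post describes, are the same per-source sliding-window check. As an added example (not code from anyone in this thread), here it is run over constructed sshd auth log lines; the hostname, addresses (RFC 5737 test ranges), threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log (not from the thread). One source hammers the
# server with five failures in two seconds; a legitimate user fumbles twice.
SAMPLE_LOG = """\
Dec 19 22:41:03 ftp01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Dec 19 22:41:03 ftp01 sshd[2202]: Failed password for root from 203.0.113.7 port 50123 ssh2
Dec 19 22:41:04 ftp01 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 50124 ssh2
Dec 19 22:41:04 ftp01 sshd[2204]: Failed password for root from 203.0.113.7 port 50125 ssh2
Dec 19 22:41:05 ftp01 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 50126 ssh2
Dec 19 22:41:09 ftp01 sshd[2210]: Failed password for jsmith from 198.51.100.20 port 41000 ssh2
Dec 19 22:41:30 ftp01 sshd[2211]: Accepted publickey for jsmith from 198.51.100.20 port 41001 ssh2
Dec 19 22:55:00 ftp01 sshd[2300]: Failed password for jsmith from 198.51.100.20 port 41002 ssh2
"""

# Matches only password failures; key-based accepts and other events are ignored.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(text, year=2014):
    """Yield (timestamp, ip, user) for each failed-password line (syslog has no year)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def detect_bruteforce(text, threshold=5, window_s=60):
    """Return {ip: timestamp at which 'threshold' failures fell inside 'window_s' seconds}.

    A per-IP deque keeps only the failures still inside the window, so a user
    who mistypes a password a couple of times never trips the block, while a
    burst of guesses is flagged on the attempt that crosses the threshold. The
    result is the decision to hand to a firewall rule or fail2ban-style action.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _user in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"block {ip}: threshold crossed at {when:%H:%M:%S}")
```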
Additionally all external/internet based access to the server requires a matching certificate AND secondary authentication which would include the combination of a PIN and random generated code that's good for 15 seconds.
All of our Internal access to those servers happens over a private switched network using virtual KVM's to enable console port (serial port) based access.
I developed the security requirements and control standards for our organization. They passed our own internal Risk and Audit folks as well as the Feds.
After the first of the year I'll be tightening things down further. At some point it'll make our Unix/Linux and Windows Admins and Engineers scream, but that's ok. My job is to protect the bank. No one gets through on my watch.