Sony Hack Was Not All That Sophisticated, Cybersecurity Experts Say
The Sony hack is a hydra-headed monster of a story, emerging from the sea late last month to descend on Los Angeles before going on to smash across the country, sprouting new heads as it went, dragging the badly battered body of a colossal global corporation in its dust.
A previously unknown group of hackers calling themselves the Guardians of Peace have become the subject of hundreds of articles splayed across every conceivable media digestion surface in the United States. This week it has become the stuff of both national security and mass market consumption, as Sony preemptively killed its buddy-comedy-cum-espionage-thriller The Interview in response to physical threats the Guardians of Peace made against moviegoers.
Then Friday (Dec. 19) the FBI released a statement confirming suspicions of North Korean involvement in the attack:
“As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions.”
North Korea has subsequently denied any involvement.
This is quite possibly the most high-profile hack of all time. But according to security experts Billboard spoke to, it was by no means the most sophisticated.
“Going by the technical details that have been made public, we are not seeing some great level of sophistication here that we have seen in other attacks,” Marc Maiffret, longtime hacker and the security researcher credited with discovering the Microsoft IIS vulnerability later exploited by the Code Red worm, told Billboard.
Stuart McClure, CEO of cybersecurity firm Cylance, deems the Sony attack “the biggest data dump the cybersecurity industry has ever seen.” He also said there was nothing terribly technically profound about the attack itself. “All that is total garbage, straight out of Hollywood,” he said by phone. “There hasn’t been anything really new in 15 years, minimum. It’s the same stuff over and over again -- because it works.”
Sony declined to comment for this story.
McClure was global CTO of McAfee in 2011 when that firm was hired by Sony in the aftermath of the breach of Sony’s PlayStation Network that year, an intrusion Sony at the time linked to Anonymous. In recent weeks he has analyzed samples of the data surrounding the most recent attack, though he is not currently working with Sony. He has occasionally delivered keynote speeches on security issues at entertainment industry conferences.
“With the Playstation hacks, Anonymous didn’t use anything unique and were able to get in easily and stay a long time,” McClure said. “I got the impression that [Sony] executives didn’t care. Some basic technologies could have prevented a large part of this. This level of destruction of a company on American soil is unprecedented, but my 15 year-old could have written the code.”
A letter circulated to Sony Pictures Entertainment employees by CEO Michael Lynton contained the comments of Kevin Mandia, chief executive of the security firm Mandiant, which was hired by Sony to investigate the hack. In the letter, which was subsequently leaked, Mandia characterized the attack as “unique,” “unprecedented” and “undetectable by industry standard antivirus software.” In a phrase apparently written with legal liability in mind, he wrote that “neither SPE nor other companies could have been fully prepared” for the attack.
Both Cylance’s McClure and Kevin Mitnick, “the world’s most famous hacker,” dispute that characterization: McClure argues that basic defenses could have prevented much of the damage, and Mitnick that the intrusion, whether or not it could have been prevented, should at least have been detected.
Mitnick had a tumultuous first three decades as a hacker before establishing Mitnick Security Consulting, a firm specializing in penetrating clients’ security systems for hire with both technical exploits and social engineering.
“It’s not [Sony's] fault that they couldn’t prevent the breach,” Mitnick said, “but it is their fault if they were apparently unable to detect it, probably for months. The biggest surprise is the amount of data they were able to exfiltrate.”
A statement released by the hacking group claimed it had pilfered 100 terabytes of data from Sony’s servers; if accurate, that is an enormous trove, by some estimates greater than the entire printed contents of the Library of Congress. The data released so far includes complete records of executives’ emails, sensitive employee information including Social Security numbers and health care data, along with Sony Pictures' movie projects in various stages of development.
McClure said that his research leads him to believe the initial breach was accomplished through some form of social engineering, rather than by exploiting a software vulnerability.
One striking thing to have emerged from the data that the Guardians of Peace have so far disseminated is the lack of security around passwords at Sony, including the revelation of an embarrassingly simple password CEO Michael Lynton was apparently using. It is a clear sign that the company did not have enforced, corporation-wide password standards.
“There was clearly stuff going on with Sony’s security that was well outside of any industry best practice, and these were not one-offs but occurred en masse,” said Maiffret.
McClure noted that using even the encryption tools built into Windows might have prevented a good deal of the damage. One caveat a practitioner would add: full-disk encryption protects data at rest on a powered-off or stolen machine, but an intruder operating on running systems with valid user credentials, as this attacker apparently was, reads files just as the legitimate user does, so blunting a data theft of this kind also requires file-level encryption whose keys are held separately from the compromised accounts.
Electronic Frontier Foundation staff technologist Seth Schoen says that compromised passwords are a likely initial access vector in the hack, especially given Sony’s size.
“There is a password reuse epidemic,” Schoen said. “When attacking a large organization, hackers could try to find the names of people who work there, then look to other sites where passwords have been stolen, looking for matches, and then try those username and password pairs at the organization’s sites. As organizations get bigger it is more likely there will be an overlap; the odds just get better.”
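The technique Schoen describes is usually called credential stuffing, and it leaves a recognizable trace in authentication logs: one source address trying many different usernames in a short time, with the great majority of attempts failing and the occasional success marking an account whose reused password matched. The following is an added example, written for this page and not code from the article, Sony, or any of the people quoted; the log line format, the threshold values, and the sample log lines are all constructed for illustration. It flags a source address that tries at least five distinct usernames inside a ten-minute window with a failure rate of 80 percent or more, and reports which accounts nonetheless logged in successfully from that address.

```python
"""Credential-stuffing detection over authentication log lines.

Added example; the log format, thresholds and sample data below are
constructed for illustration and are not from any real incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) log format:
#   <ISO timestamp> auth <ok|fail> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.8):
    """Return one alert per source IP that looks like credential stuffing.

    For each source IP, slide a time window over its attempts (sorted by
    time) and trigger when the window contains at least `min_users`
    distinct usernames and at least `min_fail_ratio` of attempts failed.
    The alert reports the widest triggering window and the usernames
    that logged in successfully from that IP, which are the accounts an
    analyst should treat as compromised.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "fail")
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                cand = {
                    "ip": ip,
                    "users": len(users),
                    "attempts": len(win),
                    "fail_ratio": round(ratio, 3),
                    "compromised": sorted(
                        {e["user"] for e in win if e["result"] == "ok"}),
                }
                if best is None or cand["users"] > best["users"]:
                    best = cand
        if best is not None:
            alerts.append(best)
    return alerts


# Constructed sample log: one address walking through seven accounts
# (six failures, one success) and one ordinary user mistyping once.
SAMPLE_LOG = [
    "2014-11-21T03:00:01 auth fail user=alice src=203.0.113.7",
    "2014-11-21T03:00:03 auth fail user=bob src=203.0.113.7",
    "2014-11-21T03:00:05 auth fail user=carol src=203.0.113.7",
    "2014-11-21T03:00:07 auth ok user=dlee src=203.0.113.7",
    "2014-11-21T03:00:09 auth fail user=erin src=203.0.113.7",
    "2014-11-21T03:00:11 auth fail user=frank src=203.0.113.7",
    "2014-11-21T03:00:13 auth fail user=grace src=203.0.113.7",
    "2014-11-21T03:02:00 auth fail user=hank src=198.51.100.5",
    "2014-11-21T03:02:20 auth ok user=hank src=198.51.100.5",
    "2014-11-21T03:02:21 kernel: unrelated line that does not parse",
]

if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises a single alert for 203.0.113.7 (seven usernames, six of seven attempts failed) and names dlee as the account that should be reset, while hank's one typo from a different address stays below both thresholds. In practice the per-IP grouping needs care: a corporate proxy or carrier NAT puts many legitimate users behind one address, so thresholds should be tuned per network, and a stuffing run spread across a botnet will instead show up as many addresses each trying a few names, which calls for grouping by the other axis (one username, many sources) as well.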
It remains unclear how far into Sony the data dump will reach. Thus far, only Sony Pictures Entertainment has been directly affected. Mitnick says the intrusion could well have spread to other corporate divisions, such as Sony's music division.
“There are usually access points [from one division to another],” he said.
McClure noted that, given the level of access the hackers were able to achieve, “gaining the same level of access into the other properties would be trivial.”
The information that the hacking group continues to release is providing the general public with an incredibly high-def look into the workings of the entertainment industry. The fallout could be enormous, as internal profit reporting is compared with public disclosures, say, or as the details of various deals are scrutinized by stakeholders. Already, some Sony employees have filed suit against the company for failing to protect their private information.
"At this stage in the game, not having good information security is negligent," said Tor Ekeland, a New York attorney specializing in internet law, "and on the face of it, it appears [Sony was] very sloppy."
Sony may have a difficult time suppressing the sharing and publication of the information, although it has hired attorney David Boies toward that end, a man whom Ekeland called "the best trial lawyer in America.”
Leslie Frank, a partner at the law firm King, Holmes, Paterno & Berliner, who specializes in entertainment copyright, says that Sony is unlikely to sway a court that publication of its internal documents is not protected by the First Amendment.
"Obviously Sony would prefer that none of its internal business was revealed, but it doesn't fall out of First Amendment protection just because it was a hacking," Frank said.
"Courts try not to decide First Amendment protection based on the content of the speech, but rather whether there is a public policy interest in protecting it. I can't think of one reason that publishing this information would counteract the protections of the First Amendment.”
While the scattered viscera of a global entertainment giant are hard to ignore, there is much more at stake in this saga.
“Beyond who emailed what to whom, or whether North Korea was responsible, hacking now is on the level that someone could hack a huge corporation like Sony for a physical world material benefit. Everyday types of hackers are going, ‘Wow, I can have that same effect.’ Where does it go next?” said Maiffret.
The success of the hack could inspire copycats, and this type of damage could spread on its own hype. The technical tools to carry out such an attack are out there, and have been. Now the bar has been raised for the type of damage that these tools can wreak.
"It’s fair to say that this attack marks the dawn of the age of cyber terrorism,” McClure said.
Mitnick believes that the US government should release all evidence from the attack to the world’s cybersecurity community, to build trust.
McClure agrees: “The greatest travesty of our industry is that [the details of the breach and attack] will never really be shared,” he said.
It’s unlikely that this story will find a tidy Hollywood ending. We may never know, completely and definitively, who exactly perpetrated these attacks or how. But hopefully every sizeable organization in America will realize how damaging their internal data can be, and protect it accordingly, even if that causes some organizational discomfort.