The SONY Hack – Release ‘The Interview’ into the Wild
The most recent hack of Sony is not about salacious gossip, who holds the power in movietown, or who has poor taste in “jokes.” To poorly paraphrase John Donne, it is not about asking for whom the bell tolls, it tolls for IT.
While the challenge for IT security is daunting, in every aspect of business – since the first transaction was made thousands of years ago – the ability to securely make subsequent transactions has always been a business’ prime objective. Sony has been keenly aware of its position as a target, and if reports are true, disregarded the most basic security steps expected (and required) post-attack, to secure sensitive data.
According to BusinessWeek, Sony was warned about a year ago that hackers had infiltrated its network and were stealing gigabytes of data several times a week, underscoring a pattern of lapses predating a recent attack that has spilled Sony Pictures’ secrets onto the Internet.
In late 2013, the hackers sifted through data from the company’s network, encrypted the information to cover their tracks and mined it on a regular schedule, said a person familiar with Sony’s investigation of the breach who asked not to be named because the findings are confidential.
The company’s cybersecurity problems date at least as far back as 2011, with a breach of Sony’s PlayStation video-game network.
The discovery was part of a companywide review of cybersecurity practices following the 2011 hack that extended for more than two years and which, while shoring up the security of some parts of the network, left holes remaining.
The extent of the breach last year was discovered by an outside contractor after Tokyo-based Sony found suspicious traffic on its corporate computers and requested an analysis. Quoting an unnamed source, BusinessWeek goes on to report that even after discovering the thefts, Sony didn’t conduct an audit to determine how much content was stolen.
Sony is warning current and former employees about fraudsters who might be prowling the Internet to take advantage of leaked personal information.
US Confirms North Korea Involved
From The New York Times: American intelligence officials have concluded that the North Korean government was “centrally involved” in the recent attacks on Sony Pictures’s computers, a determination reached just as Sony on Wednesday canceled its release of the comedy, which is based on a plot to assassinate Kim Jong-un, the North Korean leader.
Senior administration officials, who would not speak on the record about the intelligence findings, said the White House was still debating whether to publicly accuse North Korea of what amounts to a cyberterrorism campaign. Sony’s decision to cancel release of “The Interview” amounted to a capitulation to the threats sent out by hackers this week that they would launch attacks, perhaps on theaters themselves, if the movie was released.
Next come the lawsuits: we know that the most personal information released includes passwords, paychecks, credit card and social security numbers, salaries, and more. According to The LA Times, lawyers representing former Sony Pictures employees have separately filed in Los Angeles two lawsuits that seek class-action status, alleging Sony Pictures Entertainment was negligent in the months leading up to the devastating hack. One of the complaints — a 45-page federal lawsuit, which seeks to represent former and current Sony employees — contends that Sony ignored warnings that its computer network was prone to attack.
Sony “failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years” and “subsequently failed to timely protect confidential information of its current and former employees from law-breaking hackers,” according to the federal complaint filed late Monday.
The other suit, which was filed in Los Angeles Superior Court on Tuesday, also alleges negligence and invasion of privacy of former Sony employees. The breach is expected to cost Sony Pictures tens of millions of dollars as the company rebuilds its computer network, bolsters security and deals with piracy and the legal fallout.
Loss to Shareholders
The hack has sent stock down 10% in past week. While the fluctuations have not been massive, there is concern that losses will mount as new files are released. Bill Fries, co-manager of the Thornburg International Value Fund and an investor in Sony’s stock, said that it’s “not good for any company to have management show such insensitivity that gives them adverse publicity.”
Release it into the Wild
The best idea we’ve seen? Release the movie The Interview into the wild. As written by The Verge’s Bryan Bishop:
“This is a scenario unlike anything we’ve ever seen before, and Sony Pictures is at a unique point in history. As theater chain stocks dipped Tuesday, the hacks began to look more like true economic terrorism — impacting an entire industry, not just a lone company. TV shows and movies will undoubtedly stay away from portraying North Korea in a negative light moving forward, the chilling effect that this kind of strong-arming leads to. And what happens between now and Christmas Day, when the film is (still) scheduled for release, will establish a precedent that sets the tone for years to come.
The hackers, whomever they may be, have used the internet to attack Sony Pictures. They’ve used it to intimidate Sony Pictures. Now Sony can use that same internet to fight back and spread The Interview across the world.
Put it online.
Can stolen material be used by reporters?
From HuffPost: The New York Times, for one, has covered revelations from the hacked Sony emails, but only after they’ve first been made public by other news organizations. Executive editor Dean Baquet said Monday it “would be a disservice to our readers to pretend” that already-surfaced documents “weren’t revealing and public.”
Times reporters have not only stopped short of first reporting information from the hacked email cache, but according to one, have been advised by the papers’ attorneys not to download and open them at all.
Hacktavism as Terrorism
From USA Today: The country’s five biggest theater chains will not screen The Interview due to hacker threats, multiple sources say.
Regal Entertainment will “delay” screening the Seth Rogen-James Franco comedy, which was set to open Christmas Day, according to a statement sent to USA TODAY.
“Due to the wavering support of the film The Interview by Sony Pictures, as well as the ambiguous nature of any real or perceived threats, Regal Entertainment Group has decided to delay the opening of the film in our theatres,” the statement reads.
From Bloomberg: Security experts are poring over the malware used in the recent attack against Sony (SNE), as well as the massive amount of data released as a result of the attack, in an attempt to recreate what happened.
An early examination of the malware makes it clear the hackers had become familiar with the Sony network beforehand, according to Jaime Blasco, the director of AlienVault Labs. Blasco said his analysis of the code found the names of Sony’s internal servers as well as credentials and passwords needed to connect to the network. The malware was used to communicate with IP addresses in Europe and Asia, he said, which is common for hackers trying to obscure their location.
Blasco also noted that some of the code was written in Korean, which seems to point to the most common working theory about the perpetrators—that they work for the North Korean government.
“What this shows you is that the IT guys tell the board and top management they’ve got the problem under control, and everybody goes back to business as usual,” says Adam Epstein, a corporate consultant with Third Creek Advisors in Danville, Calif. “The weaknesses you see at Sony and other companies, large and small, can’t be fixed by installing one more firewall or some new antivirus software. By the time the good guys zig, the bad guys are already zagging.”
Bloomber’s Paul Barrett continues: The malware used against Sony Pictures “would have gotten past 90 percent of the net defenses out there today in private industry,” Joseph Demarest, assistant director of the FBI’s cyber division, told the Senate Banking Committee on Dec. 10. Sony nevertheless made itself especially vulnerable to suffering damage once the intruders got in. Those celebrity aliases and additional personal data are said to have been stored in a folder titled “publicity bibles.” Computer passwords were compiled in a document invitingly called “passwords,” and so forth.
Reddit Takes Down Sony Hack Forum
In a rare decision, Reddit has taken down a forum that housed links to hacked Sony Pictures documents.
The website on Tuesday banned the subreddit SonyGOP, which was filled with links to hundreds of gigabytes of Sony ( emails, movie scripts, internal memos and personal information about employees. )
The hacking group Guardians of Peace has mostly used the website Pastebin to post links to the hacked documents, but other people have copied and pasted those links on Reddit, making it a popular repository for people looking to pore through the hacked materials.
Reddit said it shut down the SonyGOP subreddit in response to requests from Sony to take down the links.
The Digital Millennium Copyright Act allows media companies to ask websites take down copyrighted material, but the websites are not obligated to take down links themselves — let alone shut down an entire page or site. Yet Reddit took the unusual measure of banning the entire subreddit.
Not Even Korea Can Stop the Internet
From The Verge: Things leak. They spread. A version of Kim Jong-un’s death scene is already out in the wild. So what Sony should really do is take the game online. Throw the movie up on iTunes and Amazon. Get crazy and give Crackle a shot. Take the threat of attacking theaters and diffuse it with the truth that the hackers don’t seem to understand: we live in a world where every living room, every computer, and every phone is a theater. And whether it’s leaked government documents or a goofy comedy from the Neighbors guy, nothing stays hidden for long.
Would it open Sony up to having additional emails leaked? Would it open up content providers to potentially adding their names to the hackers’ hitlist? Potentially, and we certainly don’t know what other personal threats have been made directly to the heads of Sony Pictures. But anyone expecting the leaks to stop at this point hasn’t been paying attention, and as long as the movie is kept under wraps there’s that dangling, implied threat: don’t show it or else. Releasing the movie online would allow the company to take a principled stand against its attackers and shatter that tension….
…Releasing it for free would bring a bonanza of good will at a time when the studio needs it, but charging could be an even stronger choice, serving as a bold experiment in day-and-date video-on-demand releases.
It’s not just about SONY – the Snapchat connection
From The Verge: One of the least expected companies to take collateral damage in the epic Sony Pictures hack has been Snapchat. CEO Evan Spiegel regularly trades emails with Sony Pictures CEO Michael Lynton, who sits on Snapchat’s board, and the revelations from the pair’s emails have been spilling out all week. Among them: the company secretly bought a company that makes a Google Glass-like product; it’s actively pursuing plans to insert music into the app; and the company turned down a bigger offer from Facebook than the $3 billion originally reported. But there are other revelations in there, too: that Chinese internet company Tencent felt insulted by him during fundraising negotiations, for example, and that he and his co-founder sought to take $40 million for themselves during a fundraising round. View a copy of Spiegel’s email to employees here.
There is more to come from this hack. As Sarah Perez writes in TechCrunch: If an organization of Sony’s size is susceptible to hacking, anyone is.
In the aftermath, Sony has now hired FireEye Inc.’s Mandiant forensics unit to clean up this massive cyber attack, as the FBI investigates the incident. But the immediate damage has been done and the damage may continue for some time. Only a small number of documents have been revealed so far – the hackers reportedly captured over 100 terabytes of data….that this happened, that this level of private data can be revealed, and that it can be revealed with ease can help us all. Let it serve as a warning to everyone from corporate IT to everyday consumers to protect ourselves…or risk becoming the next Sony.
Just Call Firestorm
Only resilient businesses survive disasters. And, of all the disasters you have seen, the WORST will be the one that happens to YOUR company.
Business continuity planning identifies mission-critical business functions and enacts policies, processes and procedures to ensure the continuation of these functions during and after unforeseen incidents. Business continuity planning should be supported by Information Technology strategies and plans that meet the requirements of the business for critical technology dependencies.
Proper planning can keep a disruption from becoming a disaster. After all, the value of your company lies in its ability to continue to deliver critical products and services, and produce revenue.
Learn more, and pass our information on to Sony.