A Breakdown and Analysis of the December, 2014 Sony Hack

Risk Based Security, December 5, 2014
https://www.riskbasedsecurity.com/2014/12/abreakdownandanalysisofthedecember2014sonyhack/

Note: This article is being updated almost daily with new developments regarding the leaks from the Sony Pictures breach. Changelog of updates:

- The Beginning (November 24)
- Second Round of Leaks (December 3)
- The Analysis Game (December 4)
- The Next Chapter (December 5)
- The Analysis Continues (December 7)
- Fifteen Days Under Siege (December 8)
- Reality and the Blame Game (December 9)
- My Life At The Company, Part 1 (December 10)
- Another Day, Another Email Spool (December 10)
- Celebrity Gossip and Hacking Back (December 11)
- Debates, Goliath, and Apologies (December 12)
- My Life At The Company, Part 2 (December 13)

On November 25, a new chapter was added to the chronicles of data theft activity. A group calling itself GOP, or The Guardians Of Peace, hacked their way into Sony Pictures, leaving the Sony network crippled for days, valuable insider information including previously unreleased films posted to the Internet, and vague allegations it all may have been done by North Korea in retribution for the imminent release of an upcoming movie titled "The Interview".

While politically motivated attacks and theft of intellectual property are nothing new, this incident certainly stands out for several reasons. First, via a Pastebin link, the group released a package and links to torrent files hosted on four sites consisting of 26 parts, broken out into 25 1 GB files and one 894 MB rar file. The files were also uploaded to the file sharing giants MEGA and Rapidgator, but removed by site managers shortly after. The researchers at RBS were able to access the files and analyze the content prior to the information going offline, as well as reach out to GOP.

The results of the analysis provide unprecedented insight into the inner workings of Sony Pictures and leaked the personal information of approximately 4,000 past and present employees. As if the sensitive employee information wasn't troubling enough, the leak also revealed curious practices at Sony, such as money orders used to purchase movie tickets that were apparently resold back to Sony staff.

The Guardians Of Peace made their contact information available for a brief time. RBS researchers used that opportunity to contact the group seeking comment and received the following response:

"I am the head of GOP. I appreciate you for calling us. The data will soon get there. You can find what we do on the following link."

The link provided only led to a Facebook page that was not in use. The following timeline gives more perspective and analysis of the details of the intrusion, based on information made available via public sources.

The Beginning (November 24)

On November 24th, a Reddit post appeared stating that Sony Pictures had been breached and that their complete internal network, nationwide, had signs that the breach was carried out by a group calling themselves GOP, or The Guardians Of Peace. This comes three years after a large series of attacks against Sony became public. Within hours, Geek.com had reported that "Sony just got hacked, doxxed, and shut down" as Sony went into panic mode over the breach. Minutes after the original Reddit post appeared, the thread exploded with comments and feedback about the content. Several links to additional files were included within the comments, among them two text files that listed additional file names said to be coming in a subsequent leak of information from the Sony network.

In order to better understand the breach and the ramifications, Risk Based Security (RBS) reached out to the Guardians of Peace and asked for more information. During the brief email conversation, they stated that additional data leaks were forthcoming, and that they had obtained over a dozen terabytes of data from various Sony servers. The mail went on to say that additional information would be published soon, and provided a link to a Facebook page that appeared to be closed.



Movie Leaks (November 26th)

A few days after the initial breach report was announced, four torrent links were published to torrent trackers that contained unreleased movies from Sony, obtained by GOP during the attack. These titles included Annie (December 19), Mr. Turner (December 19), and To Write Love On Her Arms (March 2015). According to several torrent tracking sites, these files have been downloaded over 100,000 times.

On December 1st, NBC News aired a segment reporting that the FBI were investigating the breach and the possibility that North Korea was involved. While this may sound far-fetched at first, North Korea has a clear motive in attacking Sony. On December 25th, Sony is releasing a movie called The Interview, which follows the story of two celebrity TV hosts that get a chance to interview Kim Jong-un. Before heading to North Korea, they are asked by the C.I.A. to assassinate him. Despite the movie being labeled a comedy, North Korea has stated that if the movie is released, they would consider it an act of war.

When the BBC reached out to North Korean officials asking if they were behind the attack on Sony, they were given a curious response of "Wait and see". North Korea had also complained to the United Nations about the movie earlier this year in July, while not naming it specifically.

First of the Leaks (December 1)

On December 1st, GOP started publishing the full cache of data files taken from Sony's servers, with the first chunk totaling a respectable 24.87 GB of compressed files. Surprisingly enough, the GOP appears to have used compromised servers on Sony's network to upload and seed the torrent for the leaked data, as well as uploading it to MEGA and RapidGator. Within hours of the upload, MEGA removed all links to the data. [Dec 9 update: subsequent analysis by Mario Greenly suggests Sony is not seeding/uploading data, only downloading it, likely in an attempt to slow progress for other downloaders.]

First leaked data summary, some analysis courtesy of Identity Finder:

- 26.4 GB in size, containing 33,880 files and 4,864 folders.
- Includes 47,426 unique Social Security Numbers (SSN)
- 15,232 SSN belonged to current or former Sony employees
- 3,253 SSN appeared more than 100 times
- 18 files contained between 10,860 and 22,533 SSN each.

Example of employee data found:

- One file (\HR\Benefits\Mayo Health\Mayo XEROX assessment feed) contains 402 full Social Security numbers, internal emails, plaintext passwords, and employee names
- An additional 3000 or more Social Security numbers, names, contact details, contact phone numbers, dates of birth, email addresses, employment benefits, workers compensation details, retirement and termination plans, employees' previous work history, executive salaries, medical plans, dental plans, genders, employee IDs, sales reports, copies of passport information and receipts for travel, as well as money order details to purchase movie tickets to resell back to the Sony staff.
- The leaked information also included documents, payment, and account information to order custom jewelry from Tiffany & CO via email.
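The Identity Finder figures above (unique SSNs, SSNs seen more than 100 times, files holding thousands each) are what a data-discovery pass over a dump like this produces, and the same pass is how a defender finds such data in its own file shares before it walks out the door. The following is an added example, not code from RBS or Identity Finder: a stdlib-only Python scanner that walks a directory of text exports, keeps only structurally valid SSNs (the SSA rules: no 000/666/900-999 area, no 00 group, no 0000 serial) and reports those four figures. The file names, sample rows and employee list are all constructed for the demo.

```python
import os
import re
import tempfile
from collections import Counter
from typing import Dict, Iterable, List

# Matches NNN-NN-NNNN, NNN NN NNNN or NNNNNNNNN as a whole token (no digit
# directly before or after), so 3-3-4 phone numbers and longer IDs are skipped.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules from the SSA: the area is never 000, 666 or 900-999,
    the group is never 00 and the serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def extract_ssns(text: str) -> List[str]:
    """Every structurally valid SSN in text, normalised to NNN-NN-NNNN,
    in order of appearance and with repeats kept (callers count them)."""
    return [
        f"{area}-{group}-{serial}"
        for area, group, serial in SSN_RE.findall(text)
        if is_valid_ssn(area, group, serial)
    ]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map each file under root (relative path) to the SSNs it contains;
    files with no hits are omitted."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = extract_ssns(fh.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def summarise(hits: Dict[str, List[str]], employee_ssns: Iterable[str],
              repeat_threshold: int = 100,
              dense_threshold: int = 1000) -> Dict[str, int]:
    """The four figures quoted from the Identity Finder analysis: unique
    SSNs, how many are on a known-employee list, how many occur more than
    repeat_threshold times across the dump, and how many files each hold
    at least dense_threshold distinct SSNs."""
    counts = Counter(ssn for found in hits.values() for ssn in found)
    employees = set(employee_ssns)
    return {
        "unique": len(counts),
        "employee": sum(1 for ssn in counts if ssn in employees),
        "repeated": sum(1 for n in counts.values() if n > repeat_threshold),
        "dense_files": sum(1 for found in hits.values()
                           if len(set(found)) >= dense_threshold),
    }


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> Dict[str, int]:
    """Run the scanner over a constructed mini-dump (every value invented)
    whose layout mirrors the leak: an HR feed, a repeated export and a
    payroll file dense with SSNs."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "HR/Benefits/MayoXEROX_feed.txt",
               "Jane Doe,219-09-9999,jdoe@example.com,Summer2014!\n"
               "John Roe,078 05 1120,jroe@example.com,sony12345\n"
               "Bad Row,666-12-3456,bad@example.com,pw\n"     # invalid area 666
               "Bad Row,000-45-6789,bad2@example.com,pw\n")   # invalid area 000
        _write(root, "reports/ssn_dump.txt", "219-09-9999\n" * 100)
        _write(root, "finance/payroll.csv", "".join(
            f"emp{i},{101 + i % 50:03d}-{10 + i % 40:02d}-{1000 + i:04d}\n"
            for i in range(1200)))   # 1200 distinct, structurally valid SSNs
        _write(root, "README.txt", "Helpdesk: 310-555-1234, no SSNs here.\n")
        hits = scan_tree(root)
        # The employee list is an assumed input a real deployment would supply.
        return summarise(hits, ["219-09-9999", "078-05-1120", "300-11-2222"])


if __name__ == "__main__":
    print(demo())
```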

Second Round of Leaks (December 3)

By this point, we can only imagine how Sony was in full panic mode attempting to respond to, and contain, the breach. Sony executives had confirmed the leaked data was authentic. The mainstream media was coming to grips with the ordeal, exploring ideas on the ramifications and the resulting fallout. Initial analysis of the data from the first set of files disclosed had begun as the second disclosure of files occurred. A GOP member identifying themselves as the leader of the group told RBS "Today more interesting data will be presented for you." before pointing RBS to a new link containing additional files, as part of the email dialogue established (interestingly, one mail came from Hushmail, which is known to cooperate with federal agencies). The second leak was considerably smaller, a mere 1.18 GB containing two files named Bonus.rar and List.rar. While the files are small, they perhaps contain the most sensitive data to be disclosed by this point. This includes full security certificate information, internal and external account credentials, and authentication credentials with plaintext passwords for systems such as the Sony YouTube page and UPS accounts.

Bonus.rar file summary:

- 33.7 MB compressed
- Contains plaintext credentials (~500 total), server information, internal IP addresses and other data.
- List of security certificates for servers, users, and services, and a list of what each certificate is related to.
- Credentials include YouTube login information for the Sony Pictures, Spiderman movie, Evil Dead movie, Grownups The Movie, and This is the end movie channels, and a complete list of older social media accounts for campaigns on Facebook and Twitter.
- 121 FTP plaintext credentials, including the main Sony Pictures FTP server.
- Plaintext credentials for major news and media sites like NYtimes, LA Times, Daily Variety, hollywoodreporter.com, indiewire.com.
- Plaintext passwords in formats like "sony12345" for critical internal and forward facing services.
- Username/password combos in a file named "MyPAsswords" contain: novell, mediataxi, inflight, fidelity, spiDR, SPIRIT, sonystyle family center, FEDEX, Connect, SPTI, Acron TASS, SPE Courier, Concur, SPC Press, AIM, HR Connect, AMEX, outlook, all in clear text with username and password combos.
- Accounting and payment information for AMEX for The Interview in plaintext.
- Accounting and payment and other related credentials for Death at a Funeral

List.rar file summary:

- 1.8 MB compressed
- Three files containing internal and external PC data, Linux servers, and Windows servers

The Analysis Game (December 4)

When analyzing high profile breaches, it is common for the media and security companies to make mistakes. This often occurs due to conflicting or unclear information that seems valid on the surface, but falls apart under heavy scrutiny. For example, a Gizmodo article says that Sony stored password information in a folder called "Password". A better explanation is that the archive released by GOP was created by the hackers, who named that folder, not Sony. Below is a screenshot of some of the contents of the Password folder from the GOP Bonus.rar file:


As more journalists commit time to covering the breach, more details emerge, making this a constantly unfolding story. It also lends itself to a form of public debate, where one journalist may call into question the conclusions of another. For example, Wired released an article today that went into detail about how the compromise may have happened (malware dubbed "wiper") and also called out other journalists, saying the North Korean link is not likely. While they make good points about the GOP group and how nation states generally conduct computer intrusions, there is also the possibility that it was specifically designed not to look like such an attack, for plausible deniability. Or it may be as simple as North Korea suggesting they may have had a hand in it, to bolster the notion that they are serious contenders in international computer intrusions for espionage and spying, like their counterparts.

What is curious in this story is that the FBI released a Flash Alert regarding malware that comes after the reported attacks on Sony. This warning comes very late in the game, and also leads to more questions about the security analysts brought in to figure things out. The same article mentions that Mandiant was brought in to address this breach before it became public. Yet Mandiant has not made a statement on the matter, while being notoriously media friendly in blaming hacker sources, specifically the Chinese, even if they may not have been involved.

According to Re/code, Sony is set to announce that they have attributed the attacks to North Korea, making this a "he said, she said" ordeal in the short term. For those interested in more details on the malware found in Sony systems that may have been the point of compromise, Ars Technica has released a more detailed article focusing on it.

The Next Chapter (December 5)

As mentioned, this story is unfolding every day. New information, new perspective, and new deductions come every day. Risk Based Security has been tracking breaches for a very long time, and has frequently seen such high profile breaches unfold over years. After the initial weeks or months of a breach, most news outlets and security companies lose interest. Long term though, part of the story includes the eventual investigation, consultants, lawsuits, stock price fluctuations, and more. The entire picture of a major compromise is the real value, as that is where companies can fully learn of the risks of a breach.

Today the Guardians of Peace have contacted RBS, and likely other companies or journalists, with a third link to leaked data along with a short statement and request calling for others to join them:

"Anyone who loves peace can be our member. Please tell your mind at the email address below if you share our intention. Peace comes when you and I share one intention!

jack.nelson63vrbu1[at]yopmail.com

You can download a part of Sony Pictures internal data the volume of which is tens of Terabytes on the following addresses. These include many pieces of confidential data.

The data to be released next week will excite you more."

The leaked data has been uploaded as BitTorrent links to various file sharing sites via the same methods used in previous disclosures, some of which are served off breached Sony Pictures EC2 servers, as well as being uploaded directly to the RapidGator file sharing service. As before, RapidGator quickly removed the data within three hours of it being posted.

The torrent is broken into 22 files spanning 52 parts which appear to be just over 100 GB of compressed data. This leak has been titled "Financial data of Sony Pictures", so it likely contains financial details of Sony Pictures, the budgets of movies, or more.

Based on the history of contact from GOP, it appears that each day a new email address is used, which suggests the accounts may be compromised email accounts. Whether these are fallout from the Sony breach or via another source remains unknown.


The Analysis Continues (December 7)

There have been several news outlets and security firms researching the Sony Pictures breach and analyzing the files disclosed as a result of the compromise. An interesting and unexpected development surfaced today, when security researcher Dan Tentler announced early in the day that he had had a visit from the FBI but was not home at the time.

"Just to warn other security folk working on the Sony leaks: the FBI just visited my home. I wasn't there, so I'm not sure what they wanted."

He followed up with a comment that was made to his wife:

"according to my wife, who answered the door, they started the conversation with the words 'illegally downloading'."

Mr. Tentler has been conducting his own analysis and has reported on the Sony incident. He posted a list of nodes where the leaks could be found, which may explain the FBI's interest and the subsequent "illegal downloading" comment made to his wife.

Now that the files have been downloaded from the publicly available sources, RBS has had a chance to do a preliminary analysis of the contents. The following is a screenshot showing a sample of the files, to put into better perspective what is leaked. Note that file names are logical, not descriptive and human friendly:

These 22 individual files make up three larger files containing a large set of newly released data, predominantly based on financial information:

File SPE_03_01.RAR (Mostly from Sony Brasil)

- 30,916 individual files, 2,970 folders. 16.4 GB / 9.99 GB (compressed)
- Banking statements, bank account information including wire transfer SWIFT codes etc.
- Financial year reports
- Financial year forecasts
- Budget reports
- Overhead reports
- Receipt and transaction account statements of computer hardware, vehicles (Toyota Hilux, Mitsubishi Space Wagon), car accessories going back to 1998
- Internal information for the Sony Pictures Releasing International portal, screenshots, walkthroughs and other usage information.

File SPE_03_02.RAR (From Sony Pictures Imageworks, Vancouver, and Sony Pictures)

- 89,800 files, 10,990 folders. 88.6 GB / 48.9 GB (compressed)
- Accounting information using Trintech Inc. software
- Licensing contracts: Access Digital (Exyflix), Amazon Europe, Amazon Japan, Clickpay Multimedia, Comcast, Eagle Eye, Gaia, Google (YouTube), Media Vault, MGO, Microsoft, Playstation, Sena, Sony Electronics, Sony visual products, invideo futur, Yota (aka more), Vendors (too many to list)
- Sony India financial reports.
- 528 payrolls for Imageworks Canada with staff full names, contact numbers and residential addresses.
- British Columbia Personal Tax Credit Return scans of several employees with full personal information including social security number.
- Photocopies and scans of driver licenses, passports and other tax related documents exposing a bunch of personal credentials, home addresses, full names, dates of birth, social security numbers and more.
- Federal Tax Returns


File SPE_03_03.RAR

- 113,002 files, 39,612 folders. 57.1 GB / 48.1 GB (compressed)
- Incident reports with full names, incident locations, injuries and positions held with Sony.
- SPE Global Security Guidelines v2
- UL training users, full names, addresses, email addresses and common set cleartext passwords
- Copies of employment contracts and agreements, passports, driver's licenses, SSN, signatures.

Ongoing (December 7)

The LA Times reported on December 5th, and has said that the FBI have confirmed it, that just hours before the 3rd leak was published online, an unknown number of Sony employees received threatening emails which are believed to have been sent by the GOP.

The emails, which were written in what was described as broken English, wanted employees to sign a statement disassociating themselves with Sony, and if they did not, they were warned that "not only you but your family will be in danger". According to the LA Times, the email included a statement that suggests the digital headaches for Sony are going to continue for some time to come.

"It's false if you think this crisis will be over after some time," the email said, according to a copy obtained by Variety. "All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony Pictures."

Adding to the speculation about how the compromise happened, Bloomberg is reporting that the compromise and first leak of data happened at the St. Regis Bangkok hotel in Thailand, according to an unnamed person familiar with the investigation.

Fifteen Days Under Siege (December 8)

Late last night, after a long week of previous disclosures, the GOP has released the next batch of leaked data. The new round consists of four archives making two large files, currently being seeded from servers owned by Sony Pictures as before. The torrent that includes all files is only 2.8 GB this time and has also been uploaded to a few file sharing websites, although we expect them to be taken down quickly like previous GOP uploads.

Unlike previous disclosures that were straightforward, this group of files comes shortly after the appearance of a Pastebin link (now 404) that purports to be from the GOP, and gives a reason for the attacks on Sony Pictures, linking it to the now controversial movie, The Interview. There is speculation that the new announcement may not be authentic, as it did not get sent out via the previous channels, and it suggests an almost afterthought of blaming the movie for their actions. Within hours of this being published on Pastebin it had been removed, but it was cached by Google on December 8, 2014 15:43:58 GMT. Since then, the cache has also been removed, which may be due to Sony complaints. According to Owen Williams, Sony has been sending out Digital Millennium Copyright Act (DMCA) takedown requests related to the breach and subsequent disclosures. RBS managed to capture the text before it was removed from both Pastebin and Google cache:

"by GOP

We are the GOP working all over the world. We know nothing about the threatening email received by Sony staffers, but you should wisely judge by yourself why such things are happening and who is responsible for it.

Message to SONY

We have already given our clear demand to the management team of SONY, however, they have refused to accept. It seems that you think everything will be well, if you find out the attacker, while no reacting to our demand. We are sending you our warning again. Do carry out our demand if you want to escape us. And, Stop immediately showing the movie of terrorism which can break the regional peace and cause the War! You, SONY & FBI, cannot find us. We are perfect as much. The destiny of SONY is totally up to the wise reaction & measure of SONY."

The following is a summary of the fourth leak:

05_01.rar

- mosokos.ost (a Microsoft Outlook mail spool), 3.5 GB in size
- mosokos is Steve Mosko, President of Sony Pictures Television.
- 3,550 full contact details, full names, email addresses, home addresses
- 14,944 sent emails
- Email contents include account information, password reset mails, personal emails, flight and travel arrangements
- Also includes discussions about internal operations within Sony, the 2013 Breaking Bad Blu-ray leak, discussions about using torrents and the AXN network to distribute Hannibal
- Emails from friends and other Sony staff about TV show torrents and uploads to YouTube, including Breaking Bad, King of Queens, and Hannibal.

05_A.rar

- APascal1.ost (a Microsoft Outlook mail spool), 3.78 GB in size
- APascal is Amy Pascal, Co-Chairman, Sony Pictures Entertainment and Chairman, Sony Pictures Entertainment Motion Picture Group
- Over 5,000 emails included
- Most recent Inbox email is from November 23, 2014 (likely when the mail spool was taken)
- Emails consist of Sony employee relations, personal invoices, and personal emails
- Includes talk and deals about upcoming movies
- Contains current and closing business deals

View of the APascal1.ost Outlook mail spool showing the folders:


Speculation and analysis of the original compromise method is ongoing. The Register reports that Kaspersky has published details on the malware that allowed the attackers to gain a foothold in the organization. According to the researchers, the malware has been named BKDR_WIPALL by Trend Micro and Destover by Kaspersky (which elicited a warning from the FBI), and was previously seen in attacks against Saudi Aramco by the WhoIs Team in 2012. Kaspersky researchers went on to say that this backs claims that the malware was used in the 2013 DarkSeoul attacks, possibly linking the same group or groups to a multi-year campaign of high profile computer intrusions.

Seemingly unrelated to the GOP breach of Sony Pictures, but coincidental in timing, the Sony PlayStation Network appears to be suffering their own problems, as a group called Lizard Squad is taking credit for a coordinated large-scale denial of service attack that follows a previous one in August of this year. Via Twitter, Sony PlayStation Network has acknowledged that customers are experiencing problems, but does not specifically cite why.

Culver City Sony employees will be briefed by the Federal Bureau of Investigation (FBI) on Wednesday regarding the recent attacks, according to the Hollywood Reporter. Michael Lynton, Entertainment Chief at Sony, has also called for an all-hands meeting on Friday to further discuss the issue.

Reality and the Blame Game (December 9)

Generally when a high profile, wide scope breach occurs, news outlets and some security companies are quick to say it was the work of an advanced attacker, and that the breach is unprecedented. According to Mashable, Michael Lynton (Sony Pictures CEO) sent a letter to all employees featuring a letter from Kevin Mandia, of Mandiant, the company hired by Sony to investigate the breach. An excerpt from the letter:

"This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat." Kevin Mandia, Mandiant Security Consulting

All analysis to date suggests the malware was not unique to Sony, and may have been used several times before. Trying to suggest that malware that evades industry standard antivirus software is unprecedented is ridiculous. Antivirus software routinely fails to identify malware due to the archaic signature-based model they use. The software only detects what it knows to look for, and with a few tiny changes, old malware can be made undetectable again until a new signature is created and pushed to customers. That subscription model is the profit center of the antivirus industry, and they have little reason to improve it. Further, suggesting this breach was unprecedented in its size and scope simply isn't true either. Large scale compromises like this hit the news every year.

If you recall, on December 4th Re/code published an article saying that Sony was set to officially blame North Korea for the attacks. Jump to today, a mere 5 days later, and the FBI is officially saying there is no attribution to North Korea, according to Reuters.

"There is no attribution to North Korea at this point." Joe Demarest, Assistant Director of the FBI Cyber Division

It has also come to light via Mashable, via the leaked email archives from the fourth leak (December 8), that Michael Lynton (CEO), Amy Pascal (Chairman), and other executives received an email from hackers calling themselves "God'sApstls". In the email, quoted below, the group threatens great damage to Sony Pictures unless financial compensation is provided:

"We've got great damage by Sony Pictures.

The compensation for it, monetary compensation we want.

Pay the damage, or Sony Pictures will be bombarded as a whole.

You know us very well. We never wait long.

You'd better behave wisely.

From God'sApstls"

This goes against subsequent posts from the Guardians of Peace (GOP), who said the intrusion was related to the release of the movie The Interview. At this point it is not clear if a single coordinated group of attackers is changing their public persona, or if more than one group has access to the network.

More fallout from the Sony Pictures compromise comes in the form of the attackers using Sony's certificates to digitally sign the Destover malware. As reported by Kaspersky Labs, the signed malware appeared on December 5th and will result in additional malware being signed, and likely render subsequent attacks more effective. [Update: It turns out this was a prank carried out by a security researcher, who figured out the password of the certificate (the same as the file name), and decided to sign the most amusing/ironic thing he could think of, the malware itself. We are also told that three other certificates used a password of "password".]

    MyLifeAtTheCompany,Part1(December10)

    Nowthatjournalistsandsecuritycompanieshavehaddaystoreviewtheincredibleamountofleakeddata,analysishasshiftedtofocusmoreonthecontentsoftheemailsofAmyPascal,CoChairman,SonyPicturesEntertainmentandSteveMosko,PresidentofSonyPicturesTelevision.ThishasrevealedodddetailssuchasSonycontinuingtomakeconsiderablemoneyfortheshowSeinfeld,SonyexecutivesconcernedovertheendingofthemovieTheInterview,andthatGeorgeClooneyisverysavvy.

    TodayalsobroughtthefifthleakofdatafromtheGuardiansofPeace(GOP),titledGiftofSonyfor5thday:MyLifeAtTheCompanyPart1.Asbefore,theleakeddatawasuploadedtovariousbittorrenttrackingwebsiteswiththedownloadconsistingoffive1GBparts

    TodayGOPappearstoofreleasedanotherdropofdatathistimetitledGiftofSonyfor5thday:MyLifeAtTheCompanyPart1.Theleakhasbeenuploadedtoviatorrenttrackersandthe.torrentfileuploadedinasinglerarfiletosmallerfilehostingwebsitesasbefore.

    Thetorrentfileconsistsof5parts,all1GBandinRARformat(spe_05_01.part[15].rar).TheGOPhavealsoincludedanewstatementwiththisdisclosure,againdirectedatSonyPicturesemployees.Themessagestatesthattheystillhavelargeamountsofinformationtodisclose,includingpersonalinformationandmoreemailspools.Thestatementreads:

    ToSPEemployees.SPEemployees!DontbelievewhattheexecutivesofSPEsays.TheysayasiftheFBIcouldresolveeverything.ButtheFBIcannotfindusbecauseweknoweverythingaboutwhatsgoingoninsidetheFBI.Westillhavehugeamountofsensitiveinformationtobereleasedincludingyourpersonaldetailsandmailboxes.IfcontinuedwrongdoingsoftheexecutivesofSPEdriveustomakeanunwanteddecision,onlySPEshouldbeblamed.Nowisthetimeforyoutochoosewhattodo.Wehavealreadygivenmuchtimeforyou.

    ThenewlyleakeddataincludesinformationaboutSonysantipiracyefforts,entertainmentdealsintheworks,internalproceduresrelatedtotrackingtorrentsandotherillegaldownloading.ItalsocontainsadocumentthatoutlinesSonyscooperationwith5majorInternetServiceProviders(ISPs)tocollectfulldataformonitoringillegaldownloads.Inaddition:

    MotionPictureAssociationofAmerica(MPAA)listofoutstandingissuesandotherpiracyrelatedinformation.EnhancedContentProtectionproposals,drafts,anddocuments.PotentialMiddleEastpartnershipdealsfrom2012.WagesofinternationalemployeesfromSonyAustraliaandSonyChinaContactinformationofmorethan2,500employees,additionaldigitalcertificates,documentsonInternetsecurity,securityadvisoriesthatmayimpactSonysystemsResearchdocuments,internalinformationaboutSonycamerasbeingproduced,NATOStudioAugust2014TechMeetingsAgendawithtalksaboutnewtechnologybeingproducedbySonyProjectnondisclosureagreements,budgets,financialforecastsfor20132015,informationaboutprojectsschedules,deals,costs,profits,advertisingrevenue,andadvisorfees.

    AntipiracyinformationfromGoogle,YouTube,Netflix,andFarncombeincluding:

- Total number of notices sent to ISPs with 100% success rate (2,537,932).
- Alerts sent to subscribers (1,475,848).
- Alerts that were not sent but should have been (41,917).
- A breakdown of which content, how many types of alerts sent, and acknowledgements for 2012, 2013, and 2014.
- Confidential documents outlining deals, procedures for monitoring, and services provided by Farncombe.
- A large amount of proposals to Google, YouTube, and other services about how to censor search results and remove content from search.
- Content protection documentation.


Documents and internal tracking of console hacking information for the PlayStation including:

- 27th Chaos Communications Congress (CCC), Console hacking 2010, PS3 Epic fail.
- Verisign Fraud Alert: Phishing, the latest tactics and potential business impact.
- BHUSA09-Marlinspike-DefeatSSL-PAPER1
- us-14-Rosenberg-Reflections-On-Trusting-TrustZone-WP

A variety of documents on relations with the following companies: AXN, AMC Networks, Hoyts Australia, Animax UK, Channel 5 UK, Chello, Grupo Clarin, 2waytraffic, Dailymotion, Comedy Time, DirecTV, Crackle, Apple, iTunes, Google, YouTube, Hotfile, BBC, BITAG, Telstra, Rogers, Showtime, Sky, Skype, SNEI, Telus, Tesco, Virgin Media, TVN, Verizon, Telefonica, TTNET, Turner, TrueNet, Videotron, VUDU, Voole, Redline, and SingNet. The data on deals is extensive, to say the least. Below is a small sampling of the folders and documents:

After the series of incidents with Sony in 2011, many analysts were curious about how it would affect Sony's stock price. Between April 4, 2011 and October 12, 2011, Sony's stock price dropped from $31.45 to $20.06. This raises the question of whether this round of incidents is also affecting the price.


Here we see the stock value between November 25th, when the breach became public, and today. Note that in our experience, we frequently see stock prices drop as an immediate reaction to such events, but they often return to the original value within three months.

Yesterday we reported that attackers had used a Sony digital certificate (spe_csc.pfx) to sign the malware believed to have been used in the compromise. It has come to light that this was actually a prank of sorts, carried out by security researchers who figured out the easy-to-guess passwords protecting the certificates. RBS has seen a portion of the chat log in which they guess the passwords. After the signed malware was placed on VirusTotal, Kaspersky apparently made the assumption that it came from the attackers. Steve Ragan summarized the prank in an article last night, and Colin Keigher, who was close to the source of the prank, published a blog this morning giving additional details.

Perhaps the most interesting development, though, is the possible doxxing (publishing personal information) of the Sony hackers. Via two Pastebin documents, the real name, address, nickname, birthday, and other personal details of five people are listed. Given the lack of provenance for this information, RBS is not going to further propagate it. The introduction text gives a summary of the alleged hackers:

Sony hackers DX. they hackers from Tunisia Hacker Team but covering as Guardians of Peace for op Week of Horror to attack USA and support Syria and governments that fight USA (china, korea, iran).

Another Day, Another Email Spool (December 10)

Today also brought the sixth disclosure from GOP, a single file named sony6.rar, that was uploaded to bittorrent tracking and file sharing sites. As usual, the file was quickly removed from the file sharing sites. The file contains another mail spool named lweil00.ost, which belongs to Leah Weil, Senior Executive Vice President and General Counsel for Sony Pictures Entertainment. Some details about the 3.84GB mail spool include a list of folders, number of emails, and a brief summary of the content.

Some of the folder names and mail counts:

- Admin: 56
- Alertline: 286
- Audit Reports: 28
- Calendar: 6,815
- Compliance dept: 45
- Contacts: 178
- Conversation history: 2
- Deleted items: 4,296
- Designated Employee Notice: 59
- Division Head Meetings: 205
- Executive comp: 60
- Inbox: 41,229
- Sec filings: 30
- SEC FCPA: 102
- Sent emails: 36,586
- SPE Board: 19
- SPE Subsidiaries Report: 3
- Legal: 78


Brief list of highlights:

- Deleted mail contains email retention orders (currently, financial information email needs to be held for 6 years; as of 15 Jan 2015 that will change to 2 years for all emails unless on legal hold).
- SKY PerfecTV data leaked in June of this year, including 10,000 customers' names, email addresses, addresses, phone numbers, Pay TV access control numbers (B-CAS #), IC cards, and subscription information which may include payment details. (SKY PerfecTV is responsible for parts of AXN, owned by Sony.)
- Discussions with Paula Askanas and others about uploading fake torrents to frustrate would-be pirates.
- Instructions for how to respond to previous Sony hacking incidents, with approved wording for Twitter and Facebook.
- Extensive communications about the 2011/2012 attacks against Sony by Anonymous, including the #opsony threat, sharing of pastebin links pertaining to Sony, vulnerabilities on Sony sites (e.g. Subject: FW: ALERT ANONYMOUS THREAT XSS exploited on scajobs.sony.com!!), details of internal investigations about hacking incidents, and employees attempting to geolocate the hackers and match their handles to other aliases.
- Internal concern that Mark Zuckerberg might sue Sony over the movie The Social Network.
- Correspondence between Sony staff about George Clooney wanting to direct a movie based on Hack Attack. Concerns are expressed over potential legal issues if media giant Rupert Murdoch's name is used within the movie, since it's based on a real story.
- Emails about previous Sony breaches including SPE, Sony PlayStation, and other divisions of the company.
- Emails about harassing calls from ANTI-SOPA protestors.

Given the severity of this breach, along with the history of previous Sony incidents, it is worth remembering the first part of a 2007 article titled Your Guide To Good-Enough Compliance by Allan Holmes. It is a good reminder that security is not just technology but a mindset, and that failing to work toward a secure environment may have long-lasting repercussions.

Celebrity Gossip and Hacking Back (December 11)

The culture of watching celebrity lives has captivated the TV-watching audience for years now, with reality shows dominating news and air time. With the Sony Pictures executive mail spools being leaked over the last few days, those analyzing the contents are running into emails from high-profile actors and actresses that communicate with them. As previously mentioned, George Clooney takes a hard-line, intelligent approach to emails, knowing the contents could leak out.

Now we learn of drama between Amy Pascal and Scott Rudin over the highly anticipated upcoming biopic on Steve Jobs, in which there is serious disagreement over Angelina Jolie's disappointment that director David Fincher would be involved in Jobs instead of her own movie, Cleopatra. Despite the differences between Pascal and Rudin, the leaked emails show they do have one thing in common: joking about President Obama's race. In another exchange between Pascal, Michael Lynton, and Clint Culpepper, they are candid in their feelings about an actor asking for more money to promote a movie via social media:

I'm not saying [Kevin Hart's] a whore, but he's a whore. - Clint Culpepper (President, Screen Gems)

With the leaked emails, the public is also learning a wide variety of personal information about celebrities. In addition to email addresses, analysts are finding out aliases celebrities use when traveling, phone numbers, and more. Those affected include Brad Pitt, Julia Roberts, Tom Hanks, and others, according to Sophos.

Changing tracks, the other interesting development is how people are reacting to, and labeling, Sony's efforts to curb piracy. More specifically, some are considering and/or labeling the actions as a denial of service (DoS) attack. In using that term, they are effectively suggesting that Sony's tactics are illegal. The tactics in question are based on Sony using hosted servers to pollute a bittorrent swarm, making the downloading of the illicit files (in this case the leaked data) more difficult. By introducing hundreds or thousands of peers that advertise they have parts of the file, and then fail to send them, would-be downloaders experience considerably slower rates. In some cases this causes them to give up on the download completely, and in other cases it may mean the download takes more than a day, rather than an hour or three.
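To make the slowdown described above concrete, here is an added Python model (not code from the original article or from Sony): fake peers advertise every piece but never deliver, so each request to one costs a timeout, and a client that stops asking peers which time out bounds the damage. The peer counts, piece time and timeout are constructed assumptions, not figures from the page.

```python
"""Added example, not from the original article: a deterministic model of the
swarm pollution tactic described above. Honest peers deliver pieces; fake
peers advertise every piece but never send bytes, so each request to one
costs a timeout. Peer counts, piece time and timeout are constructed values."""
from dataclasses import dataclass
import random


@dataclass
class Peer:
    name: str
    fake: bool  # True: advertises pieces but never delivers them


@dataclass
class Swarm:
    peers: list
    piece_time: float  # seconds to fetch one piece from an honest peer
    timeout: float     # seconds wasted waiting on a fake peer


def build_swarm(honest, fake, piece_time=1.0, timeout=30.0):
    """Construct a swarm with the given number of honest and fake peers."""
    peers = [Peer(f"honest{i}", False) for i in range(honest)]
    peers += [Peer(f"fake{i}", True) for i in range(fake)]
    return Swarm(peers, piece_time, timeout)


def simulate_download(swarm, pieces, seed=0, ban_after=1):
    """Sequential downloader: for each piece, pick a random peer that still
    advertises it. A peer that times out `ban_after` times is never asked
    again (ban_after=None disables this). Returns (elapsed_seconds, banned)."""
    rng = random.Random(seed)
    timeouts = {p.name: 0 for p in swarm.peers}
    banned = set()
    elapsed, done = 0.0, 0
    while done < pieces:
        candidates = [p for p in swarm.peers if p.name not in banned]
        if not candidates:
            raise RuntimeError("no usable peers left in swarm")
        peer = rng.choice(candidates)
        if peer.fake:
            elapsed += swarm.timeout          # wasted wait, no progress
            timeouts[peer.name] += 1
            if ban_after is not None and timeouts[peer.name] >= ban_after:
                banned.add(peer.name)         # stop asking this peer
        else:
            elapsed += swarm.piece_time
            done += 1
    return elapsed, sorted(banned)


if __name__ == "__main__":
    clean = simulate_download(build_swarm(10, 0), 100)[0]
    polluted = simulate_download(build_swarm(10, 200), 100, ban_after=None)[0]
    defended = simulate_download(build_swarm(10, 200), 100, ban_after=1)[0]
    print(f"clean: {clean/3600:.2f} h, polluted: {polluted/3600:.1f} h, "
          f"polluted with peer banning: {defended/3600:.2f} h")
```

With ten honest peers and two hundred fake ones, the un-defended run spends roughly twenty timeouts per piece, which is the "more than a day rather than an hour or three" effect in miniature; banning each fake peer after its first timeout caps the extra cost at one timeout per fake peer.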

The use of the term denial of service appears to originate in an article from re/code, where they say that Sony is "using hundreds of computers in Asia to execute what's known as a denial of service attack on sites where its pilfered data is available". Technically, this is true, as a denial of service attack is just that: it denies some level of service to users. However, in this case Sony is attempting to deny people from obtaining the leaked data from their network. Is this legal? Based on our understanding of U.S. computer crime laws, their actions do not technically violate the Computer Fraud and Abuse Act (CFAA, specifically 18 U.S. Code § 1030). However, according to the Department of Justice manual on prosecuting computer crime, this may be up for interpretation by a district attorney as far as what constitutes a legitimate user:

Intruders can initiate a denial of service attack that floods the victim computer with useless information and prevents legitimate users from accessing it. [..] Prosecutors can use section 1030(a)(5) to charge all of these different kinds of acts.

This boils down to whether journalists can publish the contents of material that was illegally obtained by a third party. The Student Press Law Center (SPLC) maintains a great summary of this issue and cites the Supreme Court's 2001 decision Bartnicki v. Vopper, which struck down wiretapping statutes that prohibited the disclosure of illegally intercepted communications. With this in mind, anyone attempting to download the leaked Sony data *is* a legitimate user, and Sony's efforts to deny that service may violate the CFAA. We're not lawyers, and this is certainly a case full of gray, not black and white.

The one thing we can say with certainty is that Denial of Service (DoS) and Distributed Denial of Service (DDoS) are loaded terms, as they are typically used to describe either a technical attack against a system (where intent and ethics aren't part of the discussion) or the actions of a criminal. This terminology gets further confusing and misleading when it is accompanied by phrases like "When the hackee becomes the hacker", "In a somewhat amusing twist to the ongoing Sony Pictures hack", or more aggressive wording like "Sony Pictures is employing hacking techniques", since this begins to ascribe specific criminal notions to their actions. The one thing Sony is doing right in all this mess is denying everything.

Debates, Goliath, and Apologies (December 12)

Whenever a large breach occurs and involves the disclosure of personal email, even if professional, several debates re-emerge. The first revolves around the ethics of reading private emails. On one hand those emails, while public, were never meant to be published. On the other hand, quite simply, they were made public. This is not a debate that will be won, as both sides have valid points. One thing to keep in mind is how you would feel if your emails were leaked. RBS has balanced this dilemma by analyzing the metadata (e.g. mailbox size, number of mails) rather than the content. Instead, we make observations about what others have published regarding the content and link to their articles.

The second debate that crops back up is the ethics of downloading stolen content such as emails. As mentioned in yesterday's update, the Supreme Court's 2001 decision in Bartnicki v. Vopper says that downloading and using stolen material such as email is legal for journalists. However, current intellectual property (IP) and copyright law could trivially challenge that ruling if it were to reappear in front of the Supreme Court. Regardless of that decision, Kashmir Hill reminds us that simply downloading the stolen content may prompt a visit from federal authorities. Not only has Dan Tentler (@viss) been visited, but Steve Ragan has also had a run-in with the FBI over the Sony material. We have little doubt that they are not the only two to have been visited. We also want to remind the FBI that journalists and researchers who are downloading and analyzing the material are not who you are really after, assuming you are trying to catch the individuals that actually compromised Sony's network. If you treat them as sources instead of persons of interest, you may find they can assist you with your job.

The third debate that tends to come up among journalists is whether analysis or snippets of such emails should be published after downloading and reading. Variety weighs in on this topic in an article titled Why Publishing Stolen Sony Data is Problematic But Necessary. While some of the material coming out of the leaks is very personal and embarrassing (e.g. racial jokes, calling professionals obscene names), such leaks can also lead to information that is specifically of interest to the public and should not be kept behind closed doors.

On the bad side of such disclosures, we see that the leaks are revealing very sensitive information such as employees' children's health information, including special needs, diagnoses, and treatments. The leaks further go on to reveal birth dates, gender, health conditions, and medical costs for as many as 34 Sony employees, according to Bloomberg. On the good side of such disclosures, we find out that the MPAA, in conjunction with six studios, allegedly plans to pay elected officials to attack Google in an effort to curb piracy dubbed Project Goliath, according to TechDirt and The Verge. These two things are pretty much the opposite ends of the spectrum on the harm versus value of leaked data.

Finally, after weeks of silence, one Sony executive has gone on record about the leaked emails, albeit briefly. Amy Pascal, Co-Chairman, Sony Pictures Entertainment, has apologized and given an explanation for the racially insensitive comments directed at President Obama. Food for thought this weekend: if your email was published, what would you have to apologize for, if anything?

My Life At The Company, Part 2 (December 13)

Today brought the seventh leak of data from the Guardians of Peace (GOP), titled My Life At The Company Part 2. This follows a Pastebin post in which they warn Sony executives that an important message has been sent to them:

by GOP

    Important

Message to SPE executives

I've sent you a message. Confirm your mailboxes.

The Pastebin post with links to the newly leaked information from Sony networks is accompanied by another message saying that upcoming Christmas leaks will contain larger quantities of data and will be more interesting. One thing that is already interesting is that GOP says if anyone sends an email titled Merry Christmas to one of five provided email addresses, they will take requests for what should be in the upcoming leak:

We are preparing for you a Christmas gift. The gift will be larger quantities of data. And it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state. Please send an email titled by Merry Christmas at the addresses below to tell us what you want in our Christmas gift.

The actual data leaked today appears to consist of 6.45GB of uncompressed data, distributed via bittorrent links that do not appear to be seeding from the same 54 IP addresses previously seen. The data consists of 6,560 files throughout 917 folders. A screenshot showing a sampling of the leaked data:

A very brief analysis suggests this leak contains:


- Sony internal documents for tracking deals, expenditures, and revenue.
- Complete working folders for Jim Underwood (likely ex-Sony Executive VP, Worldwide Digital and Commercial Strategy [LinkedIn Profile]).
- Documents related to the acquisition of Grouper Networks in 2006 and related material from the following years.
- Many acquisition proposals, Sony's perspective on the pros and cons of the deals, companies of interest, and potential profit, including Left Bank Pictures.
- Drafts on the best ways to battle piracy, from 2009 on.
- Enhanced Content Protection Overview written by Chris Odgers: a complete analysis of possibilities of breaches, exploits, detection, and prevention methods for data streaming services to prevent hijacking.
- Emails about Australian TV not being finalized before screening started. This appears to be related to the recent run of older American TV shows like Starsky and Hutch.
- Breach monitoring and revocation rules for Phase 1 Service if the F1 Box is hacked.
- Business documents and dealings with Abril.com out of Brazil.

As other researchers and journalists perform a more extensive analysis, we will provide links, summaries, and commentary on it.

Between Sony's efforts to hinder acquiring the data via the torrents, and the file sharing sites rapidly removing leaked data, some people have begun to make their own archives of the leaked data on additional sites. Some of them are being shared via Twitter and others via additional file sharing sites.

Following up on the legal angle (covered in the December 11 update), Betabeat has published an article titled No Gray Area: It's Definitely Not OK to Publish Emails From the Sony Hack, in which they point out the moral and ethical issue with disclosing details of the leaked data. They argue that a variety of news outlets, including Perez Hilton, called the disclosure of celebrity nude photos a crime while having no issue publishing private conversations from Sony executives. This is an interesting observation, as it appears to establish the line between acceptable (leaked emails) and taboo (nude celebrity photos) for journalists. We are sure that this is a debate that will rage on for some time. [Note that the Perez Hilton article that mentions the word crime cites Jennifer Lawrence's statements in which she called the publication of her photos a sex crime.]

Business Insider has also published an article citing an IT worker, employed by a firm that has access to Sony's computer network, who says Sony's network security was outdated and ineffective. The article goes on to reference the Password folder that contained numerous passwords, but as we previously noted, that was likely at the hands of the attackers, not necessarily Sony. In another article from re/code, they also reveal that the leak contains a very recent security audit performed by PricewaterhouseCoopers LLP between July 14 and August 1. re/code reports that the audit found over 100 systems that were not being monitored by corporate security, who were charged with overseeing Sony's infrastructure.

RBS will update this timeline with more information as it becomes available.
