Sony Hackers Threaten to Release a Huge 'Christmas Gift' of Secrets

As leaks from the recent Sony hack continue to make headlines and company executives apologize for insensitive comments made in exposed emails, we still don’t know how the hack occurred or the exact nature of the demands made by the attackers. But we’ve learned a bit about Sony’s security practices. And we’ve learned that the attackers may have tried to extort Sony before releasing its secrets. We’ve also learned that attempts by Sony to rally public support from rival studios have failed.
Michael Lynton, Chief Executive Officer of Sony Pictures Entertainment Inc., speaks at a news conference in Tokyo, Japan, on Tuesday, Nov. 18, 2014. Kiyoshi Ota/Bloomberg via Getty Images

To date, about 200 gigabytes of data have been leaked. In one of their latest troves released Saturday, the hackers warned that even more damaging information was still to come and invited the public to send requests for what they’d like leaked. “We are preparing for you a Christmas gift,” they wrote. “The gift will be larger quantities of data. And it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state. Please send an email titled by ‘Merry Christmas’ at the addresses below to tell us what you want in our Christmas gift.”

The hackers also invited Sony employees to send them a note requesting to not have their personal information released.

The new threats of disclosure have prompted Sony to get more aggressive in its offense. In a letter sent to media outlets Sunday, the company warned against publishing any leaked documents or information contained in them. It’s not clear what effect this may have on media outlets, but some file-sharing sites (or their hosting companies) appear to be getting nervous. As quickly as new releases from the hackers are being uploaded to some sites, the files are being taken down.

Here are some of the highlights of the Sony hack in the last week:

Did Hack Begin Last February?

It’s unknown how long the hackers have been in Sony’s servers. But hackers obtained the credentials for two corporate user accounts for a Sony Pictures Entertainment server back in February and “may have uploaded malware” to the network, according to an email leaked by the hackers that was sent by Courtney Schaberg, Sony’s vice president of legal compliance, to colleagues. In a subsequent email, Schaberg wrote that names and email addresses for 759 people “associated with theaters in Brazil” had been exfiltrated. Schaberg disclosed the information as part of a discussion about whether Sony had an obligation, under Brazilian law, to notify those affected by the breach.

Notably, Phil Reitinger’s name appears in the email thread. Reitinger is a big gun in security, having once served as Deputy Under Secretary for the Department of Homeland Security’s National Protection and Programs Directorate. The NPPD helps protect government civilian systems. Reitinger is also a former Microsoft executive, former director of the Department of Defense Cyber Crime Center and, ironically, former deputy chief of the Justice Department’s Computer Crime and Intellectual Property Section.

He left his DHS job in 2011 to join Sony as its chief information security officer where he’s responsible for overseeing the company’s global security efforts. Last year he was also appointed to New York Governor Andrew Cuomo’s cyber security advisory board.

A leaked data sheet from Sony shows that in 2011, the year Reitinger joined the firm, the company had a practice of storing passwords, Social Security numbers, dates of birth and other sensitive information unencrypted. The document shows, for example, that the company was storing unencrypted Social Security Numbers for 10,000 people, presumably employees, on its corporate benefits web site. Nearly 14,000 names, email addresses and passwords were also stored unencrypted on a server used for the Sony Pics Stock Footage web site. Presumably these credentials belonged not only to Sony workers who need access to stock footage, but also likely to journalists and others who use such footage.

It’s unclear if this particular data was still kept unencrypted under Reitinger’s watch, but other Social Security numbers have been leaked online by the hackers, and the widespread nature of the Sony hack and the enormous volume of data exfiltrated by the hackers provides evidence that the security problems persisted.

Extortion Attempt Preceded Release of Documents

When news of the hack first went public in November, the hackers threatened to release documents if Sony didn’t meet an unspecified demand. “We’ve already warned you, and this is just the beginning,” the hackers wrote in a message that popped up on Sony employee computers shortly before the Thanksgiving holiday. “We continue till our request be met.” The email, written by hackers who used the handle GoP or Guardians of Peace, implied previous correspondence with Sony, but didn’t state when that had occurred or the nature of it.

Now an email sent to Sony executives on Nov. 21, a few days before the hackers displayed their message on employee computers, has emerged among the trove of stolen and leaked documents. The email, addressed to Sony Pictures CEO Michael Lynton, Chairwoman Amy Pascal and other executives, appears to be an attempt at extortion.

“[M]onetary compensation we want,” the email reads. “Pay the damage, or Sony Pictures will be bombarded as a whole.” The email, however, wasn’t signed by GOP but instead by “God’sApstls.” The reference to “God’sApstls” also appeared in a malicious file that has been connected to the Sony hack. That file, examined by Symantec and other security firms, is part of a suite of attack files security firms are calling Destover and is designed to display the following message on the computer of victims:

“We’ve already warned you, and this is just a beginning. We continue till our request be met. We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world. Determine what will you do till November the 24th, 11:00 PM(GMT). Post an email address and the following sentence on your twitter and facebook, and we’ll contact the email address. Thanks a lot to God’sApstls [sic] contributing your great effort to peace of the world. And even if you just try to seek out who we are, all of your data will be released at once.”

It should be noted that neither the Nov. 21 email nor the message that appeared on victim machines made any reference to North Korea or the Sony film The Interview, which a number of news reports have suggested was the motive for the attack.

But as if information about the hackers behind the attack isn’t already confusing enough, in the latest leaks published by the hackers on Sunday, the group claims to have no knowledge of the threatening email sent to Sony. This raises the question of whether there was more than one group of hackers in Sony’s network or if the hackers are simply trying to distance themselves from the earlier extortion attempt. The hackers do, however, demand that Sony “stop immediately showing the movie of terrorism which can break the regional peace and cause the war!” If it’s a reference to The Interview it comes only after numerous media outlets have made a connection between the movie and the hack, suggesting the attackers may have found the media-invented motive more appealing than their previous one.

The hackers warned executives in their new leak that the sooner they “accept our demands” the better. “The farther time goes by, the worse state SPE will be put into and we will have Sony go bankrupt in the end.” They also posted a note to Sony employees: “We have a plan to release emails and privacy of the Sony Pictures employees. If you don’t want your privacy to be released, tell us your name and business title to take off your data.”

It’s unclear how many, if any, Sony employees will take them up on the offer.

Sony Fighting to Plug Leaks

Sony might have been the victim of a spectacular hack but it’s not sitting idly waiting for authorities to act.

Instead, the company has reportedly inserted itself between would-be downloaders and the stolen documents they covet to dissuade them from accessing the real trove. The company has apparently done this by seeding file-sharing torrents with fake files masquerading as the real documents. The fake files download slowly, taking hours—sometimes a day—to finish, leaving the downloader with nothing valuable when the process is complete. Some media outlets have referred to this as a denial-of-service attack, but that is a misnomer. A denial-of-service attack is illegal under the Computer Fraud and Abuse Act and involves an attack “that floods the victim computer with useless information and prevents legitimate users from accessing it,” according to a Justice Department definition. It would be a denial-of-service attack if Sony were to send a flood of data requests to machines hosting the stolen documents, preventing users from accessing the real files on those machines. Instead, Sony is simply luring would-be downloaders to honeypot files to distract them from downloading the real ones.

Journalists “Morally Treasonous” for Publishing Leaks

Screenwriter Aaron Sorkin, creator of “The Newsroom,” apparently lost all sense of irony and lashed out at the media this weekend in a New York Times op-ed, calling outlets that published information contained in the leaked documents “morally treasonous and spectacularly dishonorable.” His fury stemmed not from the fact that some of the leaks involved him—a film executive speculated in one of the leaked emails that Sorkin was bankrupt and was possibly sleeping with the female author of a book he’s adapting (Sorkin denied both)—but because the leaked documents weren’t newsworthy.

“I understand that news outlets routinely use stolen information,” he wrote. “That’s how we got the Pentagon Papers, to use an oft-used argument. But there is nothing in these documents remotely rising to the level of public interest of the information found in the Pentagon Papers.” What part of the studio’s post-production notes on Cameron Crowe’s new project are newsworthy, he wondered. He also suggested the media were hypocrites for decrying the NSA’s violations of privacy while helping the Sony hackers violate the privacy of Sony employees. “[S]o much for our national outrage over the National Security Agency reading our stuff. It turns out some of us have no problem with it at all,” he wrote.

“As demented and criminal as it is, at least the hackers are doing it for a cause,” he noted. “The press is doing it for a nickel.”

But Sorkin’s admonishment to journalists is perhaps undercut by comments he made at the Tribeca Film Festival earlier this year when he said that no one should consider him an expert on journalism and that he’s “not capable of teaching a professional journalist a lesson.”

“I haven’t become an expert in anything. I’m not sophisticated when it comes to politics, when it comes to journalism. I’m not as smart as the characters [in The Newsroom] are or, as you can see, as articulate…,” he said. “I want to make it clear: I don’t know nothin’.”

Drop That Download!

Sorkin wasn’t the only one angry with news outlets. In its letter sent to media outlets on Sunday, Sony warned that the leaked documents contained “stolen information” and demanded that news outlets avoid them or destroy them if already obtained. Sony “does not consent to your possession, review, copying, dissemination, publication, uploading, downloading or making any use” of leaked information, stated the letter written by attorney David Boies. “If you don’t comply with this request,” he wrote, Sony “will have no choice but to hold you responsible for any damage or loss arising from such use or dissemination by you.”

The Times, in its story discussing the letter, pointed a finger at other media outlets while distancing itself from the documents. It noted that the data “has provided a feast for traffic-hungry websites like Fusion and those owned by Gawker Media, along with some mainstream news organizations like Bloomberg… . The Times has reported on some Sony emails and company-related data based on the accounts of other news organizations and on statements from Sony executives.” It should be noted that Fusion is partly owned by the Walt Disney Company, a Sony competitor.

The paper also mentioned that Sony executives had tried to convince rival studio chiefs in recent days to sign a public letter of support for Sony. But sources told the Times that Sony’s competitors rejected this idea because they thought a letter would be ineffective and might come across as “a publicity stunt.”

There are also concerns, the paper notes, that other studios who speak too loudly in support of Sony may find themselves on the bad end of a hack.