Just to be clear, we’re talking about the big Sony hack in late November 2014, which involved massive data breaches, Hollywood stars, racy pictures and lots of money – NOT the massive Denial of Service attack Sony’s online gaming service suffered over Christmas. (Just to bring that story up to date: the hacker gang Lizard Squad claimed responsibility for the attack late last year, an alleged culprit behind the latter was arrested last week and the infamous Kim Dotcom got them to stop the attack with free vouchers to his new Mega file sharing network.) The Sony Playstation attack was generally hated by everyone, and it certainly should prompt you to update and secure your routers – but we’re looking at the other Sony hack.
To recap: Sony had their data stolen, were blackmailed (unsuccessfully, apparently) and had the compromised data either deleted from their own servers, released to the public, or both. Maybe the public mostly cared about the gossip and about other, more dire compromises – in fact, Sony didn’t even crack the top ten list of hacks for 2014 – but in this article, I’m going to go over how this hack can be something you (and maybe your company) can learn from. The internet has come a long way since its inception, but we still have a way to go when it comes to security.
Timeline of the Sony Hack
Late November 2014
Sometime in late November, the Sony computer network was penetrated. According to media reports online, the black hat hackers left the following somewhat cryptic message, “Hacked by #GOP. Warning: We’ve already warned you, and this is just the beginning. We have obtained all your internal data including secrets and top secrets.”
To show that they weren’t messing around, the black hat hackers started to distribute some or all of the files stolen from Sony on the company’s own Playstation network.
Around this time, the media started to pick up the story, reporting that North Korea was “likely” behind the attacks. Among the files were 47,000 social security numbers, credit card numbers, passport details, and, of course, all the juicy emails.
In another bizarre twist, the black hat hackers demanded that The Interview, a Seth Rogen comedy about killing the leader of North Korea, not be shown in any theaters. This would make sense if the initial media reports about the attack coming from North Korea were correct. But we all know how correct initial media reports are most of the time.
The Anti-Social Network
Business Insider reported that leaked emails show Facebook CEO Mark Zuckerberg tried to stop The Social Network in its tracks, but Sony execs didn’t let up. “I said to Zuckerberg when he tried to stop The Social Network, ‘No one wants their sophomore year in college examined or portrayed,'” Sony Pictures CEO Michael Lynton wrote to another exec in May 2014.
The Interview has a very low-key premiere, even though it’s getting a ton of press.
Good journalists everywhere continued to digest the tens of thousands of documents. Much more embarrassing than gossip about this or that actor or actress was information about bribes paid by Sony to be able to release movies in the country.
Sony officially cancels The Interview. After much speculation and a lot of press, The Interview was released online, reportedly after Sony’s CEO was given advice by Google CEO Eric Schmidt, who said, “This is what we’ve been waiting for.”
President Obama says that Sony made a mistake by pulling the movie. That, in addition to getting a phone call from Google, led to the movie being launched online via a million screens. Meanwhile, the FBI was still blaming North Korea for the attack.
As you might imagine, North Korea was none too happy with the accusation, even if the IP addresses of the attackers appeared to have come from the country. They were even more concerned that President Obama and his administration had orchestrated the movie. (As if they had nothing else going on, apparently.)
On Christmas Day, The Interview is released online around the world. While Sony executives and stockholders are happy, some employees claimed that Sony didn’t do enough to protect their private information. Remember that bit about the leaked social security numbers? A second and third lawsuit were also filed after the movie was released.
The latest? Sony is still reportedly weeks away from fixing their servers. If you want to see a list of all the other information leaked, you can check here. More importantly, I want to talk just a little bit about what the Sony hacks mean for you.
How the Sony Hacks Affect You
The fact that a large corporation can be so easily hacked hopefully has you thinking harder about your own information security. You may be thinking that you’re just a normal person and the black hat hackers aren’t concerned with you, but you’d be wrong. Bad guys don’t care who they attack as long as they can make some money. This is why they scan thousands or even millions of computers – they are looking for ones that aren’t secured properly. The same techniques hackers use for accessing big targets like Sony (and Target) can be even more effective when they can stumble across you – if your system is vulnerable, that is.
In addition to using SSL / TLS on your entire site and keeping all of your software on the server up to date, there are a few pretty obvious lessons from Sony’s experience that can help keep you protected at all times:
Control Access to Your Data INTERNALLY, Too
Maintaining your firewalls and limiting port access are very good ideas – but they don’t help when the black hats are already inside the gates. A file that several thousand people have access to isn’t “Top Secret”. Limiting access to crucial data via basic practices like role-based security makes it much less likely a security breach will expose it. All modern file systems allow admins to control who accesses what – the more internal checks you have against wholesale sharing of data, the better your chances are in the class action lawsuit.
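To make the role-based idea concrete, here is an added example (not code from the original article, and not Sony’s configuration): a deny-by-default permission check driven by a role table, plus an audit that lists which users can read each file and flags anything readable by more users than a chosen threshold. The users, roles and file names are constructed sample data.

```python
"""Role-based access control with a least-privilege audit.

Added example: the policy below is constructed sample data, not any real
company's configuration. Access is denied unless a role explicitly grants it.
"""

# Each role maps to the set of (resource, action) pairs it is allowed to perform.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll/salaries.csv", "read"),
                      ("payroll/salaries.csv", "write")},
    "hr":            {("hr/ssn_records.db", "read"),
                      ("payroll/salaries.csv", "read")},
    "marketing":     {("marketing/press_kit.zip", "read"),
                      ("marketing/press_kit.zip", "write")},
    # The implicit role every account holds; keep it as small as possible.
    "everyone":      {("marketing/press_kit.zip", "read")},
}

# Constructed user -> roles assignment.
USER_ROLES = {
    "alice": {"payroll_clerk"},
    "bob":   {"hr"},
    "carol": {"marketing"},
    "dave":  set(),
}


def roles_for(user):
    """All roles of a user, including the implicit 'everyone' role."""
    return USER_ROLES.get(user, set()) | {"everyone"}


def is_allowed(user, resource, action):
    """Deny by default: allow only if some role of the user grants (resource, action)."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in roles_for(user))


def readers_of(resource):
    """Sorted list of users who can read the resource (what an auditor wants to see)."""
    return sorted(user for user in USER_ROLES if is_allowed(user, resource, "read"))


def audit_overexposed(max_readers):
    """Resources readable by more than max_readers users, with the offending reader lists.

    A file that far more people can read than need to is the first thing to
    tighten, because an intruder who compromises any one of those accounts gets it.
    """
    resources = {res for perms in ROLE_PERMISSIONS.values() for res, _ in perms}
    report = {}
    for res in sorted(resources):
        readers = readers_of(res)
        if len(readers) > max_readers:
            report[res] = readers
    return report


if __name__ == "__main__":
    print("alice writes payroll:", is_allowed("alice", "payroll/salaries.csv", "write"))
    print("carol reads payroll: ", is_allowed("carol", "payroll/salaries.csv", "read"))
    for res, readers in audit_overexposed(2).items():
        print("over-exposed:", res, "->", readers)
```

Run as a script it prints the two checks and the audit report; in a real deployment the same role table would be enforced by file-system groups or the application’s authorization layer, and the audit function is the part worth running on a schedule.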
Practice Good Security Hygiene
Alongside access control is how you choose to secure your internal data – writing the combination to your locked payroll drawer on the drawer, with an arrow pointing to it and the word “combination to this drawer!” is a bad idea, and the electronic equivalent – say, storing thousands of passwords in a plaintext file named PASSWORDS – is just as bad. Keeping a large number of unique, hard-to-break passwords in a hard-to-access format is indeed a pain – but the alternative is even worse. Just imagine it was data from your visitors, clients or family that started to spread online – then consider options like password managers and two-factor authentication.
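The electronic equivalent of not writing the combination on the drawer is never storing the password itself. The following added example (not code from the original article) shows the two pieces the paragraph points at: a salted, slow password hash so that a stolen credential file does not hand over usable passwords, and an HOTP one-time code as a second factor so that a leaked password alone is not enough to log in. The user names, passwords and OTP seed are constructed sample values; the HOTP seed is the RFC 4226 test key.

```python
"""Salted password hashing plus an HOTP second factor.

Added example with constructed sample data. Uses only the standard library;
hashlib.scrypt requires a Python build linked against OpenSSL 1.1 or newer.
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

# scrypt work factors: about 16 MB of memory per hash, which is the point.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'scrypt$<salt>$<digest>' safe to keep on disk.

    A fresh random salt per user means two users with the same password
    get different records, so a stolen file cannot be attacked in bulk.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode("ascii"),
                             base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_b64, digest_b64 = record.split("$")
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(actual, expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def build_store(users: dict) -> dict:
    """users: {name: (password, otp_seed)} -> records holding only the hash and the seed.

    The OTP seed is a shared secret and must still be stored (ideally encrypted at
    rest); the password itself never is.
    """
    return {name: {"pw": hash_password(pw), "otp_seed": seed}
            for name, (pw, seed) in users.items()}


def login(store: dict, user: str, password: str, otp: str, counter: int) -> bool:
    """Two-factor check: the password hash must verify AND the one-time code must match."""
    record = store.get(user)
    if record is None:
        return False
    pw_ok = verify_password(password, record["pw"])
    otp_ok = hmac.compare_digest(otp, hotp(record["otp_seed"], counter))
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed users; the seed is the RFC 4226 test key, not a production secret.
    store = build_store({"alice": ("correct horse battery", b"12345678901234567890")})
    print(store["alice"]["pw"])                      # hash, never the password
    print(login(store, "alice", "correct horse battery", hotp(b"12345678901234567890", 0), 0))
```

In practice the counter (or, for TOTP, the current 30-second time step) comes from the user’s authenticator app, and the server tracks the last accepted counter so a captured code cannot be replayed.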
Learn From Your Mistakes (and Sony’s)
Sony has been a magnet for attacks of all sorts for quite some time (one source counts 22 separate security breaches between 2011 and 2013 – and this is not counting DDoS attempts). The reason security professionals are so agog about November’s attack isn’t that the latest compromise happened – it’s because similar serious compromises have happened multiple times before, but Sony apparently learned nothing about securing their data from their previous failures. Properly securing even a basic website takes quite a bit of work, but it’s something you need to stay on top of if you want to be safe and successful. Hopefully Sony’s hack can help you realize the importance of information security in the 21st century.