
Posted

 

Recently a group of hackers breached the Sony network and started leaking sensitive information about the company. According to the FBI and the media, the state of North Korea carried out the attack in an attempt to suppress the release of an upcoming film called The Interview. The film stars Seth Rogen and James Franco and features a controversial scene in which the North Korean dictator Kim Jong-un gets assassinated. Sony ultimately decided to pull the release of the film, a move which President Obama condemned. What is the truth about the Sony hack?

 

North Korea

http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501

https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack

http://recode.net/2014/11/28/sony-pictures-investigates-north-korea-link-in-hack-attack

http://www.csoonline.com/article/2853893/disaster-recovery/fbi-memo-warns-of-malware-possibly-linked-to-hack-at-sony-pictures.html

http://blogs.wsj.com/digits/2014/12/18/kim-jong-un-death-scene-from-the-interview-leaked

http://www.businessweek.com/news/2014-12-15/sony-said-to-learn-last-year-about-large-network-security-breach

http://www.nytimes.com/2014/06/26/world/asia/north-korea-warns-us-over-film-parody.html


Flimsy Evidence

http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation

http://arstechnica.com/security/2014/12/fbi-claims-north-korean-involvement-in-sony-pictures-attack

http://arstechnica.com/security/2014/12/sony-pictures-malware-tied-to-seoul-shamoon-cyber-attacks

http://www.wired.com/2014/12/evidence-of-north-korea-hack-is-thin

http://krypt3ia.wordpress.com/2014/12/20/fauxtribution

http://blog.erratasec.com/2014/12/the-fbis-north-korea-evidence-is.html

http://www.csoonline.com/article/2861383/business-continuity/questions-remain-after-fbi-charges-north-korea-with-attack-on-sony-pictures.html?page=2

http://youtu.be/hiRacdl02w4?t=1m7s

http://www.thedailybeast.com/articles/2014/12/20/sony-hackers-guardians-of-peace-troll-fbi-fbi-is-the-best-in-the-world.html


Possible Motive

http://krypt3ia.wordpress.com/2014/12/04/sony-hack-the-revenge-of-the-un-no-not-really

http://www.cio.com/article/2861493/think-north-korea-hacked-sony-think-about-this.html

http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in

http://www.businessinsider.com/sony-to-fire-10000-people-by-march-2012-10?IR=T

http://www.ibtimes.co.uk/sony-cuts-5000-jobs-it-exits-computer-business-1435312


Sony's Incompetence

http://www.bbc.co.uk/news/technology-30554444

http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html

https://www.emptywheel.net/2014/12/13/sony-hacked-its-not-one-massive-breach-its-more-than-50-breaches-in-15-years

http://www.cbc.ca/news/technology/hacked-sony-accounts-top-100-million-1.991417

http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services

http://www.thestreet.com/story/12976491/1/sony-breach-has-cybersecurity-industry-scrambling-for-answers.html

http://www.sony.net/SonyInfo/IR/financial/fr/13q4_sony.pdf

http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees

Posted

Near the end, Stef mentions declining Japanese work ethics and the role of the Japanese government as one of the reasons behind the ease of the attack. However, Sony Pictures is an American subsidiary and the senior management team is also non-Japanese. http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment

Another reason behind the lack of security may be security reasons. Protecting your company's network may be too expensive compared to other methods of dealing with the problems.

 

the auditor told Spaltro, the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols.

Summing up, the auditor told Spaltro, “If you were a bank, you’d be out of business.”

 

Source: http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html

 

Although Spaltro declines to talk about Sony’s security practices, he says that while Sony Online Entertainment is fully compliant, every company weighs the cost of protecting personal data with the cost of what it would take to notify customers if a breach occurred. Spaltro offers a hypothetical example of a company that relies on legacy systems to store and manage credit card transactions for its customers. The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he suggests.

 

Source: http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/
 

Sony is preparing to ban gamers from the PlayStation Network (PSN) unless they waive the right to collectively sue it over future security breaches.

 


Source: http://www.bbc.co.uk/news/technology-14948701

Security is also based on monetary decisions. If a workaround is cheaper, chances are high it will be chosen instead of doing the right thing.

Posted

I worked briefly for AT&T; they had clearly taken great precautions to secure their network, and of course as a big target they need to.

 

I now work for a small company with very little public profile, and their precautions are almost nonexistent. If someone wanted to steal everything it would not be hard... But it also wouldn't be worth the effort.

 

Anyhow, computer security is going to be something people learn about the hard way. Basic things like encrypted emails and files would have saved Sony a lot of pain.

Posted

Why do many hackers hate Sony? Ever since Sony tried to sue people who managed to jailbreak the PlayStation, instead of rewarding them for figuring out the vulnerabilities, they really got on the bad side of the hacker community.

The IPs attacks come from are usually decoys, because they usually come from botnets (infected computers) and not from the attacker's personal computer.

Posted

About the shift in power mentioned in the video, here is the interesting thing:

 

Attacking is always easier than defending and all it takes is intelligence. People who are smart enough can hack into anything they want regardless of the amount of money they can invest in the attack. You will find that most hackers are really nice people who just want to help, but the scary thing of course is that some of those really smart hackers might actually be downright evil.

Another very important thing to mention: Many people in the hacker community are completely against these types of attacks, because even though the intentions behind many attacks are for the common good, physics says that every action has a reaction of equal strength in the opposite direction, and I am afraid that while our community pushes the limits of freedom of speech and freedom of information, it has created a monster with equal power within the NSA and has given them the reason they were looking for to completely remove freedom from the Internet.

Posted

I have to explain the jailbreak thing I mentioned, because it is probably a technical term most people do not understand:

 

Imagine that you buy a house, the house is yours so you can do anything you want with it as long as it's not harming anyone else, but Sony sold you a house you can't actually get in because you don't have the keys to the front door. So some people figured out how to get full control of their own property and the response they got from Sony is that they should be in prison for it, and this is why hackers are not happy with Sony.

 

Hacking is fundamentally about harmless reverse engineering, figuring out how things work so you can get them to work better, or in a way that it was not built for but is what you actually need it to do. What I just mentioned above resulted in many of the technologies we use on a daily basis. Hacking is not some kind of criminal activity; it is about tinkering and figuring things out, and in the same way that a knife can be used to save lives in the hands of a surgeon, it can also be used to harm people. Would surgeons be happy if people thought that anyone carrying a knife is a criminal?
