Sony makes cybercrime even more dangerous


By now most people are pretty sick of hearing about how the internal networks at Sony’s movie studio were flayed, gutted and served up to strangers on the Internet. The coverage gets repetitive after a while, despite how riveting it can be to read the gossipy little tidbits: the ludicrously subjective “greenlight studies” explaining which films get made and why, scripts, financial projections, actual copies of unreleased films, outside-vendor contracts, personal contact information of stars along with some of their social security numbers and hotel check-in aliases, and pissy emails between angry studio execs. Hand it to Sony; it can lose more colorfully than most companies can win.

Still, Sony got hacked so thoroughly that the temptation is to think it just got unlucky. Maybe it pissed off a murderous dictator with a coterie of surprisingly skillful cyber-saboteurs. Maybe it was too pinchpenny and abusive toward employees who decided to strike back – but on far too grand a scale for just a bunch of disgruntled office workers to pull off.

Regardless of who was involved, or what actually happened, Sony has set another in a string of similar accomplishments, by being the victim of an attack no one thought could happen at a large, technologically sophisticated company – a data breach so thorough and which went so deep inside the organization that people glommed on to the idea that the government of a nuclear-armed state struggling with poverty, political isolation and the entrenched, systemic insanity of its leadership could get so mad about a Seth Rogen movie that it would unleash the hounds on Sony’s IT infrastructure before the movie was even released.

Granted, that’s the only time it’s possible to save yourself the pain of a Seth Rogen movie, but it still seems like an overreaction from a national government, even considering how often and by how much Iran and other national governments have been upping the ante on the game of international cyberwar ever since the revelation of Stuxnet showed it was possible to physically attack a country, militarily, without actually going there.

Regardless of whether any government was involved at all, we pay attention to Sony IT disasters (though there’s a lot more disaster to pay attention to than you’d think was possible). Sony’s disasters are the IT industry’s version of a major political sex scandal – lots of juicy, gossipy tidbits about the outré goings-on of the high and mighty, with just enough serious impact on the way the rest of the government or industry is run to justify slavering over the tawdry details.

But this data breach isn’t like all other data breaches.

In addition to the juicy stuff, attackers claim to have stolen terabytes of data and have proved that they got internal employment and medical data on employees, HR documents, criminal background checks and more than 11,000 documents with RSA SecurID tokens, Lotus Notes IDs and certificates, vendor passwords, FTP access info, login data for outside services, lists of networking hardware, servers, QA, staging and production database servers, and maps detailing much of Sony’s internal IT infrastructure.

“In short, the IT data leak is everything needed to manage the day-to-day operations at Sony,” according to a Dec. 4 story by Steve Ragan at CSOonline that thrummed with tension but still underplayed how bad the damage really is.

The breach “is no longer just an IT issue,” Ragan wrote in a story two days earlier in which he pointed out that having its IT blueprints floating around the Internet turned a single attack on Sony into a “binary bomb with a lit fuse.”

The bomb is likely to cost Sony six months and more than $100 million, Reuters suggested in a story Dec. 9.

That’s bad, but at what point do you have to decide Sony was asking for it?

Following the attack in November, former employees told Fusion that Sony Pictures’ tiny security crew (11 for a user base of 6,500) was heavy on managers and light on people doing the work; they did lots of security assessments but never followed up on recommendations and never got around to doing anything about subtle weaknesses in security like storing thousands of logins and passwords in clear-text files in a folder named Password, with no password protection.
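A folder of clear-text logins is the kind of weakness a defender can find before an attacker does. The following is an added example, not code from the article or from Sony: a small Python scanner that walks a directory tree and flags text files whose name or contents look like stored credentials. The sample files it writes into a temporary directory are constructed for the demo, and the name hints, patterns and thresholds are assumptions to be tuned for a real environment.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed name hints: words that often label credential dumps (file or parent folder).
NAME_HINTS = re.compile(r"(password|passwd|credential|secret|login)", re.I)
# A line that carries a password-style assignment, e.g. "password=..." or "pwd: ...".
CRED_LINE = re.compile(r"\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*\S+", re.I)
# A generic key=value / key: value line with a non-trivial value.
KV_LINE = re.compile(r"^[\w.@-]+\s*[:=]\s*\S{4,}$")
MAX_BYTES = 1_000_000  # only inspect the first 1 MB of any file


def scan_file(path: Path) -> Optional[dict]:
    """Return a finding dict if the file looks like a clear-text credential store."""
    try:
        data = path.read_bytes()[:MAX_BYTES]
    except OSError:
        return None
    if b"\x00" in data[:4096]:
        return None  # skip binaries; this scanner is for text files only
    text = data.decode("utf-8", errors="replace")
    lines = text.splitlines()
    cred_lines = sum(1 for line in lines if CRED_LINE.search(line))
    kv_lines = sum(1 for line in lines if KV_LINE.match(line.strip()))
    name_hit = bool(NAME_HINTS.search(path.name) or NAME_HINTS.search(path.parent.name))

    # Assumed thresholds: several password lines anywhere, or a suggestive
    # name combined with at least one password line or a couple of key=value lines.
    if cred_lines >= 3:
        reason = f"{cred_lines} password-style lines"
    elif name_hit and (cred_lines >= 1 or kv_lines >= 2):
        reason = f"name hint plus {cred_lines} password-style / {kv_lines} key=value lines"
    else:
        return None
    return {"path": str(path), "name": path.name, "cred_lines": cred_lines,
            "kv_lines": kv_lines, "reason": reason}


def scan_tree(root: Path) -> list:
    """Walk a tree and collect findings in sorted path order."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            f = scan_file(p)
            if f:
                findings.append(f)
    return findings


def demo() -> list:
    """Build a constructed sample tree (not real data) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="credscan_"))
    (root / "Password").mkdir()
    (root / "Password" / "vendor_logins.txt").write_text(
        "ftp.example-vendor.invalid user=vendor01 password=Hunter2!\n"
        "db-stage.example.invalid user=qa_admin password=Summer2014\n"
        "wiki  user=jdoe pass=changeme\n")
    (root / "notes").mkdir()
    (root / "notes" / "todo.txt").write_text(
        "follow up on pen-test recommendations\nrotate token seeds\n")
    (root / "notes" / "secrets.env").write_text(
        "API_KEY=abcd1234\nDB_USER=app\nDB_HOST=db.internal.invalid\n")
    (root / "bin").mkdir()
    (root / "bin" / "tool.exe").write_bytes(b"MZ\x00\x00password=notreal")
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: {finding['reason']}")
```

The scanner is deliberately conservative about binaries and short values so that it surfaces the obvious cases (a file full of `password=` lines, or a `secrets.env` with key=value pairs) without drowning a reviewer in false positives; the right next step for any hit is rotation of the exposed credentials and a move to a managed secrets store, not just deleting the file.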

That’s worse than most other bad-security situations you’ll hear about, and a LOT worse than you’d expect from a company that had suffered a high-profile series of attacks just three years before, during which information on more than 10 million customer accounts was stolen and cleanup cost an estimated $171 million.

During more than three months of attacks on Sony sites all over the globe – attacks impressively detailed and documented in a rundown by Security Curmudgeon at a hackerish, open-Internet, anarcho-technologian community site – Sony lost information from 77 million accounts, 12 million of them with unencrypted credit card numbers, and still doesn’t know who attacked it. Despite that, Sony only made it to No. 7 on CSO’s list of the 15 worst data breaches of the 21st century.

That series of attacks is a milestone in the history of corporate IT security, because it was such a good example of how badly a company could be hurt that was technologically savvy enough to build a big business online, but sloppy and careless enough not to secure it.

Now Sony’s set another precedent – how badly it’s possible to get hurt with help from your own employees, or security so lax your attackers could wander in at will.

Sony isn’t the only example of ante-upping in the civilian digital-attack league. The FIN4 group that used spearphishing and mimicry of Wall Street dialects to get unprecedented access to insider information proved industrial espionage was becoming more competitive.

The Target and Home Depot attacks proved how good central-European organized criminals could be with malware.

If North Korea does turn out to be the force behind the latest Sony attack, that will also mark a new era in cybersecurity – one in which nation-states are able and willing to directly attack multinational corporations to punish or intimidate them into falling into line.

And, since the Internet isn’t limited by national boundaries, even companies doing their best to avoid confrontation couldn’t get out of a pinch by leaving a bully’s country.

It seems unlikely, now, that North Korea is to blame, which dials down the cybercrime intensity a bit, but still leaves the question unanswered of who actually did it. Could Sony piss off enough of its own employees enough to destroy their employer?

Or is there an organization skilled and ruthless enough to subvert or cooperate with insiders to do such unbelievable damage, stealing data less valuable than a few million credit card and bank numbers while putting on a huge show to make sure everyone knows just how badly its victim is being hurt? Whoever it is, and however much worse Sony’s security may be than that of every company that hasn’t been similarly humiliated so often in so short a time, the risks involved in a simple data breach are a lot more serious than they were a month or so ago.

Back then you could only lose information that could ruin your customers’ lives. Now you can lose your company.