No Respite for Sony

Since the hacker group calling itself “Guardians of Peace” announced its attack on Sony Pictures Entertainment late last month, things have gone downhill for the company.

After confidential documents were leaked to the Internet over several days, a denouement of sorts was reached last week, when a security company examining the stolen data discovered nearly 50,000 Social Security numbers of current and former employees.

The Social Security information was not encrypted, and it appears Sony exercised very little control over the sensitive information.

“The number of copies of Social Security numbers is truly astounding,” said Todd Feinman, founder, president and CEO of Identity Finder, which examined the Sony documents.

“We saw multiple spreadsheets that had lists of 10,000 or more Social Security numbers copied over and over and over again,” he told TechNewsWorld.

Identity Finder found 1.1 million copies of employee Social Security numbers in the Sony documents it analyzed.

“Some of these celebrities and former employees are going to be very frustrated to know that there are multiple copies of spreadsheets that say why they were terminated, what their salary was, their home address, their Social Security number and their full name,” Feinman noted.

“Those people are going to be at risk for identity theft for the rest of their lives, and there’s nothing they can do about it,” he added. “This data will never be deleted from the Internet. It’s always going to be publicly accessible until the end of the Internet.”

Humorless North Koreans

This data breach isn’t the first incident of Sony being targeted by hackers in a spectacular fashion. Its gaming operations were nailed in 2011 — and again this week.

There are notable similarities between the Sony Pictures attack and the earlier PSN hack, said Kevin Bocek, vice president, security strategy and threat intelligence, at Venafi.

In the 2011 assault on Sony’s PlayStation Network, which compromised 77 million user accounts, the theft of asymmetric encryption keys allowed the attackers to enter Sony’s gaming kingdom, he explained.

In the Sony Pictures breach, “cybercriminals successfully gained access to dozens of SSH private keys,” he told TechNewsWorld. “Once these keys are stolen, the attackers can get access to other systems — and then it just goes from bad to worse.”

Although the hacker group Guardians of Peace is claiming credit for the Sony attack, classified sources reportedly have said North Korea may be behind the foray. North Korea has protested Sony’s release of a comedy — The Interview, starring Seth Rogen and James Franco — about a plot to assassinate the country’s leader.

One of the documents stolen from Sony and posted to the Internet by the Guardians is the 210-page production budget for The Interview.

The North Korean connection is questionable, though, according to Identity Finder’s Feinman.

“All indications are this was done by cybercriminals as opposed to a nation-state,” he said.

Murky Alert

Meanwhile, the FBI, which, along with the U.S. Department of Homeland Security, is investigating the Sony Pictures breach, released a confidential flash warning about a destructive form of malware aimed at U.S. businesses.

Although the FBI asked recipients of the alert not to share it with anyone, it was leaked to the press. The warning reportedly described a form of malware that rendered computer systems inoperable, as well as destroying data by overwriting it.

The malware had been used in an attack on a U.S. company, the FBI noted, but it did not identify the company.

It’s widely suspected that Sony was the company targeted by the malware.

“The main news story in the FBI advisory is the abrupt shift from theft to destructive vandalism,” said Mike Lloyd, CTO of RedSeal Networks.

In most recently publicized breaches, the main objective has been the theft of valuable data.

“However, the attack on Sony appears to be quite distinct. While some theft of movie content did occur, the main attack was destructive,” Lloyd told TechNewsWorld.

“The main reason most cyberthieves do not destroy assets is because they cannot make money by doing so,” he explained. “There are evidently other adversaries who do see benefit in that kind of vandalism.”

Breach Diary

  • Dec. 1. FBI issues confidential flash warning to U.S. businesses alerting them of malware that destroys data on systems it infects.
  • Dec. 1. The New York Times reports a group of cybercriminals has been stealing email correspondence from publicly traded healthcare and pharmaceutical companies in order to get a market edge in those industries.
  • Dec. 2. Federal judge rejects Target’s motion to dismiss lawsuit brought against retailer by banks seeking damages from data breach last year in which some 40 million credit cards were compromised.
  • Dec. 2. Trend Micro reports United States accounted for 30 percent of the point-of-sale malware infections in the world, followed by Taiwan, the Philippines and Italy, each with 6 percent.
  • Dec. 3. American Residuals & Talent, which processes residual payments for actors, discloses data breach that could affect sensitive information of “thousands” of actors. It said breach occurred on Oct. 18 when an intruder accessed its systems for less than two hours.
  • Dec. 3. Google announces new No Captcha reCaptcha scheme that substitutes simple questions for distressed text as a means of screening out robot logins at websites.
  • Dec. 5. Identity Finder discovers 47,000 Social Security numbers of current and former employees of Sony Pictures Entertainment were compromised in Nov. 24 data breach.
  • Dec. 5. Women’s retailer Bebe confirms data breach affecting payment card information for an undisclosed number of customers. Breach occurred during two-and-a-half period in November.

Upcoming Security Events

  • Dec. 16. Dyre Malware Successfully Attacking Banks: Is Your Institution at Risk? 11 a.m. ET. Webinar sponsored by IBM Security Systems. Free with registration.
  • Jan. 19, 2015. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Fee: US$20.
  • March 24-27, 2015. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
