
Sony ignored security evaluation before GOP hack, more data coming
NewsPoster
MacNN Staff
Join Date: Jul 2012
Dec 14, 2014, 04:11 PM
 
Months before the hacker intrusion on Sony Pictures' network, analyst firm PricewaterhouseCoopers (PWC) performed an analysis on the company's security, and found it lacking. More than 100 devices were found to be unmonitored by corporate security following an incomplete transition from a private security firm to an in-house team. As a result, any Sony response to network intrusion would be, in the words of the auditors, "slow, fragmented, and incomplete, if it would even happen at all." However, corrective actions proposed by PWC seemingly went undone, which left the doors to the company open, sometimes literally, facilitating the attack.

Hackers thought to be operating out of North Korea took over and raided large portions of Sony Pictures' internal computer systems, and have been slowly releasing films, internal memos and emails, focus group studies and other material ranging from banal to sensitive for the studio. The group even posted sensitive financial and personal details of 47,000 employees, vendors, and actors who do or have worked for the company as far back as 1955. Last week, things took a turn for the sinister, when many employees whose information was leaked received a threatening email (though the GOP later denied they were behind that).

Sony had moved from a third party to in-house security teams in September 2013. The transition was anything but smooth, with the 100 devices cited by PWC not properly turned over to the staff. Most of the unmonitored, and unpatched, devices were web servers and managed routers.

The analyst firm warned Sony Pictures of the problem, saying that "security incidents impacting these network or infrastructure devices may not be detected or resolved [in a] timely [fashion]" on September 25. Ironically, the security evaluation was released in the hack group's last data dump.

Ex-employees confirm the lackadaisical attitude toward Internet security. One employee reported to Fusion that "one of our Central European website managers hired a company to run a contest, put it up on the TV network's website and was collecting personally-identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network in a cafe."

Security firm Mandiant was hired to assess the damage and scope of the penetration by the GOP hacking group. Mandiant CEO Kevin Mandia told Sony Pictures that "the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well-planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared."

Corrective actions as a result of PWC's analysis were promised to be completed by October 31, 2014. There is no evidence that anything was actually completed by the in-house security team. Despite Mandiant's assurances to Sony that nobody could have been prepared for the attack, it is clear that Sony failed to perform even the most basic due diligence to prevent the breach.

Another former employee says that corporate culture is the root cause of the security lapses. He noted that the real problem with Sony Pictures' network security was "there was no real investment in, or real understanding of what information security is," pointing to the vast amount of sensitive data gleaned by the hackers that was stored unencrypted. Employees of Sony Pictures for the last 15 years were listed in the leaked documents. Sony's offer of credit monitoring and identity theft protection does not extend to former employees at this time.

The GOP is spreading word of a "Christmas gift" release of more data. A PasteBin post claims to contain "larger quantities of data" saying that "it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state." The GOP claims that employees can "opt out" of the upcoming data release that may involve them, but they have to email the group to make this happen.

Angelina Jolie with Sony Pictures' Anne Pascal last week, after unflattering emails were leaked by GOP.

     
chimaera
Dedicated MacNNer
Join Date: Apr 2007
Dec 14, 2014, 06:23 PM
 
I'm less sympathetic to Sony the longer this has gone on. Come on now - leave your car unlocked with key in the ignition - unattended in your driveway for a few months? Then complain if it's stolen?
     
Ham Sandwich
Guest
Dec 14, 2014, 07:19 PM
 
Hey you never know, could be a rigged key


*walks away...*
     
climacs
Senior User
Join Date: Sep 2001
Location: in front of my computer
Dec 15, 2014, 01:40 AM
 
but you can trust CurrentC with your SSN, birthdate and bank account #.
     
climacs
Senior User
Join Date: Sep 2001
Location: in front of my computer
Dec 15, 2014, 01:44 AM
 
"He noted that the real problem with Sony Pictures' network security was "there was no real investment in or real understanding of what information security is" pointing to the vast amount of sensitive data gleaned by the hackers that was stored unencrypted."

Just like the effing Sony Gaming Network or whatever, that was several years ago. Sony was storing customer data like credit card numbers in unencrypted plain text files. Not even a cursory effort at encrypting this data. Apparently either Sony learned nothing or just did not give a shit.
     
rtamesis
Dedicated MacNNer
Join Date: Jan 2000
Dec 15, 2014, 12:45 PM
 
Bet they run Windoze on their hacked computers.
     
coffeetime
Grizzled Veteran
Join Date: Nov 2006
Dec 15, 2014, 03:26 PM
 
Sony has always been a hardware company. Software is not their thing since day 1, and on top of that they accused everyone else of being lazy a-s-s. This is why XBOX took over and this is why Sony is going downhill ever since.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Dec 16, 2014, 12:25 PM
 
Sony isn't a hardware company, either. They're an insurance business.
     
Jawbone54
Posting Junkie
Join Date: Mar 2005
Location: Louisiana
Dec 16, 2014, 02:58 PM
 
Originally Posted by coffeetime
Sony has always been a hardware company. Software is not their thing since day 1, and on top of that they accused everyone else of being lazy a-s-s. This is why XBOX took over and this is why Sony is going downhill ever since.
Is Sony as a whole going downhill? Sure.

But you're referencing the gaming division, which is doing amazingly well right now.

Originally Posted by NewsPoster
Let's be honest...

The best part of that picture is the lady in the background looking ready to tap someone out.
     
ElectroTech
Dedicated MacNNer
Join Date: Nov 2008
Dec 21, 2014, 05:26 PM
 
@Chimaera: I agree that it would be nice if Sony had 'locked their doors' better but it is the hackers who are irresponsible and should be punished. Blaming the victim is an old and outdated practice. We should all have enough respect to leave other people's things alone.

In developing nations, they all live behind thick solid fences topped with broken glass or razor wire, have bars on all the doors and windows, and are afraid to leave their homes. Sounds like a prison, right? It is the criminals who roam free while the good people live behind bars. Justice must prevail and we must put more effort into stopping rogue states and actors from making victims of us all. Stop blaming women for being raped and stop blaming IT departments for being hacked.
     
All contents of these forums © 1995-2017 MacNN. All rights reserved.