28 comments

[ 5.8 ms ] story [ 71.2 ms ] thread
I couldn't tell from the OP and the previous story it linked to: is the spreadsheet of salaries and personal data straight from Sony's servers? Or is it a cracked database file that the hackers took time to convert to XLS for easier dissemination? I'm guessing the former, since the screenshots show the kind of spreadsheets that are lovingly hand-formatted and curated by the people tasked to maintain them.

It's kind of a fascinating look at how data is clumsily handled within corporations. I mean, how do they keep everything synced between the sheets that contain salaries/benefits, severance actions, etc.? (shudder)

Bloomberg reports, "The incident began when a picture of a skull appeared on company computer screens, the entertainment website Deadline.com reported yesterday." [1].

Also, the Reddit thread which seems to have started the media firestorm was entitled, "I used to work for Sony Pictures. My friend still works there and sent me this. It's on every computer all over Sony Pictures nationwide." [2] (refers to this picture: https://imgur.com/qXNgFVz).

This leads me to believe that the attacker compromised most/all corporate desktops and exfiltrated data directly from those machines. No better place to get that spreadsheet than directly from the workstation of the employee who works on it daily!

[1]: http://www.bloomberg.com/news/2014-11-24/sony-corp-computers... [2]: https://www.reddit.com/r/hacking/comments/2n9zhv/i_used_to_w...

> It's kind of a fascinating look at how data is clumsily handled within corporations. I mean, how do they keep everything synced between the sheets that contain salaries/benefits, severance actions, etc.? (shudder)

Email, of course!

Companies love to use sharepoint for this. There's decent integration with MS Office, but it's still huge pain to use. Usually it involves multiple full time sharepoint "developers" to make it do what you want.
>>I mean, how do they keep everything synced between the sheets that contain salaries/benefits, severance actions, etc.? (shudder)

From my years working with at&t's payroll system, Export-to-csv out of SAP(www.sap.com) to be manually looked at and/or imported into some other program was very common. If at&t were the target of this whole mess, I'd assume the Windows 2000 machines running crystal reports(www.crystalreports.com/) got compromised; which would generate very sensitive payroll files.

China, Russia, Iran--now North Korea is the "cyber boogeyman"? Attribution is an incredibly difficult problem. Color me skeptical. Does anyone know where the rumors of North Korean direction started?

Any explanation below seems more likely to me than it really was a North Korean operation (yes, pure rank speculation):

1) it was made up by Sony to make them look somehow less incompetent†,

2) it was made up by some media organization to drive clicks, or

3) the initial investigation revealed suspicious activity from IPs in/linked to North Korea--which could, among other explanations, just mean the attacker owned their boxes and launched attacks from there

† ...And boy does their image need improvement! The attackers were supposedly able to exfiltrate a rumored 100TB of extremely-sensitive corporate data before anyone noticed?! After the rootkit fiasco, the epic SOE break-in, and now this--I can't imagine anyone wants their data anywhere near Sony's networks (nor, perhaps, Sony's software anywhere near their networks).

So, I'm totally with you on all these foreign-boogeyman stories but this one is a bit different:

http://www.bbc.com/news/world-asia-30283573

>>"When asked if it was involved in the attack a spokesman for the North Korean government replied: "Wait and see."

EDIT: To be clear, I am aware NK likes to look tough and can totally be taking credit for something they did not do. It's just that ominous replies like this spokesman gave makes it appear slightly less boogeyman'ish as compared to how the media loves implicating China & Russia in every cyber-attack story without bothering inform the general public about stuff like proxies.

Consider the amount of time, money, and effort North Korea has invested in presenting the image of a rabid dog to foreign policymakers, in hopes of improving that nation's ability to maintain its sovereignty against the threats it perceives from all sides, and particularly from the United States. Given that, what else would you expect? Honesty?
Yeah, think about it. Who benefits from the idea that North Korea is behind this? Literally everyone.

Hell, they could even have contributed by donating VPN capacity to leave the tell-tale footprint or whatever without providing any of the actual talent to pull off this operation.

I'm skeptical anytime someone tries to attribute an attack to someone else without detailed explanation of why they believe that.
People seem to have been talking about that Seth Rogen movie coming out (The Interview), produced by Sony, which is pretty mocking about North Korea, at least if you just watch the trailer.

This seems pretty flimsy, but it kind of fits with the cartoon dictator-esque image we have of North Korea's leadership.

I agree that it's in line with what we would expect from North Korea, but I don't think that having a motive is itself evidence of the crime.

They haven't even admitted to it, they've instead made a statement of "maybe" that I would expect from an elementary school child. To me, that smells like they want us to think it might have been them but don't want to look stupid (weak?) if someone else claims attribution for the hack after-the-fact.

I know what you mean, but that idea started because apparently Sony Pictures released a movie that was critical of their regime.

Pattern matching can go wrong in all sorts of interesting ways! :)

Well, North Korea is upset about the upcoming Sony Pictures comedy involving James Franco and Seth Rogen being sent to NK to assassinate Kim Jong Un. So that country's government certainly has a motive, even if it's a bad one.
So the average salary was $119K? I'd love to know what the median is, the average is probably highly skewed by a few big numbers at the top.
Yeah, and I'd like to see what the average salary for VFX artists are.
I'm surprised that Sony didn't increase their defenses when North Korea first warned them months ago as they were promoting the new movie "The Interview". Given that North Korea can be a credible threat, it would have made a lot of sense to beef up security or at minimum increase monitoring.
This article isn't great. The data is from Sony. I guess if fusion is a news site they need to 'confirm'. But it's impossible for the data to be anything else. I've never seen one faked spread sheet, let alone millions.

The leaked data so far is in a 35 gig multipart rar. The list of files only(No directories or metadata) is 400meg -> 1 gig uncompressed. Both are on PB.

The NK angle seems to be there was Korean comments in the malware. But there's also a theory it was insiders angry about the restructure.

The hackers were using the Sony PlayStation network to seed these latest torrents. IE they still had some control days later.

This sort of thing is pretty hard to stop. Security kills productivity, you won't be rewarded for lowing output with no proof you didn't anything useful, that's the nature of the issue.

Limits on stolen data in the old days was more about getting it out, not security. With the huge pipes in and out these days this will become more common. The only thing stopping people doing this everywhere currently is they can't be bothered.

[edit] This is also a good lesson on why you should never put anything in writing you don't want everyone to know.

> This article isn't great.

Could have stopped there. This is just a list of a couple of key points in the data with pretty banal reactions. And if it's the most interesting parts of the data then it's not all that exciting.

Just feels like someone wanted to strike while the iron was hot.

After what Sony did to Geohot, I must say that I have zero sympathy for them (as an organization) here. Obviously, the leak of personal data (SSNs, etc.) is a different story.
See also their rootkited CDs [0]. They lost my respect a long time ago.

[0] http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...

I'm right behind you in boycotting anything Sony.

It raises the question though, what would it take for a company with a reputation as tarnished as Sony's to earn back your respect and patronage?

For me, the answer to that is not only maintaining a history of not attacking your customers (rootkit in CDs), but would also require an established track record of going above and beyond what other companies do to respect customer privacy.

Purely as a thought experiment, what would it take for you to reevaluate your stance on Sony?

I kind of see two separate questions here, so I'll answer both.

> [The breach] raises the question though, what would it take for a company with a reputation as tarnished as Sony's to earn back your respect and patronage?

Certainly it's a hard problem for companies to assure users that their privacy is being respected, their data is safe, and their products are wholesome. The common response involving phrases like "we are working closely with law enforcement"[0] might assuage most laypeople, but this canned answer is not satisfying for the technical crowd who understand how challenging infosec is.

Unfortunately, operational security is a critical aspect of respecting customer privacy, and the bar is not very high at many companies where the standard response is anything less than rebuilding from the ground up. Obviously, most companies do not do that, even after a severe intrusion. That is not practical unless your infrastructure allows (cold backups, all workstations are thin clients or easily flashed, etc.), so there's really no way to go "above and beyond" other companies in that aspect.

So really, what we are left with is: since we can't trust any given company to have complete omnipotence and control over its network, especially where many networks may be covertly compromised[1], what is a company to do from a PR perspective in order to assure users that doing business with them is no more harmful than doing business with another company?

If I were faced with this question in a vacuum, I would have to concede that I couldn't fault Sony for having been hacked - it could happen to any company, respectable or not. But we're not in a vacuum.

> [Sony's past behavior] raises the question though, what would it take for a company with a reputation as tarnished as Sony's to earn back your respect and patronage?

Sony is actively hostile to the consumer[2][3] and operationally negligent[4]. Full stop. Quite frankly, these behaviors are inexcusable and it would take a massive organizational change for me to even consider patronizing Sony[5]. Their attitude towards their customers is completely orthogonal to how a company should behave - at this point, it's not constructive for me to rant, so I will spare the rest of my opinion. But when a company is inevitably compromised and realizes it needs to regain the trust of its customers and partners, its past will precede it, and in this case Sony's past precludes forgiveness.

[0] http://www.businessinsider.com/sony-execs-hack-response-empl...

[1] http://arstechnica.com/security/2014/12/critical-networks-in...

[2] http://en.wikipedia.org/wiki/OtherOS

[3] http://en.wikipedia.org/wiki/Sony_Computer_Entertainment_Ame...

[4] http://en.wikipedia.org/wiki/PlayStation_Network_outage#Unen...

[5] I feel that your question may be hitting on "what exactly would that organizational change have to be?" - if this is the case, I couldn't tell you. I have no idea who calls the shots at Sony, but a good first start would be to replace them. I'd also like to see more companies active in areas where they contribute to open-source ecosystems, have bug bounties, encourage tinkerers to hack on their hardware and developers to modulate their software, the list goes on. Really, the answer could be the same as the answer to "What makes Mozilla...

Weak article. I'd like to see a link to a thorough analysis of the leaked data.
According to the top comment on this post at the moment, a file that is nothing more than a list of all the files in this dump is about one gig, uncompressed.

I think a thorough analysis of this is going to take a while.

I wish the private keys used by the ps4 are part of the leak. Would seem only right after Sony's behavior when it came to Geohot.