December 5th 2014
A number of details have emerged about the methodology behind, and outcomes of, last month's serious hack on Sony Pictures Entertainment.
The attackers have released various highly confidential employee data gained from the hack on the internet, including records of salaries and bonuses, dates of birth, social security numbers, performance reviews, criminal background checks, termination records and details of medical conditions. Also released so far have been film actors' and crews' passport and visa information, internal emails and unreleased motion pictures.
The ongoing FBI investigation reveals that the malware overwrites all data on the hard drives of infected computers – including the master boot record – preventing the machines from booting up. In a report, the bureau said: "The overwriting of the data files will make it extremely difficult and costly – if not impossible – to recover the data using standard forensic methods". It added that the malware uses Microsoft Windows components to propagate, shut down network services and receive instructions from its controllers.
Implications
A key implication of the FBI's findings is that businesses using Windows and Microsoft server software are vulnerable to similar hacks, especially if they are not using the latest versions of the software.
The bureau does suggest a way to detect the message used by the malware to communicate with its controllers, but detection occurs only after the malware has been launched on the target network and begun overwriting data. It is hoped that further analysis of the malware will reveal a way to detect it before it receives the instruction to wipe data.
Windows vulnerability
The FBI reports that the malware, wrapped in an executable 'dropper', installs itself as a Windows service before wreaking havoc on infected PCs: it creates a network file share pointing to Windows system files and gains unrestricted access, spreads to other machines on the network, monitors web traffic, replicates itself to trigger different parts of its code, makes email inaccessible and finally wipes the hard drive.
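The behaviour described above (a dropper registering itself as a service, then exposing Windows system files through a new network share) leaves a trail in standard Windows event logs. The script below is an added illustration of how a defender might hunt for that pattern; it is not from the FBI report or from any Sony system. It runs over constructed sample records shaped like two real Windows events: System log event 7045 (a service was installed) and Security log event 5142 (a network share object was added). Host names, service names, paths and timestamps are all invented for the example.

```python
"""Sample detection logic for a service install followed by a network share that
exposes a Windows system directory. The events below are constructed sample
records modelled on Windows event IDs 7045 and 5142; nothing here is real data."""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, services, paths and shares).
SAMPLE_EVENTS = [
    {"time": "2014-11-24T02:10:05", "host": "WS-101", "id": 7045,
     "service": "Windows Update Helper", "image": "C:\\Users\\Public\\svchost.exe"},
    {"time": "2014-11-24T02:10:41", "host": "WS-101", "id": 5142,
     "share": "\\\\*\\sysfiles", "path": "C:\\Windows\\System32"},
    {"time": "2014-11-24T08:30:00", "host": "WS-205", "id": 7045,
     "service": "Print Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"time": "2014-11-24T09:15:22", "host": "WS-205", "id": 5142,
     "share": "\\\\*\\Finance", "path": "D:\\Shares\\Finance"},
]

# Directories from which legitimately installed service binaries normally run.
TRUSTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Directories that a file share should never expose.
SYSTEM_DIRS = ("c:\\windows",)


def image_is_untrusted(image):
    """True when a service binary lives outside the trusted directories."""
    path = image.strip('"').lower()
    return not path.startswith(TRUSTED_SERVICE_DIRS)


def share_exposes_system_dir(path):
    """True when a share's local path is a system directory or inside one."""
    p = path.lower().rstrip("\\")
    return any(p == d or p.startswith(d + "\\") for d in SYSTEM_DIRS)


def find_alerts(events, window=timedelta(minutes=10)):
    """Return alerts for untrusted service installs, system-directory shares,
    and the two occurring on the same host within `window` of each other."""
    alerts = []
    recent_installs = {}  # host -> (time, service) of last suspicious install
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 7045 and image_is_untrusted(ev["image"]):
            alerts.append({"host": ev["host"], "rule": "service_from_untrusted_path",
                           "detail": ev["image"]})
            recent_installs[ev["host"]] = (t, ev["service"])
        elif ev["id"] == 5142 and share_exposes_system_dir(ev["path"]):
            alerts.append({"host": ev["host"], "rule": "share_exposes_system_dir",
                           "detail": ev["share"]})
            prior = recent_installs.get(ev["host"])
            if prior and t - prior[0] <= window:
                alerts.append({"host": ev["host"],
                               "rule": "service_install_then_system_share",
                               "detail": f"{prior[1]} -> {ev['share']}"})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"{a['host']:8} {a['rule']:36} {a['detail']}")
```

The correlation rule is the useful one: a single odd service install or a single share creation is common enough to be noise, but the two together on one host inside a few minutes matches the sequence the FBI describes and is worth an analyst's attention. Event 5142 only appears if file-share auditing is enabled in the audit policy, so check that before relying on it.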
Poor security practice
The hack highlights a number of poor information security practices apparently in place at Sony Pictures Entertainment, including storage of highly confidential data in unencrypted Excel and Word files which are labelled plainly so that anyone scanning them can guess the contents. Some files were password-protected, but it is believed that in most cases, these were accompanied by a folder containing the passwords.
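The two practices described above, plainly labelled sensitive files and password lists kept beside the documents they unlock, are easy to audit for before an attacker does it for you. The script below is an added example of such an audit and is not from the original article; it builds a small constructed directory tree in a temporary location, walks it, and flags filenames that advertise sensitive content as well as password-list files sitting in the same folder as Office documents. The folder names, file names and name patterns are illustrative assumptions.

```python
"""Audit a directory tree for plainly labelled sensitive documents and for
password lists stored alongside the documents they protect. Sample tree is
constructed in a temp directory; nothing here is real Sony data."""
import os
import re
import tempfile
from pathlib import Path

OFFICE_EXT = {".xls", ".xlsx", ".doc", ".docx"}
# Filenames suggesting a stored password list (assumed patterns).
PASSWORD_NAME = re.compile(r"passw(or)?ds?\b|\bpwd\b|credentials", re.I)
# Filenames advertising confidential content (assumed patterns).
SENSITIVE_NAME = re.compile(
    r"salar|bonus|\bssn\b|social.?security|passport|medical|background.?check", re.I)


def audit_tree(root):
    """Return (rule, path) findings for every folder under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = sorted(files)
        office_docs = [f for f in names if Path(f).suffix.lower() in OFFICE_EXT]
        password_files = [f for f in names if PASSWORD_NAME.search(Path(f).stem)]
        for f in names:
            if SENSITIVE_NAME.search(Path(f).stem):
                findings.append(("sensitive_filename", os.path.join(dirpath, f)))
        # A password list only counts as a finding when it sits beside documents.
        if office_docs:
            for pw in password_files:
                findings.append(("password_file_beside_documents",
                                 os.path.join(dirpath, pw)))
    return findings


def build_sample_tree():
    """Create a constructed sample tree and return its root path."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    hr = Path(root, "HR")
    hr.mkdir()
    (hr / "Salaries_2014.xlsx").write_bytes(b"")          # plainly labelled
    (hr / "Passwords.txt").write_text("Salaries_2014.xlsx: example\n")  # beside it
    projects = Path(root, "Projects")
    projects.mkdir()
    (projects / "Budget.docx").write_bytes(b"")            # nothing suspicious
    (projects / "notes.txt").write_text("meeting notes\n")
    archive = Path(root, "Archive")
    archive.mkdir()
    (archive / "old_pwd.txt").write_text("\n")             # no documents beside it
    return root


if __name__ == "__main__":
    for rule, path in audit_tree(build_sample_tree()):
        print(f"{rule:32} {path}")
```

Run it against a real file server root and the output is a starting list for the encryption and separation work in the best-practice list that follows; the name patterns are deliberately simple and will need tuning for an organisation's own naming conventions.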
Origins and rationale
Earlier reports that the attack was launched by North Korea in reprisal for a new film it regards as inflammatory are being cast into doubt by industry commentators, who say that it does not exhibit the characteristics of a typical attack backed by a nation state. It is more likely to be the work of hacktivists or disgruntled employees. A group going under the name of Guardians of Peace has claimed responsibility, and someone claiming to be a member has hinted to the media that they had the assistance of insiders seeking equality (some of the leaked details revealed senior executives' pay and also, allegedly, discrepancies in what men and women are paid).
Best practice
– Ensure all sensitive data is encrypted.
– Do not store passwords in the same place as password-protected documents.
– Use two-factor authentication.
– Keep sensitive personal data separate from other data.
– Carry out regular external security checks.