Wednesday, December 3, 2014

Last Call For A Picture Perfect Heist

Doing some digging, I've found that it's looking more and more like that Sony Pictures hack I referenced in today's StupidiNews wasn't a North Korean attack after all and is actually far worse than anyone thought, to the point where this may be an inside job that could put Sony Pictures down for the count.

On November 24 the world found out that Sony Pictures Entertainment was hacked and had disabled its entire corporate network, including locations that spanned Culver City, New York, and overseas. 
This breach has very few analogues in history, outside of the Snowden documents, to any other type of breach on record. The combined corporate intellectual property, financial and legal information, contact databases and health records, passwords and encryption keys for Sony Pictures Entertainment can’t be compared to a breach of a retailer’s email or credit card database.
Home Depot said that 53 million email addresses were swiped in its recent data breach, where 56 million credit card accounts were also compromised. 
But in the case of Sony’s compromise, individual files can be spreadsheets with multiple records each. Some of the 38 million (known) files exfiltrated in this carefully planned attack are entire databases. 
This is comparative to source code being leaked. Unpublished scripts for movies, contract negotiations, NDA’s (thousands are listed), secret terms for payment schemes, the very information Sony uses to keep its entire company relevant, are in the stolen files.
The benefits to Sony Pictures Entertainment competitors — Universal, Warner, Disney — in terms of competitive intel, are priceless.

The group behind this is calling itself the "Guardians of Peace".  What they want is simple: Sony changes its corporate culture (it's not like Sony's super nice or anything) or they keep drip-drip-dripping out secrets.  And when your entire company is built on intellectual property, well...you can see where this is going.  They've already distributed a partial release to let everyone know just how serious this is:

Salted Hash reported, “GOP says they’ve accessed private key files; source code files (CPP), password files (including passwords for Oracle and SQL databases), inventory lists for hardware and other assets, production outlines and templates, as well as production schedules and notes.” 
The file hit Reddit, and commenters noted they’d found over 9,000 passport scans listed in the file (including Angelina Jolie, Daniel Craig and Cameron Diaz). There are over 3,800 files named ‘password.’ 
If you’ve ever worked with, or even tangentially for, Sony Pictures Entertainment, this crew and anyone who gets ahold of these files have all of your personal information, your private information, and anything else Sony touched.
There are filenames listing over 8,000 non-disclosure agreements (NDA’s), and over 6,000 files named MPAA. There are files with Pirate Bay in the title, as well as MEGA (Megaupload). Some file names are specific, like the ‘MPAA piracy project lunch receipt’ filename. Financials on pirated media losses dating back as far as 2006. One Redditor found the file for his Imageworks letter of resignation, dating back to 2005.
Basically, if you’ve ever had a tangle with Sony Pictures, or Sony Entertainment ever thought about putting you in its legal crosshairs you’re in there, too. 
GOP left an interesting clue in its communication with media outlets after this release; this hacking crew appears to welcome press inquiries, though we can only hope the journos emailing GOP have half a clue about operational security. 
The attackers said they had physical access. Communicating with Salted Hash Tuesday morning, GOP’s ‘Lena’ said, “I’ve already contacted the UK register with details.” 
“However I’ll tell you this. We don’t want money. We want equality. Sony left their doors unlocked, and it bit them. They don’t do physical security anymore.”

So yeah, these guys are quite serious about wrecking Sony Pictures and they don't give a damn about how many lives get destroyed in the process.  You can call them what you want to, but if you were a Sony employee and your personal info was just leaked to every hacker on the net, the next several years of having to fight identity theft would probably not make you want to consider these guys heroes or anything.
