The Sony Hack: Thoughts & Observations from a Real Hacker
By now, nearly everyone with any type of media access is aware that Sony Pictures Entertainment was hacked on November 24th. Although there can be many interpretations and lessons drawn from this audacious act, there is one indisputable conclusion: it and its ripples across the globe underlines how important hacking has become in our all-digital 21st century.
As I have emphasized so many times in this column, hacking is the discipline of the future. From cybercrime to cyber intelligence to cyber warfare, hacking will shape the future of the world we live in.
Sony Pictures Entertainment, the U.S. arm of the Japanese media conglomerate, was hacked by an organization calling themselves the Guardians of Peace (GOP). The hackers went into the servers and extracted films that haven't been released yet, emails, personal information, and more. All told, they exfiltrated over 100 TB (100,000 GB) of data.
Initially, the unreleased movies were posted to torrenting sites, but most were withdrawn quickly after legal threats. Probably more damaging was the release of the internal emails between Sony executives and some of their producers and stars. The exfiltrated data also included personal information of employees, including medical records, personal communications, and salary records. Now, these employees are suing Sony for not adequately protecting their information.
The amount of data exfiltrated from Sony raises interesting questions. To remove that much data in a very short amount of time would have required a very fast internet connection. Or, it could mean that the hack took place over a relatively long time, maybe days or even weeks. If the hackers had used the data infrastructure of North Korea, they might still be exfiltrating the data. Instead, it appears the hackers used a broadband connection from China.
Seth Rogen and James Franco had developed a film about a small-time TV talk show host (played by Franco) who is approached by the leader of North Korea about interviewing him. When the CIA finds out that they will be traveling to North Korea to interview Kim Jong-un, they employ the talk show host and his producer (played by Rogen) to assassinate the "fearless" leader. It's not an implausible plot by any stretch of the imagination.
As you might imagine, the humorless leaders of North Korea did not get the joke. They apparently set out to intimidate Sony from releasing the picture; when Sony refused, they hacked into Sony's servers and were leaking out the data through various peer-to-peer file sharing sites.
The costs to Sony will likely be staggering. Remediation costs alone will be in the hundreds of millions, but more important is the loss of trust and good will. In the few days since the hack was revealed, the value of the Sony conglomerate has fallen by 287B JPY (that's about 2.42B USD). This is not a trivial amount of money, even for a corporation the size of Sony.
The movie was scheduled to be released on Christmas Day, but when the hackers threatened to create a 9/11-type attack on the theaters showing the movie, the major theater chains backed down and refused to show the movie, presumably to spare their patrons a terrorist attack. Then Sony pulled back the release of the movie.
Many political and social pundits criticized Sony for acceding to the terrorists' demands, and even President Obama chimed in that he thought Sony had made a mistake in not releasing the movie. Many in the artistic and political arena are fearful that Sony's backing down to these hackers will have negative implications for freedom of speech and expression in the United States.
Maybe even more important will be the impact of this hack on foreign relations between the U.S. and North Korea and North Korea and its neighbors. It's kind of staggering to think that a hack can change world events and dynamics, emphasizing once again the importance of our profession.
Many people are pointing a finger of culpability at Sony for allowing this hack to take place. They probably deserve some blame (this isn't the first time around this block with Sony; remember the Sony online gaming hack of 2010?), but every corporation and institution with computers online is vulnerable to such an attack. There is no computer that is safe from being hacked, except one that is unplugged.
Given adequate skill, time, and motivation, any computer can be hacked. Most hackers have limited skills and are only capable of hacking low-hanging fruit, i.e., the relatively unprotected, unpatched computer systems. On the other hand, there are a number of hackers around the world with extraordinary technical skills, and when backed by a well-heeled client with deep pockets and enough time, they can violate any computer.
Attribution for any hack is problematic, at best. In some cases, it's impossible. In most cases, any visitor to a web server, or any server, will leave a trail. That trail includes their IP address. Knowing this, good hackers "bounce" their attacks off intermediary proxy servers and their trail will then only lead back to the last machine they were borrowing.
In cases where the evidence is a dead end (which is most cases), forensic investigators at the FBI, or at any of the private firms such as Mandiant, will search the victim system for the malware that made the hack possible. The malware itself can yield many clues as to the identity of the hackers. Once they have the malware, they will begin a forensic analysis of it using tools such as IDA Pro or OllyDbg. These tools, originally designed as software debuggers, can disassemble the code and show each of its components/modules and the data flow, as well as how it uses memory, registers, etc.
The screenshot below shows IDA Pro disassembling a virus. Notice that it is capable of disassembling each module and tracing the data flow, giving us a clearer image of how the software actually functions (I'll be doing an article on IDA Pro in 2015, so stay tuned).
By using this type of analysis, the FBI and other forensic investigators can look for the fingerprint of the hackers.
Like any software development, hackers don't reinvent the wheel for each hack. They reuse existing code and repurpose it for a new hack. A skilled forensic analyst will disassemble the malware and then examine each module and compare it to known existing malware.
The screenshot below shows OllyDbg disassembling the same virus. Notice the list of executable modules in the upper right-hand window? These modules can provide the fingerprint of the hacker.
This is the process that led the FBI to conclude that the hack had come from North Korea. When they disassembled the malware, they found components that had been used by North Korean hackers in some of their recent cyber attacks on South Korea. Keep in mind, though, that although this type of analysis might be the best investigative tool in cases like this, it is circumstantial evidence. It does not provide a smoking gun, but says that the bullets found at the crime scene are the same type that the perpetrator had used in the past. This is far from conclusive, but it is strong circumstantial evidence.
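To make the module-comparison step concrete, here is an added example (my own illustration, not the FBI's or any vendor's tooling) that scores how much code a new sample's modules share with a corpus of known-family modules. The byte blobs, the family name FAMILY_A and the module names are all constructed; in practice they would be function bodies carved out with a disassembler.

```python
"""Module-level code-reuse comparison, the idea behind the attribution
step described above. Constructed byte blobs stand in for disassembled
modules (they are not real malware bytes)."""
import hashlib
from typing import Dict, Set, Tuple

def shingles(code: bytes, n: int = 4) -> Set[str]:
    """Hash every n-byte window so two modules can be compared as sets."""
    return {hashlib.sha1(code[i:i + n]).hexdigest()[:16]
            for i in range(len(code) - n + 1)}

def jaccard(a: Set[str], b: Set[str]) -> float:
    """Similarity of two shingle sets: 1.0 identical, 0.0 nothing shared."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def best_matches(sample: Dict[str, bytes],
                 known: Dict[str, Dict[str, bytes]],
                 threshold: float = 0.5) -> Dict[str, Tuple[str, str, float]]:
    """For each module of the new sample return (family, module, score) of the
    closest known module, or ('unknown', '', score) if nothing passes threshold."""
    out = {}
    for name, code in sample.items():
        s = shingles(code)
        best = ("unknown", "", 0.0)
        for family, modules in known.items():
            for kname, kcode in modules.items():
                score = jaccard(s, shingles(kcode))
                if score > best[2]:
                    best = (family, kname, score)
        out[name] = best if best[2] >= threshold else ("unknown", "", best[2])
    return out

# Constructed corpus: one hypothetical known family with two modules.
KNOWN = {
    "FAMILY_A": {
        "wiper": bytes(range(0x10, 0x50)),
        "dropper": bytes(range(0xC0, 0x100)),
    },
}
# Constructed new sample: mod_1 is FAMILY_A's wiper with its last 8 bytes
# patched (the kind of reuse the text describes); mod_2 is unrelated code.
NEW_SAMPLE = {
    "mod_1": KNOWN["FAMILY_A"]["wiper"][:56] + bytes(range(0xA0, 0xA8)),
    "mod_2": bytes(range(0x80, 0xC0)),
}

if __name__ == "__main__":
    for mod, (fam, kmod, score) in best_matches(NEW_SAMPLE, KNOWN).items():
        # A match is circumstantial: shared code can also come from public libraries.
        print(f"{mod}: {fam}/{kmod or '-'} similarity={score:.2f}")
```

Read the scores the way the text reads the FBI's finding: a high similarity says the same code was used before, not who used it.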
Cyber attacks take place every day. There is nothing new about this attack other than the way Sony reacted and the worldwide reverberations. The ramifications are likely to be far-reaching into the world of international geopolitics, cyber warfare, first amendment rights, cyber intelligence, etc., but undoubtedly, it emphasizes how important hacking and cyber warfare will become in this beautiful, interconnected, brave new digital world.