Sony Pictures, Lax Security, and Passwords

David A. Wheeler

2015-04-18 (originally 2014-12-20)

Sony Pictures Entertainment (SPE) has endured a disastrous computer security breach. As a result, a lot of damaging information has been revealed, and thousands of its computers have been rendered inoperable. Employees and former employees have had health records and private emails revealed. Some emails showed “how the movie industry... had hired the former attorney general from Mississippi... to put pressure on [Mississippi Attorney General Jim] Hood to go after [Google, and] orchestrated [a] lobbying campaign to press state attorneys general not only to question Google, but to subpoena and perhaps sue the company.” Some of it is so ironic that you just have to laugh. SPE even had pirated ebooks on its servers. That is notable because, as the Daily Dot explained, “Sony has engaged in aggressive and even illegal anti-piracy actions in the past” - and to increase the irony, the pirated books are educational books about cyber attacks.

However, until recently there has been little information about how their 2014 security disaster happened. That matters, because it’s important for people to learn from past problems, and we can only learn when there is enough detailed information about what happened.

We now know more. It now appears that Sony was remarkably lax about its security, in particular how it handled authentication information (such as passwords). Sony is now reaping the results of its lax security posture.

I think it is important to examine what we know, in particular what the attack was and why it was so damaging, so that the rest of us can learn from their woes.

What was the attack?

We finally have US-CERT alert TA14-353A. They did not mention Sony Pictures by name, but this alert is obviously about them. This alert was described further in SecurityWeek. This material reveals that Sony Pictures was attacked (at least in part) using an “SMB Worm Tool” with multiple modules. Many of its modules could perform attacks once privileges were granted, including destruction of data on hard drives. But how were those privileges gained in the first place? A key mechanism the tool uses for gaining privileges is “a brute force authentication attack to propagate via Windows SMB shares... [it] attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.” In short, a key part of the attack was simple password guessing. This may not be the full story, but this is the best information available, and it is consistent with what is known elsewhere.

To me, this is immediately interesting. Such an attack would not work well in an environment with good basic countermeasures such as requiring strong passwords, requiring good protections of authentication mechanisms (like passwords), and stronger authentication mechanisms (like two-factor mechanisms) when important information is involved. Gaining passwords should be hard, and should not get everything anyway. There should also have been damage reduction mechanisms (like encryption) to prevent revelation of the most sensitive materials. In addition, there should have been detection and response mechanisms to detect and counter such a massive exfiltration. Why did Sony Pictures endure so much damage?

We also got an interesting discussion of the poor quality of the attack code itself from Ars Technica’s review of the malware, in particular an analysis by researchers at Cisco’s Talos Security Intelligence and Research Group. They found that the attack software was “full of bugs and anything but sophisticated”, “the software equivalent of a crude pipe bomb”, the “code is simplistic, not very complex, and not very obfuscated”, the code was of an “unprofessional nature” and “looks like something hobbled together from a well-worn malware kit bought off an underground web forum”. But this raises even more questions; why should such a simple attack system cause so much damage?

Why was it so damaging?

By connecting up the new information on the tools used, with public information about Sony itself, we can suddenly get an interesting (and disturbing) view of what happened, and why it was so damaging.

It appears that Sony Pictures has been extraordinarily lax in its computer security, making it an especially easy target: relatively easy to penetrate, easy to stay undetected in, and lacking effective ways to limit the damage once an attacker got in. In particular, Sony (overall) has a long history of being bad at managing passwords and other critical data.

Kashmir Hill’s “Sony Pictures hack was a long time coming, say former employees” states that former employees report that Sony Pictures has had a “long-running lax attitude toward security” - employees even “highlighted specific vulnerabilities on company websites and systems that were never addressed”. For example, there was a case where they were “collecting personally identifying information without encrypting it.” In particular, Sony did not seem to treat any authentication mechanisms with care. People routinely stored passwords online, with filenames containing “password”. Their information security team is small and top-heavy; out of 7,000 employees they had three information security analysts, even though their primary business involves information. Those three were overseen by three managers, three directors, one executive director and one senior-vice president (!).

Mashable listed some of the passwords used at Sony Pictures. They snarkily noted, “if you’re working at a high-profile studio like Sony, perhaps you should choose a better password than ‘s0ny123’ or ‘password’”. In a few cases critical files were encrypted with passwords, but the passwords were sometimes stored as plaintext in files in the same directory, often with filenames containing the word password. Some passwords are not important (and thus not worth protecting), but if you care enough about a file to encrypt it, then its decryption keys need to be elsewhere and better-protected.

Gizmodo’s “Sony Execs Knew About Extensive IT Flaws Two Months Before Leaks” reported that an internal IT assessment, dated 2014-09-25 (two months before all this data was exposed), showed that its internal security was in shambles. They had a “plague” of unmonitored devices and a serious lack of accountability. One problem was that until September 2013 (the year before), Sony Pictures Entertainment had “outsourced its IT security to a third party security service... [but in 2013 they] decided to put its Global Security Incident Response Team (GSIRT) in charge of overseeing core responsibilities and general monitoring for the company’s various subsidiaries, including Sony Pictures. While GSIRT would monitor security overall, the third-party team that SPE had been using was still responsible for implementing various security measures (firewalls, intrusion prevention systems, etc.)...” Sony was aware that they left a significant number of devices unmonitored, yet they did not rapidly reconcile them or establish a process to prevent its recurrence. As Gizmodo noted, even though these problems existed and were known, “Sony was so slow to react to them [that it] indicates a culture that failed to prioritize information security.” Gizmodo also noted that Sony stored thousands of passwords in a document named “passwords” - not just low-value passwords, but important ones like major motion picture social accounts.

This laxness has been going on for a long time. In 2007 Jason Spaltro, then executive director of information security at Sony Pictures Entertainment, crowed to CIO magazine about “good-enough compliance”. He specifically crowed that, when a Sarbanes-Oxley audit had found insufficiently strong access controls (in particular, that many passwords were easy to guess), he had fought the auditor. After some debate, the auditor agreed not to note “weak passwords” as a SOX failure. Requiring good passwords is relatively easy to do; the cost is relatively trivial, while the damage caused by total exfiltration of all that data is massive. Jason Spaltro not only stayed, but his 2014 salary is now well over $300,000.

Haven’t we heard about Sony and bad password management before? Yes, we have - the disastrous PlayStation Network breach. In April 2011 the PlayStation Network was attacked (using SQL injection, a well-known attack type that is trivially countered by prepared statements). As noted by Cnet and Sony, user passwords were stored as unsalted cryptographic hashes. This was absurdly bad, and is not much different than storing passwords as cleartext. Attackers can easily take a database like this and use brute-force attacks (along with dictionaries and rainbow tables) to quickly find an astonishing number of passwords. Any password database (as I teach my students) must be, at a bare minimum, stored using cryptographic hashes with per-user salt. Indeed, they should be using stronger hash functions (such as bcrypt or PBKDF2) and a large number of rounds, as noted by Dennis Mirante and Justin Cappos.

Dennis Mirante and Justin Cappos also note that different units of Sony have had many serious problems with securing user information and passwords, and should have learned something before 2014:

  1. Sony PlayStation Network (between April 17 and 19, 2011): LulzSec group, using a SQL injection attack, obtained and dumped password database online. Sony stated passwords were “transformed using a cryptographic hash function”, but as noted above, Sony failed to apply per-user salt, so it was easy for attackers to find many passwords.
  2. Sony Online Entertainment (May 2, 2011): LulzSec group used an undisclosed attack method to obtain an old password database. Sony claimed that the passwords were “hashed and salted”, though it was criticized for leaving this old data around.
  3. Sony Pictures (June 2, 2011): LulzSec used a SQL Injection to obtain and dump user information. In this case, the passwords were plaintext (as opposed to using per-user salt and cryptographically hashed); this was confirmed by Mirante and Cappos. You would think Sony Pictures would have learned from this in particular.
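The difference between the unsalted hashing used on the PlayStation Network and the per-user salt plus slow key derivation the text calls for, as an added example that is not Sony's code or from any of the cited articles. The iteration count is an assumed value; the user names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Added example (not Sony's code): an unsalted hash database versus one using
# per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 here).
ITERATIONS = 200_000  # assumption: raise this as hardware gets faster

def unsalted_hash(password):
    """What an unsalted database stores: the bare hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

def lookup_unsalted(db, wordlist):
    """One precomputed table of hashes answers for every user at once, which is
    why unsalted storage is little better than cleartext: two users with the
    same password share a hash, and the table is built once, not per user."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}

def store_password(password):
    """Per-user random salt plus many PBKDF2 rounds; stores salt, rounds, hash.
    Every user now costs an attacker a separate pass over the wordlist, with
    ITERATIONS hash computations per guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "rounds": ITERATIONS, "hash": digest.hex()}

def verify_password(record, attempt):
    """Recompute with the stored salt and rounds; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))
```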

Sony Pictures hired Kevin Mandia (CEO of Mandiant) to investigate the breach, and then produced this statement from him as a result: “This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software...” But that is ridiculous. Most malware is not detectable at first by “industry standard antivirus software”! Forbes immediately came to the conclusion that, “Mr. Mandia was simply providing a carefully worded statement to a fat client who was looking for cover and believing the rest of the world would take him at face value” (see Forbes’ article “Instead Of A Real Response, Perennially Hacked Sony Is Acting Like A Spoiled Teenager”). It appears that Sony Pictures thinks that “industry standard antivirus software” is a sufficient defense against attackers - or that at least many others might think that. Of course, that is ridiculous, and it suggests that they do not understand even the basics of how to secure their organization.

This lax security was further hobbled by Sony Pictures’ thin level of internal IT staff. There had been a “reduction in the amount of IT support from corporate parent Sony Corporation of America and poor support team training”, and they were already having repeated problems with just their email service on their heavily outdated Microsoft Exchange 2007 infrastructure.

I do want to make something else clear: I think this incident does not meet the definition of “use of force” under the UN charter and international law, at least not as the US government has typically defined it. Here I depend on a widely-cited US Department of State definition given in 2012 by Harold Hongju Koh (Legal Advisor to the U.S. Department of State) at the USCYBERCOM Inter-Agency Legal Conference, who stated that “Cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In analyzing whether a cyber operation would constitute a use of force, most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force if produced by kinetic weapons. Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force... if the physical consequences of a cyber attack work the kind of physical damage that dropping a bomb or firing a missile would, that cyber attack should equally be considered a use of force” (emphasis mine). Since there was no death, injury, or significant destruction, by many definitions this Sony incident was not a “cyber attack”. As Panayotis A. Yannakogeorgos noted in “Keep Cyberwar Narrow”, people often conflate “cyber attack” with “cyber exploitation” or “denial of service disruption” - but such broad definitions risk “treating crime and espionage as threats to peace”.

What should you do?

Sony is a victim; their poor security practices do not justify the attack. So it is absolutely true that we should not “blame the victim” for an attack performed by someone else.

However, attacks are inevitable; complaining that there are attackers does not eliminate them. Organizations need to step up to (1) prevent attacks from succeeding (where they can), (2) detect attacks, successful or attempted, when they happen, and (3) reduce damage when they are not prevented or detected in time. Below are a few simple steps that I think would have helped. I map these steps to the SANS Critical Security Controls (CSC) version 5, a short list of critical controls. NIST 800-53 is a more comprehensive set of controls; what is disturbing is that even just the shorter critical subset identified by SANS is likely to have helped counter the attack or reduced its damage, never mind a comprehensive set of controls.

So here are a few obvious steps that are likely to have prevented (by countering the attack or reducing its damage), detected, and/or responded to the attack, along with a mapping to the SANS list of controls:

  1. Require strong passwords for important tasks (such as login) when passwords are used. A SOX audit found this problem in Sony Pictures years ago; the person who was supposed to lead their security crowed about this, instead of fixing it. Computer systems (at least important ones) should normally prevent setting bad passwords, and force users to use good ones. This is part of SANS CSC #16, “account monitoring and control” (especially CSC 16-8).
  2. Use multi-factor authentication for important privileges. Passwords will not disappear any time soon, because they are cheap and portable. But passwords are also easier to compromise. For important functions, use multi-factor authentication (say, a smartcard and a PIN). This is part of SANS CSC #16, “account monitoring and control” (especially CSC 16-14).
  3. Keep patches up-to-date. I have heard unsubstantiated claims that Sony Pictures did a really bad job keeping patches up-to-date. Since they couldn’t seem to do other simple basic tasks (like run an email server), that seems plausible, but I have yet to find any direct source to justify this. In any case, keeping systems up-to-date is important for making systems harder to attack.
  4. Have stronger protections for important data. In many cases the “crown jewels” should not be on the normal network at all; isolated networks are best. If you cannot fully isolate the networks, isolate them to the maximal extent (e.g., with containers, restricted accounts, and so on). Encrypt your crown jewels, both in motion and at rest, and make sure their passwords are not stored with them. Specifically looking for efforts to exfiltrate important data is helpful too. This is part of SANS CSC #17, “Data Protection” (especially CSC 17-3).
  5. Maintain backups. Sony may have been doing this, but it’s worth emphasizing.
  6. Have a working detection and response process in place. Someone should be monitoring your network; it should be hard to exfiltrate over a terabyte of data without detection and examination. You should know what is expected, and be suspicious of the rest. There should be all sorts of alarms for suspicious activity. I am a big fan of honeypot-like systems (e.g., bait): include in your environment some honeypots (unused systems that if used indicate attack), bogus/bait users (bogus users that no one should be logging in as), and bogus/bait data (data that no one should be trying to load/read). Then have several responses ready if something really bad is detected. This is part of SANS CSC #14, “maintenance, monitoring, and analysis of audit logs”.
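The password-guessing behaviour US-CERT describes for the SMB worm tool, and the bait-user idea in step 6, both leave a detectable trail in authentication logs. The following is an added example, not Sony's tooling or anything from the cited reports: it runs two simple detections over a constructed, flattened export of Windows Security events (the event IDs, logon-type codes, hosts, accounts and the bait account name are all constructed or assumed for the demonstration).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real Sony data): flattened Windows Security events.
# 4625 = failed logon, 4624 = successful logon, LogonType 3 = network (SMB).
SAMPLE_LOG = """\
2014-11-21T03:12:01 EventID=4625 LogonType=3 Account=jdoe Source=10.0.5.77
2014-11-21T03:12:02 EventID=4625 LogonType=3 Account=jdoe Source=10.0.5.77
2014-11-21T03:12:02 EventID=4625 LogonType=3 Account=msmith Source=10.0.5.77
2014-11-21T03:12:03 EventID=4625 LogonType=3 Account=Administrator Source=10.0.5.77
2014-11-21T03:12:04 EventID=4625 LogonType=3 Account=svc-sql Source=10.0.5.77
2014-11-21T03:12:05 EventID=4624 LogonType=3 Account=svc-sql Source=10.0.5.77
2014-11-21T03:40:10 EventID=4625 LogonType=2 Account=kwong Source=10.0.9.14
2014-11-21T09:15:30 EventID=4625 LogonType=3 Account=payroll-archive Source=10.0.7.3
"""
BAIT_ACCOUNTS = {"payroll-archive"}  # constructed bait user; nobody should use it

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$")

def parse_events(text):
    """Turn the flattened log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                           "lt": int(m["lt"]), "acct": m["acct"].lower(), "src": m["src"]})
    return events

def find_smb_guessing(events, window=timedelta(minutes=5), min_failures=5, min_accounts=3):
    """Flag a source that produces a burst of network-logon failures spread over
    several accounts, the pattern SMB password guessing leaves behind, and note
    whether a successful network logon from that source followed the burst."""
    by_src = defaultdict(list)
    for e in events:
        if e["lt"] == 3 and e["eid"] in (4624, 4625):
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["eid"] == 4625]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            accounts = {e["acct"] for e in burst}
            if len(burst) >= min_failures and len(accounts) >= min_accounts:
                success = sorted({e["acct"] for e in evs
                                  if e["eid"] == 4624 and e["ts"] >= first["ts"]})
                alerts.append({"source": src, "failures": len(burst),
                               "accounts": sorted(accounts), "success_after": success})
                break
    return alerts

def find_bait_account_use(events, bait_accounts=BAIT_ACCOUNTS):
    """Any logon attempt at all against a bait account is a high-confidence alert."""
    return [e for e in events if e["acct"] in bait_accounts]
```

On the sample, the first source trips the burst rule and shows a successful logon right after the failures, which is exactly the "password correctly guessed" moment worth paging someone about; the interactive (type 2) failure elsewhere is ignored, and the lone attempt against the bait account is reported on its own.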

Of course, I can only comment on publicly-available information. Sony Pictures may have been doing many (or all) of these things, and perhaps all of them would not have been enough. But the information publicly available strongly suggests that they were extremely lax about security, especially about passwords. It is certainly clear that a lot of damage was done because of what they chose to not do. US-CERT has a longer list of suggestions. I note the SANS Critical Security Controls (CSC) list in part because it is not comprehensive. The CSC is merely intended to be a “must do first” list for organizations. An organization like Sony Pictures, whose primary focus is information, should be beyond these basics.

The US FBI stated on 2014-12-19 that the North Korean government is responsible, and listed some evidence for it. If this is true, then this is a concerning turn of events. In the end, few or no companies can withstand a direct attack from a nation-state if the nation-state truly puts its full strength into it. Indeed, cyberattacks are the only kind of attack I know of where we expect that private companies will be able to defend against nation-states. To be fair, a lot of people are skeptical that North Korea was involved. But that in itself is interesting; as Bruce Schneier points out, “What’s both amazing - and perhaps a bit frightening... [is that] we’re living in a world where we can’t easily tell the difference between a couple of guys in a basement apartment and the North Korean government with an estimated $10 billion military budget.”

But nation-states, just like everyone else, have limited resources. Specific cyberattacks often stop being effective once they are used, so attackers need to choose their attacks carefully. No matter who the attacker was, all the evidence available suggests that this attack did not require the resources of a nation-state. The publicly-available data suggests that Sony made themselves an easy target, and that the attackers (possibly North Korea) simply took advantage of them. And, since Sony was woefully unprepared for attacks (including successful attacks), the damage was unusually severe. No one is invulnerable to attack. The key is that organizations should not make attacks easy, or let the damage be so severe.

The steps to counter these attacks are not new. Steps like “require good passwords” are considered the basics at most organizations. Sadly, it appears that Sony’s lax security posture led to unusually grave consequences. My hope is that others will learn from Sony Pictures’ misfortune.


If you enjoyed this paper, you might also enjoy the entire suite of related papers in my essay suite Learning from Disaster. This includes similar papers on Heartbleed, Shellshock, POODLE, and the Apple goto fail vulnerability.

Feel free to see my home page at http://www.dwheeler.com. You may also want to look at my paper Why OSS/FS? Look at the Numbers! and my book on how to develop secure programs.

(C) Copyright 2014 David A. Wheeler.