How many times have we said in the last 14 months “this is really unprecedented”?
Ahead of this week’s webcast, where we will talk about the top five stories of the year, one story has crashed in with massive media coverage about security failings. Microsoft MVP and security researcher Troy Hunt told me that the Sony Pictures story is “like something out of a movie script”, as it combines all of the factors needed for a dramatic story.
“What I don’t understand is the motive,” Hunt said. “On the one hand, it is very hacktivist-like in terms of the imagery, communication and bravado, and on the other hand, unless I have missed something, there is no motivation apart from fairness and treating people right.”
He admitted that there are indicators consistent with nation-state style attacks, but the cause seems to be “we don’t like the theme of your movie!”
Looking at the exfiltration of around 100TB of data, Hunt said he wondered how it was accessible, but on the other hand it did not surprise him, given how easy he has seen it is to access data within organisations.
When I asked him if he felt it was common for a company to have 100TB of data, Hunt said it depends on the company, as a Hollywood studio would have that in video. He said: “Certainly that amount of data would be there with that sort of information held, network attached storage (NAS) can have 10TB so it is feasible, so the larger question is what exposure did that data have, and how did you get it out? You cannot take it away on a USB drive, or pass it under the firewall.”
Hunt admitted that it is easier to retain data than to purge it, but with such a broad set of data there is going to be a long tail of employee data, so there is a question of whether it needed to be accessible to whatever or whoever it was that pulled it down.
As for the most notorious part of the leak, the file containing passwords, Hunt said that it is “enormously inconvenient” to have such a file on the database, but in an organisation where multiple passwords need to be shared and stored, most organisations either do not have any kind of enterprise vault implementation, or are not aware of it if they do.
The main area of interest for me has been claims that this was an “unparalleled and well planned crime”, which Kevin Mandia (from FireEye Inc’s Mandiant forensics unit) said in an email to Michael Lynton, chief executive of Sony Pictures Entertainment. Mandia said that this sort of attack could not “have been fully prepared” for by Sony Pictures or other companies.
I asked Hunt what he thought of this claim. He said that it was time we stopped using words like “unprecedented”. In terms of sophistication, the likes of Flame and Duqu were sophisticated, but he would be surprised if the goal of a nation-state was to dump stuff publicly for fun, as you wouldn’t launch something that intelligent for a frivolous end.
“I’ve no doubt it was clever and with the amount of data that they got, that they got it out of the organisation is clearly very clever,” he said. However, he said that he didn’t think that it will be as “recognised” as those bigger attacks, saying that the lack of a motive to the effort of the attack “just doesn’t reconcile with me”.
In my view, the only instance that I can recall of attackers throwing their entire arsenal at a target was when Anonymous hit Stratfor in 2011, but Hunt pointed out that in that instance there was motive, and in the case of Sony Pictures there is some motivation, but this was clearly aimed at a specific organisation, as the evidence suggests that someone wanted them and explicitly targeted them.
Asked if businesses would or should be more prepared in response to what has happened here, Hunt said that the reality of it is that there are degrees – had Sony not retained all of the medical data of previous employees they would not have lost it, and that would have been a mitigation. He said: “There are lots of things that they could have done socially and technically that could have mitigated the impact of the risk, and that is clearly something others can learn from.
“In terms of other organisations, frankly the biggest thing that I see is nonchalance as businesses would say ‘this is not something we see as a serious risk, we are focused on other things like winning business’ and it remains a hypothetical risk.
“Frankly in my experience, the number of times people don’t take it seriously until something goes drastically wrong is worrying. People weigh security up in terms of cost and resources, and de-prioritising other resources against the risk, so it gets put on the back burner and not taken seriously until it does go wrong.”
Let’s not forget that this is not the first time Sony Pictures has experienced a security incident, with the attack by LulzSec in 2011 capturing the personal information of more than one million users.
Hunt said: “I don’t buy the fact that it is undefendable in any sort of state, and to me it comes to the fact that we are technology people who like to think in binary terms, but that data was sitting in their file shares or attached to whatever malware with an identity that had excessive access rights.
“There are inevitably going to be layers upon layers of mistakes on the Sony end, but surely they could have significantly mitigated the effect to which that software had access to resources?
“I don’t see any way in which they could have reduced the impact, so I don’t buy the ‘undefendable’ headline, as glorious as it does look on a masthead. What do you take away from this? Are you saying that they should not have done anything differently, of course they should have.”
Hunt said that if anything is learned from this, it is about the amount of information stored on intranets and in colleague identities, and the number of permissions through to open folder shares.
“People forget that these are discoverable, and I’ve written software to identify open file shares and that is very trivial,” he said. “It only takes a small amount of probing to realise that there is a whole bunch of stuff out there that shouldn’t be exposed. So at the least you should expect anyone taking this seriously to be creating automated inventories of what is accessible.”
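Hunt’s point about automated inventories of what is accessible, as an added defender-side example (not code from the article or from Hunt): a small Python module that takes share-level access entries as a scanning tool might export them, flags shares readable by broad groups, and ranks highest those whose names suggest password or HR data. The record schema, the group names and the sample shares are constructed assumptions.

```python
from dataclasses import dataclass

# Principals that effectively mean "any insider, or worse, can read this share".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "ANONYMOUS LOGON"}
# Name fragments hinting at the data the article describes; crude ("hr" also matches "threads"), so hits are leads.
SENSITIVE_MARKERS = ("password", "passwd", "credential", "hr", "medical", "payroll")


@dataclass(frozen=True)
class ShareAce:
    """One share-level access entry as a scan might export it (hypothetical schema)."""
    share: str       # UNC path of the share
    principal: str   # group or account the entry grants access to
    rights: str      # simplified: "read", "change" or "full"; all of them include read


def looks_sensitive(share: str) -> bool:
    name = share.lower()
    return any(marker in name for marker in SENSITIVE_MARKERS)


def build_inventory(aces):
    """For every scanned share: broad principals that can read or write it, plus a severity."""
    inventory = {}
    for share in sorted({a.share for a in aces}):
        broad = [a for a in aces if a.share == share and a.principal in BROAD_PRINCIPALS]
        readers = sorted({a.principal for a in broad})
        writers = sorted({a.principal for a in broad if a.rights in ("change", "full")})
        if readers and looks_sensitive(share):
            severity = "high"    # open share that probably holds what an intruder wants
        elif readers:
            severity = "medium"  # open share; check its contents before dismissing it
        else:
            severity = "ok"      # only named teams or accounts are listed
        inventory[share] = {"broad_readers": readers, "broad_writers": writers, "severity": severity}
    return inventory


def findings(aces):
    """Shares that need attention, worst first, for the inventory report."""
    rank = {"high": 0, "medium": 1}
    flagged = [(s, v["severity"]) for s, v in build_inventory(aces).items() if v["severity"] != "ok"]
    return sorted(flagged, key=lambda t: (rank[t[1]], t[0]))


# Constructed sample scan output: no real hosts, shares or groups.
SAMPLE_ACES = [
    ShareAce(r"\\fs01\HR-Archive", "Authenticated Users", "read"),
    ShareAce(r"\\fs01\HR-Archive", "HR-Team", "change"),
    ShareAce(r"\\fs01\IT\Passwords", "Everyone", "read"),
    ShareAce(r"\\fs01\Marketing", "Domain Users", "change"),
    ShareAce(r"\\fs01\Finance", "Finance-Team", "change"),
]
```

Running `findings(SAMPLE_ACES)` on the constructed data lists the HR archive and the passwords share as high and the marketing share as medium; the finance share, granted only to a named team, is not reported.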
Troy Hunt, security researcher, was talking to Dan Raywood.
Listen to the next webcast, “Four minds, five stories in security of 2014”, on Thursday at 2pm GMT.