Sony hip to security deficiencies long before GOP attack
Sony Pictures said the cyber attack on its internal systems was “unprecedented,” but internal company files have revealed that the Hollywood giant knew about the security vulnerabilities in its network several months prior to the attack.
Re/code discovered an email that shows general counsel for Sony Pictures, Leah Weil, communicating with representatives from PricewaterhouseCoopers regarding a security audit of the company’s computer systems. At one point during the exchange, the auditors mentioned their discovery of an unmonitored firewall and over a hundred other devices that were not being supervised by Sony’s corporate security team, which is responsible for monitoring IT infrastructure.
The audit, which was conducted over a two-week period from the middle of July to the beginning of August, found that Sony Pictures had neglected to make its security team aware of the new devices after transferring from a third-party provider.
The PricewaterhouseCoopers auditors warned, “Security incidents raising these network or infrastructure devices may not be detected or resolved timely.”
Additionally, the email exchanges indicate that there was a discrepancy between the list of devices that the security team was instructed to monitor and the list of devices it was actually monitoring. According to PricewaterhouseCoopers, Sony may have omitted certain network devices, including “critical security devices,” causing them not to be monitored.
In Sony’s reply to the report, on September 25th, the company said it did not apply “the same level of rigor” to devices such as web servers and routers because it wanted to focus on perimeter devices.
The report’s timing couldn’t be worse for Sony Pictures, as the company is still dealing with the aftermath of a major cyber attack that was allegedly carried out by a hacktivist group calling themselves Guardians of Peace (GOP). The attack disabled the company’s entire computer system and allowed the hackers to access large quantities of sensitive information that they appear to be slowly leaking via file-sharing sites.
A source cited by the Times of London said that partners of Sony Pictures are cancelling shoots indefinitely because the company is unable to process payments, and that the problems with Sony’s payments processing system are a result of the breach.
Among the leaked emails are some uncouth, and now embarrassing, exchanges between Sony’s upper-ranking executives, wherein the executives insult everyone from President Barack Obama to Angelina Jolie. Movie producer Scott Rudin, who produced the Academy Award-winning No Country for Old Men, made derogatory comments about Angelina Jolie, referring to her as a “minimally talented spoilt brat” with a “rampaging ego.”
One particular exchange between Scott Rudin and Sony co-chairperson Amy Pascal exposed the duo indulging in racist banter with regard to President Obama. Pascal asked Rudin if she should ask President Obama whether he liked Django, a reference to the Quentin Tarantino film, Django Unchained. Rudin replied, “12 years” before he and Pascal continued to exchange references to films featuring African American actors. Rudin also remarked, “I bet he likes Kevin Hart.”
It was also discovered that Sony CEO, Michael Lynton, called Kevin Hart a “whore” because he requested compensation for promotional tweets.
Since getting caught and being publicly shamed, Rudin and Pascal have apologized for their behavior. Pascal admitted her comments were “insensitive and inappropriate” and said, “Although this was a private communication that was stolen, I accept full responsibility for what I wrote and apologize to everyone who was offended.”
Aside from exposing the true colors of Sony’s top brass, the GOP have leaked myriad documents, including four unreleased films and private data concerning employees of Sony Pictures. The content of the documents included Social Security numbers, private residence addresses and identifiable health information of employees and their families.
Deborah Peel, director of the NGO Patient Privacy Rights, expressed her concerns: “This is a thousand times worse than that other stuff; health information is the most sensitive information about you. This stuff will haunt all those people the rest of their lives. Once it’s up on the internet it is up in perpetuity.”
The U.S. Federal Bureau of Investigation (FBI) is involved in the investigations but hasn’t revealed suspects, while Sony hired security firm FireEye’s Mandiant unit to restore order. Various media outlets have cited sources who are close to the investigation as saying North Korea is responsible for the attack, but the GOP identifies itself as a hacktivist group that is in no way affiliated with any government.
The paranoia about North Korea is partially linked to Kim Jong-Un’s outrage about a new Hollywood movie called The Interview, which is a comedy about the CIA plotting to assassinate Kim Jong-Un. North Korea denied taking part in the Sony Pictures attack, but it has spoken out against the movie, and allegedly stated that the country is pleased that its “supporters and sympathizers” are backing its war against “U.S. imperialism.”
In addition to North Korea’s disdain for the new movie, director of labs at AlienVault, Jaime Blasco, said that the four files he examined look to have been created on a machine that was operating in the Korean language.
Sony has refused to pull The Interview before it debuts in American theaters on Christmas Day.