Sony: A Year After the Hack

It’s been just over a year since Sony experienced a significant breach that saw a vast quantity of executives’ emails spilled onto the Internet. By February 2015, much of the excitement had passed, and seemingly all of the interesting or relevant analysis had been done. Accusations had been made against North Korea and others, but ultimately the person(s) responsible for the breach were never brought to justice.

In the past few days, two separate items regarding Sony caught our eye and brought this incident back to mind. First, an article by Kim Zetter at Wired explores the idea that the hackers behind the Sony breach are still active and have hacked additional high-profile targets since. Based on data collected by Juan Andrés Guerrero-Saade of Kaspersky and Jaime Blasco of AlienVault Labs, presented recently at the Kaspersky Security Analyst Summit, they maintain that the hackers have remained active and have left a steady trail of clues that allowed the researchers to link different hacks to the same group. Using a variety of techniques and examining different aspects of the tools and the resulting signatures left behind, Guerrero-Saade said, “I think we’ve gotten quite accurate and good at finding the work of these guys.” Despite the research, neither will explicitly attribute the campaign and attacks to a country, including North Korea.

The other thing that caught our eye was a tweet from Richard L. (@RichDevX) pointing out that a Sony computer in Taiwan appeared to have an insecure configuration that allowed remote VNC connections.

[Image: richdevx-tweet]

Looking at Shodan’s data on the host in question, it appears to be a Linux-based system with two services available, one of them the notoriously exposed VNC (Virtual Network Computing), which allows a remote user to attach to the graphical desktop of the system running it. Shodan captures a wide variety of systems with VNC open, and will frequently show a screenshot of what is running on the remote host.

[Image: shodan-sony-host]

This type of configuration, allowing remote VNC connections, is well known among information security professionals to be a security nightmare. Yet, even after what many described as a catastrophic data breach, this Sony server appears to be just waiting for someone to poke around it. An initial reaction could be that, even a year later, Sony is still not meeting the basic standards of securing its infrastructure, which leads many to wonder just how much its security posture has improved in that time. The other viewpoint is that information security is hard, and even harder when trying to secure a large global organization. Even one host that slips through the cracks and is left open can be the entry point into a company, leading to a data breach.

Reviewing Cyber Risk Analytics shows that, fortunately for Sony, they do not appear to have suffered a breach since the 2014 hack; at least, not one that resulted in information being disclosed publicly.