Explainer: The Sony Pictures Hack

Much of what you’ll have seen in the mainstream media about the Sony Pictures hack is that copies of unreleased movies were leaked to the wild. The reason that’s been the focus is because that’s a relatively simple piece that someone without much technical experience can grasp. “Oh”, this person thinks to themself, “that’s going to hurt their box office take as people download it from the internet.” And that’s true. That will happen. But that’s also just about the smallest piece of the whole headache for Sony, and for the tech industry.

At the moment it’s probably safe to assume that there is no data on their network that did not get stolen. Movies, documents about movies, sensitive emails, contract negotiations, employee personal records including medical records… all stolen. Passwords too, and then to top it all off, the private key to Sony’s code signing certificate.

Since the leaks began, the data has been trickling out. Internal PowerPoint presentations covering movie marketing pitches have been mocked. Emails talking about recruiting this or that actor for a film have been released. Threats are now happening to some employees and their families, because their data is out there. To make things worse for Sony, the means by which the malicious package was delivered (overwritten on the master boot record so that even a format will re-introduce it) basically destroys all the computing equipment that’s been infected with it. All of it will have to be replaced. Until that’s been done, not a lot of business is going to be able to occur.

The FBI notes that this is similar to an attack that occurred in 2012, destroying some 30,000 computers.

This is all very bad for Sony. This is very bad for Sony’s employees as well, who are now suffering as a result and will do so for quite a while yet: I’d expect to see some large scale quitting going on over the next year or so. Their tech departments will be working overtime to recover, and that’s in addition to taking the blame for the hack in the first place. Misplaced blame, incidentally: after the 2011 hack (Sony hacks happen rather often, this one’s just very large) for which Sony was required to testify before the House of Representatives, executives promised greater security efforts. Guessing nothing happened there.

But this is going to set off some pretty large waves across the information security landscape as execs around the world begin to panic. Computer janitors the world over will be working overtime to try to get some sort of strategy implemented to prevent the same sort of thing from happening to their company on an equally large scale. So, job security for the folks who work in that industry, yay!

On the other hand, one piece of the Sony hack is getting a great deal more attention in security circles than it is elsewhere. It’s actually a very tiny little thing, fewer characters in the file than I’ve already typed out on this page, in fact. Their code signing certificate and its associated private key.

To explain this let’s go back to a security basic, and we’ll use web sites as an example because it’s more familiar to me to explain. If you were to hit up your bank’s website, you’ll probably (hopefully) see that little lock icon to tell you it’s a secure, trusted connection. This is critical, and it means two things are happening.

One, it means communications between your browser and your fictional bank’s website is encrypted, so that someone who is somehow between you and that website (referred to as “man in the middle”) can’t read your bank login or your details. Or at least it’s very much more difficult. And this is quite important, because behind the scenes, your connection will touch 20-30 pieces of network equipment trying to get from where you are to that bank’s website. If any one of those is somehow compromised, all your connection data could be easily read if it didn’t have that encryption.

Item two is the real kicker though. Not only is this effort securing your data, it’s making sure that your data is going to the people you think it’s going to. It hardly matters if your data is encrypted if the connection is sending you straight to some unknown Russian hacker. That certificate tells you “yes, we issued THIS certificate to THIS bank and you can trust anyone using it to be that bank.” You see? It’s about trust. This setup gets used for websites, it gets used for software so you know legitimate companies released trusted programs, it gets used for personal communication in some circumstances, etc.

Sony lost their certificate in the hack. The certificate, and the keys to it. Anyone with it can now pretend to be Sony, and anyone or any system that trusts Sony will now trust whomever uses it.

Guess what? It’s already been used to sign some pre-existing malware (shoutout to my infosec friend Colin who got a nod in the article!). As it happens, the signing of this malware was done as a joke between security researchers, but they were able to do this the same way anyone writing malware, viruses, etc., could do so.

Of course, the whole certificate system does have a contingency for this sort of thing called the certificate revocation list. It sort of sets a flag that lets systems know that certificate X or Y shouldn’t be trusted. Sony’s cert was revoked on December 7th, but systems already compromised or somehow unable to verify against the CRL may not pick that up. There’s still a lot of machines out there potentially at risk. And as the article notes at the end, Sony itself delayed over a week before that revocation happened. Given the potential severity of such a leak, this should have occurred as soon as they were aware it had leaked.

As I often say when I type this sort of thing up, I’m not an expert on this sort of shit. But this should give a sufficient overview of why it’s been an enormous fiasco. To be honest, the whole event has made for fascinating reading. I’m quite glad I got away from being a computer janitor a few years ago. I wouldn’t want to have to go through this myself.