Ann Arbor Area Business Monthly
Small Business and the Internet
The Sony Hack
By Mike Gould
Regular readers of mine (both of you) may recall that a scant one year ago I wrote about habits of secure business people (URL below). I guess Sony didn’t get their issue of BizMo that month, ‘cause boy howdy, did they ever leave their servers unlocked, ready to be burgled, bamboozled, and blowed up real good.
This is being written in the middle of December ’14, and by the time you read this, there will be even more revelations, reactions, and general on-line reveling in the disclosures and the juicy tidbits therein. But here is what we know so far, along with my thoughts as to how the concerned small businessperson should consider all this.
…is today’s vocabulary booster: it is a German word meaning “pleasure derived from the misfortunes of others”, according to our old pal, Wikipedia. There is something gloat-worthy in observing the downfall of a mighty entity, especially one that has done so much to shoot itself in the foot in so many ways, online and -off. And one that is universally loathed by large swaths of gamers, hackers, and the general digerati.
To make things even more delicious, the massive breach revealed thousands of emails between other industry people, most notably the Motion Picture Association of America (MPAA). The emails exposed an ongoing war with Google over online piracy. They included plans to bribe states attorney’s general to go after Google whenever things appear online that the MPAA doesn’t like. There’s enough dirt here (URL below) to fill a couple of outraged articles, but let’s keep our focus on Sony for the moment.
The Facts of the Hack
A group calling themselves the Guardians of Peace (GOP) sent an email to Sony Pictures CEO Michael Lynton on November 21 of this year. They demanded money and threatened to release terabytes of data they had stolen from Sony’s servers.
On Nov. 24, the website of Sony was hacked with a similar threat. No response was forthcoming from Sony, so the hackers unleashed a barrage of once-confidential Sony data, unreleased movies, and emails. Among the data were salaries of Sony execs, movie stars, and just plain Joes and Janes, along with their SSNs and email addresses. Also bared were marketing plans for upcoming movies, and, most interesting to other hackers, all the plain-text passwords and online security certificates used to access data on other servers and services.
Sony initially blamed North Korea (DPRK) for the hack, as that nation had previously threatened the movie maker over the upcoming release of The Interview, a movie starring Seth Rogan and James Franco in which a plot to kill dictator Kim Jong-un is featured. DPRK denied the charge, but praised the hack.
The FBI has been investigating, and latest reports indicate that they don’t think the DPRK is behind this. Rumor has it that the attack was launched from a hotel in Bangkok, which means anyone could be behind it. The FBI has declared the attack “unprecedented” and unique enough that the agency issued a flash alert to warn other organizations of the threat. So instead of a state-sponsored attack, which would be bad enough, we seem to be watching a bunch of pissed-off hackers, or fairly advanced cyber-criminals, attempting to hold a major corporation for ransom. The ransom wasn’t paid, and havoc ensued.
You’ll Never Work In This Town Again
And by havoc I mean that Sony may be toast. They currently can’t pay their studio bills because their accounting software isn’t working, their networks are broken, and they have experienced a PR nightmare that is making A-list movie stars run screaming from their lots. Sony may never be trusted again as far as confidential dealings with other industry entities who have had their skirts lifted, exposing seamy underbellies and all that. And the hackers are promising a “Christmas present” in a couple of weeks of even more terabytes of revelations.
Even more interesting will be the effect this all has on business as usual in tinsel town. Long notorious for “Hollywood accounting”, the entertainment business is built on smoke and mirrors as far as reporting profits, compensating its recording and other artists, and other financial shenanigans. This hack has outed just about everything there is to know about how a major movie maker does its business with its peers and competitors. This data is now out there, and it will be mined for years to come by those seeking redress of bad faith contracts, phony financial reports, and general greed. Lawyers, start your engines…
Most of this can be laid at the feet of Sony executives who ignored the first signs of the break-ins back in February. And those in the company who mandated minimum mojo in the form of corporate security on the cheap. Everyone is talking about how this could have happened to any corporation; everyone but the security industry professionals who are systematically analyzing how the attack went down, and the steps that could have been taken to minimize the vulnerability of the networks and servers involved.
Why Should I Care?
After all, I’m just a person in Southeast Michigan, with a small business, maybe a small network, far from the nonsense that is Hollywood, secure in my own little world. What’s there to fear?
Well, you saw what just happened to one of the largest, most monied corporations out there: their business was pretty much destroyed by an as-yet unidentified cabal with a grudge against Sony. What if one of your competitors goes to the dark side, or a disgruntled former network admin develops an attitude, or maybe you had some passwords on file with Sony because you sell them office supplies or something? A lot of “little people” became collateral damage because they worked in Sony’s orbit.
I am not an expert on business security, but given the post-Sony world we live in now, I would seriously advise that you review all aspects of your computer-related business, and, depending on how paranoid/cautious/concerned you are, think about hiring professional help.
Secure habits article: http://mondodyne.com/b2b/smbiznet.191.shtml
Mike Gould keeps his data off of the cloud, was a mouse wrangler for the U of M for 20 years, runs the MondoDyne Web Works/Macintosh Training/Digital Photography mega-mall, builds laser display devices, performs with the Illuminatus 3.0 Laser Lightshow, and welcomes comments addressed to firstname.lastname@example.org.