This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Hey, Crow, how you doing?
Carole Theriault
You know how I'm doing.
Graham Cluley
I'm running around. Yes. Well, hi. Hello, everyone. I thought, well, you know, it's obviously Thanksgiving weekend and we decided that we weren't going to put anything out, right? We're going to take a break.
Carole Theriault
Well, you decided.
Graham Cluley
Well, you seemed really busy. You're dashing off everywhere.
Carole Theriault
Yeah, I'm busy. No, no, no, we decided. We decided. I'm just being polite. Yeah. I'm late for a date in Manchester, man. I'm ironing. What?
Graham Cluley
Okay.
Carole Theriault
Yeah.
Graham Cluley
Okay. So you're prepared for your talk? You're ready for that? Are you?
Carole Theriault
Yeah, yeah, yeah. Fine, fine.
Graham Cluley
Yeah. Rock it. Right. Excellent. So I thought, you know, it's a bit sad for our listeners that they're not getting to hear your lovely tones this week. And maybe we should just—
Carole Theriault
Are you recording this? They do get to hear our lovely— Oh, but only— yeah, we did this special for the Patreon. We did do this special for the Patreon. We did do this Patreon special.
Graham Cluley
We did. So we put out some bonus content for them all about Sony hack.
Carole Theriault
Why don't we get a bit of it to our everyday listeners?
Graham Cluley
I thought we could just have a recording of you doing your ironing and racing around packing your suitcase instead.
Carole Theriault
It's just a joke, man. Look, I had a party, everything got moved, everything is now being moved back and I don't know where anything is.
Graham Cluley
It's not my fault. Well, all right. As we can't record a regular episode this week, let's put out some of the special which we've just done for our patrons on the regular feed.
Carole Theriault
I think that's a really cool idea. So everyone take a listen. If you hear what you like, you can always become a supporter, right?
Graham Cluley
We'll put out the full thing to our patrons. So if you go to patreon.com and find us up there. Yeah, because they're supporting us.
Carole Theriault
They're supporting us, they're helping us do more shows, right?
Graham Cluley
All right, right.
Carole Theriault
That means I wouldn't—
Graham Cluley
All right, enough chitchat. Let's get on with it. Come on, get off. You've got to get to Manchester. Clear off.
Carole Theriault
Bye.
Graham Cluley
Bye. These were passwords that they had set up for people and they were keeping a record of.
Carole Theriault
For real?
Unknown
Banana1. Wow. Right, now you're on my side. Smashing Security, episode 156. Better safe than Sony with Carole Theriault and Graham Cluley.
Graham Cluley
Hello, hello, and welcome to Smashing Security episode 156. My name is Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
Hi, Carole. How you doing?
Carole Theriault
I'm great, thanks. How are you?
Graham Cluley
Not too bad. We don't have a guest this week, do we?
Carole Theriault
But we thought we would do something a little bit special.
Graham Cluley
We thought we'd talk about one particular topic rather than having different topics. And as we don't have a guest, it's a special. Yeah, and we won't do Pick of the Week, but we'll look back on a momentous period of cyber history, a particular hacking incident, and rummage through it and see what comes out because it is the 5th anniversary. Did you know that, Carole? It's the 5th anniversary of Sony Pictures getting hacked.
Carole Theriault
It's been just about two weeks since word broke of cyber criminals hacking into Sony Pictures, and each day seems to bring more damaging, embarrassing, or worrisome revelations. The hackers always— Yeah, you know, when you first suggested doing this, I was thinking, oh, that's a bit lazy, right? Doing a 5-year-old hack. But the thing is, when hacks happen, you don't have the full picture at all. You're in crisis mode if you're the one being attacked. You're reacting to the press, you're reacting to your customers, you're reacting to the employees, you're trying to lock down systems, and you have no idea where it's coming from or what it's doing or what they want. You know, it's pretty high energy.
Graham Cluley
And in this particular case, it's a bit of a tangled tale as well.
Carole Theriault
It was a big hack.
Graham Cluley
Well, it's certainly an interesting story. So what we'll do is we'll tell the story from the beginning, more or less.
Carole Theriault
And that will be really useful for me because, as you know, I'm quick on my feet, but I have a sieve for a memory.
Graham Cluley
So you're saying I'm not quick on my feet? What do you say?
Carole Theriault
You know, we've walked together before. And no, but you have a much better memory than me. I think that's why we work well together. So you go through and I actually won't remember many things, so I'm going to ask a lot of questions. That's okay.
Graham Cluley
5 years ago this week, November the 24th, 2014, just before the American Thanksgiving holiday, employees at Sony Pictures went to work that Monday morning. They turned on their computers. And they were greeted by an image. And the image was of this sort of ghoulish skeleton leering at you out of the screen alongside a claim that the company's data had been stolen and would be released if undisclosed demands were not met. And it claimed that the computers had been hacked by a group called the GOP.
Carole Theriault
So, okay, can we pause for a second here? So say this happens to average Joe Schmo employee. If you put yourself in their head, don't you think some of them are going to go, ooh, this is going to be an exciting day today?
Graham Cluley
Oh, yeah. Get the camera out. Take a screenshot. Post it on Twitter. Look what's going on at Sony today.
Carole Theriault
Yeah.
Graham Cluley
You may well do that. That's right.
Carole Theriault
Because if it was happening in your house, you'd be in full-fledged panic mode.
Graham Cluley
Oh, yeah. It would be horrible if it happened. I mean, it's a bit like getting ransomware in a way, isn't it?
Carole Theriault
Although ironically, I think actually that would be a bit silly of employees to think that because obviously many people use work email and work systems to send private stuff.
Graham Cluley
Yeah, true. But you're probably also thinking, oh, thank goodness, I won't be able to get to my email. I won't have— I can go out for lunch.
Carole Theriault
Exactly. My boss is going to be busy.
Graham Cluley
It's a bit like when it snows a lot and school is closed. It's like, fantastic. Apparently, when people were arriving at their offices, in the London office, for instance, there was a sign in the lift saying, do not turn your computers on when you get to your desks and do not connect to the Wi-Fi because they didn't want more people—
Carole Theriault
Just sit there and look at the wall. No, wait.
Graham Cluley
Further instructions.
Carole Theriault
Okay, so everyone gets in a panic, right?
Graham Cluley
So the message said that they had been hacked by a group called GOP, not to be mixed up with any other GOP who may be causing mischief. This was the Guardians of the Peace.
Carole Theriault
And what do we know about them?
Graham Cluley
Well, this was the first time that we had heard of them, but they also hacked a number of Sony Twitter accounts. You know, when they have a new movie to promote, they quite often will set up a Twitter account specifically for the movie.
Carole Theriault
Right, right.
Graham Cluley
And it was those accounts which seemed to get hit, and a message again was displayed. And the message was this time having a go at Sony Entertainment's chief executive officer, a chap called Michael Lynton, saying he will surely go to hell and calling them criminals and saying nobody can help you.
Carole Theriault
And so, okay, so is your immediate reaction, oh, it must be personal? Or why? Is that unusual that they would go after a CEO like that?
Graham Cluley
It feels a little bit odd to me, don't you think?
Carole Theriault
Well, yeah, I think so. But you know more about these things because you read, you know, you remember stuff.
Graham Cluley
Well, I remember, for instance, when the Ashley Madison breach happened.
Carole Theriault
Yeah.
Graham Cluley
Which felt a little bit personal as well.
Carole Theriault
Okay. How so? How so?
Graham Cluley
The extortion message against Ashley Madison was sort of specifically targeting a few employees as well as claiming that, you know, that they were destroying lives. You know, it felt like it wasn't just a breach which was designed to make money or something like that. It was someone who really disliked the company and had a grudge against it. And if you start mentioning by name the chief executive officer of the company that you've hacked, it does begin to make you think, well, you know, could this be an employee? Could this be someone with a grudge, someone who's, you know, maybe met him at a cocktail party and he trod on their toes? You don't know. It's going to be something like that.
Carole Theriault
If, again, if I were an employee and I got some kind of communication that mentioned the CEO of my company by name, I would actually think it would make it more serious for me because, A, when you work in a company, you're often in an echo chamber and you think you're the navel of the universe and your company and the CEO is really, really important, even though no one outside really knows who they are. On one side, but also it means they know a lot about us and they may have a lot more information. I mean, it's easy to know who the CEO is though, too, right?
Graham Cluley
It's not hard to find out who the CEO is. Personally, I would find that rather juicy. And I'd think, oh my goodness.
Carole Theriault
Right. So back to my first point, you're rubbing your hands together now and you've got the microwave popcorn, the microwave's just spinning around, spin the popcorn around.
Graham Cluley
Okay. Well, sources at Sony Pictures told the press that 11 terabytes of data had been stolen by the hackers.
Carole Theriault
And it was communicated at that time?
Graham Cluley
Well, that leaked out from Sony Pictures. Sony Pictures themselves were only describing it as they were experiencing a system disruption, which they were working diligently to resolve. But of course, their network really came to a halt.
Carole Theriault
Right. They were probably in the, oh, fuck, oh, fuck, oh, fuck, oh, fuck moment, right? So when you're— it's okay. No, I'm fine.
Graham Cluley
I'm just looking forward to beeping it out, that's all.
Carole Theriault
They were at the— So, yeah, so they knew that something really bad had happened, but they were trying to hold back before telling everybody because they didn't have a whole picture.
Graham Cluley
Exactly. I think when a hack first occurs, when you first discover it, you don't know the whole picture. And so you can be quite nervous about what you say to the press until you know your facts, because you don't necessarily want to say, "Oh, there's been a problem against one subdomain, and 100 records were stolen." If you then discover it's actually much, much bigger, that's a harder message to go out to the media.
Carole Theriault
Unless you are forced by some kind of regulation to tell everybody, I think a lot of companies would think very carefully before they announce it because it's really hard on the reputation, right? It's hard on shareholders. It's hard on stock prices. It's hard on a lot of things.
Graham Cluley
Yeah. And your partners and people doing business with you. I mean, literally a company of this size, if you lose a day's work, you are losing millions, aren't you?
Carole Theriault
So most companies in this situation would be completely STFU unless they were obligated to go forward. There'd be a tiny handful that would come forward, but they would be few and far between.
Graham Cluley
STFU, shut the front umbrella. What is that? Never mind. Yes, exactly. So within a couple of days, however, it became very apparent that the hackers had stolen a significant amount of data from Sony Pictures because some of it began to leak onto the internet.
Carole Theriault
Of course. So I remember that a bit. So basically, they're told, "We have a lot of your data." And you're like, "Well, maybe you do, but you have to kind of prove it." And then they do.
Graham Cluley
Actually, that image which was displayed on people's screens contained some links where you could download a sample of the data. But more and more began to leak out. And it was all pretty embarrassing stuff. A whole wide variety of data was stolen from Sony Pictures. One of the most damaging things was actually their email archive for communications between the bosses, basically. And those were obviously sometimes very sensitive conversations about people they were working with, their partners, discussions. So there's things, for instance, Carole, when we worked together at the same company, you might send me an email which you wouldn't necessarily want others in the company to see, or maybe certainly not people outside the company.
Carole Theriault
Of course, you expect it to be a private communication, right?
Graham Cluley
And so if we, for instance, if we were in the habit of working with a colleague, let's call her for the sake of argument Angelina Jolie, and we were discussing her in our email, we wouldn't want that email describing her as a "minimally talented spoiled brat" to end up in the public domain. Is that what they published? Yeah, that's right, as an example. So those kind of conversations going on between Sony executives are not going to make Angelina feel warmly about working with you on her next movie project.
Carole Theriault
I think when I saw, if I were the employee that had seen this message on my screen, that's the point where the popcorn kernel would get stuck in my throat. Because if they have the emails from the C-levels, guess what?
Graham Cluley
They're not using a separate server. Yeah, maybe they've got access to lots of other people's emails, including not only work-related emails like that one, but also personal stuff.
Carole Theriault
And it's not been unheard of that the entire data could just find itself somewhere on the dark web or on Pastebin or whatever.
Graham Cluley
So it wasn't just the email archive, but also trade secrets, documents, spreadsheets, budgets for the movies.
Carole Theriault
We're going to use this new camera. Well, yeah, I'm sure there are some. I'm sure there are some.
Graham Cluley
I know nothing about trade secrets. Mobile phone numbers of celebrities, even their pseudonyms when they checked into hotels. So I mean, you've been speaking at a couple of events recently, Carole, and you've been checking into hotels. I would imagine.
Carole Theriault
I go in by Cher. That's the name I use. Right.
Graham Cluley
So you check in and you go, I don't know why I did an Elvis impression. For some reason I mix up Cher and Elvis. They have a similar tone, don't they? But yeah, so they— So that kind of thing, which could be useful for stalkers and the press and the paparazzi. Salary differences between stars. So, you know, if a guy and a girl were appearing in the same movie and the guy is getting paid $15 million more, then it's all revealed. Awkward.
Carole Theriault
Interesting though, because maybe that's a good thing that it came out. That's a bit of a whistleblowing move, right? Because, well, personally, I don't think it's very fair if women are paid not as much as men for the same job.
Graham Cluley
Oh yeah, of course.
Carole Theriault
Yeah. So that's interesting. So that's a silver lining perhaps.
Graham Cluley
By the way, Carole, how much are you getting paid for this podcast today? Oh, I don't know, about a million quid.
Carole Theriault
What about you?
Graham Cluley
I didn't think I was getting paid anything. Now, very helpfully, WikiLeaks, as is their wont, they actually published this entire email archive online because that's the kind of helpful thing that they do. May I ask a question? Yes, you may.
Carole Theriault
Did they redact it?
Graham Cluley
Hang on a minute, maybe you missed the word WikiLeaks.
Carole Theriault
No, I just want to underline that that's the big issue with WikiLeaks for me, right? It's not so much that they're trying to share information, it's that they put people in danger and embarrass people that are victims by not redacting the information they put out.
Graham Cluley
And all kinds of innocent personal communications would have been included there. You know, people emailing their mums at work or whatever.
Carole Theriault
Talking about their cancer diagnosis with the employee, HR messages, right? So if you had sent me a message, for example, complaining about Roberto's trousers that day, he would know, right? Because he would see it. He could go to the huge archive and find—
Graham Cluley
I'm not in the habit of making trouser complaints, but I'm sure if I had, then yes, that would now be up on WikiLeaks.
Carole Theriault
Right. Okay. So nightmare for everybody at Sony that had been impacted by this. Well, everybody. Everyone who used the emails, you know, that used the email servers.
Graham Cluley
Do you want to hear about another slight problem? Because another piece of data which got leaked— This is huge, eh?
Carole Theriault
Oh yeah. I forgot how big it was.
Graham Cluley
I mean, this was absolutely fantastic if you were working in the tabloid press, because every day there'd be some other revelation or tittle-tattle or element of this Sony Pictures breach, which would just feed the headlines once again. But the next one is security related because there were databases and spreadsheets which leaked out, which contained password dumps of their internal passwords. So they would have a little Word document or whatever containing the passwords for all of their different applications inside the IT department.
Carole Theriault
Just for our listeners, just know that even 5 years ago, which can seem a lifetime in technology space, it was still considered bad to put passwords into plain text into some database. Or to have, you know, cat123. So, you know, we've been banging on about that for a long time in the industry.
Graham Cluley
Right. So surprising how many of Sony Pictures' servers and apps were protected with the same password. Passwords like, I've got them in front of me actually, bubba7. They used that one a few times. banana1 was very popular. They never changed it to banana2 or banana3. pandagirl. I don't know if someone was really into pandas. There's a whole variety of passwords which are, surprise, surprise, "password". Honestly, or days of the week.
Carole Theriault
Yeah, but we've seen this, we've seen this.
Graham Cluley
I know, Carole, I know we've seen it before, but still it makes me want to bang my head against the wall and say, for goodness' sake, just, you know, when you're asked for a password, just choose a better one. You generate it inside a password generator.
Carole Theriault
I need you to take a deep breath because it's unfair. Just because you live in the nucleus of the password and cybersecurity world, you have to understand. What do you understand about your car? Nada, right? Even though you drive one and take it to get fixed and all that, and they tell you to do oil changes and stuff, and I bet you never do them.
Graham Cluley
Yes, but this wasn't the head of marketing at Sony who was choosing these passwords. This was the IT security team, the people— What, they were choosing these passwords?
Carole Theriault
Or they didn't have any stops in place to stop people from choosing stupid ones?
Graham Cluley
No, these were passwords that they had set up for people. And they were keeping a record of. For real? Banana One. Wow. Right, now you're on my side.
Carole Theriault
Now I'm on your side. Yes, I am. I'm now on your side. Tsk, tsk, tsk, Sony IT people.
Graham Cluley
And potentially, of course, this could have an impact of millions of dollars. Well, the Guardians of Peace, the hackers who did all this, they then began to leak movies, movies which had not yet been released. Thus, potentially, you know, costing Sony hundreds of millions.
Carole Theriault
So what, they were putting out the whole movie or just putting out a little—
Graham Cluley
You could go and download movies. Like I've got a little list here. And to be honest, I haven't heard of most of these. Mr. Turner, Still Alice. It doesn't sound very exciting. Someone standing very still. To Write Love on Her Arms. What's that about? Working titles, I see. Oh, here's one you may actually know. Annie, of course. Annie, Little Orphan Annie. So they must have been making a remake of Annie. And that was leaked by the hackers. Huh.
Carole Theriault
So this sounds to me like they are desperately trying to get Sony executive attention for what, a payoff? Right? Do they want money? Why are they doing this? Are they just trying to torture them or is there a financial play here?
Graham Cluley
Well, this was the thing: in the communications that had been released to date, it wasn't really incredibly clear as to what these hackers were after. Now, it did turn out, because WikiLeaks and others had released the email archive, that 3 days before the actual hack, somebody had sent an email to Sony executives, which they had ignored, saying something bad is about to happen and you are going to pay for it, and we have the capability to destroy you and cause all kinds of problems.
Carole Theriault
So, okay, so did Sony piss somebody off and he or she or they decided, okay, we're going to teach them a lesson and embarrass the eff out of them?
Graham Cluley
Clearly, this isn't a random attack. It sounds like someone is particularly upset.
Carole Theriault
So it's not a ransomware play? No, as far as we know.
Graham Cluley
No, it wasn't ransomware. They did lock the computers and they did install a variant of Shamoon, which was wiping data from Sony systems as well. But it didn't seem to be a traditional ransomware kind of play. It seemed that they might have some other kind of motivation. And this is where things begin to get particularly odd. Because fingers began to be pointed in the direction of hackers coming from North Korea. And why might North Korea have an interest in hacking Sony Pictures? Well, the theory was that maybe Kim Jong-un is a real fan of Annie, right? And he wanted to see the movie.
Carole Theriault
Find me Annie. I'm not waiting for the release date. I want it now.
Graham Cluley
Yes, possibly not a North Korean accent, but anyway, regardless of that.
Carole Theriault
Sorry, I forgot how you're so good at them.
Graham Cluley
Thank you. I wouldn't know what a North Korean accent sounded like, so I don't know. But anyway, a theory began to be shared online that maybe North Korea, or North Korean hackers at the very least, had hacked Sony in retaliation for a comedy movie that they had coming out called The Interview.
Carole Theriault
3 weeks from tonight, I will be traveling to Pyongyang, North Korea, to interview President Kim Jong-un. What you gonna do? What you gonna do? What you gonna do? What you gonna do? Mr. Rapoport, I'm Agent Lacey with Central Intelligence.
Graham Cluley
You two are going to be in a room alone with Kim, and the CIA would love it if you could take him out. Hm?
Carole Theriault
Take him out. For coffee? Dinner? For kimchi?
Graham Cluley
No, take him out. You want us to kill the leader of North Korea? The Interview was a movie made by Seth Rogen, starring James Franco as a TV news anchor who gets recruited by the CIA to do an— Do you remember David Frost back in the '70s interviewed What are you— are you still at your house? You haven't left yet? Yeah, I'm still recording. Yes, I'm recording. I'm recording. They've just heard the first half of the special bonus episode.
Carole Theriault
Oh, I wonder if they liked it. Please let us know if you thought it was good or if you thought you had some improvements or if you thought it was amazing.
Graham Cluley
And if you want to hear the rest, just make sure that you're one of our patrons at patreon.com/
Carole Theriault
Right? Isn't that the message, Carole? I might put the whole thing on the wires in a month or so though. Because I'm nice. I'm the nice one. Yeah. Maybe we will.
Graham Cluley
Maybe we won't. Who knows? We'll discuss it. All right. You better get to the train station.
Carole Theriault
No, I really do. Bye.
Graham Cluley
Bye.
EPISODE DESCRIPTION:
In this clip from a special bonus episode produced for our Patreon supporters, Graham Cluley and Carole Theriault discuss the 2014 hack of Sony Pictures - reportedly carried out by North Korea for the very oddest of reasons...
Visit https://www.smashingsecurity.com/156 to check out this episode’s show notes and episode links, and become one of our "bonus content" Patreon supporters to hear the full episode in all its glory, get early access to future episodes, occasional bonus content, and even receive stickers!
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening and Happy Thanksgiving!
Warning: This podcast may contain nuts, adult themes, and rude language.