There is growing skepticism in the cyber security and hacktivist crowd about North Korea being to blame for the recent Sony hack, supposedly involving “The Interview” film.
One thing the mainstream media gets wrong is calling Sony Pictures “an American corporation.” It's a Japanese company, with an American division. What makes this a sensitive issue is that Japan committed war crime atrocities against Korea (and China) during World War 2.
So a film by a Japanese company portraying the assassination of the North Korean ruler stirs up the old animosities. It is also, even though humorously, advocating the violation of the Geneva Conventions.
We must also understand that Sony Pictures had horrible cyber-security in place. It was like leaving piles of cash on your front porch and hoping nobody comes by and steals it. Or leaving the front door of your home unlocked with a sign that says "Unlocked Door."
You just can't get any more stupid that having "password" as your password and storing password files in unencrypted files titled "passwords." Sony Pictures is looking more and more ridiculous as the details about their easy-to-hack computer network are revealed.
Cyber security expert S. Cobb made this remark about corporate cluelessness in response to George Clooney (who was trying to get other Hollywood types to sign a petition against North Korea):
In my own work I have seen the way in which multinational companies generate billions of dollars in profits by applying digital technology to improve productivity.
My job has been, for the better part of two decades, advising companies on how to defend this highly profitable digital technology that they deploy.
Sadly, time and again, too many times to count, my fellow security professionals and I run into companies and company executives who reject our advice as too costly to implement, as an unreasonable burden on their business. When we say that the path they are taking comes with a large amount of risk, they either don't believe us or they say, "fine, we'll risk it."
The result? America's corporate ecosystem, like those of many other countries, suffers from systemic cyber weakness to the point where no company today can afford to say "bring it on". Why? Because they know they are not impervious to potentially crippling hacking attacks.
I used to be in the penetration testing business, that's where you pretend to be bad guys in order to test another company's cybersecurity; our guys had a 100% success rate. They always found a way in, and they didn't even break the law to do it. Every pen tester I've ever spoken to has a similar record.
The problem is that if you tighten your network security too much, it becomes difficult for vendors and employees to use it. Cyber security experts say you can't really defend yourself 100% against cyber attacks. If someone wants to break into your network, they'll eventually find a way to do it. What's important is having the ability to recover quickly after an attack.
The controversy about whether or not it was really North Korea who is responsible for the Sony Pictures hack involves how cyber attackers will spoof their origins and it's time-consuming to trace an attack back to it's real source.
Here's a list of more links to information you can explore. Take the time to read these, especially if you're a CEO, CIO, business owner, or IT person.
Wired “The Evidence That North Korea Hacked Sony is Flimsy.”
Gawker “Cyber Security Firm Says Sony Hack Was Likely an Inside Job by a Woman”
Associated Press “Stolen Emails Reveal Lapses in Sony Security Practices”
Risk Based Security “A Breakdown and Analysis of the December 2014 Sony Hack” (This is a highly detailed analysis and in-depth rundown for technical IT people to enjoy. Everyone can learn a lot from it.)
New York Times “Sony Attack Was First a Nuisance But Swiftly Became a Firestorm”
S. Cobbs “Why the Sony Hack is NOT Cyber War”
Kryp3tia “Winners and Losers in the Sony Hack”
TechDirt “Ridiculousness of Calling the Sony Hack the 9-11 of Cyber Security”
Mark W. Rogers “Why the Sony Hack is Unlikey to Be the Work of North Korea”
Motherboard “Sony Hack Should Not Be an Excuse to Pass Bad Cyber Security Laws”
NY Times “US Defense Secretary Leon Panetta Warns of Dire Threat of Cyber Attack”
Ars Technica “State Sponsored or Not, Sony Pictures Malware Bomb Used Simple, Buggy Code”
Motherboard “Sony Hack Proves We Need to Replace Email”
Motherboard “Best Thing We Can Do About Sony Hack is Calm Down”
Business Insurance “Sony Hack is Cyber Security Game Changer”
CNN Politics “Government Hacks and Security Breaches Skyrocket”
Huffington Post (2011 article) “Cyber Security Experts Slam Sony for Not Fixing Vulnerabilities”
LinkedIn Pulse: “Why Sony's Breach Matters for All Companies”
CBS News “Hacking after Sony: What Companies Need to Know”
BoingBoing “Obama Admin Sanctions North Korea Anyway”
CNN: “Norse Responds to Sony Hack Questions”
Norse Cyber Security “Marketing Departments Are More Vulnerable to Hackers”
USA Today “Maybe North Korea Wasn't Behind the Sony Pictures Hack”
CNN “Experts Doubt North Korea Behind Sony Hack”
The Daily Beast “No, North Korea Didn't Hack Sony”
TrendMicro “WIPALL Malware Leads to GOP Warning in Sony Hack”