Sony's Spies in Anonops


Transcript of Sony's Spies in Anonops

  • From: Reitinger, Philip

    Sent: Thursday, January 12, 2012 9:16 AM

    To: Rice, Carolyn, Sony Music; Williams, Michael T (Law); '[email protected]'; '[email protected]'; Weil, Leah; Traymore, Anthony (Legal); Takei, Natsuko; Gardner, Thomas; '[email protected]'; Spaltro, Jason; Patel, Ajay; Delorenzo, Mark (SGS); Schwab, Ray; McLaughlin, Bob; Bernard, Stevan; Harkins, Jason; Leak, Wade, Sony Music; Russell, Riley (SCEA); Sterner, Charles; Wahlin, Brett; bblank (@soe); Podorowsky, Gary; Marong, Guy; Soulia, Sheila; Matsumoto, Keiichi; Shigenari, Masanobu; Seligman, Nicole; Ciesla, John

    Subject: RE: PRIVILEGED and CONFIDENTIAL - threat data Jan 11

    Attachments: EAS

    Privileged and Confidential

    Please do not distribute. Please note that this new report references an attacker assertion that Sony.com has been compromised too, along with sonypictures.com and sonyatv.com.

    There is additional information about several possible vulnerabilities. There is also some possible information about the source of the threat - do not distribute this.

    Note also some red information about an older (I think) issue with sony.com - http://www.sony.com/utilities/printable.php?page=/etc/passwd - possible rfi? This should be checked. If there is a possible RFI, a shell could be uploaded. A cursory glance at the page returned a 403 error. This was checked in more detail today by one of the analysts. PHP could be used to read the password file if appropriate permissions are not set for the PHP processes. ICG recommends checking this.

    Last, below is the information we received from the consultant.

    Phil

    Verification is not complete, however what was learned is contained in the SPOTREP. We engaged who we have assessed to be the two main skilled hackers for the last 9 hours as they have been available and responsive. This is a tedious process and not proceeding expeditiously as expected. This resulted in increased information and access to a new private paste pad, and private IRC channel and also what is alleged to be one of the attack platforms. New information is contained in the report and attached for your review.

    Summary of findings to date:

    1. The machine of one of the two hackers, MonsteR, geo-locates in the Netherlands. We were able to connect to his machine by IP address. That said, the owner claims he lives in the UK and is apparently using a remote host in the Netherlands.

    2. The vulnerability we previously reported on the Sony site in the Middle East appears to be accurate. In spite of this, the server has NOT yet been compromised but it is vulnerable. The exact vulnerability is included in the report and the location on the server that is vulnerable is listed as well. If there are other sites hosted there they may be vulnerable as well.

    In spite of early promises to reveal information yesterday, all other claims remain unverified presently with promised information and access still forthcoming. We do have significantly increased access and have formed a stronger relationship with the two hackers. We are to meet online again today when exchange of additional attack details is promised to ensure there is no duplication of efforts. Therefore, we should have more details as the day progresses.

  • Black_risker is ADAMANT, however, that he has already rooted SonyPictures.com and Sony.com; we have gotten him to promise to show/explain what/how, but are still waiting as indicated above.

    Finally, due to the easy access of anyone joining the irc.anonops.li #opsony channel, there is a colorful and many times unreliable array of users in that channel. If independently monitoring that chatter, it is recommended that information there be verified in some form or fashion. There was an antagonist/prankster in that channel last night suggesting that the OpSony attack was imminent. That was a false assertion and the individual's motivation is unclear. They are fully aware that monitoring is going on in those channels and sometimes they provide disinformation for that very reason. There are key nicks associated with various parts of the plan or in overall control, as we have noted. We can PM these nicks if clarification is needed; however, the statements seen last night should originate from one of those nicks when execution actually occurs. Finally, they have seemed adamant since the start that their advertised timeline was a priority component they were unwilling to compromise.

    More updates today as further information is available.

    Attachments: SONY SPOTREP 01112012.pdf (895168 Bytes)