Posts Tagged: Sony Pictures Entertainment

Jan 16

Sources: Security Firm Norse Corp. Imploding

Norse Corp., a Foster City, Calif. based cybersecurity firm that has attracted much attention from the news media and investors alike this past year, fired its chief executive officer this week amid a major shakeup that could spell the end of the company. The move comes just weeks after the company laid off almost 30 percent of its staff.

Sources close to the matter say Norse CEO Sam Glines was asked to step down by the company’s board of directors, with board member Howard Bain stepping in as interim CEO. Those sources say the company’s investors have told employees that they can show up for work on Monday but that there is no guarantee they will get paid if they do.

A snapshot of Norse’s semi-live attack map.

Glines agreed earlier this month to an interview with KrebsOnSecurity but later canceled that engagement without explanation. Bain could not be immediately reached for comment.

Two sources at Norse said the company’s assets will be merged with Irvine, Ca. based networking firm SolarFlare, which has some of the same investors and investment capital as Norse. Neither Norse nor SolarFlare would comment for this story. Update, Feb. 1, 12:34 p.m. ET: SolarFlare CEO Russell Stern just pinged me to say that “there has been no transaction between Norse and SolarFlare.”

Original story: The pink slips that Norse issued just after New Year’s Day may have come as a shock to many employees, but perhaps the layoffs shouldn’t have been much of a surprise: A careful review of previous ventures launched by the company’s founders reveals a pattern of failed businesses, reverse mergers, shell companies and product promises that missed the mark by miles.


In the tech-heavy, geek-speak world of cybersecurity, infographics and other eye candy are king because they promise to make complicated and boring subjects accessible and sexy. And Norse’s much-vaunted interactive attack map is indeed some serious eye candy: It purports to track the source and destination of countless Internet attacks in near real-time, and shows what appear to be multicolored fireballs continuously arcing across the globe.

Norse says the data that feeds its online attack map come from a network of more than eight million online “sensors” — honeypot systems that the company has strategically installed at Internet properties in 47 countries around the globe to attract and record malicious and suspicious Internet traffic.

According to the company’s marketing literature, Norse’s sensors are designed to mimic a broad range of computer systems. For example, they might pretend to be a Web server when an automated attack or bot scans the system looking for Web server vulnerabilities. In other cases, those sensors might watch for Internet attack traffic that would typically only be seen by very specific machines, such as devices that manage complex manufacturing systems, power plants or other industrial control systems.

Several departing and senior Norse employees said the company’s attack data was certainly voluminous enough to build a business upon — if not especially sophisticated or uncommon. But most of those interviewed said Norse’s top leadership didn’t appear to be interested in or capable of building a strong product behind the data. More worryingly, those same people said there are serious questions about the validity of the data that informs the company’s core product.


Norse Corp. and its fundamental technology arose from the ashes of several companies that appear to have been launched and then acquired by shell companies owned by Norse’s top executives — principally the company’s founder and chief technology officer Tommy Stiansen. Stiansen did not respond to multiple requests for comment.

This acquisition process, known as a “reverse merger” or “reverse takeover,” involves the acquisition of a public company by a private company so that the private company can bypass the lengthy and complex process of going public.

Reverse mergers are completely legal, but they can be abused to hide the investors in a company and to conceal certain liabilities of the acquired company, such as pending lawsuits or debt. In 2011, the U.S. Securities and Exchange Commission (SEC) issued a bulletin cautioning investors about plunking down investments in reverse mergers, warning that they may be prone to fraud and other abuses.

The founders of Norse Corp. got their start in 1998 with a company called (pronounced “psycho”). According to a press release issued at the time, “ was a New Mexico based firm established to develop a network of cyber companies.”

“This site is a lighthearted destination that will be like the ‘People Magazine’ of the Internet,” said Richard Urrea, Cyco’s CEO, in a bizarre explanation of the company’s intentions. “This format has proven itself by providing Time Warner with over a billion dollars of ad revenue annually. That, combined with the CYCO.NET’s e-commerce and various affiliations, such as, could amount to three times that figure. Not a portal like Yahoo, the CYCO.NET will serve as the launch pad to rocket the Internet surfer into the deepest reaches of cyberspace.”

In 2003, acquired Orion Security Services, a company founded by Stiansen, Norse’s current CTO and founder and the one Norse executive who is actually from Norway. Orion was billed as a firm that provides secure computer network management solutions, as well as video surveillance systems via satellite communications.

The Orion acquisition reportedly came with $20 million in financing from a private equity firm called Cornell Capital Partners LP, which listed itself as a Cayman Islands exempt limited partnership whose business address was in Jersey City, NJ.

Cornell later changed its name to Yorkville Advisors, an entity that became the subject of an investigation by the U.S. Securities and Exchange Commission (SEC) and a subsequent lawsuit in which the company was accused of reporting “false and inflated values.”

Despite claims that was poised to “rocket into the deepest riches of cyberspace,” it somehow fell short of that destination and ended up selling cigarettes online instead. Perhaps inevitably, the company soon found itself the target of a lawsuit by several states led by the Washington state attorney general that accused the company of selling tobacco products to minors, failing to report cigarette sales and taxes, and for falsely advertising cigarettes as tax-free.


In 2005, changed its name to Nexicon, but only after acquiring by stock swap another creation by Stiansen — Pluto Communications — a company formed in 2002 and whose stated mission was to provide “operational billing solutions for telecom networks.” Again, Urrea would issue a press release charting a course for the company that would have almost no bearing on what it actually ended up doing.

“We are very excited that the transition from our old name and identity is now complete, and we can start to formally reposition our Company under the new brand name of Nexicon,” Urrea said. “After the divestiture of our former B2C company in 2003, we have laid the foundation for our new business model, offering all-in-one or issue-specific B2B management solutions for the billing, network control, and security industries.”

In June 2008, Sam Glines — who would one day become CEO of Norse Corp. — joined Nexicon and was later promoted to chief operating officer. By that time, Nexicon had morphed itself into an online copyright cop, marketing a technology they claimed could help detect and stop illegal file-sharing. The company’s “GetAmnesty” technology sent users a pop-up notice explaining that it was expensive to sue the user and even more expensive for the user to get sued. Recipients of these notices were advised to just click the button displayed and pay for the song and all would be forgiven.

In November 2008, Nexicon was acquired by Priviam, another shell company operated by Stiansen and Nexicon’s principals. Nexicon went on to sign and several entertainment studios as customers. But soon enough, reports began rolling in of rampant false-positives — Internet users receiving threatening legal notices from Nexicon that they were illegally sharing files when they actually weren’t. Nexicon/Priviam’s business began drying up, and its stock price plummeted.

In September 2011, the Securities and Exchange Commission revoked the company’s ability to trade its penny stock (then NXCO on the pink sheets), noting that the company had failed to file any periodic reports with the SEC since its inception. In June 2012, the SEC also revoked Priviam’s ability to trade its stock, citing the same compliance failings that led to the de-listing of Nexicon.

By the time the SEC revoked Nexicon’s trading ability, the company’s founders were already working to reinvent themselves yet again. In August 2011, they raised $50,000 in seed money from Capital Innovators to jump-start Norse Corp. A year later, Norse received $3.5 million in debt refinancing, and in December 2013 got its first big infusion of cash — $10 million from Oak Investment Partners. In September 2015, KPMG invested $11.4 million in the company.

Several former employees say Stiansen’s penchant for creating shell corporations served him well in building out Norse’s global sensor network. Some of the sensors are in countries where U.S. assets are heavily monitored, such as China. Those same insiders said Norse’s network of shell corporations also helped the company gain visibility into attack traffic in countries where it is forbidden for U.S. firms to do business, such as Iran and Syria.

Dec 14

FBI: North Korea to Blame for Sony Hack

The FBI today said it has determined that the North Korean government is responsible for the devastating recent hack attack against Sony Pictures Entertainment. Here’s a brief look at the FBI’s statement, what experts are learning about North Korea’s cyberattack capabilities, and what this incident means for other corporations going forward.

In a statement released early Friday afternoon, the FBI said that its investigation — along with information shared by Sony and other U.S. government departments and agencies — found that the North Korean government was responsible.

The FBI said it couldn’t disclose all of its sources and methods, but that the conclusion was based, in part, on the following:

- “Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

- “The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

- “Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”

The agency added that it was “deeply concerned” about the destructive nature of this attack on a private sector entity and the ordinary citizens who work there, and that the FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential information.

“Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States,” the FBI said. “Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.”

SPE was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. The attackers then began releasing huge troves of sensitive SPE internal documents, and, more recently, started threatening physical violence against anyone who viewed the Sony movie “The Interview,” a comedy that involves a plot to assassinate North Korean leader Kim Jong Un. Not long after a number of top movie theater chains said they would not show the film, Sony announced that it would cancel the movie’s theatrical release.

Apparently emboldened by Sony’s capitulation, the attackers are now making even more demands. According to CNN, Sony executives on Thursday received an email, apparently from the attackers, that said they would no longer release additional stolen Sony Pictures data if the company announced that it would also cancel any plans to release the movie on DVD, Netflix or elsewhere. The attackers also reportedly demanded that any teasers and trailers about The Interview online be removed from the Internet.


Little is publicly known about North Korea’s cyber warfare and hacking capabilities, but experts say North Korean leaders view cyber warfare capabilities as an important asymmetric asset in the face of its perceived enemies — the United States and South Korea. An in-depth report (PDF) released earlier this year by HP Security Research notes that in November 2013, North Korea’s “dear leader” Kim Jong Un referred to cyber warfare capabilities as a “magic weapon” in conjunction with nuclear weapons and missiles.

“Although North Korea’s limited online presence makes a thorough analysis of their cyber warfare capabilities a difficult task, it must be noted that what is known of those capabilities closely mirrors their kinetic warfare tactics,” HP notes. “Cyber warfare is simply the modern chapter in North Korea’s long history of asymmetrical warfare. North Korea has used various unconventional tactics in the past, such as guerilla warfare, strategic use of terrain, and psychological operations. The regime also aspires to create viable nuclear weapons.”

Sources familiar with the investigation tell KrebsOnSecurity that the investigators believe there may have been as many as several dozen individuals involved in the attack, the bulk of whom hail from North Korea. Nearly a dozen of them are believed to reside in Japan.

Headquarters of the Chongryon in Japan.

According to HP, a group of ethnic North Koreans residing in Japan known as the Chongryon are critical to North Korea’s cyber and intelligence programs, and help generate hard currency for the regime. The report quotes Japanese intelligence officials stating that “the Chongryon are vital to North Korea’s military budget, raising funds via weapons trafficking, drug trafficking, and other black market activities.” HP today published much more detail about specific North Korean hacking groups that may have played a key role in the Sony incident given previous such attacks.

Dec 14

In Damage Control, Sony Targets Reporters

Over the weekend I received a nice holiday letter from lawyers representing Sony Pictures Entertainment, demanding that I cease publishing detailed stories about the company’s recent hacking and delete any company data collected in the process of reporting on the breach. While I have not been the most prolific writer about this incident to date, rest assured such threats will not deter this reporter from covering important news and facts related to the breach.

A letter from Sony’s lawyers.

“SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen information, and to request your cooperation in destroying the Stolen Information,” wrote SPE’s lawyers, who hail from the law firm of Boies, Schiller & Flexner.

This letter reminds me of one that I received several years back from the lawyers of Igor Gusev, one of the main characters in my book, Spam Nation. Mr. Gusev’s attorneys insisted that I was publishing stolen information — pictures of him, financial records from his spam empire “SpamIt” — and that I remove all offending items and publish an apology. My lawyer in that instance called Gusev’s threat a “blivit,” a term coined by the late, great author Kurt Vonnegut, who defined it as “two pounds of shit in a one-pound bag.”

For a more nuanced and scholarly look at whether reporters and bloggers who write about Sony’s hacking should be concerned after receiving this letter, I turn to an analysis by UCLA law professor Eugene Volokh, who posits that Sony “probably” does not have a legal leg to stand on here in demanding that reporters refrain from writing about the extent of SPE’s hacking in great detail. But Volokh includes some useful caveats to this conclusion (and exceptions to those exceptions), notably:

“Some particular publications of specific information in the Sony material might lead to a successful lawsuit,” Volokh writes. “First, disclosure of facts about particular people that are seen as highly private (e.g., medical or sexual information) and not newsworthy might be actionable under the ‘disclosure of private facts’ tort.”

Sep 11

Arrested LulzSec Suspect Pined for Job at DoD

A 23-year-old Arizona man arrested on Thursday in connection with the hack of Sony Pictures Entertainment last May was a model student who saw himself one day defending networks at the Department of Defense and the National Security Agency.’s Threat Level, the Associated Press, and other news outlets are reporting that Tempe, Ariz. based Cody Andrew Kretsinger is believed to be a member of the LulzSec group, an offshoot of the griefer collective Anonymous. According to the indictment against Kretsinger, he was involved in executing and later promoting the high-profile and costly attack on Sony’s networks. Sony estimates that the breaches would cost it more than $170 million this year.

UAT interview with Kretsinger

Kretsinger is a network security student at Tempe, Ariz. based University of Advancing Technology, according to Robert Wright, director of finance for UAT.  A cached page from UAT’s Web site shows that Kretsinger was named student of the month earlier this year. That page, which indicates Kretsinger was to graduate from the institution in the Fall semester of 2011, includes an interview with the suspected LulzSec member. In it, Kretsinger says he would like to work at the DoD after graduating.

Where do you want to work after graduation?

“I hope that I’ll be able to work for the Department of Defense. From what I hear, they’re pretty good at what I want to do.”

Where do you see yourself in 5 years?

“Traveling, doing Network Security as a profession with the Department of Defense. While I wouldn’t mind being a penetration tester, I think it’s a lot more fun to try to build and secure a network and its devices from the ground up. I suppose I wouldn’t mind being in management, either.”
