Ever since the GOP (Guardians of Peace) released corporate emails and data from Sony, there’s been a huge amount of speculation, by media and security professionals alike. To sum it up, two lines of thought have come up:
- North Korea is behind this (Media & FBI)
- It’s an inside job (IT Security experts)
But one thing has been on my mind: if it’s true that the GOP really has 100 Terabytes of files from Sony, how long would it take them to actually get it from Sony via the Internet?
If we look into North Korea’s Internet infrastructure, the country is connected to the net via a satellite and via a ground link through China (STAR JV). The internal North Korean Intranet is built around fiber optic cables, but the backbone’s speed is about 2.5 gbps, and ISPs there offer up to 100 mbps connections locally. Even though North Korean perpetrators may not have had to copy the files to local servers in North Korea, let’s see, as a thought experiment, how long it would take.
100 Terabytes -> 100,000 Gigabytes -> 100,000,000 Megabytes
2.5 gbps -> 2500 mbps -> 312.5 MBps
100,000,000 / 312.5 = 320,000 seconds = 5,333.33 minutes = 88.89 hours = 3 days, 16 hours, 53 minutes
This assumes the transfer went through uninterrupted and stayed connected through the backbone, which is unlikely. But it’s fast enough to get all the data in a small enough time frame that it might be within the reaction time of Sony employees.
Let’s look at some other options though. In Japan, Sony is actually an ISP (So-net), and offers a 2 gbps internet connection with 1 gbps upload speeds for about $51 a month. If we do the same calculation as before, the 100 Terabyte transfer will take 4 days, 15 hours, 7 minutes in total. Still not bad, a day more than the North Korean backbone.
Early on in the investigation, there was talk about the attack originating at the St. Regis Bangkok hotel. While they don’t specify the internet access speed in the rooms, they do specify it for the business center (30 mbps). Let’s do the math once again. The end result, if the data was downloaded via the hotel, is 308 days, 15 hours, 24 minutes, 27 seconds. While North Korea can have a pretty decent budget, a 309 day stay at about 220 dollars a night (the cheapest rate for the hotel that I can find) is about $68,000 for the stay (not counting food, internet access and other stuff). Quite the sum, and quite conspicuous if a Korean was living there for almost a year and constantly working on the computer. Heck, even Howard Hughes couldn’t hide in a hotel penthouse without rumors spreading.
These calculations are simplistic and don’t really underscore any problems with Sony’s corporate Internet connection; the fact remains that data transfers never happen in the estimated time, and that bandwidth really isn’t guaranteed among ISPs. The other problem with all these attacks seems to be the time frame and the fact that they would all cause very large, continuous transfers of data through and out of Sony’s Intranet. A transfer of 100TB of data would post so many red flags on Sony’s systems for anomalous network activity that they would realize quite soon what was happening.
Other bloggers have posted information regarding the use of a USB 2.0 drive, so we can look at those claims too. USB 2.0 handles 480mbps, or about 60MBps. Using the same math once again, we get 19 days, 6 hours, 57 minutes, 47 seconds. But if it’s done via USB 2.0, you can’t really leave a USB drive hanging from the front panel of a server for 19 days without it being seen by other employees, so it’s not much of a leap to assume that an employee would remove the drive after their shift ends. Considering the standard 40 hour work week, you get 57 work days, 6 hours, 57 minutes, 47 seconds, or roughly two months to remove the files. But there’s one other limiting factor, the external drive capacity. The highest capacity USB powered drives top out at about 2TB, and at USB 2.0 speeds you’d fill one up completely in 9 hours, 15 minutes, 33 seconds. In other words, you’d need more time to copy 2TB of data than you have in a standard 8 hour shift.
For a realistic 8 hour shift, you’d probably have 7 hours 45 minutes of time to transfer data, or enough time for 1,674 GB. At these limits, 100TB can be transferred in about 59 days, 5 hours, 53 minutes and 50 seconds, or about two extra days needed over the ideal solution.
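The bandwidth arithmetic above, as an added calculator (not code from the original post): ideal transfer time at a sustained link rate, that time split into days/hours/minutes/seconds, the shift-and-drive-limited USB copying, and, from a defender’s angle, the link rate an exfiltration of a given size would need to finish inside a given window (useful when sizing egress alert thresholds). Sizes use the post’s decimal units (1 TB = 1,000,000 MB); the scenario values in `main` are the post’s own figures.

```python
MB_PER_TB = 1_000_000  # decimal units, as in the post: 1 TB = 1,000,000 MB


def transfer_seconds(size_mb: float, link_mbps: float) -> float:
    """Ideal transfer time in seconds at a sustained link rate (megabits/s)."""
    mbytes_per_sec = link_mbps / 8  # 8 bits per byte
    return size_mb / mbytes_per_sec


def split_duration(seconds: float) -> tuple[int, int, int, int]:
    """Break a duration into (days, hours, minutes, seconds), rounded to whole seconds."""
    total = round(seconds)
    days, rem = divmod(total, 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    return days, hours, minutes, secs


def shift_limited_copy(size_mb: float, link_mbps: float,
                       shift_hours: float, drive_mb: float) -> tuple[int, float]:
    """Copying only runs during a shift, onto a drive of fixed capacity.

    Returns (full shifts needed, megabytes left for a final partial shift).
    Per shift you move whichever is smaller: what the link can push in the
    shift, or what the drive can hold.
    """
    per_shift = min(shift_hours * 3_600 * link_mbps / 8, drive_mb)
    full_shifts = int(size_mb // per_shift)
    remaining_mb = size_mb - full_shifts * per_shift
    return full_shifts, remaining_mb


def required_mbps(size_mb: float, window_seconds: float) -> float:
    """Sustained link rate (megabits/s) needed to move size_mb within the window.

    Defender's view: if this exceeds what the perimeter can carry, the exfil
    must have run longer than the window, or not over that link at all.
    """
    return size_mb / window_seconds * 8


def main() -> None:
    total = 100 * MB_PER_TB
    for label, mbps in (("NK backbone", 2_500), ("So-net 2 gbps", 2_000),
                        ("hotel business center", 30), ("USB 2.0", 480)):
        print(f"{label}: {split_duration(transfer_seconds(total, mbps))}")
    print("USB, 7.75 h shifts, 2 TB drive:", shift_limited_copy(total, 480, 7.75, 2 * MB_PER_TB))
    print("mbps to move 100 TB over a 48 h weekend:", round(required_mbps(total, 48 * 3_600), 1))


if __name__ == "__main__":
    main()
```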
But if the attack was an inside job, and we’re presuming that the perpetrator had access to Sony’s server hardware and internal network, wouldn’t it just be easier to fake a RAID failure and steal the hard drives? SAS hard drives reach up to 6TB, and at 1.72 lbs each, you can put a good number away in your backpack, and bring in a few old drives to be destroyed in their place. If you manage to steal a good portion of the RAID drives, you can possibly reconstitute the data at home by replicating the hardware configuration (quite possible if you’re the one responsible for maintaining the servers). You can take home 8 drives and still have them weigh less than 10 lbs, and that means you get away with around 48 TB of internal data. Two or three days of this and you should have the same amount of data stolen as was in the attack. And at this point, what matters is the limiting factor of physical security at either a Sony owned and operated data center, or at a co-located data center that Sony might have been using.