The Sony Pictures Hack Was Even Worse Than Everyone Thought
An anonymous reader writes with today's installment of Sony hack news. "It's time to take a moment of silence for Sony Pictures, because more startling revelations about leaked information just came out and employees are starting to panic. BuzzFeed raked through some 40 gigabytes of data and found everything from medical records to unreleased scripts. This is probably the worst corporate hack in history. Meanwhile, Fusion's Kevin Roose is reporting on what exactly happened at Sony Pictures when the hack went down. The hack was evidently so extensive that even the company gym had to shut down. And once the hackers started releasing the data, people started 'freaking out,' one employee said. The saddest part about all of this is that the very worst is probably still to come. Hackers say they stole 100 terabytes of data in total. If only 40 gigabytes contained all of this damning information, just imagine what 100 terabytes contains."
I mean it seems likely they got everything. Even the model numbers of the kitchen sinks.
How long was the attack taking place? What kind of Internet connection does Sony Pictures have? To exfiltrate 100 TB of data is going to take a while, no matter how you cut it. My guess is that number is significantly inflated.
100 terabytes of data is easily consumed by the raw uncut footage of a few movies, easily. So it could be a whole bunch of stuff that really hurts them or it could just be a couple movies that were shot by M. Night Shyamalan that suck so hard no one cares.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I'd really like to know where/how they're keeping that much data.
Maybe I'm just small time but 100TB seems like quite a bit for a, oh I don't know, 10-20 man team.
What is Sony doing with medical records?
There's a lot of talk going around right now, mainly from Sony itself, that North Korea is likely behind it. Seriously though - would expect a bunch of people who don't know what Internet is, who likely don't live and breathe IT, security - basically everything capitalism stands for, let alone having a pipe fast enough to rip 100TB of data...
Now I understand they could be trained and based elsewhere, but might as well say the Martians did it...
Did they use Sony's own software on them? If the hackers are caught, will they fine them $7.50?
Really? 20 people - each with 5TB drive? That's 100TB.
They shrugged their shoulders when they got caught hacking customer's PCs. They downplayed the release of customer information because of their poor security. This seems a fitting situation for them to be in. F**k Sony. Hope it costs them plenty.
So Sony with its rootkits and DRM gets owned. Good. How does it feel, Sony? How does it feel?
Hope this causes massive losses for them and horrors for its employees.
Obviously a while, but it's not out of the question. Sony pissed off North Korea several months ago when they announced The Interview. If it takes a week to download ~100TB at ~1Gbps then a couple weeks/months is all they need for all that data.
http://en.m.wikipedia.org/wiki... TL, DNR: 9 years ago, Sony was root kitting the machines of people who bought their CDs, and lying about it.
How long before we see Sony's flagship console jailbroken like the PS3?
For that matter... we'll probably see the PS3's keys brought up to the current version, as well.
Compete in "Who's the director now?"
Given a script, soundtrack music, multi-track voice & foley effects recording, and all the raw footage.
Your challenge is to create the perfect "director's cut".
And after it's all done, cut it to a conventional movie runtime, without destroying the plot.
Then cut it again to TV censorship standards and time to allow commercials.
But don't worry too much, you have all week to do this.
And the contest runs all year. We have 100+ movies and yours will be chosen randomly.
Are you the next Spielberg or Ed Wood ?
That old "No Baloney Sony" ad campaign seems a bit ironic now... I have family that worked for them in the mid 90's. I wonder how it will impact folks from 20 years ago...
How did 100 TB get to North Korea over their dial up modem without anybody else noticing?
NSA sleeping at the wheel?
Five-eyes? All navel gazing?
Nobody's looking at the data going to North Korea?
More and more this seems like a false flag.
It BURNS!
As an insider of the SONY Dictatorship, I am shocked this has not happened earlier..
I truly hope this sheds some light on the Wrong doings of this conglomerate.
The time of taking advantage of your constituents in rude, unprofessional, and immature ways should be over..
While I will admit there are some good people inside, but unfortunately they are all covered up, trampled, or set aside for money, ego, fame and or plunder.
To get some background on the statements made above, look at SCEA's shady past as one example of how the SONY juggernaut runs..
Thank you,
The sky is falling... everyone freakout!
pissed off the wrong person.
So, does this mean that the Supreme Leader is cutting the cord?
I've just been reading some of the articles, and it seems that in fact Sony has unfortunately been storing a lot of communication that contains discussion of medical issues amongst other things.
This is an example of where a company could have done a better job of assessing the risk of retained data becoming a liability and applied suitable retention policies and other risk mitigation strategies like encrypted storage (some articles suggest most files were not meaningfully protected).
IT folks and legal departments in today's climate should be asking themselves what is being stored, what are the benefits, what is a liability, what is the actual business need, what are the mitigation options.
Folks, this is 100 TERABYTES of data. At an organizational level, this could represent nearly all business data that makes Sony relevant as a company.
At my company, we have in the neighborhood of 50 million documents stored and, after compression, it still doesn't pass 10 TB of data.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Waiting for Obama's media to start blaming the phantom Russian hackers once again. The evil, evil Russian hackers.
In case anyone else was looking for the missing link in TFS, Kevin Roose's article at Fusion is here.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
At first they thought the data was fake; all the scripts read like movies everyone has seen already.
Seriously, how did they manage to steal "100TB" worth of data, without physically going there and copying a bunch of disks? You'd think SOMEONE would notice if there was an intruder downloading everything. 100TB can't exactly be downloaded in a few minutes there, it would take days, if not weeks. Even at 1Gbps, that's about 10TB a day, all day long, top speed. Surely, I'm not the only one who thinks Sony was highly negligent toward network security, again, here...
This is Sony Pictures. The raw video for movies that they are shooting are stored online for editing equipment. One or two movies could easily take up 100TB of disk.
Is there any information about how long it took hackers to steal this 100TB? Did no one notice the unusual amount of traffic? I have a 40Mbit connection at home and with overhead I can usually download at up to 4Mbytes/sec. At that rate 100TB is something like 300 days of 24/7 downloading. Even if I had a gigabit connection directly to sony that would take 12 days!
Like, with hats on and stuff.
> I mean it seems likely they got everything. Even the model numbers of the kitchen sinks.
I would expect they also got some fairly damning privileged information--emails exchanged with lawyers on everything from sexual harassment to copyright infringement suits. It's a BIG firm.
Plus Patents. Sony files THOUSANDS of patents a year. If that patent information (or research that could be patented) is published to the wild before SONY patents it, you have a LOT of new prior art and a fortune in IP at risk... SONY would have to patent everything within a year in the US; I am not sure that you even have that grace period everywhere else.
(a) NOVELTY; PRIOR ART.—A person shall be entitled to a patent unless— (1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention ...
(b) EXCEPTIONS.— (1) DISCLOSURES MADE 1 YEAR OR LESS BEFORE THE EFFECTIVE FILING DATE OF THE CLAIMED INVENTION.—A disclosure made 1 year or less before the effective filing date of a claimed invention shall not be prior art to the claimed invention under subsection (a)(1) if—
(A) the disclosure was made by the inventor or joint inventor or by another who obtained the subject matter disclosed directly or indirectly from the inventor or a joint inventor; or
(B) the subject matter disclosed had, before such disclosure, been publicly disclosed by the inventor or a joint inventor or another who obtained the subject matter disclosed directly or indirectly from the inventor or a joint inventor.
Transferring 100 TB @ 100 Mbit/s would take about 12.5 days
1TB == 1048576 Mb
1048576 / 100 ==> +/- 10485 secs
104857 / 60 ==> +/- 174 mins
1747 / 60 ==> +/- 2.9 hours
That's just 1 TB, so multiply the last number by the number of TB.
I made this: http://www.bpftpserver.com
Y*AH F*CK S*NY
Why was all that shit stored where it could be hacked?
One word "convenience", if corps (and regular people) would get over "convenience" this crap wouldn't happen anywhere near as often.
"If any question why we died, Tell them because our fathers lied."
Sorry, but this sort of thing stinks from the top, all the way to the bottom. If the Chief InfoSec Officer doesn't at least get fired, we at least know the minions will take the fall. This kind of data slip up doesn't happen over a night, or even a week. Information security there was poorly managed and implemented, and they got cooked. Hope whatever Chief Exec wanted IT's budget slashed is happy now!
Was this hack the result of poor security, or will every single company in the world now see what has happened, over-react, and unleash draconian security measures that far exceed the point of diminishing returns?
No matter what you think of Sony, this will not be good for the productivity of the corporate working world.
"Who are you?" "No one of consequence." "I must know." "Get used to disappointment."
With all the state-sponsored corporate & military espionage caused by China & Russia, with the never-ending probes from government agencies like the NSA/DHS/GCHQ/etc., with malware & ransomware attacks that can encrypt data in (generally) unbreakable forms, with criminal hacking organizations making off with millions of credit card numbers from retailers, with apparently no network controls as to how much data leaves company firewalls & where it goes, and so on, why aren't there more internal air-gapped networks in companies???
This has hit the point of absurdity. If you are working on military plane designs, working on your next corporate acquisition, or even making movies or music worth tens of millions of $$$, why would you put your prized, unreleased digital files on computers that have Internet access? What kind of batshit stupidity is that? What, so your employees can browse Facebook & check Outlook e-mail at the same time? Such an air-gapped network would easily become an island--one that doesn't need Windows Updates, can stay on an old service pack, gets no software updates that solve 2 problems but make a new one (e.g. we know the bugs), and the like. And if those employees really need their Outlook e-mail, IM, or the Inter-Webs where they work, they can have a 2nd very low-end PC, connected to the main network, with a KVM between the two. Might even increase efficiency, given the mind's inability to multitask well. Or give them freaking iPads on a wireless network that's not connected to their "sensitive" work computer.
It boggles the mind that given all these problems, which are increasing in frequency & cost every day, we still have little more than software firewalls & hardware routers between a company's most highly-sensitive assets (files & computers) and the big-bad-Wild-West-no-holds-barred-Internet.
Windows 3.1x calc: 3.11 - 3.10 = 0.00
I see they talked about the Sony hack on the podcast I'm listening to now (Unfilter by Jupiter Broadcasting). Funny, they played some clips from the press basically pushing the movies that were stolen, where the newscaster was announcing the date the movies would be out.
Tired of three paragraph write-ups on Gizmodo and Buzzfeed. Anything of depth out there?
How do you steal 100 TB of sensitive data without any network, database or IDS alerts going off?
I'm pretty sure Sony ships out its films via network to the theaters these days. When a new release comes out, and they dump a terabyte or so to a few thousand theatres... 100 TB could easily be missed or ignored.
"Upon analysis of the same WIPALL malware family, its variant BKDR_WIPALL.D drops BKDR_WIPALL.C, which in turn, drops the file walls.bmp in the Windows directory. The .BMP file is as pictured below: link
What Sony lacks in ethics it makes up for with incompetence.
It isn't just convenient, it is cheap. Investing in proper security measures has real costs in terms of hardware, roll out, maintenance, and engagement. You skip that to come in under-budget and on time.
Every business in the world faces direct incentives to go cheap on security and cross their fingers.
> If only 40 gigabytes contained all of this damning information, just imagine what 100 terabytes contains
The same thing 2,500 times?
Sony has 140,000 employees; 40 gigabytes is already 280K per employee, so there's probably not much left to reveal just based on quantity alone.
Have you read my blog lately?
Well, it is probably linked to the fact most of these companies are international companies with employees all over the world needing some form of interaction with the data.
If you really want to get an internal network that is disconnected from the internet, it means that you will need an army of monkey copying data using memory sticks to feed the data bank and bringing reports back to the employee that needs it. And that induces super high latency in the system.
The problem seems difficult to me. Completely isolated networks might have an unreasonable operational cost. (Though a massive data breach might just be as bad.)
Remember how Sony used to hack *us* with rootkits, they phoned home without informing us, escalated the copy protection war, and then lied to us as if we were stupid? While I am not a proponent of ever exposing data related to workers, I sure didn't shed a tear when I heard Sony got mega-hacked.
I know there's a Soviet Russia/Sony hacks you joke in there somewhere.
This is a hacked account, for which the owner can not be held responsible.
Ignore, undoing a stray bad mod click.
Hello all!
I'm an inventor and I've made this nifty magic vault, which magically allows you to access anything in it from anywhere on earth! Why not put ALL your valuables in it? It'll be totally safe because no one can open it without a key!
Sound familiar? Think Sony learned anything about keeping sensitive information on the interwebs from this?
sony pictures tried to keep me out of the data i bought for them in the form of movie cassettes unless i bought their betamax player. Then they tried to take the data i bought from them unless i bought a laserdisc player. Then they realized they couldn't not bait me because dvds were smaller, so they tried with something smaller than dvds, but i was too smart to fall for minidisc. Then they tried with a mp3 player named after their old walkman that only played their format and was not a usb mass storage like all the others (what do they take me for? an apple customer? insulting). Later they tried with blu-ray. and this time they at least sold licenses for players from other brands and are managing to keep lots of other people away from their media.
now only if the hackers would hack my betamaxes and laserdiscs i bought from sony pictures and release it for me.
Maybe this information can undo some of the damage you've done TO YOUR CUSTOMERS.
* Undo the malware drm you put on people's PCs.
* Restore the ability to run Linux on game consoles that you wrongfully stole back AFTER you sold it.
* Unlock the bootloaders on your android phones.
Who knows what else. Probably a LOT of good can come from this. But the most important? Don't piss off your customers!
This sig intentionally left blank.
I'm not a big fan of Sony (although I like their electronic products because of their high quality) or big companies in general. However, a breach of this size could literally destroy the company if the amount of information that leaked yet to be revealed is even worse than what has already been revealed. The litigation nightmare this could cause in the US is appalling in itself but that could just be the tip of the iceberg because of all the corporate secrets that are now out in the open (or will be).
It's really quite a simple choice: Life, Death, or Los Angeles.
now let us all hurry up and move our entire digital lives to the Cloud!
I can assure you, the best way to get rid of dragons is to have one of your own.
The assumption people seem to be making is that all of this stuff was just there. One SQL injection, and it's all stolen. This was a sophisticated attack believed to have originated from Chinese professionals working for North Korean state actors. We don't know the specifics of the attack. It is very likely that all the most sensitive data was not just sitting there available for any script kiddie, but was safely stored with best practices, and despite that, was still taken. This attack might very well have involved industrial saboteurs and spies physically within Sony Pictures. Remember the likely suspect is North Korea. The Kims have an obsession with Hollywood.
"In the letter, Sony defended its decision to wait five days to admit its security had been compromised and called on the government to help make the internet safer."
They asked for outside help (expected the government to stop it) and apparently took security a bit lax in one area.
"In the letter, Sony defended its decision to wait five days to admit its security had been compromised and called on the government to help make the internet safer." http://www.buzzfeed.com/tomgar...
I did get two free simple games over that one. I expect money this time; they need to take their security a bit more seriously. I mean even shutting down the gym (who knows why, terminals?)
Once burnt twice shy, not something Sony is familiar with.
I'm so glad I didn't take a job at Sony after my last time being interviewed by them....
I employ people in the USA in small IT and EE/IC specialty design shops. Most expert-level employees seem to come with white or grey hair. One of my IT geeks is a "MT Dew Diabetic." Avoiding the maintenance of medical records is simply not an option in the USA, given our laws and court rulings. We have to comply with ADA (Americans with Disabilities Act), keep records of workman's comp medical restrictions, including very specific information, on what an employee may and may not do as well as provide emergency information to first responders. While often inconvenient, these are requirements I cannot avoid. Some of my employees have medical conditions (heart conditions, organ replacement, severe allergies, diabetes, unusual prescriptions of controlled substances, etc.) that they want known and available to first responders showing up at the office if they collapse clutching their heart or go into a sugar coma. Complicating this, if one of your customers is a Federal agency or Defense, you must, by law, have a "zero tolerance policy" for controlled substances. All this requires records to prove or excuse. For government accusations, corporations are "effectively guilty" until they prove themselves innocent with appropriate record keeping. Making this even more difficult, USA court rulings say we're also not allowed to store this information in their personal files, but must keep it in a separate, access controlled file, otherwise we could get sued if that person missed a pay raise or promotion because it was available to anyone reviewing their service and discipline records. The separate files seem silly when the teams are small enough that everyone knows each other very well anyway. Also, what if the employee who first greets the medics from the ambulance doesn't have easy access to the secured medical files? Isn't that an even worse problem? Sued if you do. Sued if you don't. Sued if you didn't do it the nuanced way a team of $300/hr attorneys thinks you should have half-way done it. Nuisance suits are common in the USA.
As a practical matter, a lot of valuable talent is not healthy. Many experts are experts because they have been at a speciality for 30-60yrs. If you have an employee that has an epileptic seizure, you don't want the rest of the team to stand there confused and gawking. You want them to recognize it and intervene to protect that individual's head and spine from injury. I had an employee with mental health issues under the care of a psychiatrist. While she was physically 100% capable (she was young and athletic) yet she was restricted from certain emotionally triggering situations. You want their supervisor trained to know what those are and how to avoid it. You want a written record, periodically refreshed, that her supervisor knows and understands. You could say "I don't want to deal with that" but then you lose out on some great talent. Imagine a physics institute that didn't want to deal with maintaining medical records for Stephen Hawking.
I kinda feel bad for Sony. Getting everything (and it seems everything) that was on computer got stolen. On the other hand, Sony *should* have had a bit more security. Sony has been known to put root kits into products. Sony has been known to rip functionality out of products (hello PS3). Sony has a history of making products that are paths to oblivion: they make a product that isn't compatible with anything else, and when market share starts to falter, they discontinue product *and* support, leaving customers high and dry. They sure taught George Hotz about messing around with anything Sony. They don't mind treating a customer like a criminal. Now if it was a Chevrolet, GM wouldn't care about all the aftermarket stuff you do, but take a Sony product apart and you are clearly an industrial espionage criminal and deserve 50 years hard labour on the far side of the moon. I wasn't buying or intending to ever buy Sony again because of their bad behaviour. So while I feel for a company that just lost $100 million worth of value, because it's Sony and they have behaved so badly for so long, I don't feel *that* badly for them. Also, because they are supposed to be a technology company, their internet security sucks very badly. I've worked for 3 letter government agencies. If it's important, LAN is better than WAN, and work hard to maintain the air gap and Faraday cages.
I "almost" feel bad for Sony.
No. No I don't. Could not have happened to a more deserving corporation.
I do feel bad for the employees though so I'm not completely heartless.
So, when do corporations start taking all important data off the net and only allowing access through air gapped, internal systems? I'd sure feel a lot better if power grid control systems were isolated.
And there we have it. All those bazillions of taxpayer dollars wasted listening in on Aunt Tilly's scintillating description of the quilting bee and they totally missed the biggest ever hacking of a corporate system by a hostile foreign power.
Their faces would be beet red if they weren't so shameless.
Putting on my IT geek hat, I'd say the term "system" or "same system" is rapidly losing its meaning in the age of "server fabric" and virtualized computing resources. You have systems of systems. Accessing everything from video editing apps to timecard and budgeting submission apps or web-pages from the same workstation, possibly at your home, on the day you telecommuted, using your "federated security credential" on your key-logging terminal. The key-logging pretty much by-passes all security from full-disk encryption, VPNs and secure sockets to compartmentalization and containment schemes, all of which become irrelevant. You don't even need to infect or access the target workstation to key-log it to gain access to bigger systems. Many of the attack techniques have been published or hinted at by security firms, Ars Technica and commented on by slashdotters over the years. In some of the more interesting techniques, attackers use your smartphone's microphone or your Xbox's Kinect features.
I don't actually know, but I would speculate that a state-sponsored actor, such as North Korea, can point a low-power laser at your window as you type on your keyboard and a small, crude app can statistically deduce which keys are being struck by both the rhythm, frequency and a differential analysis of the resonant frequency signatures inherent in each keystroke. Don't believe it's possible? Try this simple test. Listen carefully to the tap of your ~tilde key in the upper left corner. Now tap a "home" key such as D, F, J or K. They don't sound EVEN CLOSE in tone of click...do they? Precise tonal frequency differentiation is trivial for a low-end 80's era microphone and 80's era processor. While North Korea likely didn't create the acoustic key-logging technology, they likely can get their hands on it as long as they share the "intelligence take" with their Chinese or middle-eastern eavesdropping equipment suppliers, who most likely also hate Sony even more than some of Sony's consumers.
North Korea has it in for anything Japanese. Strict middle-eastern religions include some great electrical engineering types and are likely outraged by the hot women in Sony's movies, who typically don't cover up in Burkas and have the audacity to drive themselves in cars and argue with men. China wants control of the Asian-Pacific region and wants all the intel, server access and compromised foreigners it can manage to obtain without upsetting its western-civilization consumers of Chinese-made goodies like Lenovo Thinkpads and Apple iPhones.
Maybe a trick to hide small theft, so that the small stuff isn't noticed?
I don't care if the hackers publish all the 100TBytes, and I wonder why anyone might be interested in this at all ..
Get somebody's SSN, birthdate, name, sex, employer, home address, etc, and identity theft becomes much easier.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
My condolences.
On the other hand, it's very beneficial for our society that this sort of data now becomes a matter of public record simply because I'm pretty sure that the extent of data that is collected on employees hasn't been documented quite so clearly and unequivocally before.
Besides which, it's well-documented that law-makers and public opinion generally aren't pro-active on basis of insight, intelligence, or commonsense. No, it always requires one or two actual cases of things going totally wrong to get people's attention. And even then it takes a couple of repeats before the shoot-the-messenger reflex can be bypassed and the underlying issues addressed.
In addition, the release of business information gives a valuable historical reference on how the corporate world works in a way that transcends books and even court records (which are usually sealed anyway where commercial interests are concerned).
So, in this respect, society as a whole benefits from this example of computer-burglary. Now if we could only make the data available in its entirety, or at least in coherent chunks ...
What I would do as a big company at this point is kill BYOD. Use smartcards for login. Compartmentalize everything and access compartments through dedicated VMs. Yeah hypervisors still present a huge attack surface but it's at least a little smaller than Windows 8.
The most critical compartments should simply have dedicated systems altogether, an admin doesn't need to be able to browse the web on the same laptop he can fuck over your entire company with.
Maybe such a prime target like Sony ought to lay off the whole 'cloud storage' thing and go a bit luddite. Use paper instead of e-mails, tape instead of digital--older mediums of information. Heck, use typewriters again. Sure, their offices may wind up looking like something out of Brazil, but a lot harder to hack. It certainly is awful what Sony did with their DRM spyware on consumers and some may call it karma. Perhaps this can be a learning experience and a way for Sony to take a new approach. Then again, maybe Sony will watch the end of Brazil and want to go that route with consumers instead.
"SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
Saying the attack is from Korea just because the attack came from a Korean IP and/or there are Korean files there is like saying I was mugged by Stevie Wonder because "I just called..." was playing on the radio. Technical people know better than listening to political propaganda drivel.
and the name of the Operation should be called "OP GEOHOT". Gibson would be proud.
> Hackers say they stole 100 terabytes of data in total
Indeed. At, say, 100 Mbps (~ 10MB/s) on the Internet - that's fast - that would take 10 million seconds, or 116 days full time...
Slashdot, fix the reply notifications... You won't get away with it...
Am I missing something? The article does not seem to explain how the information is damning to Sony. Does it reveal corruption or any other shenanigans at Sony? Would be mentioned if it would, wouldn't it? Maybe the author misused a word.
http://www.zdnet.com/article/b...
There's been plenty of wakeup calls since the movie "The computer who wore tennis shoes" came out, or maybe even before. Taking the easy and lazy way out is seen as better than waking up and doing something sensible.
Just the fact this was done and so cleanly should make every business sit up and take notice. This was not just some person taking some credit card numbers or accessing just a small part of a server network. This was a clean it out and destroy everything kind of event. This is why the FBI will have a difficult time proving fault. Because so much is destroyed not much is left to follow the trail. Just imagine waking up and your computer is basically giving you a "no OS found" prompt upon boot up. Plus, the drive is now so corrupted with rogue encryption that you cannot even do anything with the drive. Let's hope no other company has pissed off whoever did this.
> Meanwhile, Fusion's Kevin Roose is reporting
This is how Kevin Roose describes himself: "I grew up in the ultimate secular/liberal family (my parents are Quakers who used to work for Ralph Nader), and I went to Brown University - a school known for its lefty politics and nude parties."
Have a look at fusion.net. I wouldn't be surprised if all his anonymous sources were made up, and all his articles written only to make a big evil corporation look bad, and show how the lowly downtrodden workers are made to suffer through discrimination.
People should read "The Prince", by Machiavelli -- there is a discussion about Turkey (IIRC) and France and how the latter is way more secure because power (and defense, and security etc.) is decentralized. You know, it must be even free now.
At work, I used Firefox to achieve greater security than IE (6 back then, now it seems to be 8). Security progressively tightened the grip, and while Chrome was made available, I don't know (and this is important) if NoScript can be used with it (and if it can, for how much longer? Is it one of the NPAPI plugins?)
My point is security must act with the help of everyone, not against everyone. NO SECURITY DEPARTMENT CAN MAKE IT HAPPEN ALONE. People at high places cannot live with this concept, because they won't be able to punish someone and look "serious" in the end. As a result, everyone is not responsible and the only department who is held responsible cannot really do it on its own.
I now use Chrome with much less security... I just avoid doing internet banking at work. With phones based on Linux, there is hope for the foreseeable future that I will be able to make sure I have the same security I enjoy with Linux at home.
Urrm, why does a North Korean agent need to be in North Korea? Surely they would be on a fast connection in the west somewhere and then just post some tapes back to HQ.
Right, because the NSA would want to acknowledge its monitoring and level of monitoring of NK to protect a company, let alone a company with most foreign interest.
Give up a major example of how we know what they are doing with nukes ... So Sony doesn't have leaks of some shitty movie that was going to be on Pirate Bay well before it hit the theaters anyway.
I can't answer that for Sony in particular, but I can tell you with absolute certainty why it happens at smaller companies that could easily segregate such sensitive systems from the general corporate network...
"Damnit, $peon, I don't give a damn about HIPAA or PCI or SOX! Make it so I can get to all the files I want, from my desk computer, or I'll find someone who can. Don't worry about it, just keep the bad guys off our network, and we'll have no problems. What??? No you can't lock down my computer so I can't browse por... er... financial news sites at lunch!"
The problem comes from the people who do legitimately need access to such data considering themselves "too important" (and naturally, infallible) to follow the policies and procedures required to maintain meaningful access limitations. That, and the people who actually understand the need for an air gap almost never having the authority to say "tough, you work for this company, and this company requires that you do it this way".
"Do you know who I am???"
After all, all we care about is hacked nude selfies.
Sony Pictures is a company that is part of the MPAA, who fine people millions of $, thus completely ruining their lives over sharing a movie. Karma is a bitch, huh?
Air gaps work great and are cheap when they are only 3 feet wide- everywhere along the circumference of the inner "island".
When your "island" has to cover multiple states and time zones at the same time, it becomes very unwieldy to strictly maintain that air-gap. Why do you think the DOD classified networks cost so much and have so many regulations concerning them? Have you ever priced what REAL hardware encryptors cost?
- speaking only for myself, as always
I guess Sony shouldn't have taken away Linux from PS3 customers. The Linux crowd is one you do NOT want to mess with. They are more knowledgeable than anyone in the I.T. world. What goes around comes around I say.
And you've just failed security 101.
Airgapping does not make you immune to everything. e.g. Windows Updates. A lot of those updates are to fix patches against physical exploits. And by airgapping you've increased your attack vector (because I am assuming here with your basic statement that you didn't think of how data will get in and out of the network including security patches). Then you're also assuming that the reason there was no airgap was due to Outlook and Facebook rather than
Airgapping is rarely ever the answer. Understanding and breeding a culture of corporate security is. Knowing how to design networks with layered protection so that the computers themselves remain useful is.
I have yet to see any evidence of this. Are we really assuming this based on the theme of a movie Sony is coming out with??
So how did companies handle such networks 20+ years ago, where employees in "other offices" (cities, other locations in the same city, etc.) could access files, databases, etc., without any vector out to the Internet? Wouldn't be that hard to create a disconnected network island "war room" in each office--disconnect some ports & buy new routers. The real issue ultimately becomes that you now might want to consider multiple such air-gapped networks (e.g. R&D, HR, Finance, etc.)
I have to assume that data breaches are much worse cost... This one has lost sales, lost goodwill, lawsuits, potential government fines (e.g. HR data), network design changes, etc. Even a $10 million air-gapped network would have been a bargain compared to this mess...
I'm still waiting for a massive Salesforce data breach... That'll be interesting when it happens.
Windows 3.1x calc: 3.11 - 3.10 = 0.00
Remember back a few years ago, when Sony decided the best way to combat piracy was to install a rootkit on the machines of anybody who played one of their CDs?
I hope I can be forgiven for reminding them of a couple of good old adages. Adages like, "What goes around comes around", "Karma's a bitch", and "Sauce for the goose is sauce for the gander".
And I hope they'll forgive me for my complete lack of sympathy.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Wasn't Lockheed hacked a couple of years back? My understanding is that quite a good amount of data regarding a variety of weapons systems, including data on the F-35, was stolen. I don't know how the volume of data stolen compares, but it seems to me like a far more significant hack than stealing a bunch of shitty film scripts and some employee data.
How did companies do things 20 years ago?
They racked up lots of frequent flyer miles, spent hours on long distance calls, and made FedEx a household name (and very profitable). Did I mention the conference calls where people on the East coast had to stay at work late to talk to people on the West Coast?
- speaking only for myself, as always
I suspect that because Sony is a Japanese company, and has their headquarters in Japan, likely has most of their important datacenters in Japan, which unlike the USA, has incredible internet speed, and because Sony is a tech monster, likely has some pretty serious connections to their stuff.
Now couple that with what we have already seen of general network incompetence with the last huge Sony breach to their Playstation network, due to them simply not updating their software to a version several years out of date, I don't think it is all that surprising.
However you are right, 100TB is nothing to sneeze at, and would take some time, and likely multiple connections to work. I suspect that Sony was clueless about what was going on, until someone complained about slow network connectivity, and eventually some sysadmin started looking at things, and started to see connections, and bandwidth saturation, and then trying to figure out who was doing it, and on finding it wasn't Sony, needed approval about severing the connections (if even technically that easy)... and once approvals and technical fix were done, well 100TB is gone.
I suspect with the amount of interconnectedness of distributed networks, it wasn't as simple as walking outside with an axe.
If you know a company booby-traps its products, and you still choose to work for them or buy their products, you're saying they still deserve to be in business despite these actions. Just because they're sooooo pooooor relative to "higher-ups" doesn't absolve them of moral accountability any more than the executives who are earning a living too.
To avoid Godwintards, please refer to the Death Star contractors discussion from the film "Clerks".
This.
I worked at a Healthcare firm many years ago when the Blaster worm brought down the Hospital Networks. There was serious discussion of an air-gapped network as a security response, until we thought about it. Virtually every system we had checked in with a vendor, was networked to other equipment at other sites, or had the ability to pump data into central systems. Our 6 Hospitals and dozens of clinics were spread all over the state & needed connectivity with each other to share data & allow patients to transfer between them or see specialists that only worked at a given clinic. Even had we bought separate links for critical and non-critical info, that separation would have still relied on about a dozen external vendors never "crossing the streams". That was in 2003; nowadays the medical records system can talk to the scheduling system to coordinate patient appointments and can even send out emails about lab results.
And an army of Flash-Drive monkeys copying data is just the illusion of security. Either those drives will themselves be infected with malware or someone will hack whatever system tells those monkeys what to copy and where to send it. The idea that you could leave the air-gapped network less secure, unpatched, or on older versions of known-compromised applications & OSes is just asking for trouble when you have *any* exchange of *any* kind with the outside world. One slipup anywhere by any of your employees and you have malware owning your wide-open system.
Explain how airgapping doesn't make you immune to Windows Updates? If your PC can't talk to Microsoft, and unless you're going old-school sneakernet with flash drives, how is it going to get updates? Most Windows updates solve some sort of security hole, usually caused by the execution of malicious software or some sort of security hole that's exploitable from the Internet. Take away "the Internet" and lock down what people can execute on their PCs within "the island" and problem solved. Yes, you now have a known unpatched security hole--but one that can't be exploited without access to the Internet. No malicious links, attachments, unauthorized software, browser toolbars, etc. Just people using limited specific software & specific versions on (for example) Windows 7-SP1.
As has been proven by Stuxnet and this breach, unlimited state-sponsored funds ALWAYS beats "networks with layered protection". Big-name companies that spend shitloads of money on security still get breached. 15+ years of "breeding a culture of corporate security" also hasn't worked. But if you require the network to have a physical presence, then you've eliminated your primary attack vector.
Easy.
Systemic flaw in business culture (And by extension business procedure and workflow)
No security policy, no matter how comprehensive and robust, can withstand the attack of a slightly annoyed c-level exec that wants to get his email with "no excuses". That, or a beancounter looking to earn a bonus by cutting "cost centers" - (Why do we have all these networks that can't talk to each other!? There is no synergy in that!)
Porn, possibly?
Such an air-gapped network would easily become an island--one that doesn't need Windows Updates, can stay on an old service pack, gets no software updates that solves 2 problems
Well, only assuming you keep all your employees from plugging in any unapproved devices to any of the machines. Whoops instant virus (although still contained), made much worse by your internal security patches being way out of date.
Or does nobody actually write malware for just plain destroying data anymore? Maybe not.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
Plus you could presumably go old-school and just download and burn the updates to CD or something (after SHA-1'ing them etc.), couldn't you?
NSA is about industrial espionage, insider trading and tapping the communications of lawyers and politicians. I think the hack was performed by a big rival company.
> So how did companies handle such networks 20+ years ago, where employees in "other offices" (cities, other locations in the same city, etc.) could access files, databases, etc., without any vector out to the Internet?
Thank you, that's a good question. Companies used to pay for their own, dedicated network connections between various offices - think T1s, T3s, ISDN, etc. Yes, they were much more expensive, which is why they mostly went away. The bean-counters probably saw dollar signs flash in front of their eyes when internet connections became cheap and VPN and other tunneling solutions were worked out that made it possible to replace the old dedicated connections, and that was that.
Another possibility, however, is that the internet made the business need to be interconnected so great (i.e. email, web, saas, etc) that it just became too difficult to justify having duplicate machines on everyone's desks. Remember that IT is a cost center for businesses, so eternally being squeezed to be more efficient and cost-effective.
Was the movie that North Korea doesn't want seen - The Interview - one of the 5 movies leaked to the public?
Good move. After all, employing three times the staff to cover for the lost productivity and constantly training new hires after you've sacked people for breaching processes is definitely going to make you competitive with companies that take a more balanced risk based approach to their security.
Incidentally just what the fuck are you installing on the virtual machines if it isn't an operating system (e.g. Windows 8).
Company can set up a private VPN network and no Internet access on that same network?
I still have not forgiven them for the rootkit and other more recent sins. And no, employees are not innocent. You work for a corrupt company, you are complacent. Just like NSA employees, you don't get a free pass because you are following orders. If 60% of NSA employees quit, it would have forced change a lot faster than anything going on now.
Is it confirmed that it is internet-facing or could this have been done by gaining physical access?
The 100 TB probably contains a lot of pirated copies that employees swapped around of movies from other studios or whatever.
You misunderstood. No surprise I didn't write it very well.
Airgapping your network only protects you from network attacks. It only protects you if people don't expand your network without authorisation. It also by itself is quite useless unless you have systems in place to do things like get Windows Updates onto the machine.
If you think Stuxnet showed that this breach had anything to do with layered networks then you are very very misinformed. Stuxnet entered their systems on a closed network via internal breaches and replicated via USB. It is actually a perfect example of how airgapping doesn't solve problems.
What I mean with "a culture of security" is that the whole picture is taken into account. I've worked at a lot of industrial plants and I've seen everything work, and I've seen it all fail too. One of the refineries we were at had a great airgapped system using sneakernet (burning CDs, no USB sticks as per policy) to get data on and off the network. A major breach was discovered when an operator had plugged a 3G modem into the back of a control systems machine so he could access the internet from his workstation. This is an example of airgapping without a culture of corporate security. Best of all, there was no penalty for the operator. The plant was also way behind on security patches and the like because they aren't connected to anything, so why need security, right?
On the other hand the plant where I work now has a layered security approach with 3 distinct networks between the internet and the control system. The last layer is a one-way (I hate the term Data-Diode but that seems to be what they are calling it these days) isolation which pushes data to an external box on another network which the 3rd network can access via a firewall. But far more importantly is the view on security. You won't get operators plugging 3G modems into the PC not because the boxes are locked (which they are), but because someone sat down and thought through things like the bored users scenario and they have a second PC off the network which they can do with what they want (within policy). Oh and if this happened at my current work place the operator would be dragged to the gate by his ears and told never to come back.
Airgapping as a security solution typically fails due to lack of security by other means, bored or idiotic users (especially if there's a nightshift), and the management problem where some genius decides it would be great if they can see what's going on in the network and the network grows arms and legs till it eventually gets plugged into something it shouldn't.
A tiered approach on the other hand typically requires careful thought. Don't get me wrong this can be done VERY poorly, but for the most part the tiered network implementations I've seen and what comes with them I would consider to be far more secure because they have gone through a thorough design stage. By contrast the airgap solutions I've seen have typically been an afterthought where "airgap is the security so what else would you need".
Oh also the Windows Update was just an example of something that is typically done poorly. Airgapped networks I have seen have let their software rot from a security point of view. But solutions exist and in the case of Windows Update it's running a WSUS server on the closed network and feeding it the necessary update by some means. This can be done both well and poorly regardless of which method is used, but is almost universally done poorly when the approach to security becomes, "just unplug it".
Anyone remember this?
http://en.wikipedia.org/wiki/S...
no matter how good it is, it is human nature always wants to make things better
"In the letter, Sony [...] called on the government to help make the internet safer." http://www.buzzfeed.com/tomgar...
How does the government doing anything to "the internet" help secure private data on a private corporate network?
I worked down the road for many years at WB and I was able to get 1 Gbits both directions as recently as last year (my NIC/office net could have been the limiting factor). I suspect Sony has the same or better...