Slashdot Mirror


The Sony Pictures Hack Was Even Worse Than Everyone Thought

An anonymous reader writes with today's installment of Sony hack news. "It's time to take a moment of silence for Sony Pictures, because more startling revelations about leaked information just came out and employees are starting to panic. BuzzFeed raked through some 40 gigabytes of data and found everything from medical records to unreleased scripts. This is probably the worst corporate hack in history. Meanwhile, Fusion's Kevin Roose is reporting on what exactly happened at Sony Pictures when the hack went down. The hack was evidently so extensive that even the company gym had to shut down. And once the hackers started releasing the data, people started 'freaking out,' one employee said. That saddest part about all of this is that the very worst is probably still to come. Hackers say they stole 100 terabytes of data in total. If only 40 gigabytes contained all of this damning information, just imagine what 100 terabytes contains."

10 of 528 comments

  1. 100 terabytes of data - a few movies? by BitZtream · Score: 5, Informative

    100 terabytes of data is easily consumed by the raw uncut footage of a few movies, easily. So it could be a whole bunch of stuff that really hurts them or it could just be a couple movies that were shot by M. Night Shyamalan that suck so hard no one cares.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  2. Sauce for the goose; sauce for the gander by cryptoengineer2 · Score: 5, Informative

    http://en.m.wikipedia.org/wiki... TL, DNR: 9 years ago, Sony was root kitting the machines of people who bought their CDs, and lying about it.

  3. Re: Over what time interval? by reanjr9417 · Score: 5, Informative

    Sony Pictures is likely sending out huge amounts of data as it is. It's the movie industry. Their daily backups could be 100 TiB.

  4. Re:Lawsuits and Patents by mysidia · Score: 5, Informative

    SONY would have to patent everything within a year in the US; I am not sure that you even have that grace period everywhere else.

    No..... 1 year following lawful disclosure.

    The unlawful disclosure of confidential information by criminals is subject to adjudication by the courts.

    The unlawfully disclosed material may very well be deemed to be a condition that allows Sony to continue to pursue the patents, and publications made from unlawfully disclosed materials may be excluded from valid prior art.

  5. Re:... Everything? by Antique+Geekmeister · Score: 4, Informative

    Don't forget disputed insurance claims, and new employee paperwork with medical and life insurance applications with records of pre-existing conditions.

  6. $1tr question--Why is all this Internet-facing??? by BUL2294 · Score: 4, Informative

    With all the state-sponsored corporate & military espionage caused by China & Russia, with the never-ending probes from government agencies like the NSA/DHS/GCHQ/etc., with malware & ransomware attacks that can encrypt data in (generally) unbreakable forms, with criminal hacking organizations making off with millions of credit card numbers from retailers, with apparently no network controls as to how much data leaves company firewalls & where it goes, and so on, why aren't there more internal air-gapped networks in companies???

    This has hit the point of absurdity. If you are working on military plane designs, working on your next corporate acquisition, or even making movies or music worth tens of millions of $$$, why would you put your prized, unreleased digital files on computers that have Internet access? What kind of batshit stupidity is that? What, so your employees can browse Facebook & check Outlook e-mail at the same time? Such an air-gapped network would easily become an island--one that doesn't need Windows Updates, can stay on an old service pack, gets no software updates that solve 2 problems but make a new one (e.g. we know the bugs), and the like. And if those employees really need their Outlook e-mail, IM, or the Inter-Webs where they work, they can have a 2nd very low-end PC, connected to the main network, with a KVM between the two. Might even increase efficiency, given the mind's inability to multitask well. Or give them freaking iPads on a wireless network that's not connected to their "sensitive" work computer.

    It boggles the mind that given all these problems, which are increasing in frequency & cost every day, we still have little more than software firewalls & hardware routers between a company's most highly-sensitive assets (files & computers) and the big-bad-Wild-West-no-holds-barred-Internet.

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
  7. Re:... Everything? by rudy_wayne · Score: 4, Informative

    Certainly legal. There's nobody who can't hold your medical information.

    Wrong.

    HIPAA regulations are pretty strict about this. The company I work for does everything through a 3rd party because of this.

      When I told my boss I had to have time off for surgery I was given the phone number for the 3rd party company and they handled everything. They contacted my doctor and obtained all the necessary medical information to verify that I was off work for a legitimate medical reason. When I was ready to return to work, I went to a doctor who examined me and then reported to the 3rd party company that I was OK. The third party company then notified my employer that I was OK to return to work. At no time was my employer ever given any medical information about me.

  8. Re:... Everything? by apraetor · Score: 4, Informative

    Your employer could have held the information, but every system involved with access & storage would have to meet physical and electronic security requirements. Outsourcing is cheaper, and a business structured around PHI-compliance would have an interest in minimizing their liability.

  9. Re: ... Everything? by dgatwood · Score: 4, Informative

    How much would security cost? To do it right?

    Not a lot, actually. The most important aspect of real security is compartmentalization—ensuring that you don't have any high-value individual targets:

    • Every desktop has individual credentials for the local user, and except when unavoidable, you don't grant any network users (LDAP, etc.) any access. Every desktop has a separate external hard drive used for backup.
    • For shared projects, you have project servers, one per major project. Just like desktop machines, access is granted only to people working on the project. It has its own credentials, and it is backed up separately—ideally to an off-site server, and stored encrypted on that server.
    • Every email not involving a mailing list is sent encrypted, so that it never exists in a decrypted form on a centralized server.

    None of those things should cost significant amounts of money. They're just simple policy decisions. And with a scheme like the above, you typically wouldn't see attacks like this being successful in the absence of a massive zero-day remote kernel exploit.

    If you want added security, you could write a piece of software in a few minutes that logs all traffic by IP address and port, then compares it with traffic requested by the user's web browser (by continuously reading the browser's history and uploading any new locations every couple of minutes), and flags anything that doesn't match. Automatically ignore any automatic updates by software that your IT department installed, plus any known addresses owned by your OS manufacturer. If you see any other traffic, shut off the port immediately, and contact the user to verify that the traffic is expected. If so, whitelist that IP and port after verifying that the software the user is running is legit.

    Finally, add mail server rules that sanity check any email attachments, and similar rules for your HTTP proxy. If someone receives a disk image, ZIP archive, or other archive, extract the contents and ensure that there are no executables within it. If there are, allow the attachment if the executable is signed by a trusted authority. Otherwise, store a copy of the attachment in a secure location, and either filter it from the mail archive or refuse to send the final packet of data to the web browser. Flag it for review.

    Like the two guys running away from the grizzly bear, security doesn't have to be flawless; it just has to be robust enough to convince the attacker to go after an easier target.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.
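Added example, not from the thread or any poster: a Python sketch of the attachment rule dgatwood describes, which opens a ZIP in memory, looks inside (nested archives included) and flags any member that is an executable by magic bytes or by extension, with a size cap so a decompression bomb is never inflated. The magic-number and extension tables and the sample archive are constructed for the example; the signed-by-a-trusted-authority exception the comment mentions is not implemented here.

```python
import io
import os
import zipfile

# Magic numbers of native executables (constructed table: PE, ELF, Mach-O).
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
}
# Extensions a desktop runs as code even without a native header (constructed list).
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".hta"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # never inflate more than this per member (zip-bomb guard)

def classify_member(name, head):
    """Return why a member looks executable (magic bytes first, then extension), or None."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return f"magic bytes: {kind}"
    ext = os.path.splitext(name)[1].lower()
    return f"extension: {ext}" if ext in EXECUTABLE_EXT else None

def scan_zip(data, depth=0, max_depth=2):
    """List (member, reason) for every executable in a ZIP, recursing into nested ZIPs."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_BYTES:
                flagged.append((info.filename, "oversized member, not inflated"))
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for every magic above
            reason = classify_member(info.filename, head)
            if reason:
                flagged.append((info.filename, reason))
            elif head.startswith(b"PK\x03\x04") and depth < max_depth:
                for name, why in scan_zip(zf.read(info), depth + 1, max_depth):
                    flagged.append((f"{info.filename}/{name}", why))
    return flagged

def build_sample():
    """Constructed sample: benign text, a double-extension PE, and a nested ZIP holding an ELF."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("tool", b"\x7fELF\x02\x01\x01" + b"\0" * 9)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("script_v2.txt", b"INT. OFFICE - DAY\n")
        z.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\0" * 12)
        z.writestr("build.zip", inner.getvalue())
    return outer.getvalue()
```

Running `scan_zip(build_sample())` flags the double-extension PE and the ELF hidden inside the nested ZIP, while the text file passes.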

  10. Re: Over what time interval? by topologicalanomaly47 · Score: 4, Informative

    RAID doesn't really work like this.

    Imagine you have a 6-disk RAID6 - you need 4 to have the array working in a degraded state. Unless you steal 4 disks *at once* you won't be able to rebuild it offsite. Unless you get drives from RAID1 arrays you're better off smuggling in a 2 TB 2.5" USB drive. If their physical security is anywhere close to the IT security you can probably smuggle a f-ing NAS inside and nobody would care.