Slashdot Mirror


Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)

phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us." Related: the FBI has officially concluded that the North Korean government is behind the attack.

7 of 343 comments

  1. Blameless Random Employees? by xaotikdesigns · Score: 3, Informative
    I thought they got the admin credentials. If they got the admin credentials, then it's probably someone's fault for not ensuring that there was a good password policy, or that they made sure that only the right users had any kind of admin rights.

    Likewise, how long does it take to download 100TB of data? I'm guessing that this was probably something that took a bit of time to pull off, and they probably should have found something while all this data was flying out of their system.

    --
    XDInd
  2. Why the FBI thinks it's North Korea by phantomfive · Score: 5, Informative
    We shouldn't just believe the FBI, but here's what they've revealed of their evidence so far:

    While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

    * Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
    * The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
    * Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

    --
    "First they came for the slanderers and i said nothing."
  3. BS by Charliemopps · Score: 1, Informative

    Complete nonsense.
    I keep reading about this attack, like it was magical...
    Then there's an article on Slashdot today about programming being a superpower?
    I'm starting to think this entire thing was designed to have this very effect.

    So what's next? The government protects us? We need more electronic surveillance?

    Hacks based on Zero-day exploits are hard to protect against. But they are smash and grabs, and once you see the data leaving, you shut things down until you can patch. But this Sony thing? They had basically complete control over their entire infrastructure. No hack would ever result in that kind of control unless Sony basically had no protection or planning at all. Which is what I think this was... Sony being completely irresponsible. The fault here is with Sony. Yeah, the hackers are bad guys too... but there's absolutely no reason they should have gotten what they did. In particular the Executive that had the entire company's Salary in an XLS document on their hard-drive should be fired immediately.

  4. Re:Sure... by jeffmeden · Score: 5, Informative

    He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

    That's not entirely true. It's not clear how many other targets the miscreants who hit Home Depot, Target, etc. had, but they did a lot more than scripted attacks (they used social reconnaissance, then spear phishing, then multiple point-of-entry probes, for starters) in order to get inside, and once inside they put a hell of a lot of work into pulling off their attack, and mixed that with a ton of luck in order to actually succeed. The Target hack actually would have been dead from the start if Target trusted their FireEye consultants who tried to warn them of the impending data theft.

  5. Re:Sure... by khasim · Score: 3, Informative

    From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
    http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

    They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.

  6. Re:Sony security: strong or weak? by TubeSteak · Score: 5, Informative

    I'd be interested in knowing the details of the attack. Was it a "social engineering" attack of some kind (ie. a virus-laden email that someone with high privileges opened)? Was it a vulnerability in their networks? I've heard someone with high level admin privileges had their account hacked, but in what way was it done?

    I can't find the story, but if I recall correctly, the short version is that the hackers probed Sony, couldn't get in, then started targeting affiliated companies until they found a remotely exploitable vulnerability.

    Once they breached that company's network, they found cached(?) credentials for a top Sony sys admin account and used that to access the US Sony intranet.

    They mapped the intranet, spread malware all over the place, exfiltrated ~100TB over the course of a ~year, then changed everyone's screensaver and went nuclear with the wiper attack.

    --
    [Fuck Beta]
    o0t!
  7. Re:Sure... by lgw · Score: 3, Informative

    It's easy to be self-righteous. I used to see it all the time from members of the Christian religion - most of whom weren't really that familiar with scripture. It's no more appealing seeing the same attitude from members of the new Global Warming religion, most of whom aren't really that familiar with the science.

    Climate models may one day mature to something beyond the basket of hypotheses they are now, but none of them have yet been successful in predicting climate data, except where the null hypothesis also predicted that data. The science doesn't justify your arrogance. I wouldn't call it "pseudoscientific", but it's far from certain as well, and the actual predictive models (as opposed to hand-wavey claims) aren't yet well supported by actual data.

    --
    Socialism: a lie told by totalitarians and believed by fools.