Slashdot Mirror


Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)

phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us." Related: the FBI has officially concluded that the North Korean government is behind the attack.

22 of 343 comments

  1. Sure... by Mashiki · · Score: 2, Insightful

    But you can mitigate the hell out of it, I suggest air gapping.

    --
    Om, nomnomnom...
    1. Re:Sure... by mysidia · · Score: 2, Insightful

      Yes. Lets air-gap the email system. That would work well.

      No, foo. It's called basic common sense -- keeping confidential medical records, SSNs, and personnel files in paper format only, and not allowing them to be scanned or placed in a system connected to the general business intranet, or "the cloud".

    2. Re:Sure... by EndlessNameless · · Score: 5, Insightful

      If you air gap email and financial systems, you're stepping right back into the mid-1900s. Back when it took an entire office of secretaries to process correspondence, and another office full of accountants to handle billing and ledgers. Because if those systems are disconnected, someone will have to transfer reams of data in and out of them. That is no longer feasible.

      Your suggestion is so completely impractical, I wonder why you joined Slashdot in the first place. You clearly have no understanding of modern IT.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    3. Re:Sure... by the_B0fh · · Score: 4, Insightful

      Seriously? Keeping your personnel files on paper and not the computer? And you think getting checks is slow now? BWAHAHAHAHA

    4. Re:Sure... by gweihir · · Score: 2, Insightful

      Remember RSA Labs, who kept the master keys to SecurID on their network? There is nothing simple or easy here and, of course, security costs money, and in capitalism you only spend money if there is an expected gain. Unless people high up in management go to prison or the company is fined heavily on such events, nothing is going to change.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Sure... by mythosaz · · Score: 5, Insightful

      No, foo. It's called basic common sense -- keeping confidential medical records, SSNs, and personnel files in paper format only, and not allowing them to be scanned or placed in a system connected to the general business intranet, or "the cloud".

      Oh man, you had me going there for a second. I almost thought you were serious.

      Let's all go back to using a typewriter to file our taxes, and when my small-town radiologist wants a consulting opinion on my X-ray, let's have a courier drive it into the metropolis for him. He can use a quill to write down his diagnosis and seal the letter with wax and a stamp from his ring.

    6. Re:Sure... by Nutria · · Score: 5, Insightful

      Keeping your personnel files on paper and not the computer?

      Of course, there's always keep your personal shit off the company servers!!! And keep what you do write in company documents at a professional tone.

      That would sure have mitigated a whole lot of personal pain by these supposedly blameless Sony employees.

      --
      "I don't know, therefore Aliens" Wafflebox1
    7. Re:Sure... by DougOtto · · Score: 5, Insightful

      Unfortunately, security is a cost center, not a profit center. That doesn't sit well with the MBA types. Security does not support the success of a business in any obvious way - so we have to use metrics to show value.

      --
      Solving Unix problems since 1989...
    8. Re:Sure... by ColdWetDog · · Score: 4, Insightful

      Every. Fucking. Hospital. Everywhere.

      The only thing that keeps this from being a problem is that the gory details of most people's lives are really not interesting to anybody and they are hard to monetize. I would imagine that hospitals and clinics around Hollywood have been hit multiple times. If you are a 'high value target', i.e., nobody here on Slashdot, I'd be worried.

      Very worried.

      --
      Faster! Faster! Faster would be better!
    9. Re:Sure... by ColdWetDog · · Score: 4, Insightful

      Really. This. How hard is it NOT to flame people on a COMPANY EMAIL system? Even if some hacker doesn't get to you, your boss or some HR flunky might. Leave the immature conversations to places like Slashdot. It's what we do ....

      --
      Faster! Faster! Faster would be better!
    10. Re:Sure... by lgw · · Score: 3, Insightful

      Look at the historical data.

      It should jump out at you that the past 10k years of relative climate stability is an anomaly, and that rapid (on geological scales) swings in temperature and CO2 are the norm. That whole system is not well understood, though I believe solar variation is the leading hypothesis right now. On a scale beyond a century, there's just no reason to expect climate stability in the first place.

      On a decade by decade scale, there's no evidence of warming in the 17 years of reliable satellite temperature data. The null hypothesis - that average temperatures aren't changing - has actually been the best predictor of climate data since the late 90s, odd as that may sound.

      The simple fact is: the atmosphere and oceans are chaotic systems, with a variety of positive and negative feedback loops, quite difficult to model, and you can't talk about climate change in a scientific way without doing so. There are no obvious conclusions to draw, as the system we live in is simply too complex for hand-wavy, back-of-the-envelope calculations to be interesting. We may simply lack the technology today to do this science properly. That's not a reason to stop - we built the LHC, proof we can do some fucking impressive technological advancement to achieve a scientific goal. But it is a reason to avoid arrogance.

      Climate science is at the phlogiston / aether / Freud stage right now. That's fine, every science must start that way, and the scientific method works given time. But for goodness sake the lay believers are very much like a religion right now, complete with a list of sins and a Hell to roast in, and that's taking it too far!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    11. Re:Sure... by poetmatt · · Score: 1, Insightful

      Security very much is a profit center. Go ask how much this hack is costing Sony (supposedly millions just from the production costs alone), and then ask how much actual security would cost.

      The difference is in zeroes. Many of them.

    12. Re:Sure... by mythosaz · · Score: 3, Insightful

      Costs would increase and quality of care would decrease.

      You're clearly onto something here.

    13. Re:Sure... by ZeroPly · · Score: 4, Insightful

      No. Security is NOT a profit center. If you think it is, then you are not understanding what the term "profit center" means. A profit center for a decentralized business generates revenues as well as incurs expenses. Most IT departments are not profit centers BY DEFINITION.

      --
      Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
  2. Official Conclusion by Anonymous Coward · · Score: 5, Insightful

    Nobody mentioned "The Interview" or North Korea until days after the attack, then it simply appeared from nowhere and asserted itself as the truth. The emails from the hackers are in the stash, and reputable sources who have time to read such things have reported that not a single email from GOP prior to the release mentioned The Interview, only demands for money.

    1. Re:Official Conclusion by xaotikdesigns · · Score: 4, Insightful

      Step one: Extort a hell of a lot of money.
      Step two: Wait for the press to guess who is behind it all.
      Step three: Take their wild guesses and run with them. Cause as much chaos as you can.
      Step four: While everybody is looking at the wrong people, gather up all the money/info you can sell, and disappear.

      --
      XDInd
    2. Re:Official Conclusion by NetNed · · Score: 1, Insightful

      Add to it that Sony is NOT an American company, that the scripts used had HARD CODED passwords and network routes in them, plus the number of people Sony laid off this year. The whole thing is utter bullshit and the FBI latched on to it for some reason, most likely PR or to use it as an excuse to stomp on US citizens' rights. I can't believe that on so many tech sites that have people with knowledge of networks and security you still have people who believe the whole thing and investigate it very little.


      Now we have douche bags like Bruce Schneier and Kevin Mitnick saying that the technology doesn't exist to stop these attacks. The author of Applied Cryptography's first main point is that they shouldn't have made racist comments about President Obama or insulted its starsor (whatever the fuck that means)???? WTF???? How is that even part of the story of a so-called security expert talking on the attacks? Gee, wouldn't the first logical conclusion be that if they used simple encryption on their emails then even if stolen the attackers would have found the email files useless?


      I'm sorry, I'm sick of the "experts" insulting our intelligence with stupid comments that are pretty easy to see as nonsensical. They are either paid shills or make comments like those to keep their business revenue flowing.

  3. Don't use your company email for personal business by Anonymous Coward · · Score: 3, Insightful

    Ding! Problem solved!

  4. Blameless employees? by Spy+Handler · · Score: 4, Insightful

    it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed

    If you were using your company's Exchange server for gossiping and thought it was safe (i.e. the IT department would never have access to this, oh no) then you're stupid and deserve whatever fate you get.

    I can sympathize with the people whose SS numbers were stolen out of no fault of their own. But Amy Pascal making Obama black jokes on company email was just stupid as hell and she deserves whatever scorn people will heap on her.

  5. Re:You can stop those type of attacks by phantomfive · · Score: 5, Insightful

    Security is not easy, but it can be done

    Probably not. Do you think your Linux box has no vulnerabilities? (hint: it does). Even if you run OpenBSD (which still has vulnerabilities), are the employees at your company going to use a browser? That will have vulnerabilities, too.

    Which brings us to the biggest security vulnerability, employees. Remember that the most valuable information a company has isn't the root password, it's the documents and emails the employees are working on and have access to.

    So not only do you need to have a perfectly secure operating system (which doesn't exist), you're also going to need secure employees. Good luck at that.

    --
    "First they came for the slanderers and I said nothing."
  6. Re:You can at least make it hard for them by thoriumbr · · Score: 3, Insightful

    He knows what he is saying. He said that if you are targeted in a high-skill, high-focus attack, it's basically game over.

    It's like the difference between defending yourself from a random mugging on the streets and surviving a professional hitman. You can make it harder to be attacked by a random or unfocused hacker, but it's impossible to defend yourself from all kinds of attacks by a very skilled hacker focused on attacking you.

  7. Re:Why the FBI thinks it's North Korea by Anonymous Coward · · Score: 2, Insightful

    Here's the underlying problem, despite all this: you have to trust the FBI. Sorry to say, as a common American, I don't! As an IT professional, it's plausible, but until these sources and evidence are validated by independent third parties, N.K., like every other possible culprit, is just that. A suspect.