Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)
phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us."
Related: the FBI has officially concluded that the North Korean government is behind the attack.
But you can mitigate the hell out of it, I suggest air gapping.
Om, nomnomnom...
We are talking a proportional response right?
Or maybe we can just send a few bloviating politicians over and throw in some mass drops of MP3 players loaded with Sony tunes on the country.
Nobody mentioned "The Interview" or North Korea until days after the attack, then it simply appeared from nowhere and asserted itself as the truth. The emails from the hackers are in the stash, and reputable sources who have time to read such things have reported that not a single email from GOP prior to the release mentioned The Interview, only demands for money.
"blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed."
If you had personal conversations—gossip, medical conditions, love lives in your work email, then it was not private anyway.
Something not much discussed: if outsiders were able to liberate "terabytes" of data from Sony Pictures, just how good was the corporation's computer security? There's been a lot of outrage over the data theft, but did it happen despite Sony's protective measures, or because of them?
Security is not easy, but it can be done. But most companies like security theater; it's cheaper, until something like this happens.
Ding! Problem solved!
Likewise, how long does it take to download 100TB of data? I'm guessing that this was probably something that took a bit of time to pull off, and they probably should have found something while all this data was flying out of their system.
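The detection angle raised in the comment above, as an added example that is not code from the thread: a back-of-the-envelope transfer-time calculation plus a per-host egress baseline check of the kind that should have fired while that much data was leaving. The flow summaries are constructed sample data (hosts `ws-alice`, `backup-01`, `fs-02` are invented); nothing here comes from the Sony incident.

```python
from collections import defaultdict
from statistics import median

# Added example, not code from the thread. All flow records below are
# constructed sample data, not anything from the Sony incident.

MB = 10**6
GB = 10**9
TB = 10**12


def seconds_to_move(total_bytes, bits_per_second):
    """Wall-clock time to push `total_bytes` out over a link of the given speed."""
    return total_bytes * 8 / bits_per_second


def build_sample_flows():
    """Constructed daily per-host outbound summaries: (day, src_host, to_external, bytes).
    Eight days of history; the invented host fs-02 starts moving bulk data on day 7."""
    flows = []
    for day in range(8):
        flows.append((day, "ws-alice", True, 2 * GB + (day % 3) * 100 * MB))
        flows.append((day, "ws-alice", False, 40 * GB))   # internal share traffic: not egress
        flows.append((day, "backup-01", True, 500 * GB))  # off-site backup: large every day
        flows.append((day, "fs-02", True, 1 * GB if day < 7 else 900 * GB))
    return flows


def egress_by_host(flows):
    """Sum only the flows that leave the network, keyed by host and day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, to_external, nbytes in flows:
        if to_external:
            totals[host][day] += nbytes
    return totals


def flag_egress_spikes(flows, baseline_days, test_day, multiplier=10, floor_bytes=50 * GB):
    """Flag hosts whose egress on `test_day` exceeds both `multiplier` times their
    own median over `baseline_days` and an absolute floor. The per-host baseline
    keeps a backup server's normal bulk transfer from alerting every day; the
    floor keeps a host that normally sends almost nothing from alerting on noise.
    Returns [(host, bytes_on_test_day, baseline_bytes), ...]."""
    totals = egress_by_host(flows)
    alerts = []
    for host, per_day in sorted(totals.items()):
        baseline = median(per_day.get(d, 0) for d in baseline_days)
        today = per_day.get(test_day, 0)
        if today > max(multiplier * baseline, floor_bytes):
            alerts.append((host, today, baseline))
    return alerts


if __name__ == "__main__":
    days = seconds_to_move(100 * TB, 10**9) / 86400
    print(f"100 TB over a saturated 1 Gbit/s link takes about {days:.1f} days")
    for host, today, baseline in flag_egress_spikes(build_sample_flows(), range(7), 7):
        print(f"ALERT {host}: {today / GB:.0f} GB out today vs {baseline / GB:.0f} GB/day baseline")
```

The point of the two thresholds: a flat "more than N bytes out" rule either drowns in alerts from legitimately chatty hosts or is set so high that a slow, multi-week drain never trips it. Baselining per host, then requiring both a relative and an absolute excess, is the minimum that would have made a 100 TB outflow visible.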
it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed
If you were using your company's Exchange server for gossiping and thought it was safe (i.e. the IT department would never have access to this, oh no) then you're stupid and deserve whatever fate you get.
I can sympathize with the people whose SS numbers were stolen out of no fault of their own. But Amy Pascal making Obama black jokes on company email was just stupid as hell and she deserves whatever scorn people will heap on her.
I ask the same question again, why put this stuff online at all? Why are critical systems for infrastructure online? Why is anything of any importance for our government and nation available to the general Internet?
The only answers I've come up with are either cost related or they want them to be targets.
"If any question why we died, Tell them because our fathers lied."
Yeah, because Flash drives are such a secure way to move data...
The world's burning. Moped Jesus spotted on I50. Details at 11.
While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
* Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
* The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
* Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
"First they came for the slanderers and i said nothing."
If they have nothing to hide, they shouldn't worry. Who cares about their boring lives?
... said the Coward who posted anonymously.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
For all we know, Sony did invite this attack and opened its doors wide for anybody wanting in. At the very least you can make this hard for the attacker and add a high risk if early detection. Saying "you can't protect yourself" is sending entirely the wrong message.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Because Sony Pictures is an American subsidiary of the Japanese conglomerate, which was based in the US and the majority of the affected employees were US citizens or at least Residents?
Complete nonsense.
I keep reading about this attack, like it was magical...
Then there's an article on Slashdot today about programming being a superpower?
I'm starting to think this entire thing was designed to have this very effect.
So what's next? The government protects us? We need more electronic surveillance?
Hacks based on zero-day exploits are hard to protect against. But they are smash and grabs, and once you see the data leaving, you shut things down until you can patch. But this Sony thing? They had basically complete control over their entire infrastructure. No hack would ever result in that kind of control unless Sony basically had no protection or planning at all. Which is what I think this was... Sony being completely irresponsible. The fault here is with Sony. Yeah, the hackers are bad guys too... but there's absolutely no reason they should have gotten what they did. In particular, the executive that had the entire company's salary in an XLS document on their hard drive should be fired immediately.
The other advantage of the air-gapped network is that you no longer "need" to update the computers within the network with most of the security updates that come across Windows Update. Build them from DVDs & SPs with known hash values, never having connected them. Who cares if those PCs are still stuck on Win7-SP1 or Win8.1 RTM. Their primary attack vector (e.g. the big bad Internet) is unavailable. Even if these machines are built with malware, the worst that could happen is that they get erased, but the data still doesn't go out.
But what about e-mail? IM? Interwebs? Facebooking? Really??? Buy a 2nd, low-end PC, wirelessly connect it to the corporate network, and voilà! Hell, you could even use a KVM for this purpose, if you'd rather not spring for the expensive $400 laptops. Don't take the easy approach of connecting the networks in a way that only allows for RDP sessions--a determined hacker with unlimited funds (e.g. state sponsors) would figure that one out.
But what about Adobe Cloud or whatever program needs to connect to the Internet? Most such programs have alternative options for air-gapped networks (e.g. a license server), and a company like Adobe could be brow-beat by a company like Sony into disabling phone home. For high-risk applications where you can't talk your vendor out of phone-home, it's time to look for a new vendor...
Windows 3.1x calc: 3.11 - 3.10 = 0.00
... email, and anything else you do on the internet or with your cell is not private.
Never put anything in email, or text messages, or twitter or random internet forums that could potentially embarrass you or anyone you care about.
Sad that this needs to be pointed out, but clearly it does.
XML is known as a key material required to create SMD: Software of Mass Destruction
He forgot the next step, always burn the flash drive afterwards.
That's why they're called flash drives right?
From TFA: "Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable."
Sounds like a good followup to Schneier's Law
This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.
Bullshit. There's always a choice. It's often less convenient, but that's a far cry from not having one.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
One way to increase that "expected gain" is to take a slightly wider view of what security is. Security is more than just locks and passwords - it includes defense against denial of service attacks, for example. A useful definition of system security is:
A secure system is one that continues to work properly, even in the face of attack.
An example is one of the most common security issues, SQL injection. My work place had a typical example:
INSERT INTO users SET fname='$fname', lname='$lname';
From a traditional security perspective, we worry about an attacker entering a "name" that includes quotes marks and such. However, the same issue also meant that things broke nicely when Tom O'Reilly tried to register, using his real name.
Fixing that issue meant that attackers couldn't mess up the system - and the "random" errors in the system stopped.
As another example, we provide a service called Clonebox. With Clonebox, if a customer's web server is hacked or otherwise damaged, we can switch it over to a ~read-only mirror. Sure that protects against hackers, and some customers have been hacked and used the protection. More often, customers simply screw up and delete important files or databases. Either way, they are protected - our customers' web sites keep working, even when they screw up, even when hardware fails, and even when they are hacked.
So the pitch, and the cost/benefit calculation is this:
How much is it worth to have systems that just keep working, that don't screw up, that handle any input gracefully?
It can be good to ask that question right around the time some executives are cursing the current system.
they are if you encrypt them with pre-shared (in person) keys
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
SQL injection. My work place had a typical example:
INSERT INTO users SET fname='$fname', lname='$lname';
Apart from the fact that you're mixing UPDATE syntax with INSERT syntax, substitution is perfectly valid so long as each string has been sanitized in the correct manner for a particular database connection (that is, not addslashes()). For the MySQLi client library, it looks like this:
Don't get me wrong; it's bad practice to escape manually unless you're using operator IN on a database client library that supports neither array parameters nor named placeholders (such as MySQLi). But code that correctly uses $db->escape_string() (or the equivalent for other languages or database drivers) should be safe from SQL injection, just as code that correctly uses htmlspecialchars() should be safe from script injection.
With Clonebox, if a customer's web server is hacked or otherwise damaged, we can switch it over to a ~read-only mirror. Sure that protects against hackers, and some customers have been hacked and used the protection. More often, customers simply screw up and delete important files or databases.
But how long do you keep these mirrors around, in case there's a screw-up that goes undiscovered for a while?
... anything.
TFA is a waste of time.
There's no best practice revelations or stuff.
It's just a repeat of what every news site and pundit has said already.
It little behooves the best of us to comment on the rest of us.
> Apart from the fact that you're mixing UPDATE syntax with INSERT syntax
Works in MySQL and MS SQL, ymmv for any other RDBMS.
In regards to both escape_string() and htmlspecialchars(), two words: character sets.
They are not fundamentally any better than addslashes(). They just have a bit more duct tape.
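The three SQL injection sub-threads above (the Tom O'Reilly breakage, the claim that correctly escaped substitution is safe, and the "two words: character sets" rebuttal) together, as an added worked example that is not code from the thread. It uses Python's stdlib `sqlite3` so it runs offline; the `?` placeholder syntax is driver-specific, but the principle carries to MySQLi and everything else. The `addslashes` function here is a deliberately charset-unaware byte escaper written to mimic PHP's, and the multibyte inputs (`0xbf 0x27` for GBK, `0xb3 0x27` for Big5) are the well-known lead-byte-plus-quote shape that defeats it.

```python
import sqlite3

# Added example, not code from the thread. Uses sqlite3 (stdlib) so it runs
# offline; the parameter syntax differs per driver but the principle is the same.


def make_db():
    """Constructed in-memory users table with two sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)")
    con.executemany(
        "INSERT INTO users (fname, lname) VALUES (?, ?)",
        [("Alice", "Smith"), ("Bob", "Jones")],
    )
    return con


def insert_unsafe(con, fname, lname):
    """String-built INSERT, the pattern from the thread. Returns False when the
    statement fails to parse, which is exactly what Tom O'Reilly's apostrophe does."""
    sql = f"INSERT INTO users (fname, lname) VALUES ('{fname}', '{lname}')"
    try:
        con.execute(sql)
        return True
    except sqlite3.OperationalError:  # syntax error: the quote ended the literal early
        return False


def insert_safe(con, fname, lname):
    """Parameterised INSERT: the driver sends the values separately from the SQL."""
    con.execute("INSERT INTO users (fname, lname) VALUES (?, ?)", (fname, lname))
    return True


def lookup_unsafe(con, lname):
    """String-built SELECT: a quote in lname rewrites the WHERE clause."""
    sql = f"SELECT fname FROM users WHERE lname = '{lname}' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, lname):
    """Parameterised SELECT: the same payload is just a surname nobody has."""
    sql = "SELECT fname FROM users WHERE lname = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (lname,))]


def addslashes(raw: bytes) -> bytes:
    """Byte-oriented escaping in the spirit of PHP's addslashes(): prefixes quote
    and backslash bytes with 0x5C without knowing the connection charset."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def has_unescaped_quote(raw: bytes, charset: str) -> bool:
    """True if, after byte-level escaping, a server decoding in `charset` would
    still see a bare single quote, i.e. the escaping was defeated. In GBK and
    Big5, 0x5C is a valid trail byte, so lead-byte + inserted backslash fuses
    into one multibyte character and the quote that follows stands alone."""
    decoded = addslashes(raw).decode(charset, errors="replace")
    prev = ""
    for ch in decoded:
        if ch == "'" and prev != "\\":
            return True
        prev = ch
    return False


def charset_aware_escape(raw: bytes, charset: str):
    """Decode with the connection charset first, escape in text space, re-encode.
    Malformed input (a lead byte with no valid trail byte) is rejected outright
    instead of being patched into a different character by the escaping."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)


if __name__ == "__main__":
    con = make_db()
    print("unsafe insert of O'Reilly ok:", insert_unsafe(con, "Tom", "O'Reilly"))
    print("safe insert of O'Reilly ok:", insert_safe(con, "Tom", "O'Reilly"))
    print("unsafe lookup with payload:", lookup_unsafe(con, "' OR '1'='1"))
    print("safe lookup with payload:", lookup_safe(con, "' OR '1'='1"))
    print("addslashes defeated under GBK:", has_unescaped_quote(b"\xbf\x27", "gbk"))
    print("charset-aware handling of same bytes:", charset_aware_escape(b"\xbf\x27", "gbk"))
```

The O'Reilly failure and the `' OR '1'='1` bypass are the same defect seen from two sides, which is the point the "systems that just keep working" comment makes. The character-set case is why "correctly uses escape_string()" carries a hidden precondition: the escaper has to know the charset the server will decode with (which is what `mysql_real_escape_string` / `mysqli::real_escape_string` exist for, and why `SET NAMES` issued outside the driver's knowledge breaks them). Parameterised queries sidestep the whole question because the values never travel inside the SQL text.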
the FBI has officially concluded that the North Korean government is behind the attack.
Due to the sensitive nature of the investigation, you'll have to trust us on this, just like with that other big thing 13 years ago.
“He’s not deformed, he’s just drunk!”
I for one am waiting to hear what Bennett Haselton has to say.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Like you, I want the facts. I have seen no facts that implicate the DPRK over the people who claimed responsibility initially (GOP). Wired had an article on it two days ago when the first stories started to attempt to pin the hack on the DPRK which has been ignored by all US and UK media. Not only have all US media outlets jumped on the "it was those dirty North Koreans" bandwagon, but the BBC has become complicit in this as well.
In fairness, I was able to do some digging to find more information on the BBC that I could not in US media. Let me go through the evidence and comment on each after that.
Before doing so, let me explain something critical. In order to teach hacking, a person has to have access to the internet. This is a huge dilemma for the DPRK, who has to risk any Internet access with the knowledge that the person with access _WILL_ see information damaging to their loyalty to the DPRK. There are no computer cafés in North Korea where guys can go learn to hack to make a couple extra bucks; in fact, unless you have explicit Government approval you can not have a computer. Even if you are a "tourist" you must have permission and you will not be able to take your laptop wherever you wish.
This means that the only hacking that could come from the DPRK is Government sponsored, and the number of hackers they have would be tiny. They don't have the money for "new" or unique equipment either, so any computer hardware they have is going to be 2nd hand junk that China no longer wants. What the Military has for hacking tools would be 2nd hand script kiddie tools or provided by China.
Not only does an extraordinary claim require extraordinary proof, but in this case US Politicians have lied so often I don't trust a damn thing I'm told any longer. Our "media" follows the scripts they are handed just like the politicians, and I don't trust them either. So here is the claim summary.
First, the FBI says its analysis spotted distinct similarities between the type of malware used in the Sony Pictures hack and code used in an attack on South Korea last year.
So we turn to another, better clue: IP addresses - known to be part of "North Korean infrastructure" - formed part of the malware too. This suggests the attack may have been controlled by people who have acted for North Korea in the past.
That's it folks, that is all we have. The "Hacks" last year (actually since 2009) which were never tracked to the DPRK are the first reason they believe this hack was. Wow, that's quite a leap in logic. DarkSeoul is still anonymous and there is no evidence that links them to North Korea. Lots of claims that China is training and letting the DPRK use their resources, but no evidence that the group is even operating out of China. Finally we have IP addresses, which any Script kiddie knows to spoof with someone's IP address you hate! I'm positive that the FBI can not be that goddamn dumb, they have to realize IPs can be spoofed too!
Ok, time to get off my soap box...
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Rule No. 1 of corporate life:
If you don't want everybody to know about it, don't put it in writing, ever. Yes, SMS/chat/whatever is writing. Even talking on a mobile phone could be "writing".
It's very easy these days to have all the accounting software on a separate machine to the one that downloads infected emails - consider remote desktop, citrix, VNC and X windows. If you had "understanding of modern IT" you would have considered them wouldn't you?
I agree with everything except the telecommuting bullet-point (with which I am in *qualified* disagreement). My qualification is that working from home should be OK, but only on company-issued hardware, with the restrictions you listed (e.g., disabled USB ports), and I would add the use of something like a Sonicwall connected downstream from your home ISP's gateway.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
The ones where there is only a URL and no payload astonish me - somehow just clicking on the link and letting IE loose on it is enough for the user to infect their machine with a virus. No "do you really want to run this thing as admin" box or anything - immediate infection with no other user interaction. Microsoft have been dealing with the internet for nearly two decades and such a thing can still happen with their software.
Partially, yes, for three reasons:
So yes, I wholeheartedly dispute your blanket analogy on the grounds that it is a flawed analogy, and that we don't know enough about our planet to make any intelligent predictions or models at this time. Indeed, every model we have, when fed historical temperature data, says we should be at much higher temperatures than we are now. Most assume some kind of blanket model, but since none match our measured results, we can conclude that a simple blanket model does not match the complex reality of the systems on Earth.
Beware of bugs in the above code; I have only proved it correct, not tried it.
"Galactica is a reminder of a time when we were so frightened by our enemies that we literally looked backward for protection..."
... and, of course ...
"... But I will not allow a networked, computerized system to be placed on this ship while I am in command."
We live in a world of Cylons.
MediaWiki is written in PHP. Would you really prefer a world without Wikipedia?
How about paying a substantial fraction of what the CEOs get. Won't stop hacking, but while prevention is half the game, motivation would go quite a bit, I think. Personally, I am pretty sure a lot of these 'hacks' are just former employees that got screwed and were offered a whole bunch of money for very little knowledge by someone else. An NDA isn't Captain America's shield when the employee was pretty much broke anyway.
Never play chicken with a passive aggressive.
Or at least your company can. Any network is vulnerable in the sense of someone wandering around campus and finding an unlocked PC, but what you can do from there varies tremendously. Ideally, the company itself doesn't have employees' SSNs or banking information anywhere on its network. Rather, this is handled by a payroll vendor that specializes in handling just that task securely and nothing else. Now you have a much smaller and constantly audited target to hit. Likewise, highly sensitive projects can be siloed in a way that most employees or the intranet can not access them any easier than a random outsider.
Mr. Gingrich obviously never read Schneier's informative and professional response. Doing things like that would only slow Mr. Gingrich down.
No. Mr. Gingrich has made up his mind already and frames as war what is basically a combination of poor security (both protection and response were found to be sub-par), unprofessional conduct (mean-spirited, abusive, and racist comments), user stupidity (entrusting highly personal information to a company email system), and bad luck (being targeted by a persistent and capable attacker).
The only way Mr. Gingrich can achieve his national cyberspace defense "Defending America against foreign enemies is the duty of the United States government." is to monitor all traffic entering and leaving the US plus all internal traffic, and being able to selectively cut any of it off on the basis of suspicion alone. To use Mr. Gingrich's words: "No one should kid themselves.". This is the only possible outcome if his ideas are adopted.
It's like the NSA's dream come true. Not only will they be allowed to tap into everything, Mr. Gingrich's ideas (if adopted) mean that they will now actually be tasked to do that. Plus they get to design and implement some fine-grained kill-switch. Oh, can encrypted communications by private individuals be tolerated? Risky, that. Any non-government or non-whitelisted corporate entity that uses encryption could be a hostile nation in disguise, eh? Best to put a stop to that right now. Or err, risk "losing the cyber war".
How to protect yourself from Sony-style attacks:
Step 1. Don't be Sony.
encouragement of corruption
Or encourages corrupt behaviour.
People resorting to criminal acts to get around new restrictions that were probably not worth implementing in the first place.