Slashdot Mirror


Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)

phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us." Related: the FBI has officially concluded that the North Korean government is behind the attack.

67 of 343 comments

  1. Sure... by Mashiki · · Score: 2, Insightful

    But you can mitigate the hell out of it, I suggest air gapping.

    --
    Om, nomnomnom...
    1. Re:Sure... by mysidia · · Score: 2, Insightful

      Yes. Let's air-gap the email system. That would work well.

      No, foo. It's called basic common sense -- keeping confidential medical records, SSNs, and personnel files in paper format only, and not allowing them to be scanned or placed in a system connected to the general business intranet, or "the cloud".

    2. Re:Sure... by blackomegax · · Score: 2

      The KGB or whatever it's called nowadays literally went back to type-writers and paper.

    3. Re:Sure... by ArcadeMan · · Score: 3, Funny

      Yes. Let's air-gap the email system. That would work well.

      Anything that can block spam is a good thing.

    4. Re:Sure... by EndlessNameless · · Score: 5, Insightful

      If you air gap email and financial systems, you're stepping right back into the mid-1900s. Back when it took an entire office of secretaries to process correspondence, and another office full of accountants to handle billing and ledgers. Because if those systems are disconnected, someone will have to transfer reams of data in and out of them. That is no longer feasible.

      Your suggestion is so completely impractical, I wonder why you joined slashdog in the first place. You clearly have no understanding of modern IT.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    5. Re:Sure... by khasim · · Score: 4, Interesting

      And one of the aspects where I disagree with him:

      Low-focus attacks are easier to defend against: If Home Depot's systems had been better protected, the hackers would have just moved on to an easier target.

      He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

      And 100% agreement with your air gap recommendation.

      With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company's security is superior to the attacker's skills, not just to the security measures of other companies.

      He's got it right there. Once you are online you can be attacked by anyone anywhere. The only advantage you have is that you control the wire in your organization. Wireless is more of a pain. But you can see every packet moving on the wire.

      It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won't end up posted online somewhere, but Sony clearly failed here.

      In my experience, the problem is not money. The problem is EGO. Someone is always convinced that what they are doing is more important than following what the IT nerds say and they have the political clout within the company to force exceptions be made.

      It is the exceptions that damage your security.

      It is the exceptions that allow the easy-to-prevent attacks to get a foothold on your network. THEN the more advanced attacks are unleashed.

    6. Re:Sure... by the_B0fh · · Score: 4, Insightful

      Seriously? Keeping your personnel files on paper and not the computer? And you think getting checks is slow now? BWAHAHAHAHA

    7. Re:Sure... by gweihir · · Score: 2, Insightful

      Remember RSA labs that kept the master keys to SecurID on their network? There is nothing simple or easy here and, of course, security costs money and in capitalism you only spend money if there is an expected gain. Unless people high up in management go to prison or the company is fined heavily on such events, nothing is going to change.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Sure... by mythosaz · · Score: 5, Insightful

      No, foo. It's called basic common sense -- keeping confidential medical records, SSNs, and personnel files in paper format only, and not allowing them to be scanned or placed in a system connected to the general business intranet, or "the cloud".

      Oh man, you had me going there for a second. I almost thought you were serious.

      Let's all go back to using a typewriter to file our taxes, and when my small-town radiologist wants a consulting opinion on my X-ray, lets have a courier drive it into metropolis for him. He can use a quill to write down his diagnosis and seal the letter with wax and a stamp from his ring.

    9. Re:Sure... by Nutria · · Score: 5, Insightful

      Keeping your personnel files on paper and not the computer?

      Of course, there's always keep your personal shit off the company servers!!! And keep what you do write in company documents at a professional tone.

      That would sure have mitigated a whole lot of personal pain by these supposedly blameless Sony employees.

      --
      "I don't know, therefore Aliens" Wafflebox1
    10. Re:Sure... by jeffmeden · · Score: 5, Informative

      He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

      That's not entirely true. It's not clear how many other targets the miscreants who hit Home Depot, Target, etc had, but they did a lot more than scripted attacks (they used social reconnaissance, then spear phishing, then multiple point-of-entry probes, for starters) in order to get inside, and once inside they put a hell of a lot of work into pulling off their attack, and mixed that with a ton of luck in order to actually succeed. The Target hack actually would have been dead from the start if Target trusted their FireEye consultants who tried to warn them of the impending data theft.

    11. Re:Sure... by DougOtto · · Score: 5, Insightful

      Unfortunately, security is a cost center, not a profit center. That doesn't sit well with the MBA types. Security does not support the success of a business in any obvious way - so we have to use metrics to show value.

      --
      Solving Unix problems since 1989...
    12. Re:Sure... by Anonymous Coward · · Score: 2

      ...as opposed to figurative typewriters and figurative paper?

    13. Re:Sure... by ganjadude · · Score: 2

      on the other hand, that would take care of the unemployment problem!

      --
      have you seen my sig? there are many others like it but none that are the same
    14. Re:Sure... by khasim · · Score: 3, Informative

      From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
      http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

      They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.

    15. Re:Sure... by Bob+the+Super+Hamste · · Score: 2

      Don't knock it it creates more little middle managers who will fight to keep their meager power and title.

      There was one project I worked on where there were people whose job was to go over each morning and pick up a pile of paper that had been printed out from one computer system and then go and type it into another computer system. There was enough push back from shitty little middle managers who realized that the project would end their little fiefdoms that the project got canceled. If your job can be replaced by some wire and a router you really should have been retraining for a new job years ago.

      --
      Time to offend someone
    16. Re:Sure... by ColdWetDog · · Score: 4, Insightful

      Every. Fucking. Hospital. Everywhere.

      The only thing that keeps this from being a problem is that the gory details of most people's lives are really not interesting to anybody and they are hard to monetize. I would imagine that hospitals and clinics around Hollywood have been hit multiple times. If you are a 'high value target', ie, nobody here on Slashdot, I'd be worried.

      Very worried.

      --
      Faster! Faster! Faster would be better!
    17. Re:Sure... by ColdWetDog · · Score: 4, Insightful

      Really. This. How hard is it NOT to flame people on a COMPANY EMAIL system? Even if some hacker doesn't get to you, your boss or some HR flunky might. Leave the immature conversations to places like Slashdot. It's what we do ....

      --
      Faster! Faster! Faster would be better!
    18. Re:Sure... by mlts · · Score: 2

      There is a balance between going back to paper and double-entry books versus putting the whole thing so close to the Internet that a single compromised box can make it easy for an attacker to slurp everything down. There are also tools to help separate data, but yet allow people to do their daily jobs.

      VDIs come to mind. If one can serve up apps from different desktops, a user can have an external Web browser, internal Web browser, E-mail, the internal finance application, with appropriate separation between all of them.

      On a different level is putting assets behind Citrix or RDP. The user can manipulate them, but doesn't have access to fetch the files. This helps limit potential damage, the worst thing being RATs, next would be screenshot snappers/keyloggers, but again, the signature of a RAT should be detected by the network IDS/IPS, especially if that network doesn't allow access to the external Internet other than through an application.

      So, there is a balance between unfettered Internet access and a complete airgap, with security maintained. As an extreme, there is always moving back to a text terminal emulator and using SSH or even a 3270 emulator as opposed to going all the way back to paper and pencil.

    19. Re:Sure... by lgw · · Score: 3, Informative

      It's easy to be self-righteous. I used to see it all the time from member of the Christian religion- most of whom weren't really that familiar with scripture. It's no more appealing seeing the same attitude from members of the new Global Warming religion, most of whom aren't really that familiar with the science.

      Climate models may one day mature to something beyond the basket of hypotheses they are now, but none of them have yet been successful in predicting climate data, except where the null hypothesis also predicted that data. The science doesn't justify your arrogance. I wouldn't call it "pseudoscientific", but it's far from certain as well, and the actual predictive models (as opposed to hand-wavey claims) aren't yet well supported by actual data.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    20. Re:Sure... by lgw · · Score: 3, Insightful

      Look at the historical data.

      It should jump out at you that the past 10k years of relative climate stability is an anomaly, and that rapid (on geological scales) swings in temperature and CO2 are the norm. That whole system is not well understood, though I believe solar variation is the leading hypothesis right now. On a scale beyond a century, there's just no reason to expect climate stability in the first place.

      On a decade by decade scale, there's no evidence of warming in the 17 years of reliable satellite temperature data. The null hypothesis - that average temperatures aren't changing - has actually been the best predictor of climate data since the late 90s, odd as that may sound.

      The simple fact is: the atmosphere and oceans are chaotic systems, with a variety of positive and negative feedback loops, quite difficult to model, and you can't talk about climate change in a scientific way without doing so. There are no obvious conclusions to draw, as the system we live in is simply too complex for hand-wavy, back-of-the-envelope calculations to be interesting. We may simply lack the technology today to do this science properly. That's not a reason to stop - we built the LHC, proof we can do some fucking impressive technological advancement to achieve a scientific goal. But it is a reason to avoid arrogance.

      Climate science is at the phlogiston / aether / Freud stage right now. That's fine, every science must start that way, and the scientific method works given time. But for goodness sake the lay believers are very much like a religion right now, complete with a list of sins and a Hell to roast in, and that's taking it too far!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    21. Re:Sure... by poetmatt · · Score: 2

      You're talking about air gapping the wrong system.

      There needs to be an air gap between executives and computers. They need to never be allowed to breach it, because they are completely fucking stupid. Sony is so inept I don't even get how they are allowed to do business. This is such a lack of security compliance for a for profit that I imagine compliance auditors are drooling by now.

      Is it unique to them? not even remotely. Is it their own fault? about 99.9%. 56 hacks in 12 years is not a company who understands technology. It's a company with about as much technical knowhow as the musical artists they represent.

    22. Re:Sure... by mythosaz · · Score: 3, Insightful

      Costs would increase and quality of care would decrease.

      You're clearly onto something here.

    23. Re:Sure... by skids · · Score: 2

      People just cannot resist the ease of communication. Email is the crack cocaine of IT security.

      I've always maintained the most devastating payload a worm could have would be forwarding random things from sent-mail to random recipients in the contacts list, considering how so many lead incredibly dishonest lives.

    24. Re:Sure... by chihowa · · Score: 2

      And those zeros are differences in the cost of (a lack of) security to Sony. Unless you're selling security, it does not generate revenue (and thus profit). Hence cost center vs. profit center.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    25. Re:Sure... by ZeroPly · · Score: 4, Insightful

      No. Security is NOT a profit center. If you think it is, then you are not understanding what the term "profit center" means. A profit center for a decentralized business generates revenues as well as incurs expenses. Most IT departments are not profit centers BY DEFINITION.

      --
      Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
    26. Re:Sure... by orgelspieler · · Score: 2

      Except my medical insurance is provided by my company, so all of my insurance claims are filed here at work via email. Employees have access to a benefit network that includes divorce/marriage/psych/legal counseling. Registration for these services goes through our local servers before getting to the service provider. So much for your sage advice.

    27. Re:Sure... by Anonymous Coward · · Score: 2, Funny

      Mandatory 'expiration dates' to delete old emails.

      Didn't the IRS recently institute a policy similar to this with the date being "whenever someone asks if we're breaking the law"?

    28. Re:Sure... by Stormy+Dragon · · Score: 2

      This could actually be a good thing. The existence of security breach insurance would necessarily require quantifying how much risk a particular organization creates. The insurer is now a third party that has an incentive to make sure the company is following best practices and the ability to punish companies that don't (through denial of coverage or through increased premiums).

    29. Re:Sure... by dbIII · · Score: 2

      With respect, the phlogiston theory worked apart from the oxidation of iron. Noticing this shortcoming was one of the things that led to the discovery of oxygen.
      However using it as a comparison to the current state of climate science, which more than a century ago got as far as identifying El Nino/La Nina, is a gross insult that I'm sure you wouldn't want applied to your field (or I to mine, which is not anything to do with climate just like yours is not). What's worse is it looks like you are just repeating second hand from a fucking economist that calls his field a science yet pretends that a long established geoscience is not.
      We went to the poles a century ago to understand more about climate. That's a lot of resources to do something like that and a science needs to be taken seriously for that to happen, and it was. It's apparently all about refining models these days and not a stab in the dark like the political talking points suggest.

    30. Re:Sure... by dbIII · · Score: 2

      The Bagle worm came close in that it resent old email - sort of amusing seeing people's reactions to that when something they had dealt with months ago appeared to resurface. It also sent empty print jobs to every printer it could find.
      Walking in to a place with all the printers spewing out blank paper and several people arguing that they had already done something so why the nagging by email reinforced my view that MS were selling toys that people were mistakenly deploying in offices.

    31. Re:Sure... by jeffmeden · · Score: 2

      From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
      http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

      They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.

      Where did it actually say that? They know the credentials given to Fazio were used to access the Target systems as the point of entry, but they don't know how the miscreants came into possession of them. The most likely method was a spear phishing attack that allowed a keylogger on to one of the PCs at Fazio. It's simply too far fetched to think that someone trolling with a script happened across Fazio, then just realized they could use it as a backdoor into Target, and then also be in possession of some very sophisticated malware that, oh gee look, matches the Target POS systems exactly down to the firmware rev number.

    32. Re:Sure... by demonlapin · · Score: 2

      They have to use it to report your income to the IRS so that you can be properly credited for your Social Security earnings and taxes withheld on your behalf. I'm all in favor of eliminating withholding and forcing everyone in the country to pay quarterly estimated taxes, but we all know that isn't going to happen.

    33. Re:Sure... by dbIII · · Score: 2

      Your ire is aimed at something that was well established when Thatcher spoke about it. It used to be supported by the conservative side of politics until it became politically expedient to pretend that an evidence based approach was inferior to gut feeling.

      Once again, pretending that experts in a very long established field, well over one century in this case, in some way have nothing that they can assert is real calls into question the idea of expertise in general. That's the road to mediocrity that we are following. First it was denouncing educated clergy versus anyone that could pick up a bible, be loud, charismatic and declare the San Francisco earthquake to be the judgement of God, then it was geologists for suggesting the earth has changed since creation, then biologists for daring to suggest life has changed since creation, now climate scientists for daring to suggest that it hasn't been dry in Texas forever and that changes have been observed. Such loonies made up the numbers and were grafted onto conservative politics and suddenly it wasn't conservative any more. I get that you want to cheer for your team and that all team dogma must be accepted without question, but it does make otherwise intelligent people pushing their politics into other people's science look bad in a variety of ways.
      It's become a mindless proxy for politics just like gun control and abortion. The issues are not considered at all, once you've chosen a side the dogma is defined. If voting in the USA was compulsory you'd have more choices, there'd be less polarisation and less need to stick with party dogma on key issues. If that happens less of the posters on this site would look like hopelessly naive idiots with no idea about the issues they say they are discussing.

    34. Re:Sure... by iluvcapra · · Score: 2

      Sony is so inept I don't even get how they are allowed to do business. This is such a lack of security compliance for a for profit that I imagine compliance auditors are drooling by now.

      I work at Sony Pictures on and off, ironically about two years ago the studio went through a huge ISO 27001 compliance audit, it was a huge deal at the time. I've worked at all the major Hollywood studios and I'd probably characterize Sony as having the best physical security. I didn't work in IT so I don't know all the ins and outs of the computer system but FWIW only the PCs on the lot were affected by the hack, all the Macs and unix-like machines are still running business-as-usual over there.

      "Security compliance" obviously isn't going to be enough because widespread industry standards are woefully inadequate.

      56 hacks in 12 years is not a company who understands technology. It's a company with about as much technical knowhow as the musical artists they represent.

      That's if you count every company called "Sony." The movie studio, the music label, the games units, the different web and streaming sites, and the different electronics divisions are all basically different companies from an IT perspective (which is fortunate, considering how much damage this hack could have done if they WERE all just one IT establishment.) And this is just speaking of Sony America, which is the parent of Sony Picture Entertainment Group, Sony Music... Sony's a huge international conglomerate, you can't boil it down to some personification that's either stupid or smart.

      --
      Don't blame me, I voted for Baltar.
    35. Re:Sure... by cardpuncher · · Score: 2

      I don't know how Sony Pictures internal systems communicate, but I'm pretty sure they don't need to have direct access to world+dog in order to do so.

      What seems to have happened here is that by network-based manipulation of external firewalls, direct communication routes were established between malicious hosts on the Internet and internal systems. You can avoid that and still maintain e-mail communication by relaying your mail over something other than TCP/IP between your internal-facing and external-facing systems, for example.

      And there are actually very good productivity reasons for restricting Internet browsing to dedicated computers on physically separate networks - it considerably reduces the amount of the day your staff spend on facebook and amazon.

      I'm amazed the "Internet of Everything" mentality still prevails. It was a utopian dream of the 1980s and 1990s but we now have very clear evidence of what happens in practice with universal connectivity - a dystopian nightmare in which governments and criminals are in competition to gain the most effective control over people and commerce.

      Perhaps we can ask Sony Pictures how their present productivity is looking compared to, say, RKO?

    36. Re:Sure... by EndlessNameless · · Score: 2

      So your suggestion is, let's keep all of our super important stuff on a front-end facing system in the first place.

      I never said that, but thanks for throwing an asinine straw man up there.

      They can probably lock things down better than they did, but I don't work at Sony and I haven't seen their network diagrams so I can't really say. But the idea of air-gapping financial systems for a company of Sony's size is mind-boggling stupid.

      Even something as simple as warranty work breaks down without automation. Every authorized repair depot needs some way to order parts, submit claims, and receive payment at an absolute minimum. If you air-gap the systems for that, guess what happens to time and cost of warranty repairs? And this is just one facet of the business.

      So right there, you have network-accessible procurement, payment, and personally-identifiable information (customer name/address and product serial number are typically included in warranty documentation). Waving the magical air-gap wand as a security fix means nothing if it fundamentally breaks the way the business operates.

      So yes, Sony probably fucked up somewhere. If they're like most businesses, there are probably multiple problems with their infrastructure. But pretending there's a simple answer is just ignorant and does absolutely nothing to advance the discussion or solve any real-world problems.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  2. Official Conclusion by Anonymous Coward · · Score: 5, Insightful

    Nobody mentioned "The Interview" or North Korea until days after the attack, then it simply appeared from nowhere and asserted itself as the truth. The emails from the hackers are in the stash, and reputable sources who have time to read such things have reported that not a single email from GOP prior to the release mentioned The Interview, only demands for money.

    1. Re:Official Conclusion by xaotikdesigns · · Score: 4, Insightful

      Step one: Extort a hell of a lot of money
      Step two: Wait for the press to guess who is behind it all
      Step three: Take their wild guesses and run with them. Cause as much chaos as you can.
      Step four: While everybody is looking at the wrong people, gather up all the money/info you can sell, and disappear.

      --
      XDInd
    2. Re:Official Conclusion by Serenissima · · Score: 4, Funny

      Someone should hack Sony and then release The Interview online. I'd laugh.

      --
      Give a man a fire and he'll be warm for a day. But light a man on fire and he'll be warm for the rest of his life.
  3. Re:So which building will they blow up? by halivar · · Score: 5, Funny

    and throw in some mass drops of MP3 players loaded with Sony tunes on the country.

    There's no call for such drastic and morally questionable measures, yet; let's just try airstrikes first.

  4. You can stop those type of attacks by mrlinux11 · · Score: 2

    Security is not easy, but it can be done. But most companies like security theater it's cheaper, until something like this happens.

    1. Re:You can stop those type of attacks by phantomfive · · Score: 5, Insightful

      Security is not easy, but it can be done

      Probably not. Do you think your Linux box has no vulnerabilities? (hint: it does). Even if you run OpenBSD (which still has vulnerabilities), are the employees at your company going to use a browser? That will have vulnerabilities, too.

      Which brings us to the biggest security vulnerability, employees. Remember that the most valuable information a company has isn't the root password, it's the documents and emails the employees are working on and have access to.

      So not only do you need to have a perfectly secure operating system (which doesn't exist), you're also going to need secure employees. Good luck at that.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:You can stop those type of attacks by phantomfive · · Score: 2

      All you need is security good enough to keep the attackers out. The trick is to find what level that requires.

      Against a targeted, skilled attack, there is no level that is good enough to keep them out.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:You can stop those type of attacks by gweihir · · Score: 2

      You said "no level". Ever talked to somebody that handles highly classified data in some TLAs? No, did not think so. Sure, it is expensive, but you can keep any and all types of attackers out if you invest enough and have the right people defining processes and implementing controls, except for those attackers that can come to you and break down your door or those that can plant people with you long-term. This "there is no way to protect yourself" meme is just BS for the uninformed and has nothing to do with professional risk-management.

      What Schneier is talking about is the setting of a large, commercial enterprise that must be profitable. And even there you can keep all that would find your data commercially valuable out, you just need to understand the business aspects of security. True, against resourceful fanatics, that may not be enough. But Sony did clearly not even have the basic level of protection they needed in place. My take is this was some random group of big-ego-mediocre-skill hackers that got lucky and that are now grand-standing. Remember LulzSec? If they were still active, this would be right up their alley.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Don't use your company email for personal business by Anonymous Coward · · Score: 3, Insightful

    Ding! Problem solved!

  6. Blameless Random Employees? by xaotikdesigns · · Score: 3, Informative
    I thought they got the admin credentials. If they got the admin credentials, then it's probably someone's fault for not ensuring that there was a good password policy, or that they made sure that only the right users had any kind of admin rights.

    Likewise, how long does it take to download 100TB of data? I'm guessing that this was probably something that took a bit of time to pull off, and they probably should have found something while all this data was flying out of their system.

    --
    XDInd
    1. Re:Blameless Random Employees? by Malizar · · Score: 2

      I am sure their password policy is one of those "You have to change your password weekly, cannot use the same password you ever used before, must contain a random assortment of letters, numbers and symbols." kind of policies that makes people write their passwords down on a note under their keyboard.

    2. Re:Blameless Random Employees? by speedlaw · · Score: 2

      or throw the keyboard against the office wall...and then write the password on a post it note pinned to the screen

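The point raised above, that moving something on the order of 100TB out of a network takes real time and should show up as an egress anomaly, as an added example that is not from the post or from any Sony system. The flow records, host names and addresses are constructed; the 100 TB figure and 1 Gbps link are the inputs used for the back-of-envelope time estimate, and the 5x-over-baseline / 1 GB thresholds are illustrative tuning, not a recommendation.

```python
"""Added example: spotting a bulk data exfiltration by egress volume.

Constructed flow records (not Sony's logs); host names and addresses are
made up. Each record is (day, internal_host, destination_ip, bytes_out).
"""
from collections import defaultdict
from statistics import median

# Constructed sample: six ordinary days, then on day 7 one file server
# pushes 30 GB to an address it never talked to before.
FLOWS = []
for _day in range(1, 8):
    FLOWS.append((_day, "ws-041", "203.0.113.10", 80_000_000))
    FLOWS.append((_day, "ws-041", "198.51.100.5", 20_000_000))
    FLOWS.append((_day, "fs-02", "203.0.113.10", 500_000_000))
FLOWS.append((7, "fs-02", "198.51.100.77", 30_000_000_000))


def hours_to_move(total_bytes, link_bits_per_second):
    """Wall-clock hours needed to push total_bytes over a link of the given
    speed, assuming the attacker gets the whole link (a lower bound)."""
    return total_bytes * 8 / link_bits_per_second / 3600


def daily_egress(flows):
    """Sum outbound bytes per internal host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def flag_exfil(flows, ratio=5.0, min_bytes=1_000_000_000):
    """Return hosts whose latest-day egress is at least `ratio` times their
    own median over earlier days and above `min_bytes` (so a quiet host
    going from 1 KB to 10 KB is not an alert)."""
    totals = daily_egress(flows)
    latest = max(day for day, *_ in flows)
    flagged = {}
    for host, per_day in totals.items():
        today = per_day.get(latest, 0)
        history = [b for d, b in per_day.items() if d != latest]
        if not history:
            continue  # no baseline yet; a brand-new host needs a different rule
        baseline = median(history)
        if today >= min_bytes and today >= ratio * baseline:
            flagged[host] = {
                "bytes": today,
                "baseline": baseline,
                "ratio": today / baseline if baseline else float("inf"),
            }
    return flagged


if __name__ == "__main__":
    print(f"100 TB at 1 Gbps: {hours_to_move(100 * 10**12, 10**9):.0f} hours")
    for host, info in flag_exfil(FLOWS).items():
        print(f"{host}: {info['bytes'] / 1e9:.1f} GB out, "
              f"{info['ratio']:.0f}x its usual {info['baseline'] / 1e9:.1f} GB")
```

At a full gigabit the 100 TB in the post is over nine days of continuous transfer, which is why a per-host baseline comparison like this one (run daily against flow or proxy logs) tends to catch bulk theft even when the initial intrusion was missed. The weak spot is a host with no history, or an attacker who throttles to stay under the ratio; pair it with a per-destination "first seen" check for that.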
  7. Blameless employees? by Spy+Handler · · Score: 4, Insightful

    it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed

    If you were using your company's Exchange server for gossiping and thought it was safe (i.e. the IT department would never have access to this, oh no) then you're stupid and deserve whatever fate you get.

    I can sympathize with the people whose SS numbers were stolen out of no fault of their own. But Amy Pascal making Obama black jokes on company email was just stupid as hell and she deserves whatever scorn people will heap on her.

  8. Re:Sony security: strong or weak? by MightyMartian · · Score: 5, Interesting

    I'd be interested in knowing the details of the attack. Was it a "social engineering" attack of some kind (i.e. a virus-laden email that someone with high privileges opened)? Was it a vulnerability in their networks? I've heard someone with high level admin privileges had their account hacked, but in what way was it done?

    The organization I work for is a contractor for the government of a North American jurisdiction, and yesterday morning I started getting reports that some sort of virus-laden emails were flowing out of this government's networks. Sure enough, within half an hour, I got emails from a contact I have within this particular agency, with an attached ZIP file with an SCR file inside. That has to be one of the oldest ways that malware has been transmitted on Windows systems; I saw my first virus-laden SCR file somewhere around 1997-1998.

    Apparently this critter is so new that by the time we checked, only a few AV companies had caught on to it. Even worse in some ways is that it appears that it made its debut on the very government servers in question, making me think this was a targeted attack. So you have a combination of a brand new virus of some kind that won't get caught by the scanners, lax email rules that allow the opening and execution of executable file types (not that blocking EXE variants means some bastard won't be firing off a compromised PDF at an unpatched system), and users who through a combination of laziness and ignorance happily take the final step.

    With this particular attack, there would have been no problem if Outlook had been configured not to open these kinds of attachments, and in an Active Directory environment, that's pretty trivial, so some of the blame has to go to this government agency's IT team. But still, even with the best safeguards, where users just happily click on any old attachment, it doesn't exactly take a rare alignment of the stars to have malware planted in a network. Sure, it won't have root privileges and won't be able to propagate itself via more sophisticated means, but it appears in this case it didn't need to.

    So I do agree to some point that there are finite limits to what any person or organization can do to secure itself against a determined and directed attack. But there are ways to make such attacks much more difficult, and more quickly captured before they wreak too much harm.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
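    The mail-gateway side of the control MightyMartian describes (refusing executable types such as SCR, including when they arrive inside a ZIP), written as an added Python example rather than anything from the thread or the agency in question. The block list, the nesting limit and the constructed sample attachments are assumptions for the demonstration; a real gateway would pair this with the Outlook/Group Policy attachment restrictions the comment mentions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the gateway refuses inside archives. This block list is an
# assumption for the example, not a policy taken from the thread.
BLOCKED_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# How many levels of ZIP-inside-ZIP to descend; deeper nesting is itself suspicious.
MAX_DEPTH = 2


def find_blocked_members(archive_bytes: bytes, depth: int = 0) -> list:
    """Return member names whose extension is on the block list.

    Nested ZIP members are inspected up to MAX_DEPTH and reported as
    "outer.zip/inner-name". Encrypted members cannot be inspected, so they
    are reported with an "[encrypted]" tag rather than silently passed.
    A blob that is not a ZIP at all yields an empty list.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return hits
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        if info.flag_bits & 0x1:          # general-purpose bit 0: member is encrypted
            hits.append(f"{name} [encrypted]")
            continue
        ext = PurePosixPath(name).suffix.lower()
        if ext in BLOCKED_EXTS:
            hits.append(name)
        elif ext == ".zip" and depth < MAX_DEPTH:
            inner_hits = find_blocked_members(zf.read(name), depth + 1)
            hits.extend(f"{name}/{h}" for h in inner_hits)
    return hits


def gateway_decision(archive_bytes: bytes) -> str:
    """'QUARANTINE' if anything inside is blocked or uninspectable, else 'DELIVER'."""
    return "QUARANTINE" if find_blocked_members(archive_bytes) else "DELIVER"


def build_zip(members: dict) -> bytes:
    """Helper to construct in-memory ZIP attachments for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments (not real malware): a harmless PDF-looking
# file, a screensaver "executable", and a nested archive hiding an .exe.
INNER_ZIP = build_zip({"readme.txt": b"nothing to see", "bonus.exe": b"MZ" + b"\x00" * 16})
SUSPECT_ZIP = build_zip({
    "Statement_2014.pdf": b"%PDF-1.4 ...",
    "Photo.scr": b"MZ" + b"\x00" * 16,
    "archive.zip": INNER_ZIP,
})
CLEAN_ZIP = build_zip({"agenda.docx": b"PK..not-really", "notes.txt": b"hello"})

if __name__ == "__main__":
    print(find_blocked_members(SUSPECT_ZIP))   # ['Photo.scr', 'archive.zip/bonus.exe']
    print(gateway_decision(SUSPECT_ZIP), gateway_decision(CLEAN_ZIP))
```

    The decision is by extension only, which is deliberate: the point of the control is that the message should never reach a user's Outlook for a signature to matter, so the gateway does not try to judge whether the SCR is "really" malicious. Encrypted members are quarantined for the same reason: if the gateway cannot look inside, the user should not be the one to find out.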
  9. Why the FBI thinks it's North Korea by phantomfive · · Score: 5, Informative
    We shouldn't just believe the FBI, but here's what they've revealed of their evidence so far:

    While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

    * Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
    * The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
    * Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Why the FBI thinks it's North Korea by Anonymous Coward · · Score: 2, Insightful

      Here's the underlying problem, despite all this: You have to trust the FBI. Sorry to say, as a common American, I don't! As an IT professional, it's plausible, but until these sources and evidence are validated by independent 3rd parties, N.K., like every other possible culprit, is just that. A suspect.

  10. Re:What? by mccrew · · Score: 3, Funny

    If they have nothing to hide, they shouldn't worry. Who cares about their boring lives?

    ... said the Coward who posted anonymously.

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  11. Re:Isn't Sony a foreign company? by bsDaemon · · Score: 2

    Because Sony Pictures is an American subsidiary of the Japanese conglomerate, which was based in the US and the majority of the affected employees were US citizens or at least Residents?

  12. Re:You can at least make it hard for them by thoriumbr · · Score: 3, Insightful

    He knows what he is saying. He said that if you are targeted in a high-skill, high-focus attack, it's basically game over.

    It's like defending yourself from a random mugging on the streets versus surviving a professional hitman. You can make it harder to be attacked by a random hacker or an unfocused hacker, but it's impossible to defend yourself from all kinds of attacks by a very skilled hacker focused on attacking you.

  13. No real need for updates, either... by BUL2294 · · Score: 2

    The other advantage of the air-gapped network is that you no longer "need" to update the computers within the network with most of the security updates that come across Windows Update. Build them from DVDs & SPs with known hash values, never having connected them. Who cares if those PCs are still stuck on Win7-SP1 or Win8.1 RTM. Their primary attack vector (e.g. the big bad Internet) is unavailable. Even if these machines are built with malware, the worst that could happen is that they get erased, but the data still doesn't go out.

    But what about e-mail? IM? Interwebs? Facebooking? Really??? Buy a 2nd, low end PC, wirelessly connect it to the corporate network, and voila! Hell, you could even use a KVM for this purpose, if you'd rather not spring for the expensive $400 laptops. Don't take the easy approach of connecting the networks in a way that only allows for RDP sessions--a determined hacker with unlimited funds (e.g. state sponsors) would figure that one out.

    But what about Adobe Cloud or whatever program needs to connect to the Internet? Most such programs have alternative options for air-gapped networks (e.g. a license server), and a company like Adobe could be browbeaten by a company like Sony into disabling phone-home. For high-risk applications where you can't talk your vendor out of phone-home, it's time to look for a new vendor...

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
  14. Re:So which building will they blow up? by Dracos · · Score: 2

    Why MP3 players? Drop Sony CDs on NK to install a rootkit on every computer in the country.

  15. Re:You can for the most part. by H0p313ss · · Score: 2

    He forgot the next step, always burn the flash drive afterwards.

    That's why they're called flash drives right?

    --
    XML is known as a key material required to create SMD: Software of Mass Destruction
  16. Re:Sony security: strong or weak? by DarkOx · · Score: 2

    You do have to cut them a little slack here. If we were talking about a coal mining company or something, terabytes of data going out the door would be pretty unusual, and SIEM systems would be trained to flag that sort of thing.

    This is Sony Pictures, though, terabytes probably go out the door all the time. I mean that might be less than a few hours of uncompressed video going to a contractor for post processing or something.

    No, my bigger question, having done this kind of thing for a living now for some time, is why a basically purely IP organization would not have effective controls in place to know what kind of data is going out the door and to put a hard stop to it the moment something that should not be there is spotted.

    OK, maybe you can't do that with the aforementioned video data, but you certainly can watch for byte patterns that look like addresses, SS numbers, e-mails, etc., usually in great quantity, on the wire.

    You certainly do not allow anything encrypted to go out unless you MITM it. Could an attacker do something like slap some MPEG headers on top of a big encrypted data stream? Probably, but they'd have to know to do it.

    If my entire world was IP like Sony Pictures, I'd probably take it a few steps further: make sure my firewall devices knew the common container formats for various media types and continued to make sure sync bytes and frame markers occur where they ought to. Any time more than a handful of megabytes of something I can't recognize flowed, it would alert and someone from the CERT team would pick up the phone and call whoever it was associated with that source IP. No attribution, shut it down; no explanation, shut it down.

    The hardware and software to do this is commercially available, more or less off the shelf and has been for at least five or seven years now.


    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
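    An egress sensor along the lines DarkOx sketches, as an added Python example (not the commenter's setup and not any vendor's product): it allows a flow only if a recognised container's sync bytes recur at every packet boundary, blocks flows dense in SSN or e-mail patterns, and blocks unrecognised high-entropy data that the sensor cannot inspect. The MPEG transport stream check is the real one (0x47 at every 188 bytes); the regexes, thresholds and the four constructed sample flows are assumptions for the demonstration.

```python
import hashlib
import math
import re

TS_PACKET = 188          # MPEG transport stream packet size
TS_SYNC = 0x47           # sync byte expected at the start of every packet

# Crude PII detectors for an egress sensor. Both regexes are assumptions for
# the example; a production DLP system would use validated, tuned patterns.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def looks_like_mpeg_ts(data: bytes) -> bool:
    """True only if the sync byte recurs at every packet boundary, not just the first."""
    if len(data) < TS_PACKET or len(data) % TS_PACKET:
        return False
    return all(data[i] == TS_SYNC for i in range(0, len(data), TS_PACKET))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, around 4.5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pii_per_kib(data: bytes) -> float:
    """Matches of SSN or e-mail patterns per KiB of payload."""
    hits = len(SSN_RE.findall(data)) + len(EMAIL_RE.findall(data))
    return hits / (len(data) / 1024)


def egress_verdict(data: bytes, pii_threshold: float = 1.0, entropy_threshold: float = 7.5) -> str:
    """Decide whether an outbound flow should pass.

    Order matters: a recognised container is allowed first (media traffic is
    normal for a studio), then dense PII is blocked, then unrecognised
    high-entropy data (likely encrypted) is blocked because it cannot be inspected.
    """
    if looks_like_mpeg_ts(data):
        return "ALLOW_MEDIA"
    if pii_per_kib(data) > pii_threshold:
        return "BLOCK_PII"
    if shannon_entropy(data) > entropy_threshold:
        return "BLOCK_ENCRYPTED"
    return "ALLOW"


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for encrypted data."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples (no real data):
# 1. a well-formed transport stream: 64 packets, each starting with 0x47
REAL_TS = b"".join(bytes([TS_SYNC]) + pseudo_random(TS_PACKET - 1, bytes([i])) for i in range(64))
# 2. the trick DarkOx mentions: one genuine packet header in front of an encrypted blob
DISGUISED = REAL_TS[:TS_PACKET] + pseudo_random(TS_PACKET * 64)
# 3. an HR export: name, SSN and e-mail on every line
HR_DUMP = b"".join(b"Employee %d, 123-45-6789, user%d@example.com\n" % (i, i) for i in range(40))
# 4. ordinary prose with nothing sensitive
MEMO = b"The quarterly meeting moves to Thursday; bring the updated slide deck. " * 20

if __name__ == "__main__":
    for label, blob in [("real TS", REAL_TS), ("disguised", DISGUISED), ("HR dump", HR_DUMP), ("memo", MEMO)]:
        print(f"{label:10s} entropy={shannon_entropy(blob):.2f} verdict={egress_verdict(blob)}")
```

    The disguised flow fails for the reason the comment gives: a single MPEG header in front of ciphertext does not put a sync byte at the next 188-byte boundary, so the container check rejects it and the entropy check then treats it as uninspectable. The alert-and-call step belongs in whatever SIEM or CERT workflow consumes the verdict; this block only produces it.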
  17. Re:Sony security: strong or weak? by TubeSteak · · Score: 5, Informative

    I'd be interested in knowing the details of the attack. Was it a "social engineering" attack of some kind (ie. a virus-laden email that someone with high privileges opened)? Was it a vulnerability in their networks? I've heard someone with high level admin privileges had their account hacked, but in what way was it done?

    I can't find the story, but if I recall correctly, the short version is that the hackers probed Sony, couldn't get in, then started targeting affiliated companies until they found a remotely exploitable vulnerability.

    Once they breached that company's network, they found cached(?) credentials for a top Sony sys admin account and used that to access the US Sony intranet.

    They mapped the intranet, spread malware all over the place, exfiltrated ~100TB over the course of a ~year, then changed everyone's screensaver and went nuclear with the wiper attack.

    --
    [Fuck Beta]
    o0t!
  18. BS by Fnord666 · · Score: 2
    From the FTA:

    This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.

    Bullshit. There's always a choice. It's often less convenient, but that's a far cry from not having one.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  19. Re:Sony security: strong or weak? by NetNed · · Score: 2

    This tells a lot about what was first reported and how the actual claim of it being North Korea was fabricated. Most interesting is the line "Among the more than 11,000 newly-released files are hundreds of employee usernames and passwords as well as RSA SecurID tokens and certificates belonging to Sony". Ahhhh yea I'm going to say North Korea wasn't involved in the least in this......... Former employee(s) seem about a million times more likely.

  20. Re:Sony security: strong or weak? by whoever57 · · Score: 2

    Apparently this critter is so new that by the time we checked, only a few AV companies had caught on to it.

    What this shows yet again is that anti-virus scanners are a flawed methodology. There will always be a delay between a virus being released and the signature updates getting to the clients. It's inherent in the concept.

    Unfortunately, some early technology journalists were partially responsible for this because, in reviews, they ranked anti-virus products that identified threats by signature higher than ones that identified threats through behaviour -- and this was because signature analysis also provided a name to the threat. In other words, the flawed idea that if you tell the user a name for the threat, you provide better protection than if you just block it. This reinforced the concept of signature analysis and slowed down research of identification of threats based on generic behavioural patterns.

    --
    The real "Libtards" are the Libertarians!
  21. Sure, I'll dispute your "CO2 blanket analogy" by Crazy+Taco · · Score: 2

    Look, CO2 is like a blanket on the bed. Making it thicker makes you warmer. You wish to deny this?

    Partially, yes, for three reasons:

    1. Your body is a heat source. Cover it with a blanket and you get warmer because the heat energy is trapped and cannot easily escape, and your body is constantly adding additional heat energy. By contrast, the Earth is not a heat source in that same way. Any heat it has is generated by an external body: the sun. It's like a rock sitting next to a fireplace with a blanket over it. Take away the fire, and the rock is ice cold regardless of the blanket. Same with the Earth. This makes the CO2/blanket analogy very flawed, because the climate can be totally independent of the thickness of the blanket, and get much colder or much warmer based almost entirely on the current energy output of the sun.
    2. Secondly, CO2 is a tiny trace gas in our atmosphere. This is not Venus where it makes up the majority of the atmosphere. Our atmosphere is 78% nitrogen and 21% oxygen, and everything else is a trace gas. People like to claim there has been a dramatic rise in CO2, but zoom the scale of your graph out, and you see that the "big jump" is considerably less than a fart in a windstorm. Right now CO2 makes up 0.04% of our atmosphere. 100,000 years ago it is estimated that it was 0.03%. So even assuming humans are 100 percent responsible for the 0.01% increase, it is extremely tiny. In your blanket analogy, you claim that making the blanket thicker makes you warmer. I would dispute that and say that it does not make you warmer if the blanket is negligibly thin. If a human is covered by a blanket that is 0.03% the width of an average thread, and you "thicken" it to 0.04% the width of an average thread, I submit to you that that is so negligible that you do not, in fact, find yourself feeling warmer from the thickening of the blanket. We really do need to keep our perspective on CO2 percentage and not commit fallacies based on graphs of CO2 concentration that are far too zoomed in to show context.
    3. Thirdly, we do not understand all the interacting, chaotic systems on our planet at all. We see clearly that CO2 percentage and temperature have both varied considerably over the course of the planet's history, but frankly, we really don't know why. Why should there be a difference between 100,000 years ago and 50,000 years ago? We certainly know humans didn't have anything to do with that. And because we can't say what the causes are, we can't say definitively that thickening the so called blanket leads to warming. Historically, we know that CO2 increased only to find that in later eras it decreased. This would suggest the planet has some kind of feedback/absorption systems that can at times remove CO2 and thin the blanket. We also know temperature can increase or decrease by large amounts naturally with no involvement from humans, and that temperature does not always move in sync with CO2 concentrations historically. In short, we don't understand the relationships between the CO2, temperature, and the systems on this planet, so even though a CO2 increase may lead to a temperature increase in an isolated system, we don't know that CO2 increase leads to predictably higher temperatures (or even permanently higher CO2 levels) in the highly complex planetary system of Earth.
    4. So yes, I wholeheartedly dispute your blanket analogy on the grounds that it is a flawed analogy, and that we don't know enough about our planet to make any intelligent predictions or models at this time. Indeed, every model we have, when fed historical temperature data, says we should be at much higher temperatures than we are now. Most assume some kind of blanket model, but since none match our measured results, we can conclude that a simple blanket model does not match the complex reality of the systems on Earth.

    --
    Beware of bugs in the above code; I have only proved it correct, not tried it.
  22. Excerpt from BSG by cookiej · · Score: 2

    "Galactica is a reminder of a time when we were so frightened by our enemies that we literally looked backward for protection..."

    ... and, of course ...

    "... But I will not allow a networked, computerized system to be placed on this ship while I am in command."

    We live in a world of Cylons.

  23. Re:PHP itself by tepples · · Score: 2

    More than likely, in a world without PHP, another language with similar benefits and drawbacks to PHP would likely have been invented.