Slashdot Mirror
Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)
phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us."
Related: the FBI has officially concluded that the North Korean government is behind the attack.
Nobody mentioned "The Interview" or North Korea until days after the attack, then it simply appeared from nowhere and asserted itself as the truth. The emails from the hackers are in the stash, and reputable sources who have time to read such things have reported that not a single email from GOP prior to the release mentioned The Interview, only demands for money.
and throw in some mass drops of MP3 players loaded with Sony tunes on the country.
There's no call for such drastic and morally questionable measures, yet; let's just try airstrikes first.
it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed
If you were using your company's Exchange server for gossiping and thought it was safe (i.e. the IT department would never have access to this, oh no) then you're stupid and deserve whatever fate you get.
I can sympathize with the people whose SS numbers were stolen out of no fault of their own. But Amy Pascal making Obama black jokes on company email was just stupid as hell and she deserves whatever scorn people will heap on her.
Security is not easy, but it can be done
Probably not. Do you think your Linux box has no vulnerabilities? (hint: it does). Even if you run OpenBSD (which still has vulnerabilities), are the employees at your company going to use a browser? That will have vulnerabilities, too.
Which brings us to the biggest security vulnerability, employees. Remember that the most valuable information a company has isn't the root password, it's the documents and emails the employees are working on and have access to.
So not only do you need to have a perfectly secure operating system (which doesn't exist), you're also going to need secure employees. Good luck at that.
"First they came for the slanderers and i said nothing."
I'd be interested in knowing the details of the attack. Was it a "social engineering" attack of some kind (ie. a virus-laden email that someone with high privileges opened)? Was it a vulnerability in their networks? I've heard someone with high level admin privileges had their account hacked, but in what way was it done?
The organization I work for is a contractor for the government of a North American jurisdiction, and yesterday morning I started getting reports that some sort of virus-laden emails were flowing out of this government's networks. Sure enough, within a half an hour, I got emails from a contact I have within this particularly agency, with an attached ZIP file with an SCR file inside. That has to be one of the oldest ways that malware has been transmitted in Windows system, I saw my first virus-laden SCR file somewhere around 1997-1998.
Apparently this critter is so new that by the time we checked, only a few AV companies had caught on to it. Even worse in some ways is that it appears that it made its debut on the very government servers in question, making me think this was a targeted attack. So you have a combination of a brand new virus of some kind that won't get caught by the scanners, lax email rules that allow the opening and execution of executable file types (not that blocking EXE variants doesn't mean some bastard won't be firing off a compromised PDF at an unpatched system), and users who through a combination of laziness and ignorance happily take the final step.
With this particular attack, there would have been no problem if Outlook had been configured not to open these kinds of attachments, and in an Active Directory environment, that's pretty trivial, so some of the blame has to go to this government agency's IT team. But still, even with the best safeguards, where users just happily click on any old attachment, it doesn't exactly take a rare alignment of the stars to have malware planted in a network. Sure, it won't have root privileges and won't be able to propagate itself via more sophisticated means, but it appears in this case it didn't need to.
So I do agree to some point that there are finite limits to what any person or organization can do to secure itself against a determined and directed attack. But there are ways to make such attacks much more difficult, and more quickly captured before they wreak too much harm.
The world's burning. Moped Jesus spotted on I50. Details at 11.
While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
* Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
* The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
* Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
"First they came for the slanderers and i said nothing."
If you air gap email and financial systems, you're stepping right back into the mid-1900s. Back when it took an entire office of secretaries to process correspondence, and another office full of accountants to handle billing and ledgers. Because if those systems are disconnected, someone will have to transfer reams of data in and out of them. That is no longer feasible.
Your suggestion is so completely impractical, I wonder why you joined slashdog in the first place. You clearly have no understanding of modern IT.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
And one of the aspects where I disagree with him:
He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.
And 100% agreement with your air gap recommendation.
He's got it right there. Once you are online you can be attacked by anyone anywhere. The only advantage you have is that you control the wire in your organization. Wireless is more of a pain. But you can see every packet moving on the wire.
In my experience, the problem is not money. The problem is EGO. Someone is always convinced that what they are doing is more important than following what the IT nerds say and they have the political clout within the company to force exceptions be made.
It is the exceptions that damage your security.
It is the exceptions that allow the easy-to-prevent attacks to get a foothold on your network. THEN the more advanced attacks are unleashed.
Seriously? Keeping your personnel files on paper and not the computer? And you think getting checks is slow now? BWAHAHAHAHA
No, foo. It's called basic common sense -- keeping confidential medical records, SSNs, and personnel files in paper format only, and not allowing them to be scanned or placed in a system connected to the general business intranet, or "the cloud".
Oh man, you had me going there for a second. I almost thought you were serious.
Let's all go back to using a typewriter to file our taxes, and when my small-town radiologist wants a consulting opinion on my X-ray, lets have a courier drive it into metropolis for him. He can use a quill to write down his diagnosis and seal the letter with wax and a stamp from his ring.
Keeping your personnel files on paper and not the computer?
Of course, there's always keep your personal shit off the company servers!!! And keep what you do write in company documents at a professional tone.
That would sure have mitigated a whole lot of personal pain by these supposedly blameless Sony employees.
"I don't know, therefore Aliens" Wafflebox1
He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.
That's not entirely true. It's not clear how many other targets the miscreants who hit Home Depot, Target, etc had, but they did a lot more than scripted attacks (they used social reconnaissance, then spear phishing, then multiple point-of-entry probes, for starters) in order to get inside, and once inside they put a hell of a lot of work into pulling off their attack, and mixed that with a ton of luck in order to actually succeed. The Target hack actually would have been dead from the start if Target trusted their FireEye consultants who tried to warn them of the impending data theft.
Unfortunately, security is a cost center, not a profit center. That doesn't sit well with the MBA types. Security does not support the success of a business in any obvious way - so we have to use metrics to show value.
Solving Unix problems since 1989...
Every. Fucking. Hospital. Everywhere.
The only thing that keeps this from being a problem is that the gory details of most people's lives are really not interesting to anybody and they are hard to monetize. I would imagine that hospitals and clinics around Hollywood have been hit multiple times. If you are a 'high value target', ie, nobody here on Slashdot, I'd be worried.
Very worried.
Faster! Faster! Faster would be better!
Really. This. How hard is it NOT to flame people on a COMPANY EMAIL system? Even if some hacker doesn't get to you, your boss or some HR flunky might. Leave the immature conversations to places like Slashdot. It's what we do ....
Faster! Faster! Faster would be better!
I'd be interested in knowing the details of the attack. Was it a "social engineering" attack of some kind (ie. a virus-laden email that someone with high privileges opened)? Was it a vulnerability in their networks? I've heard someone with high level admin privileges had their account hacked, but in what way was it done?
I can't find the story, but if i recall correctly, the short version is that the hackers probed Sony, couldn't get in, then started targeting affiliated companies until they found a remotely exploitable vulnerability.
Once they breached that company's network, they found cached(?) credentials for a top Sony sys admin account and used that to access the US Sony intranet.
They mapped the intranet, spread malware all over the place, exfiltrated ~100TB over the course of a ~year, then changed everyone's screensaver and went nuclear with the wiper attack.
[Fuck Beta]
o0t!
No. Security is NOT a profit center. If you think it is, then you are not understanding what the term "profit center" means. A profit center for a decentralized business generates revenues as well as incurs expenses. Most IT departments are not profit centers BY DEFINITION.
Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.