Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Sony Security

Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't) 343

phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us." Related: the FBI has officially concluded that the North Korean government is behind the attack.
This discussion has been archived. No new comments can be posted.

Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)

Comments Filter:
  • Sure... (Score:3, Insightful)

    by Mashiki ( 184564 ) <mashiki@gmTEAail.com minus caffeine> on Friday December 19, 2014 @03:34PM (#48636809) Homepage

    But you can mitigate the hell out of it, I suggest air gapping.

    • Re:Sure... (Score:5, Insightful)

      by EndlessNameless ( 673105 ) on Friday December 19, 2014 @04:08PM (#48637181)

      If you air gap email and financial systems, you're stepping right back into the mid-1900s. Back when it took an entire office of secretaries to process correspondence, and another office full of accountants to handle billing and ledgers. Because if those systems are disconnected, someone will have to transfer reams of data in and out of them. That is no longer feasible.

      Your suggestion is so completely impractical, I wonder why you joined slashdog in the first place. You clearly have no understanding of modern IT.

      • on the other hand, that would take care of the unemployment problem!
      • Don't knock it it creates more little middle managers who will fight to keep their meager power and title.

        There was one project I worked on where there were people who's job was to go over each morning and pick up a pile of paper that had been printed out from one computer system and then go and type it into another computer system. There was enough push back from shitty little middle managers who realized that the project would end their little fiefdoms that the project got canceled. If your job can be r
      • by mlts ( 1038732 )

        There is a balance between going back to paper and double-entry books versus putting the whole thing so close to the Internet that a single compromised box can make it easy for an attacker to slurp everything down. There are also tools to help separate data, but yet allow people to do their daily jobs.

        VDIs come to mind. If one can serve up apps from different desktops, a user can have an external Web browser, internal Web browser, E-mail, the internal finance application, with appropriate separation betwe

      • I don't know how Sony Pictures internal systems communicate, but I'm pretty sure they don't need to have direct access to world+dog in order to do so.

        What seems to have happened here is that by network-based manipulation of external firewalls, direct communication routes were established between malilcious hosts on the Internet and internal systems. You can avoid that and still maintain e-mail communication by relaying your mail over something other than TCP/IP between your internal-facing and external-faci

    • Re:Sure... (Score:5, Interesting)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday December 19, 2014 @04:10PM (#48637205)

      And one of the aspects where I disagree with him:

      Low-focus attacks are easier to defend against: If Home Depot's systems had been better protected, the hackers would have just moved on to an easier target.

      He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

      And 100% agreement with your air gap recommendation.

      With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company's security is superior to the attacker's skills, not just to the security measures of other companies.

      He's got it right there. Once you are online you can be attacked by anyone anywhere. The only advantage you have is that you control the wire in your organization. Wireless is more of a pain. But you can see every packet moving on the wire.

      It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won't end up posted online somewhere, but Sony clearly failed here.

      In my experience, the problem is not money. The problem is EGO. Someone is always convinced that what they are doing is more important than following what the IT nerds say and they have the political clout within the company to force exceptions be made.

      It is the exceptions that damage your security.

      It is the exceptions that allow the easy-to-prevent attacks to get a foothold on your network. THEN the more advanced attacks are unleashed.

      • Re:Sure... (Score:5, Informative)

        by jeffmeden ( 135043 ) on Friday December 19, 2014 @04:24PM (#48637343) Homepage Journal

        He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

        That's not entirely true. It's not clear how many other targets the miscreants who hit Home Depot, Target, etc had, but they did a lot more than scripted attacks (they used social reconnaissance, then spear phishing, then multiple point-of-entry probes, for starters) in order to get inside, and once inside they put a hell of a lot of work into pulling off their attack, and mixed that with a ton of luck in order to actually succeed. The Target hack actually would have been dead from the start if Target trusted their FireEye consultants who tried to warn them of the impending data theft.

        • Re:Sure... (Score:4, Informative)

          by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday December 19, 2014 @04:42PM (#48637523)

          From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
          http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ [krebsonsecurity.com]

          They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.

          • From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
            http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ [krebsonsecurity.com]

            They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.

            Where did it actually say that? They know the credentials given to Fazio were used to access the Target systems as the point of entry, but they don't know how the miscreants came into possession of them. The most likely method was a spear phishing attack that allowed a keylogger on to one of the PCs at Fazio. It's simply too far fetched to think that someone trolling with a script happened across Fazio, then just realized they could use it as a backdoor into Target, and then also be in possession of some

    • The other advantage of the air-gapped network is that you no longer "need" to update the computers within the network with most of the security updates that come across Windows Update. Build them from DVDs & SPs with known hash values, never having connected them. Who cares if those PCs are still stuck on Win7-SP1 or Win8.1 RTM. Their primary attack vector (e.g. the big bad Internet) is unavailable. Even if these machines are built with malware, the worst that could happen is that they get erased, b
  • by Anonymous Coward on Friday December 19, 2014 @03:38PM (#48636841)

    Nobody mentioned "The Interview" or North Korea until days after the attack, then it simply appeared from nowhere and asserted itself as the truth. The emails from the hackers are in the stash, and reputable sources who have time to read such things have reported that not a single email from GOP prior to the release mentioned The Interview, only demands for money.

  • Security is not easy, but it can be done. But most companies like security theater it's cheaper, until something like this happens.
    • by phantomfive ( 622387 ) on Friday December 19, 2014 @03:54PM (#48637045) Journal

      Security is not easy, but it can be done

      Probably not. Do you think your Linux box has no vulnerabilities? (hint: it does). Even if you run OpenBSD (which still has vulnerabilities), are the employees at your company going to use a browser? That will have vulnerabilities, too.

      Which brings us to the biggest security vulnerability, employees. Remember that the most valuable information a company has isn't the root password, it's the documents and emails the employees are working on and have access to.

      So not only do you need to have a perfectly secure operating system (which doesn't exist), you're also going to need secure employees. Good luck at that.

      • by gweihir ( 88907 )

        All you need is security good enough to keep the attackers out. The trick is to find what level that requires. Asking for "absolute security" just shows that you have no clue how security works.

        • All you need is security good enough to keep the attackers out. The trick is to find what level that requires.

          Against a targeted, skilled attack, there is no level that is good enough to keep them out.

    • by gweihir ( 88907 )

      Indeed, it can. You do not need to have absolute security at all (which is what amateurs routinely demand), just enough to demotivate attackers and make them go looking someplace else.

  • by Anonymous Coward on Friday December 19, 2014 @03:42PM (#48636899)

    Ding! Problem solved!

  • by xaotikdesigns ( 2662531 ) on Friday December 19, 2014 @03:46PM (#48636969) Homepage Journal
    I thought they got the admin credentials. If they got the admin credentials, then it's probably someone's fault for not ensuring that there was a good password policy, or that they made sure that only the right users had any kind of admin rights.

    Likewise, how long does it take to download 100TB of data? I'm guessing that this was probably something that took a bit of time to pull off, and they probably should have found something while all this data was flying out of their system.

    • With the amount of data moving in/out of Sony daily, I doubt it would be noticeable. If done right nobody would see this happening at all

      As for admin password policies and picking the right people... it's all rubbish. You can never pick the right people. You can only pick the least at risk people if that's even your choice as a CIO. Sometimes the worst person to give admin passwords to are the leaders, yet if they come to you asking for it you'll hand it over.

      The fact is that until you get targeted by an el

    • by Malizar ( 553281 )
      I am sure their password policy is one of those "You have to change your password weekly, cannot use the same password you ever used before, must contain a random assortment of letters, numbers and symbols." kind of policies that makes people write their passwords down on a note under their keyboard.
      • or throw the keyboard against the office wall...and then write the password on a post it note pinned to the screen
    • And who isn't to say that, as part of the hack, once they found someone high enough with the right credentials, they didn't create a couple of AD accounts? In mid-size organizations, identity management is dealing with thousands of accounts, having to create numerous exceptions for specific people and applications (oh, this Task Scheduler task can't allow for the account to change--and it needs super-duper-Admin rights to these particular servers; this Windows Service that runs on the production CRM server
  • by Spy Handler ( 822350 ) on Friday December 19, 2014 @03:47PM (#48636983) Homepage Journal

    it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed

    If you were using your company's Exchange server for gossiping and thought it was safe (i.e. the IT department would never have access to this, oh no) then you're stupid and deserve whatever fate you get.

    I can sympathize with the people whose SS numbers were stolen out of no fault of their own. But Amy Pascal making Obama black jokes on company email was just stupid as hell and she deserves whatever scorn people will heap on her.

    • by itzly ( 3699663 )
      Social security numbers should never have been used as secure tokens.
    • There are legitimate requests made via email that can be problematic for the individuals. Please don't dilute the legitimacy email because a few odd emails go offside.

      FYI. By default only the user can view/edit his emails on Exchange UNLESS the IT grants himself permission. This is why large corporations perform security auditing to see if their own admins are granting themselves access to restricted data.

  • by phantomfive ( 622387 ) on Friday December 19, 2014 @03:59PM (#48637081) Journal
    We shouldn't just believe the FBI, but here's what they've revealed of their evidence so far:

    While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

    * Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
    * The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
    * Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Here's the underlying problem, despite all this: You have to trust the FBI. Sorry to say, as a common American, I don't! As an IT professional, it's plausable, but until these sources and evidence are validated by independent 3rd parties, N.K., like every other possible culprit, is just that. A suspect.

  • For all we know, Sony did invite this attack and opened its doors wide for anybody wanting in. At the very least you can make this hard for the attacker and add a high risk if early detection. Saying "you can't protect yourself" is sending entirely the wrong message.

    • by thoriumbr ( 1152281 ) on Friday December 19, 2014 @04:22PM (#48637325) Homepage
      He knows what he is saying. He said that if you are targetted in a high-skill, high-focus attack, it's basically game over.

      It's like defending yourself from a random mugging on the streets and surviving a professional hitman. You can make it harder to be attacked by a random hacker or a unfocused hacker, but it's impossible to defend yourself from all kinds of attacks of a very skilled hacker focused on attacking you.
      • Perhaps, but if you're doing the tech equivalent of flashing large bills around while walking through the bad part of town, you'll be vulnerable to a lot more people than if you actually have a clue.

  • BS (Score:2, Informative)

    Complete nonsense.
    I keep reading about this attack, like it was magical...
    Then there's an article on Slashdot today about programming being a superpower?
    I'm starting to think this entire thing was designed to have this very affect.

    So what's next? The government protects us? We need more electronic surveillance?

    Hacks based on Zero-day exploits are hard to protect against. But they are smash and grabs, and once you see the data leaving, you shut things down until you can patch. But this Sony thing? They had b

    • by DarkOx ( 621550 )

      No hack would ever result in that kind of control

      Disagree.

      Lets face it the reality is lots and lots of BIG companies use things like Active Directory. Lots of this BIG companies might even have only a tiny handful of Enterprise Admins, who may even be very good at what they do. Chances are they have centralized and integrated the authentication against AD. Its not uncommon for Network infrastructure administrative interfaces to use an authentication gateway like say NPS (RAIDUS for AD).

      So if you could get that Enterprise Admin access, well it might b

  • ... email, and anything else you do on the internet or with your cell is not private.

    Never put anything in email, or text messages, or twitter or random internet forums that could potentially embarrass you or anyone you care about.

    Sad that this needs to be pointed out, but clearly it does.

    • (I recently pointed out to someone whose mother I know that they wouldn't want their mother reading their twitter feed.)

  • by Fnord666 ( 889225 ) on Friday December 19, 2014 @05:04PM (#48637721) Journal
    From the FTA:

    This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.

    Bullshit. There's always a choice. It's often less convenient, but that's a far cry from not having one.

  • by cookiej ( 136023 ) on Saturday December 20, 2014 @01:36AM (#48640107)
    "Galactica is a reminder of a time when we were so frightened by our enemies that we literally looked backward for protection..."

    ... and, of course ...

    "... But I will not allow a networked, computerized system to be placed on this ship while I am in command."

    We live in a world of Cylons.

The absent ones are always at fault.

Working...