Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)
phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us."
Related: the FBI has officially concluded that the North Korean government is behind the attack.
Sure... (Score:3, Insightful)
But you can mitigate the hell out of it, I suggest air gapping.
Re:Sure... (Score:5, Insightful)
If you air gap email and financial systems, you're stepping right back into the mid-1900s. Back when it took an entire office of secretaries to process correspondence, and another office full of accountants to handle billing and ledgers. Because if those systems are disconnected, someone will have to transfer reams of data in and out of them. That is no longer feasible.
Your suggestion is so completely impractical, I wonder why you joined Slashdot in the first place. You clearly have no understanding of modern IT.
Re: (Score:3)
There was one project I worked on where there were people whose job was to go over each morning and pick up a pile of paper that had been printed out from one computer system and then go and type it into another computer system. There was enough push back from shitty little middle managers who realized that the project would end their little fiefdoms that the project got canceled. If your job can be r
Re: (Score:3)
There is a balance between going back to paper and double-entry books versus putting the whole thing so close to the Internet that a single compromised box can make it easy for an attacker to slurp everything down. There are also tools to help separate data, but yet allow people to do their daily jobs.
VDIs come to mind. If one can serve up apps from different desktops, a user can have an external Web browser, internal Web browser, E-mail, the internal finance application, with appropriate separation betwe
Re: (Score:3)
I don't know how Sony Pictures internal systems communicate, but I'm pretty sure they don't need to have direct access to world+dog in order to do so.
What seems to have happened here is that by network-based manipulation of external firewalls, direct communication routes were established between malicious hosts on the Internet and internal systems. You can avoid that and still maintain e-mail communication by relaying your mail over something other than TCP/IP between your internal-facing and external-faci
Re: (Score:2)
Oh, if it's not air gapping, then it must be placed out on the public internet? Are you a fucking moron or do you just play one on slashdot?
Re: (Score:2)
Apparently the person I replied to, and the admin for Sony's system, is a "fucking moron"; otherwise they wouldn't be in the mess in the first place, right?
Re: (Score:3)
So your suggestion is, let's keep all of our super important stuff on a front-end facing system in the first place.
I never said that, but thanks for throwing an asinine straw man up there.
They can probably lock things down better than they did, but I don't work at Sony and I haven't seen their network diagrams so I can't really say. But the idea of air-gapping financial systems for a company of Sony's size is mind-boggling stupid.
Even something as simple as warranty work breaks down without automation. Every authorized repair depot needs some way to order parts, submit claims, and receive payment at an absolute minimum.
Re:Sure... (Score:5, Interesting)
And one of the aspects where I disagree with him:
He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.
And 100% agreement with your air gap recommendation.
He's got it right there. Once you are online you can be attacked by anyone anywhere. The only advantage you have is that you control the wire in your organization. Wireless is more of a pain. But you can see every packet moving on the wire.
In my experience, the problem is not money. The problem is EGO. Someone is always convinced that what they are doing is more important than following what the IT nerds say and they have the political clout within the company to force exceptions be made.
It is the exceptions that damage your security.
It is the exceptions that allow the easy-to-prevent attacks to get a foothold on your network. THEN the more advanced attacks are unleashed.
Re:Sure... (Score:5, Informative)
He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.
That's not entirely true. It's not clear how many other targets the miscreants who hit Home Depot, Target, etc had, but they did a lot more than scripted attacks (they used social reconnaissance, then spear phishing, then multiple point-of-entry probes, for starters) in order to get inside, and once inside they put a hell of a lot of work into pulling off their attack, and mixed that with a ton of luck in order to actually succeed. The Target hack actually would have been dead from the start if Target trusted their FireEye consultants who tried to warn them of the impending data theft.
Re:Sure... (Score:4, Informative)
From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ [krebsonsecurity.com]
They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.
Re: (Score:3)
From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ [krebsonsecurity.com]
They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.
Where did it actually say that? They know the credentials given to Fazio were used to access the Target systems as the point of entry, but they don't know how the miscreants came into possession of them. The most likely method was a spear phishing attack that allowed a keylogger on to one of the PCs at Fazio. It's simply too far fetched to think that someone trolling with a script happened across Fazio, then just realized they could use it as a backdoor into Target, and then also be in possession of some
No real need for updates, either... (Score:3)
Re: (Score:3, Insightful)
Yes. Let's air-gap the email system. That would work well.
No, foo. It's called basic common sense -- keeping confidential medical records, SSNs, and personnel files in paper format only, and not allowing them to be scanned or placed in a system connected to the general business intranet, or "the cloud".
Re: (Score:2)
...as opposed to figurative typewriters and figurative paper?
Re: (Score:2)
Data protection is off the table. How about data obfuscation? A nationwide program to hash SSNs. Mandatory 'expiration dates' to delete old emails. Providing an IM option that doesn't log much, so employees can have those random convos that shouldn't go by email. Even an offsite company for the most sensitive stuff, like an external lockbox for medical records.
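On the "hash SSNs" idea above, here is an added example (my code, not anything from the thread) showing the weak form beside the hardened one. An unkeyed hash of a nine-digit number is not obfuscation: the input space is only about a billion values, so a stored digest can be matched back to its SSN by enumeration. A keyed HMAC, with the key kept outside the database (HSM or KMS), keeps the token stable so records can still be joined on it, while the token's secrecy rests on the key rather than on the tiny SSN space. The SSN used is constructed (the 900-999 area range is never issued).

```python
"""SSN tokenization: unkeyed hash (weak) beside keyed HMAC token (hardened).

Added example, not code from the thread. The key is assumed to live in a
key-management system separate from the record store.
"""
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def normalize_ssn(ssn):
    """Strip dashes and validate shape; reject anything that is not nine digits."""
    cleaned = ssn.strip()
    if not SSN_RE.match(cleaned):
        raise ValueError("not a 9-digit SSN")
    return cleaned.replace("-", "")


def unkeyed_hash(ssn):
    """Weak form: deterministic, but enumerable by anyone who holds the digest."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def keyed_token(ssn, key):
    """Hardened form: HMAC-SHA256 under a secret key stored apart from the data."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def tokens_match(token_a, token_b):
    """Constant-time comparison so a lookup service does not leak via timing."""
    return hmac.compare_digest(token_a, token_b)


def new_tokenization_key():
    """Generate a 32-byte key; in practice it is generated and held in an HSM/KMS."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_tokenization_key()
    # Constructed, non-real SSN: area 987 is in the never-issued 900-999 range.
    t1 = keyed_token("987-65-4321", key)
    t2 = keyed_token("987654321", key)
    print("same SSN, same token regardless of formatting:", tokens_match(t1, t2))
    print("unkeyed digest (enumerable):", unkeyed_hash("987-65-4321")[:16], "...")
```

Rotating the key means re-tokenizing every record, so the key is chosen once per data store and guarded accordingly; losing it makes the tokens unmatchable, which is the intended failure mode.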
Re:Sure... (Score:5, Insightful)
Every. Fucking. Hospital. Everywhere.
The only thing that keeps this from being a problem is that the gory details of most people's lives are really not interesting to anybody and they are hard to monetize. I would imagine that hospitals and clinics around Hollywood have been hit multiple times. If you are a 'high value target', ie, nobody here on Slashdot, I'd be worried.
Very worried.
Re:Sure... (Score:5, Insightful)
Seriously? Keeping your personnel files on paper and not the computer? And you think getting checks is slow now? BWAHAHAHAHA
Re:Sure... (Score:5, Insightful)
Keeping your personnel files on paper and not the computer?
Of course, there's always keep your personal shit off the company servers!!! And keep what you do write in company documents at a professional tone.
That would sure have mitigated a whole lot of personal pain by these supposedly blameless Sony employees.
Re: Sure... (Score:2)
A million times THIS.
Re:Sure... (Score:5, Insightful)
Really. This. How hard is it NOT to flame people on a COMPANY EMAIL system? Even if some hacker doesn't get to you, your boss or some HR flunky might. Leave the immature conversations to places like Slashdot. It's what we do ....
Re: (Score:2)
That is completely different from air gapping any SSN type information. Nobody disagrees that you should only be professional in your conduct at work.
Re: (Score:2)
Nobody disagrees that you should only be professional in your conduct at work.
Nobody except all of the Sony employees who weren't!!!!
Re: (Score:3, Insightful)
Remember RSA labs that kept the master keys to SecureID on their network? There is nothing simple or easy here and, of course, security costs money and in capitalism you only spend money if there is an expected gain. Unless people high up in management go to prison or the company is fined heavily on such events, nothing is going to change.
Re: (Score:3)
And those zeros are differences in the cost of (a lack of) security to Sony. Unless you're selling security, it does not generate revenue (and thus profit). Hence cost center [wikipedia.org] vs profit center [wikipedia.org].
Re: (Score:3)
This could actually be a good thing. The existence of security breach insurance would necessarily require quantifying how much risk a particular organization creates. The insurer is now a third party that has an incentive to make sure the company is following best practices and the ability to punish companies that don't (through denial of coverage or through increased premiums).
Re: (Score:3)
More than likely, in a world without PHP, another language with similar benefits and drawbacks to PHP would likely have been invented.
Re:Sure... (Score:5, Insightful)
No, foo. It's called basic common sense -- keeping confidential medical records, SSNs, and personnel files in paper format only, and not allowing them to be scanned or placed in a system connected to the general business intranet, or "the cloud".
Oh man, you had me going there for a second. I almost thought you were serious.
Let's all go back to using a typewriter to file our taxes, and when my small-town radiologist wants a consulting opinion on my X-ray, let's have a courier drive it into metropolis for him. He can use a quill to write down his diagnosis and seal the letter with wax and a stamp from his ring.
Re: (Score:2)
Costs would increase, but so would employment of less skilled but competent workers.
Re:Sure... (Score:4, Insightful)
Costs would increase and quality of care would decrease.
You're clearly onto something here.
Re:Sure... (Score:4, Informative)
It's easy to be self-righteous. I used to see it all the time from members of the Christian religion, most of whom weren't really that familiar with scripture. It's no more appealing seeing the same attitude from members of the new Global Warming religion, most of whom aren't really that familiar with the science.
Climate models may one day mature to something beyond the basket of hypotheses they are now, but none of them have yet been successful in predicting climate data, except where the null hypothesis also predicted that data. The science doesn't justify your arrogance. I wouldn't call it "pseudoscientific", but it's far from certain as well, and the actual predictive models (as opposed to hand-wavey claims) aren't yet well supported by actual data.
Re:Sure... (Score:4, Insightful)
Look at the historical data. [wikipedia.org]
It should jump out at you that the past 10k years of relative climate stability is an anomaly, and that rapid (on geological scales) swings in temperature and CO2 are the norm. That whole system is not well understood, though I believe solar variation is the leading hypothesis right now. On a scale beyond a century, there's just no reason to expect climate stability in the first place.
On a decade by decade scale, there's no evidence of warming in the 17 years of reliable satellite temperature data. The null hypothesis - that average temperatures aren't changing - has actually been the best predictor of climate data since the late 90s, odd as that may sound.
The simple fact is: the atmosphere and oceans are chaotic systems, with a variety of positive and negative feedback loops, quite difficult to model, and you can't talk about climate change in a scientific way without doing so. There are no obvious conclusions to draw, as the system we live in is simply too complex for hand-wavy, back-of-the-envelope calculations to be interesting. We may simply lack the technology today to do this science properly. That's not a reason to stop - we built the LHC, proof we can do some fucking impressive technological advancement to achieve a scientific goal. But it is a reason to avoid arrogance.
Climate science is at the phlogiston / aether / Freud stage right now. That's fine, every science must start that way, and the scientific method works given time. But for goodness sake the lay believers are very much like a religion right now, complete with a list of sins and a Hell to roast in, and that's taking it too far!
Re: (Score:3)
However using it as a comparison to the current state of climate science, which more than a century ago got as far as identifying El Nino/La Nina, is a gross insult that I'm sure you wouldn't want applied to your field (or I to mine, which is not anything to do with climate just like yours is not). What's worse is it looks like you are just repeat
Re: (Score:3)
Once again, pretending that experts in a very long established field, well over one century in this case, in some way have nothing that they can assert is real calls into question the idea of expertise in general. That's the road to mediocrity that we
Sure, I'll dispute your "CO2 blanket analogy" (Score:3)
Partially, yes, for three reasons:
Re: (Score:3)
People just cannot resist the ease of communication. Email is the crack cocaine of IT security.
I've always maintained the most devastating payload a worm could have would be forwarding random things from sent-mail to random receipients in the contacts list, considering how so many lead incredibly dishonest lives.
Re: (Score:3)
Walking in to a place with all the printers spewing out blank paper and several people arguing that they had already done something so why the nagging by email reinforced my view that MS were selling toys that people were mistakenly deploying in offices.
Re:Sure... (Score:4, Funny)
Anything that can block spam is a good thing.
Re: (Score:2)
Why not? You could batch program it for delivery twice a day.
All inter-company email slowed to twice a day batches. Every exchange with an external consultant or contractor; every conference call meeting confirmation, everything... goes out at noon and 5 pm?
What issue exactly would twice a day batches even solve?
In a company where you were in charge upper management would literally crucify you, and the regular employees would cheer them on.
Re: (Score:3)
You're talking about air gapping the wrong system.
There needs to be an air gap between executives and computers. They need to never be allowed to breach it, because they are completely fucking stupid. Sony is so inept I don't even get how they are allowed to do business. This is such a lack of security compliance for a for profit that I imagine compliance auditors are drooling by now.
Is it unique to them? not even remotely. Is it their own fault? about 99.9%. 56 hacks in 12 years is not a company who unders
Re: (Score:3)
I work at Sony Pictures on and off. Ironically, about two years ago the studio went through a huge ISO 27001 compliance audit; it was a huge deal at the time. I've worked at all the major Hollywood studios and I'd probably characterize Sony as having the best physical security. I didn't work in IT so I don't know all the in
Official Conclusion (Score:5, Insightful)
Nobody mentioned "The Interview" or North Korea until days after the attack, then it simply appeared from nowhere and asserted itself as the truth. The emails from the hackers are in the stash, and reputable sources who have time to read such things have reported that not a single email from GOP prior to the release mentioned The Interview, only demands for money.
You can stop those type of attacks (Score:2)
Re:You can stop those type of attacks (Score:5, Insightful)
Security is not easy, but it can be done
Probably not. Do you think your Linux box has no vulnerabilities? (hint: it does). Even if you run OpenBSD (which still has vulnerabilities), are the employees at your company going to use a browser? That will have vulnerabilities, too.
Which brings us to the biggest security vulnerability, employees. Remember that the most valuable information a company has isn't the root password, it's the documents and emails the employees are working on and have access to.
So not only do you need to have a perfectly secure operating system (which doesn't exist), you're also going to need secure employees. Good luck at that.
Re: (Score:2)
All you need is security good enough to keep the attackers out. The trick is to find what level that requires. Asking for "absolute security" just shows that you have no clue how security works.
Re: (Score:3)
All you need is security good enough to keep the attackers out. The trick is to find what level that requires.
Against a targeted, skilled attack, there is no level that is good enough to keep them out.
Re: (Score:3)
You said "no level". Ever talked to somebody that handles highly classified data in some TLAs? No, did not think so. Sure, it is expensive, but you can keep any and all types of attackers out if you invest enough and have the right people defining processes and implementing controls, except for those attackers that can come to you and break down your door or those that can plant people with you long-term. This "there is no way to protect yourself" meme is just BS for the uninformed and has nothing to do wit
Re: (Score:2)
Indeed, it can. You do not need to have absolute security at all (which is what amateurs routinely demand), just enough to demotivate attackers and make them go looking someplace else.
Don't use your company email for personal business (Score:3, Insightful)
Ding! Problem solved!
Blameless Random Employees? (Score:4, Informative)
Likewise, how long does it take to download 100TB of data? I'm guessing that this was probably something that took a bit of time to pull off, and they probably should have found something while all this data was flying out of their system.
Re: (Score:2)
With the amount of data moving in/out of Sony daily, I doubt it would be noticeable. If done right nobody would see this happening at all
As for admin password policies and picking the right people... it's all rubbish. You can never pick the right people. You can only pick the least at risk people if that's even your choice as a CIO. Sometimes the worst person to give admin passwords to are the leaders, yet if they come to you asking for it you'll hand it over.
The fact is that until you get targeted by an el
Blameless employees? (Score:5, Insightful)
it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed
If you were using your company's Exchange server for gossiping and thought it was safe (i.e. the IT department would never have access to this, oh no) then you're stupid and deserve whatever fate you get.
I can sympathize with the people whose SS numbers were stolen out of no fault of their own. But Amy Pascal making Obama black jokes on company email was just stupid as hell and she deserves whatever scorn people will heap on her.
Re: (Score:2)
There are legitimate requests made via email that can be problematic for the individuals. Please don't dilute the legitimacy of email because a few odd emails go offside.
FYI. By default only the user can view/edit his emails on Exchange UNLESS an IT admin grants himself permission. This is why large corporations perform security auditing to see if their own admins are granting themselves access to restricted data.
Why the FBI thinks it's North Korea (Score:5, Informative)
While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
* Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
* The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
* Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
Re: (Score:2, Insightful)
Here's the underlying problem, despite all this: You have to trust the FBI. Sorry to say, as a common American, I don't! As an IT professional, it's plausible, but until these sources and evidence are validated by independent 3rd parties, N.K., like every other possible culprit, is just that. A suspect.
You can at least make it hard for them (Score:2)
For all we know, Sony did invite this attack and opened its doors wide for anybody wanting in. At the very least you can make this hard for the attacker and add a high risk of early detection. Saying "you can't protect yourself" is sending entirely the wrong message.
Re:You can at least make it hard for them (Score:4, Insightful)
It's like defending yourself from a random mugging on the streets and surviving a professional hitman. You can make it harder to be attacked by a random hacker or an unfocused hacker, but it's impossible to defend yourself from all kinds of attacks of a very skilled hacker focused on attacking you.
Re: (Score:2)
Perhaps, but if you're doing the tech equivalent of flashing large bills around while walking through the bad part of town, you'll be vulnerable to a lot more people than if you actually have a clue.
BS (Score:2, Informative)
Complete nonsense.
I keep reading about this attack, like it was magical...
Then there's an article on Slashdot today about programming being a superpower?
I'm starting to think this entire thing was designed to have this very effect.
So what's next? The government protects us? We need more electronic surveillance?
Hacks based on Zero-day exploits are hard to protect against. But they are smash and grabs, and once you see the data leaving, you shut things down until you can patch. But this Sony thing? They had b
Re: (Score:2)
No hack would ever result in that kind of control
Disagree.
Let's face it, the reality is lots and lots of BIG companies use things like Active Directory. Lots of these BIG companies might even have only a tiny handful of Enterprise Admins, who may even be very good at what they do. Chances are they have centralized and integrated the authentication against AD. It's not uncommon for network infrastructure administrative interfaces to use an authentication gateway like, say, NPS (RADIUS for AD).
So if you could get that Enterprise Admin access, well it might b
And the lesson is... (Score:2)
... email, and anything else you do on the internet or with your cell is not private.
Never put anything in email, or text messages, or twitter or random internet forums that could potentially embarrass you or anyone you care about.
Sad that this needs to be pointed out, but clearly it does.
Re: (Score:2)
(I recently pointed out to someone whose mother I know that they wouldn't want their mother reading their twitter feed.)
BS (Score:3)
This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.
Bullshit. There's always a choice. It's often less convenient, but that's a far cry from not having one.
Excerpt from BSG (Score:3)
"... But I will not allow a networked, computerized system to be placed on this ship while I am in command."
We live in a world of Cylons.
Re:So which building will they blow up? (Score:5, Funny)
and throw in some mass drops of MP3 players loaded with Sony tunes on the country.
There's no call for such drastic and morally questionable measures, yet; let's just try airstrikes first.
Re: (Score:2)
Oh, then you are just as stupid as these guys who think capital punishment is going to be a deterrent for drug kingpins. As if drug kingpins didn't live their day to day lives under the possibility of execution, and their executions are a lot less dainty than ours and tend to take place without the bother and expense of due process. So, my friend, if you want to start using American military strength as the arm of the Lord, you can do that. We're the only superpower left. You can conquer the world, like Cha
Re: (Score:2)
Or maybe we can just send a few bloviating politicians over and throw in some mass drops of MP3 players loaded with Sony tunes on the country.
There's a North Korean who escaped to South Korea. He now sends balloons across the border with various messages. He's stated that he's planning on sending balloons with DVDs of the movie [hollywoodreporter.com].
Re: (Score:3)
Why MP3 players? Drop Sony CDs on NK to install a rootkit on every computer in the country.
Re:Sony security: strong or weak? (Score:5, Interesting)
I'd be interested in knowing the details of the attack. Was it a "social engineering" attack of some kind (ie. a virus-laden email that someone with high privileges opened)? Was it a vulnerability in their networks? I've heard someone with high level admin privileges had their account hacked, but in what way was it done?
The organization I work for is a contractor for the government of a North American jurisdiction, and yesterday morning I started getting reports that some sort of virus-laden emails were flowing out of this government's networks. Sure enough, within half an hour, I got emails from a contact I have within this particular agency, with an attached ZIP file with an SCR file inside. That has to be one of the oldest ways that malware has been transmitted on Windows systems; I saw my first virus-laden SCR file somewhere around 1997-1998.
Apparently this critter is so new that by the time we checked, only a few AV companies had caught on to it. Even worse in some ways is that it appears that it made its debut on the very government servers in question, making me think this was a targeted attack. So you have a combination of a brand new virus of some kind that won't get caught by the scanners, lax email rules that allow the opening and execution of executable file types (not that blocking EXE variants doesn't mean some bastard won't be firing off a compromised PDF at an unpatched system), and users who through a combination of laziness and ignorance happily take the final step.
With this particular attack, there would have been no problem if Outlook had been configured not to open these kinds of attachments, and in an Active Directory environment, that's pretty trivial, so some of the blame has to go to this government agency's IT team. But still, even with the best safeguards, where users just happily click on any old attachment, it doesn't exactly take a rare alignment of the stars to have malware planted in a network. Sure, it won't have root privileges and won't be able to propagate itself via more sophisticated means, but it appears in this case it didn't need to.
So I do agree to some point that there are finite limits to what any person or organization can do to secure itself against a determined and directed attack. But there are ways to make such attacks much more difficult, and more quickly captured before they wreak too much harm.
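The post above describes a ZIP with an SCR inside getting through mail rules that should have blocked it. As an added example (my code, not the poster's or any agency's), here is the kind of gateway check that catches it: walk a message's attachments, flag blocked executable extensions directly or inside a ZIP, and catch double-extension names like "invoice.pdf.scr". The sample message, addresses and archive contents are all constructed inline.

```python
"""Mail-gateway attachment policy check (added example, not from the thread).

Flags attachments carrying a Windows-executable extension, whether directly
attached, hidden behind a double extension, or packed inside a ZIP archive.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs on double-click; .scr is the one from the post.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                      ".js", ".vbs", ".ps1", ".hta"}
MAX_ZIP_MEMBERS = 500  # refuse to enumerate absurd archives (zip-bomb guard)


def risky_name(filename):
    """Return the blocked extension the name ends with, or None."""
    name = filename.lower().rsplit("/", 1)[-1]
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return ext
    return None


def check_zip(data):
    """Return [(member, reason)] for archive members with blocked extensions."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable zip")]
    if len(names) > MAX_ZIP_MEMBERS:
        return [("<archive>", "too many members")]
    findings = []
    for member in names:
        ext = risky_name(member)
        if ext:
            findings.append((member, f"blocked extension {ext} inside zip"))
    return findings


def check_message(raw):
    """Return [(attachment_name, reason)] for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = risky_name(name)
        if ext:
            findings.append((name, f"blocked extension {ext}"))
        payload = part.get_payload(decode=True) or b""
        # Inspect by content too: a renamed .zip still starts with "PK\x03\x04".
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings.extend((f"{name}:{m}", r) for m, r in check_zip(payload))
    return findings


def build_sample_message():
    """Constructed sample: a ZIP attachment hiding 'invoice.pdf.scr'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.scr", b"MZ placeholder, not a real executable")
        zf.writestr("readme.txt", b"harmless text")
    msg = EmailMessage()
    msg["From"] = "contact@agency.example"   # constructed address
    msg["To"] = "me@contractor.example"      # constructed address
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in check_message(build_sample_message()):
        print(f"QUARANTINE {name}: {reason}")
```

Block-by-extension is only the first layer; the same hook is where a sandbox detonation or a password-protected-archive rule would go, since an encrypted ZIP defeats the member listing above and should be quarantined rather than passed.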
Re:Sony security: strong or weak? (Score:5, Informative)
I'd be interested in knowing the details of the attack. Was it a "social engineering" attack of some kind (ie. a virus-laden email that someone with high privileges opened)? Was it a vulnerability in their networks? I've heard someone with high level admin privileges had their account hacked, but in what way was it done?
I can't find the story, but if I recall correctly, the short version is that the hackers probed Sony, couldn't get in, then started targeting affiliated companies until they found a remotely exploitable vulnerability.
Once they breached that company's network, they found cached(?) credentials for a top Sony sys admin account and used that to access the US Sony intranet.
They mapped the intranet, spread malware all over the place, exfiltrated ~100TB over the course of a ~year, then changed everyone's screensaver and went nuclear with the wiper attack.
Re: (Score:3)
What this shows yet again is that anti-virus scanners are a flawed methodology. There will always be a delay between a virus being released and the signature updates getting to the clients. It's inherent in the concept.
Unfortunately, some early technology journalists were partially responsible for this because, in reviews, they ranked anti-virus products that identified threats by signature higher
Re: (Score:2)
This is the right question to ask! IT security at Sony must have been exceptionally bad. Large flows of data from inside to outside are what is most interesting. Competent attackers will only export the minimal amount of data needed, because data export ("data leakage") is the activity with by far the highest risk of being detected. That "terabytes" were exported shows that there basically was no working security in place and also that the attackers were not very good at this as they did some very risky thin
Re: (Score:3)
You do have to cut them a little slack here. If we were talking about a coal mining company or something, terabytes of data going out the door would be pretty unusual, and SIEM systems would be trained to flag that sort of thing.
This is Sony Pictures, though, terabytes probably go out the door all the time. I mean that might be less than a few hours of uncompressed video going to a contractor for post processing or something.
No my bigger question having done this kind of thing for a living now for som
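The two posts above pull in opposite directions: "terabytes leaving should have been caught" versus "terabytes leave a studio all the time". The reconciliation is that an exfiltration rule keys on each host's own history rather than an absolute volume. As an added example (my code, not from the thread), here is that per-host baseline over constructed daily flow totals: a post-production box that always ships around 2 TB stays quiet, while a finance workstation that goes from 50 MB to 30 GB in one day alerts.

```python
"""Per-host outbound-volume baseline (added example, not from the thread).

Alerts when a host's daily outbound bytes exceed a multiple of its own
median history and an absolute floor, so volume is judged relative to
what that host normally does rather than against one company-wide number.
"""
from collections import defaultdict
from statistics import median

GB = 1024 ** 3

# Constructed daily outbound totals per host: (day, host, bytes_out).
SAMPLE_FLOWS = [
    ("d1", "post-prod-01", 1800 * GB), ("d2", "post-prod-01", 2100 * GB),
    ("d3", "post-prod-01", 1950 * GB), ("d4", "post-prod-01", 2200 * GB),
    ("d1", "finance-ws-17", 0.05 * GB), ("d2", "finance-ws-17", 0.04 * GB),
    ("d3", "finance-ws-17", 0.06 * GB), ("d4", "finance-ws-17", 30 * GB),
    ("d1", "hr-ws-03", 0.02 * GB), ("d2", "hr-ws-03", 0.03 * GB),
    ("d3", "hr-ws-03", 0.02 * GB), ("d4", "hr-ws-03", 0.05 * GB),
]


def daily_totals(flows):
    """Group records into {host: [(day, bytes), ...]} preserving input order."""
    per_host = defaultdict(list)
    for day, host, nbytes in flows:
        per_host[host].append((day, nbytes))
    return per_host


def find_outliers(flows, min_history=3, ratio=10.0, floor=1 * GB):
    """Return [(host, day, bytes, baseline)] for days far above the host's median.

    min_history: days of history required before a host can alert.
    ratio:       how many times the median a day must reach to alert.
    floor:       absolute minimum, so a 1 KB -> 10 KB blip never pages anyone.
    """
    alerts = []
    for host, series in daily_totals(flows).items():
        for i in range(min_history, len(series)):
            baseline = median(b for _, b in series[:i])
            day, today = series[i]
            if today >= floor and today > ratio * baseline:
                alerts.append((host, day, today, baseline))
    return alerts


if __name__ == "__main__":
    for host, day, today, baseline in find_outliers(SAMPLE_FLOWS):
        print(f"ALERT {host} on {day}: {today / GB:.1f} GB out, "
              f"baseline {baseline / GB:.2f} GB")
```

The ratio and floor are the tuning knobs: lowering the ratio to 1.0 makes the render box alert on an ordinary busy day, which is exactly the noise the poster above says a studio cannot live with, so the baseline window and ratio are chosen per host class rather than globally.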
Re: (Score:2)
There is also the fact that this isn't Sony's first time on this ride. Shouldn't they have doubled-down on security after PSN got hacked?
You're supposing that "Sony" is a single massive thing -- it's not. It's a conglomerate with many separate units that share relatively little other than a name and some discounts at the Sony Store.
Proof: The hackers have done nothing outside of Sony Pictures. If there'd been interoperability in the layer that they got into, we'd be seeing data from other "Sony"s out there as well.
SOE/SMSS/SNEI learned a lot after what happened in 2011. But a movie studio that deals mainly with corporate accounting to pay ac
Re: (Score:2)
Something not much discussed, if outsiders were able to liberate "terabytes" of data from Sony Pictures, just how good was the corporation's computer security?
How many bytes of data did Snowden liberate from the CIA? If the CIA couldn't stop it, then this does not inherently say anything bad about Sony's corporate security.
That's Schneier's point -- NO organization can totally prevent data hacks and folks skilled in security know this.
I wish I had mod points... I'd mod you up.
Re: (Score:2)
I'm assuming that Sony, being a very large multinational company, has a very large Intranet, which means at various points it's going to be traversing the open Internet.
Unless you're advocating Sony lay down its own fiber and then turn off its gateway routers....
Re: (Score:2)
I ask the same question again, why put this stuff online at all? Why are critical systems for infrastructure online? Why is anything of any importance for our government and nation available to the general Internet?
Because that's how the information gets from (wherever it is stored) to (the people who need to access it). The Internet is popular for a reason, and that reason is that it helps people get things done quickly and cheaply.
The alternative, of course, is to have the information and the people physically co-located, so that they can access the information only via an isolated network (or by physically sitting at the computer the information is stored on).
However, the benefits of remote access are so great tha
Re: (Score:2)
Yeah, because Flash drives are such a secure way to move data...
Re: (Score:3)
He forgot the next step, always burn the flash drive afterwards.
That's why they're called flash drives right?
Re:What? (Score:4, Funny)
If they have nothing to hide, they shouldn't worry. Who cares about their boring lives?
... said the Coward who posted anonymously.
Re: (Score:3)
Because Sony Pictures is an American subsidiary of the Japanese conglomerate, which was based in the US and the majority of the affected employees were US citizens or at least Residents?