Computer/Internet Issues & Troubleshooting Anyone with questions about the terribly complex world of computers or the internet should try here. NOT FOR REPORTING ISSUES WITH PPRuNe FORUMS! Please use the subforum "PPRuNe Problems or Queries."

Sony Pictures, NK Hackers

Old 19th Dec 2014, 13:50
  #1 (permalink)  

I wasn't sure if I would post this here or in JB but thought it more pertinent to do so here as it does have to do with computers.

As we all undoubtedly know by now, Sony Pictures Corp. here in the U.S. was badly hacked not too long ago and a lot of data compromised. Current thinking is that the NK's done it. Whether or not it was North Korea behind the whole sordid affair is one aspect of the issue. The other aspect is this: what kind of systems were hacked? What I mean by this is, were these MS Windows OS servers which were compromised? (Let alone bypassing firewalls. How does that even happen? Hint: I know nothing about hacking)

I'm not bringing this up in order to start a Windows vs. Mac OS flame war.
But my thinking is this: most people in I.T. (myself included) fully realize that MS Windows (Server or not) security leaves a bit to be desired at times. And 99.9% of all system compromises have been on Windows machines. Now I'm not saying other OS's like Mac OS X, Unix, Linux, Z-OS or even OpenVMS are unhackable BUT you would think by now, and in this current age of hacking everything possible, that some corporations might rethink where they put sensitive data, i.e., on which OS servers.
rgbrock1 is offline  
Old 19th Dec 2014, 14:12
  #2 (permalink)  
 
My take is that there were multiple holes the size of barn doors in the front end.

Namely easily hacked E-mails with critical passwords being sent in open print back and forth at the highest level of Sony.

This was followed by easy phishing among other execs for additional keys to other barn doors, all under the sleeping oversight of their IT department.

Sony and their shareholders must now pay the price.

I will leave it to the rest of the IT community to check their own barndoors for sloppy folks like myself.

PS

There's money to be made by folks like Mixture
lomapaseo is offline  
Old 19th Dec 2014, 14:16
  #3 (permalink)  
loma:

Thanks for the info, I should have figured it had something to do with user carelessness. Happens all the time.
rgbrock1 is offline  
Old 19th Dec 2014, 16:49
  #4 (permalink)  
 
Quote: "There's money to be made by folks like Mixture"
I think what Sony demonstrates to us is the importance of regular penetration testing by a competent independent third-party contractor.

In regulated industries (e.g. finance and healthcare) pentests are largely becoming the norm because the alternative of the increasingly tech-savvy regulator breathing down your back and issuing eyewatering fines is not an attractive alternative.

In "unregulated" sectors, the extent and quality of pentesting and general IT security awareness varies widely.

When you get to an IT infrastructure the size of Sony, and especially if you are operating significant IT infrastructure under such an attractive brand, you do need to constantly work hard to keep on top of things .... both in terms of security itself as well as security related matters such as software updates and staff awareness. It's not impossible, but it's hard work and requires buy-in from everyone board level down.

On one hand I feel sorry for Sony because I know just how easy it is for one small overlooked item to provide an exploitable point of entry. I've seen exploits at secure facilities where pentesters demonstrated an exploit leveraged over a WiFi network that was on a separate network to the main networks, they were able to show the board CCTV footage from the facility....all down to the pentesters making use of a vulnerability because someone hadn't updated software on something.

On the other hand given the financial and staff resources available to their CIO and CSO it is somewhat inexcusable ... ESPECIALLY as the Sony brand has already been attacked elsewhere in recent years (e.g. the Playstation saga), that should have been a bit of a wake up call.
mixture is offline  
Old 19th Dec 2014, 22:29
  #5 (permalink)  
 
I don't wish to be rebutted for being an ignoramus, I'm reasonably pc literate, and read C&SI frequently, but this state of affairs I find concerning. Is there any written software by any industry that is not hackable?
gemma10 is offline  
Old 20th Dec 2014, 05:32
  #6 (permalink)  
 
If these hackers (wherever they come from) can get into Sony surely that will leave tablets phones DVD players TVs etc vulnerable to attack when customers upgrade software?

http://www.phonesreview.co.uk/2014/1...ive-sony-hack/

Another reason to avoid online banking on a phone or tablet.

Last edited by crewmeal; 20th Dec 2014 at 06:47. Reason: Addition
crewmeal is offline  
Old 20th Dec 2014, 07:52
  #7 (permalink)  
 
Quote: "Is there any written software by any industry that is not hackable?"
It largely comes down to minimising the attack footprint and validating inputs correctly.

It also depends on your definition of "hackable", e.g. whether you include Denial of Service attacks, or hard-core chip-level firmware attacks in your definition.

But I would say that if you look at software that was formally designed and tested, written in something like Ada or Spark, and where a minimal interface is provided to local and remote users ... that sort of thing is probably nearing "not hackable".

In the end, the best IT security is layered security ... and anything critical should be protected from the outside world by an air-gap or data-diode.

Quote: "If these hackers (wherever they come from) can get into Sony surely that will leave tablets phones DVD players TVs etc vulnerable to attack when customers upgrade software?"
I've heard rumors that the hackers stole Sony's code signing keys, which would mean they would be able to sign software and make it look like it was kosher and came from Sony !
mixture is offline  
Old 20th Dec 2014, 18:49
  #8 (permalink)  

The basic problem is that the security bod has to think of all the ways the hacker might try. The hacker only has to find one hole.

When I was a working bunny, the simple principle I proclaimed was that nothing on a network was totally secure. I proved my point to the IT director by the simple expedient of telling him what his password was. I didn't tell him how I'd got hold of it, and when I retired the "hole" was still there.

With hindsight, I should probably have told him where the hole was, but I thought it would make his security folks work harder to try to find it. I hope they found and blocked lots of others.
Keef is offline  
Old 20th Dec 2014, 19:31
  #9 (permalink)  
 
Quote: "The basic problem is that the security bod has to think of all the ways the hacker might try. The hacker only has to find one hole."

Which is exactly why you don't leave it all to your internal security bod(s) and have regular independent pentesting.
mixture is offline  
Old 21st Dec 2014, 09:17
  #10 (permalink)  
 
Remember when the White House web site got hacked?

Passwords are just one basic level of security, adding geographic location information, cryptographic keys, challenge/request, etc add to the onion skin layers of security.

But if someone is determined they will find a way to get in, and more often than not it would be too easy. Sony provoked (challenged) NK hackers with the subject matter of their upcoming release of some kiddie game on PS4 (I hope I got that right) which is offensive to some in NK. So it could easily be viewed as Sony shot their own foot off.

When I was managing about 700 web sites I was surprised to learn just how low the reality of hacking is. Sure we had one or two sites compromised over the years but they were because of stupid things like using credentials like "admin"/"password" - and the site had been like that for years before it finally got hacked and the customer came crying to us.

I also remember one of our competitors getting hacked, the hole had been there for years before it finally got exploited. It wasn't the hack that put that company out of business it was their loss of reputation. Good riddance for being so stupid.

The Sony hack on the other hand was sophisticated and not by "drive-by" opportunists.

I recall a long time ago in guvmint there was a project worker who used to loan out his secretary whenever some executive's secretary called in sick. He instructed his secretary to data mine the computer she was working on. So much for having the best security technology available.
cattletruck is offline  
Old 21st Dec 2014, 11:34
  #11 (permalink)  
 
Quote: "When I was managing about 700 web sites I was surprised to learn just how low the reality of hacking is."
I would hazard a guess you were only managing run of the mill websites and nothing with any profile !

I suspect the likes of Amazon, Paypal etc would soon tell you otherwise how you are wrong in relation to the "low reality of hacking".
mixture is offline  
Old 21st Dec 2014, 19:51
  #12 (permalink)  
 
Originally Posted by crewmeal
Another reason to avoid online banking on a phone or tablet.
It may depend more on your bank's security measures than yours. My bank allows me to access my account via my iPhone (iOS 7) and my iPad (iOS 8). But to login I must respond to a challenge code they send me with an 8 alphanumeric response (generated from my own credit-card size device). Even then they will challenge me again if I attempt to make a large payment, or a payment to someone new.

This can still be thwarted by a 'man-in-the-middle' hack, but I always go to my bank via their App and not through a browser, and never via an e-mailed link. I may be too trusting that their App hasn't (yet) been hacked but ...
ExXB is offline  
Old 21st Dec 2014, 20:22
  #13 (permalink)  
 
Slightly digressing, I received 2 scam emails purporting to be from HSBC asking me to click on the added link due to multiple log in errors. Needless to say I've never banked with HSBC using that email. When I tried reporting the scam the phishing email the bank gave didn't work and then using the contact number supplied from the web page I needed to give my 16 digit card number before I could go any further. Needless to say I couldn't proceed any further.
crewmeal is offline  
Old 21st Dec 2014, 23:52
  #14 (permalink)  

Hostile hackers are plentiful these days. My IP address gets "probed" so many times a day that I've turned off logging. I'm sure most of the source IPs of the probes are spoofed anyway.

Until I installed the callblocker, I was getting regular phone calls from "Microsoft" in India to tell me about the problems in my PC which they could fix for me. I don't know anyone who hasn't had the call - there must be thousands of staff in the phishing call centres.

I use a different e-mail address for banking from those I use for other purposes, which separates the "probably genuine" bank e-mails from the "definitely a scam" e-mails.

Must go: there's a nice lady in Benin wants to transfer $2,500,000.00 to my bank account.

Hey mixture - I've never thought of testing pens as a way to stop hackers. I must try that some time. When I worked for a living (last century), we had a team of devious folks who were encouraged to try to break system security in their spare time.
Keef is offline  
Old 22nd Dec 2014, 13:14
  #15 (permalink)  
 
I've worked in a number of different companies. All had quite substantial IT spend. All employed very bright people. Of the 4 most recent, two had the habit of being flexible with their IT rules for members of the boss class. 2 had zero flexibility for anyone.
One of the second group were really controlling with their IT. Whilst that level of control pissed me off (a bit), I had to admire their persistence.

I imagine that Sony were of the flexible sort. Flexibility is nice, but.....Leaves all sorts of doors open.
Ancient Observer is offline  
Old 22nd Dec 2014, 21:02
  #16 (permalink)  
 
Being strict with IT can be pretty difficult.
Bosses "need" particular things e.g. out-dated software, confidential documents on personal devices, confidential samples for potential clients etc. and a lot of this is against the rules but "has" to happen.
The only way to really fight this is to have a guy at the very top who agrees that IT should be strict, and backs IT up every time they have a problem imposing this.
However I've seen some outfits where tech-aware bosses are allowed to break the rules if they know exactly what they're breaking, and what the potential consequences are.

That said, with MDM and BYOD abilities in common devices (e.g. "bring your own phone and we'll automatically wipe the work stuff when you leave") getting better and better over time, this is slowly becoming less of an issue. Personal iPads are much less of a worry than some personal crappy laptop.
Win 10 in particular will be interesting, as it will be manageable via MDM instead of solely via Group Policy.
Booglebox is offline  
Old 23rd Dec 2014, 05:32
  #17 (permalink)  
 
As North Korea Loses Internet, Anonymous, Others Question Whether It Really Hacked Sony


That's the best thing to happen in NK for a long time. However I believe it has been partially restored.
crewmeal is offline  


Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.