Posted on 12/20/2014 1:18:13 AM PST by Spktyr
'Christmas dump' incoming with more 'interesting' Sony Pictures data
Months before the hacker intrusion on Sony Pictures' network, analyst firm PricewaterhouseCoopers (PWC) performed an analysis on the company's security, and found it lacking. More than 100 devices were found to be unmonitored by corporate security following an incomplete transition from a private security firm to an in-house team. As a result, any Sony response to network intrusion would be, in the words of the auditors, "slow, fragmented, and incomplete, if it would even happen at all." However, corrective actions proposed by PWC seemingly went undone, which left the doors to the company open, sometimes literally, facilitating the attack.
Hackers thought to be operating out of North Korea took over and raided large portions of Sony Pictures' internal computer systems, and have been slowly releasing films, internal memos and emails, focus group studies and other material ranging from banal to sensitive for the studio. The group even posted sensitive financial and personal details of 47,000 employees, vendors, and actors who do or have worked for the company as far back as 1955. Last week, things took a turn for the sinister, when many employees who's information was leaked received a threatening email (though the GOP later denied they were behind that).
Sony had moved from a third party to in-house security teams in September 2013. The transition was anything but smooth, with the 100 devices cited by PWC not properly turned over to the staff. Most of the unmonitored, and unpatched, devices were web servers and managed routers.
The analyst firm warned Sony Pictures of the problem, saying that "security incidents impacting these network or infrastructure devices may not be detected or resolved [in a] timely [fashion]" on September 25. Ironically, the security evaluation was released in the hack group's last data dump.
Ex-employees confirm the lackadaisical attitude toward Internet security. One employee reported to Fusion that "one of our Central European website managers hired a company to run a contest, put it up on the TV network's website and was collecting personally-identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network in a cafe."
Security firm Mandiant was hired to assess the damage and scope of the penetration by the GOP hacking group. Mandiant CEO Kevin Mandia told Sony Pictures that "the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well-planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared."
Corrective actions as a result of PWC's analysis were promised to be completed by October 31, 2014. There is no evidence that anything was actually completed by the in-house security team. Despite Mandiant's assurances to Sony that nobody could have been prepared for the attack, it is clear that Sony failed to perform even the most basic due diligence to prevent the breach.
Another former employee says that corporate culture is the root cause of the security lapses. He noted that the real problem with Sony Pictures' network security was "there was no real investment in, or real understanding of what information security is," pointing to the vast amount of sensitive data gleaned by the hackers that was stored unencrypted. Employees of Sony Pictures for the last 15 years were listed in the leaked documents. Sony's offer of credit monitoring and identity theft protection does not extend to former employees at this time.
The GOP is spreading word of a "Christmas gift" release of more data. A PasteBin post claims to contain "larger quantities of data" saying that "it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state." The GOP claims that employees can "opt out" of the upcoming data release that may involve them, but they have to email the group to make this happen.
How ironic. Management always wants to be “On the Line”. It’s free!!! Well it ain’t free. Anyone here think management will get the message?
If I owned the Firewalls, yes I could. Unfortunately the people who own/run/manage them don't report to me. Yet.
Once they do, then it's a whole new ballgame and a bunch of them are going to find themselves on the street.
Thanks for the inside baseball on this stuff.
It is fascinating.
The scope and tenacity of hackers is not to be underestimated.
I'll trade you developers tips if you don't already know them.
You set the standards, so I bet you could push the issue.
Once they do, then it's a whole new ballgame and a bunch of them are going to find themselves on the street.
When they do, contact me. I will follow your lead and requirements and be a valued and trusted servant.
Only requirement is that I can stay in Hotlanta. I effing love this town.
Bro, I flunked Java for Dummies. You'll be wasting your time trying to teach me development. My application development days are so far back in my rear view mirror I can't even see them anymore.
Ok, well, there’s got to be something I can offer in exchange. Let’s get on the phone someday soon, if you like. The way I learn best is by mentoring.
Very true. Where there's a will, there's a way has never been more true than with Chinese, Russian, Iranian, etc.. hackers. They are highly skilled, adapt quickly and as much as I hate to say it, typically ALWAYS a half-step ahead of us.
The best Information Security folks can do is prevent hacking BEHAVIOR from penetrating and compromising our networks. This mean understanding hacking PATTERNS and the behavior of each PATTERN. Once you understand the pattern, the behavior/hacking attempt can be stopped. Fortunately, many of today's hacking attempts fall into well documented patterns.
The problem is in the Organization's ability to recognize those patterns and prevent them upfront, or respond to them quickly enough to prevent massive damage.
I'll bet the farm that Sony's network administrators, IT folks, etc.. really didn't have much of a clue on how to secure their network, systems and information assets. That's typically why these things happen in the first place.
Better, but not secure in my opinion. I know a few things about the power grid networks having felt with their nation communications networks, and believe there are deficits in parts of that enterprise topology.
Banks are better but I had several security contracts and found branch level banking to be full of holes. The primary processing companies like Visa were nearly rock solid. (Visa debit and some credit processing is here in Colorado.) The reason Visa is good is because they have the proper auditing and reconciliation processes in place and that actually use them.
I'd be interested in chatting with you on this topic.
The primary processing companies like Visa were nearly rock solid. (Visa debit and some credit processing is here in Colorado.) The reason Visa is good is because they have the proper auditing and reconciliation processes in place and that actually use them.
Sometimes their fraud detection algorithm's are "too good." I'll give you an example.
Last Saturday I was at the local Menards picking up a few things for projects I needed to complete around the house. As I went through the checkout process, my credit card was declined with a specific code. The cashier gave me my card back and said to call the credit card company with that code.
Unbeknownst to me, my wife had given our oldest son her credit card for him to get online and purchase two PC Games from STEAM/Origin. One for his computer, one for his younger brothers.
While I shopped at Menards, oldest son was able to buy and download the first game to his computer. He then went to his brother's computer to do the same thing. Mastercard declined the transaction. Oldest son tried again, and was again declined. He went on and did this SIX MORE TIMES.
By the time I got to the register, the card was "locked" and I had to call MasterCard, who proceeded to ask me about the online video game purchases. I texted my wife who confirmed our son was buying video games with our credit card. It took about five minutes in total to confirm those charges, the previous five charges and have MasterCard unlock my credit card so I could go back inside Menards to pay for the items I needed.
The algorithms that monitor my spending habits on my credit card, combined with the online fraud detection on same credit card both kicked in and locked my card when those algorithms detected what they believed to be fraudulent purchases.
In one way, I'm "glad" they're preventing fraud with my credit card, on the other hand it really gives me the creeps that computer algorithms "learn" and "know" my spending habits and alert to anything that's outside the norm.
These algorithms are often "too tight." It used to be that if my wife and I both filled up our vehicles on the same day, our credit card would lock. That was REALLY annoying when she was in Michigan at her parents home with our two kids and I was in Nebraska for an amateur radio antenna contest and we both needed gas. As soon as I swiped my credit card in Nebraska at a gas station ... LOCKED! Later same day, same thing happened to her and we both had to explain to the credit card company that we were really both in two different places.
It's getting to the point that any time I go on vacation now or go somewhere without the family I almost have to "check in" with my credit card company and get 'approval' to put charges on my credit card so it doesn't get locked. Sheesh!!
Said on another thread that I'd bet the farm that Sony's internal Computer Information Systems Security/Data Security was woefully lacking/practically non-existant. Honestly it didn't take much to make that statement and know it's true.
BTW: PWC has an EXCELLENT Information Security Audit team and they literally find EVERYTHING that can possibly go wrong up to and including something as simple and basic as having a written InfoSec security policy.
Any actor or ANYONE for that matter who works for Sony and has had their personally identifiable information (PII) exposed should sue the living daylights out of Sony, and at this point Sony truly deserves to go out of business.
I have one question a what if.
What if someone hacked into an electric company and got luck and turned off lights(is that even possible) how long before we could get the lights back on?
If is was software-only, server-disabling, stuff like that, no worries. Reboot, restore, plug the security hole, and you are on your merry way.
If the hacking went on to destroy equipment through malicious software control, then there might be an issue.
Very interestingly, and pinging usc and TM to it, as I was posting this, I was probed. I have a pretty secure home setup. I think the Norks are watching even this thread.
Laz are you pulling my leg?
I also have a few other security measures that make my home system a little less hackable than usual.
Of course it hasn't. Because the same thing could be said of just about every company in the US. If the media points their finger at Sony, they will also be setting themselves up for criticism. Do not expect this to be touted at all.
The simple truth is that this could happen to any and all companies.
I have:
1. Three tier security;
2. Proxy Server & Reverse Proxy Server;
3. Firewall appliance device configured to not allow packets into my network that do not have a corresponding outbound packet.
Probes to my network are literally dropped. It's as if nothing is even here.
Interesting. I may replicate this configuration, which is better than my current 2-tier hardware-firewalled with some of the better Anti’s watching.
Hey boys, looks pretty chilly there in Pyongyang tonight. The Colts are a 3-point road dog at Dallas, I'm thinking go with the under at 55. Any opinions?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.