The Sony Hack and North Korea
Dec. 20th, 2014 09:39 am

The FBI is saying that the Sony hack was definitely the work of North Korea, based on evidence of NK attacks on South Korea, such as samples of the code that was preserved, encryption techniques, etc. So I guess I have to revise my previous opinion.
Bruce Schneier has an interesting editorial that appeared in the Wall Street Journal. He said that attacks should be viewed along two axes: skill and focus. Spam attacks are low focus and low skill: they blast out millions of emails knowing that someone, somewhere, will open the mail and click on a link to a poisoned web site. Malware writers are high skill, low focus. Script kiddies are low skill, but higher focus. The attackers of Target and Home Depot were high skill, low focus: they didn't care who they hit, they just wanted a big enough retailer to result in a big credit card theft, which is why they don't target Bob's Pizzeria. The Sony hack? High skill, high focus. Schneier likened it to the Anonymous attack on HBGary Federal, an internet security firm.
The FBI went on to say that 90% of corporations could not have withstood the attack. Which is not encouraging, and should greatly concern them.
The worst thing about this attack is that so much personal employee information was violated. In fact, there are two class-action lawsuits against Sony Pictures for not sufficiently safeguarding their information. The result of those will be quite interesting. But my take on this is DON'T SEND PERSONAL INFORMATION OR GOSSIP THROUGH WORK EMAIL SYSTEMS IF YOU DON'T HAVE TO! If you're going to gossip, do it face-to-face or over the phone. If you're going to send rude jokes, DON'T. Sony executives are looking like idiots for doing this, and deservedly so.
The full article: https://www.schneier.com/blog/archives/2014/12/lessons_from_th_4.html
Date: 2014-12-30 01:13 pm (UTC)

Here's an amazing thing that I read yesterday: the hack was initiated by the attackers spearphishing one IT admin. That's all it took, and they were literally handed the keys to the kingdom. In previous jobs I've had two logins: normal and admin. The admin login didn't have email, and was used via a virtual machine for doing sysadmin work. We were never hacked, but the lack of a negative doesn't prove a positive. Still, I think it's a good defensive measure.
Latest belief among the serious security researchers is that the language footprint (the way non-English speakers use English) makes them believe that it was Russian hackers that tore Sony apart. I haven't read anything identifying who took North Korea's internet down, but the people who shut down the Sony PlayStation and Xbox networks on Christmas Day were a bunch of punk misanthropes DDoSing for lulz, according to Krebs.