Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

6 Ways The Sony Hack Changes Everything
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/23/2015 | 2:46:21 PM
Tipping Point
While we may have reached a Tipping Point with regard to Software Secuirty I don't think the Sony Hack by itself could be sufficient to have forced that.   Consider the financial penalty being assesed against Target.   There's more: what about Home Deport?   or Heartland Payment Systmes?   Tax Fraud?

the list goes on, as you know, and then on and on. and it doesn't take a genius to figure out: Unless we turn over a new leaf and mend the error in our ways hacking will continue to get worse.   Will you be next ?

the solution is available,-- and has been. First it is essential to use a secure operating system.   A secure Operating system is one which will not allow itself to be corrupted by the activity of an application program.

second: we need to take up the practice of authenticating transmittals.    transmittals include not just eMails but also software downloads and financal instruments of every sort, -- Forms 1040, online puchasing, and the like.    The broadcast system used with x.509 certificates is a start but the bradcasting is too susceptible of intrusion as hackers have demonstrated in their attacks on Diginotar, RSA, and Comodo.   x.509 certificates should be sent with marginal trust only.    each of us needs to use PGP or the Gnu Privacy Guard (GPG) to countersign those x.509 certificates that we actually need to trust.   this will dramatically reduce the attack surface against x.509

to do this we all need a copy of PGP or GPG --and local services such as Credit Unions need to provide the needed authentication service for our Public Keys.

Today we are forced to conduct busines in a compromised environment: all our usual credentials, such as SocSec Number, name, address, Date of Birth, dog's name etc -- have all been compromised and are easily available to crooks operating from the DarkNet market ( See Brian Krebs article on SuperGet ).  

to conduct business in this compromised environment we need s a signature such that can be offered and verified (authenticated) in public -- but which we can retrain control of the use of privately.    this is precisely what PGP or GPG does; it's what that software was created to do.   we should use the new Eliptic Curve option with PGP and GPG.

these are initial steps; refinement will be needed and in particular, change in product liability law -- as has been noted by Bruce Schneier.  

where is the "Tipping Point" ? 

when it is no longer economical for merchants to just shrug off hacking as "part of he cost of doing business" then action will have to be taken.    we all need to note carefully: passwords are NOT the problem: Hacking is facilitated by un-authorized programming.

Un-Authorized Programming, often called "Malware", or "Computer Virus" are changes to the programming in a victim's computer.  Examples would include the BLACKPOS or BACKOFF malware that was inserted into the Point of Sale terminals in merchants who have bveen recently victims of credit card theft.   malware is generaly inserted into a victim by making advantage of a weakness in an operating system or by "phishing".   "Phishing" involves sending fake messages to persons having update authority.   Proper authentication of messages such as eMail will make "phishing" much more difficult.  Today,-- "phishing" is trivial.

these un-authorized programs do not need you password: they operate AFTER the victim computer is running and use the victim's credentials to do their Dirty Deeds.
User Rank: Apprentice
3/15/2015 | 11:26:59 PM
Re: I disagree that anything will change
True, but in response laws are on the books due to enron they have SOX Sarbanes oxley. SOX can mean jail time or heavy fines but for some reason they rarely ever use it. until they bring that back and start holding people liable stuff like that will continue to happen and CEOs  will not take it seriously.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 11:08:35 AM
Re: I disagree that anything will change
I think there isa greater chance for change, assuming that John's final point  (that cybersecurity execs and board members start paying attention comes to fruition. It would like to believe that "Savvy CEOs and concerned outside board members are well-suited to ask tougher questions about cybersecurity risk more frequently." But I don't see that much evidence of that right now...

User Rank: Guru
3/12/2015 | 9:29:05 AM
I disagree that anything will change
After reading the Quartz article "Sorry Consumers, companies have little incentive to invest in better cybersecurity" it is clear that the cost, after insurance and (can you believe it tax reduction for having inadequate security and zero executive buy in to improve?!) tax reduction, the cost is probably less than they spend on the exectuive cafateria and "entertainment" yearly.

Until there is serious legal risk associated with negligent leadership (and i mean either jail time or multi-year profit level fines to incentivize shareholders to fire negligent executives), the disgraceful level of spending on cybersecurity will continue as normal business, no risk, no budget.
User Rank: Apprentice
3/11/2015 | 3:30:34 PM
They made an earlier business decision
I think that we also learned that theft of confidential information at Sony is an example of a company that is wide open and did not encrypt sensitive information. They made an earlier business decision to not secure their databases.  

Unfortunately, current security approaches can't tell you what normal looks like in your own systems and the situation is getting worse according to Verizon. Verizon is reporting that this a growing issue. Less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report by Verizon.  

Attackers will always figure out how to get around defenses, so you need to lock down the data that they want to steal. So we need to protect our sensitive data itself with modern data centric security technology.  

Ulf Mattsson, CTO Protegrity

COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...