Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Sony Hacked By N. Korea, Hacktivists, Ex-Employee, Or All Of The Above?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
ODA155
50%
50%
ODA155,
User Rank: Ninja
1/6/2015 | 2:36:35 PM
Re: So confuised
@Kelly Jackson Higgins...

After this new revaluation about an "ex-Sony employee(s)" came out I started thinking about a few things, first of all my initial feelings that regardless who was responsible, Sony still bears the blame and we should not lose sight of their (Sony's) responsibility to protect their resources.

That said, I started thinking about the company that I work for... so I'm comfortable that our SIEM is collecting the information, but are we looking in the right places? What if WE lose someone with specific admim privileges to a lay-off or if that person is fired or even if they leave on good terms, are we revieiwing everything they do/did (administratively) and are we making sure that it's all within his\her job?

The first thing I pulled out was a report that I generate quarterly (maybe I should force it to monthly)... that does not come from the SIEM, "WHO ARE THE PEOPLE WITH ADMIN\ROOT\SCHEMA ACCESS"? I use PowerGui Administrative Console to get this information for our Windows systems, unfortunately I have to rely on the UNIX\Linux Manager to get this information from those systems (but I'm working on that) too.

Then I reviewed the list of reports that I get and from the SIEM:

 - Account Creation
 - Privilege Escalation
 - Admin UserID Usage
 - Admin Database Access, Usage and Queries
 - Admin Access to Servers, DB's and Applications that are compliance applicable
 - Admin via Remote Access
 - Login Source
 - Admin Accounts with Failed Login Attempts & Locked Accounts
 - Admin Accounts with non-Expiring Passwords

This list started to get very long when I compared what I was looking at to what I wasn't. Then I started going through our security policies and I stopped at our policy that specified how "Terminations" should be handled. I recommended that we make the following changes:
  • Prior to any planned termination a review of administrative activity for a period of at least 120 days be performed.
  • Upon receipt of resignation a review of administrative activity for a period of at least 120 days be performed.
  • Manager of employee and security must review\compare all work conducted by employee to a valid Change Management Request (CMR)
  • HR\Legal notification to former employee that this internal investigation is being conducted and that employee will be held liable (legally) for any discrepancies created using their admin UserID.
  • Notify ALL administrators and managers this is the policy going forward.

I know this sounds like I'm paranoid, but I am and I don't mind because it's what they pay me for and if I don't do it nobody will... besides my boss will be the first person raked over the coals if we get hit by CRYPTOLOCKER, so if we were hacked, they'd come looking for us both with pitchforks and torches, so why not put the onus on "them" and give someone else the opportunity to say NO?
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
1/5/2015 | 4:17:59 PM
Re: So confused
@Kelly  Yeah, I feel like there were multiple groups involved, possibly working together, possibly not. If the N.K. government was at the root of it, it seems like they must have hired independent attackers to carry the thing out. Maybe one of those attackers was a disgruntled insider. Who knows?!
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
1/5/2015 | 4:14:41 PM
Re: So confuised
I hear ya, @Sara!

I still think this was not just one attack, but multiple attacks/layers by different actors that everyone is trying to understand as one big breach, which is why it's hard to wrap your head around it as a classic insider attack, hacktivist attack, or nation/state attack. It's not just one of those, really.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
1/5/2015 | 4:10:28 PM
So confuised
I wonder if this will be one of these things that the government will classify and we'll learn the truth 50 years from now. The people I've spoken to have said everything from "an insider MUST be involved" to "no insider would be needed at all, and probably wasn't."

The whole thing just seemed too snarky to me to not include an insider somewhere in the process. Also, the North Korea connection was not acknowledged by Lena -- at least not at the beginning. In November Lena was quoted saying that NK was NOT involved. It's all very perplexing.

 
SamsonY579
50%
50%
SamsonY579,
User Rank: Apprentice
1/5/2015 | 3:54:47 PM
Petition the Whitehouse to allow an independent review of the evidence.
On November 24th, 2014 Sony Pictures Entertainment, was the victim of a cyber-attack, and on January 2nd, 2015, the Treasury imposed sanctions against the Democratic People's Republic of Korea, more commonly known as North Korea.

The premise of the sanctions is the assertion by the FBI that the cyber-attack was committed by North Korea, an assertion that has been publicly refuted by computer security experts based on information available to them.

To avoid a repeat of the "WMDs in Iraq" debacle, the President could allow a well-respected, non-partisan, independent audit by a cyber-security firm, of the evidence linking North Korea to the cyber-attack as the FBI's "just trust us" stance is insufficent, especially in the face of North Korea's denial of their involvement.

If you agree with this, please sign my petition at whitehouse.gov.

Since URLs are blocked the URL is: wh dot gov slash iggO4

wh.gov/iggO4
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
1/5/2015 | 8:11:52 AM
Re: Ongoing
Thank you, @fpdesignco. You are spot on: the bottom line is we really don't know what the FBI knows. 
Eric Kruse
50%
50%
Eric Kruse,
User Rank: Apprentice
1/4/2015 | 1:17:00 PM
Ongoing
Kelly.

 

First off way to be the first person who I have seen that actually wrote a decent article on this.  Going to take a piece of the writing out and write a opinion.

      "differentiating state-integrated, state-executed, state-ordered, or state-coordinated activity. If a state has any of those roles, the FBI may consider the state 'responsible,' " he says."

 

This is exactly what most poeple dont understand.  I love reading the articles by every major media outlet that talks to some cyber-security research firm who all have conflicting opinions about attribution.  The thing it, you do not know how the FBI (Intelligence Community in general) came to that conclusion.  For a company to say that makes me very weary of adding a talking point to selling their product with respective customers.  

 

I'd place a little bit of faith in the intelligence community on this one as no one is really looking for another black eye and congressional inquiry on a topic like this.  
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
12/31/2014 | 4:49:31 PM
Re: N Korea .. Much better movie
Yeah, but only to us.

Not going to make $1M the first day of release, either.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
12/31/2014 | 12:47:51 PM
Re: Title of movie about all this
:-) #epic
BertrandW414
50%
50%
BertrandW414,
User Rank: Strategist
12/31/2014 | 12:10:09 PM
Title of movie about all this
@kelly - I think the title of the movie should be "EPIC BREACH". ;-)
Page 1 / 3   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41163
PUBLISHED: 2021-10-20
Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discour...
CVE-2021-42299
PUBLISHED: 2021-10-20
Microsoft Surface Pro 3 Security Feature Bypass Vulnerability
CVE-2021-42771
PUBLISHED: 2021-10-20
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
CVE-2021-42764
PUBLISHED: 2021-10-20
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (delayed consensus decisions), and also increase the profits of individual validators, via short-range reorganizations of the underlying consensus chain.
CVE-2021-42765
PUBLISHED: 2021-10-20
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to leverage network delay to cause a denial of service (indefinite stalling of consensus decisions).