Comments
6 Ways The Sony Hack Changes Everything
macker490,
User Rank: Ninja
3/23/2015 | 2:46:21 PM
Tipping Point
While we may have reached a Tipping Point with regard to Software Security, I don't think the Sony Hack by itself could be sufficient to have forced that. Consider the financial penalty being assessed against Target. There's more: what about Home Depot? Or Heartland Payment Systems? Tax fraud?

The list goes on, as you know, and then on and on. And it doesn't take a genius to figure out: unless we turn over a new leaf and mend the error in our ways, hacking will continue to get worse. Will you be next?

The solution is available, and has been. First, it is essential to use a secure operating system. A secure operating system is one which will not allow itself to be corrupted by the activity of an application program.

Second: we need to take up the practice of authenticating transmittals. Transmittals include not just emails but also software downloads and financial instruments of every sort: Forms 1040, online purchasing, and the like. The broadcast system used with x.509 certificates is a start, but the broadcasting is too susceptible to intrusion, as hackers have demonstrated in their attacks on DigiNotar, RSA, and Comodo. x.509 certificates should be sent with marginal trust only. Each of us needs to use PGP or the Gnu Privacy Guard (GPG) to countersign those x.509 certificates that we actually need to trust. This will dramatically reduce the attack surface against x.509.

To do this we all need a copy of PGP or GPG, and local services such as credit unions need to provide the needed authentication service for our public keys.

Today we are forced to conduct business in a compromised environment: all our usual credentials, such as Social Security number, name, address, date of birth, dog's name, etc., have all been compromised and are easily available to crooks operating from the DarkNet market (see Brian Krebs' article on SuperGet).

To conduct business in this compromised environment we need a signature that can be offered and verified (authenticated) in public, but over whose use we can retain control privately. This is precisely what PGP or GPG does; it's what that software was created to do. We should use the new Elliptic Curve option with PGP and GPG.

These are initial steps; refinement will be needed and, in particular, change in product liability law, as has been noted by Bruce Schneier.

Where is the "Tipping Point"?

When it is no longer economical for merchants to just shrug off hacking as "part of the cost of doing business", then action will have to be taken. We all need to note carefully: passwords are NOT the problem. Hacking is facilitated by un-authorized programming.

Un-Authorized Programming, often called "Malware" or "Computer Virus", is a change to the programming in a victim's computer. Examples would include the BLACKPOS or BACKOFF malware that was inserted into the point of sale terminals of merchants who have recently been victims of credit card theft. Malware is generally inserted into a victim by taking advantage of a weakness in an operating system or by "phishing". "Phishing" involves sending fake messages to persons having update authority. Proper authentication of messages such as email will make "phishing" much more difficult. Today, "phishing" is trivial.

These un-authorized programs do not need your password: they operate AFTER the victim computer is running and use the victim's credentials to do their Dirty Deeds.
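A defender-side illustration of the "marginal trust plus local countersign" idea in the comment above, added here as an example and not part of the comment or the article: a locally controlled pin store (standing in for the PGP countersignature) records the SHA-256 fingerprints of the few certificates we actually need to trust, and a presented certificate is classified as pinned, mismatched (chains through a CA but is not the one we countersigned, the DigiNotar-style case), or simply unpinned. The certificate bytes and host names are constructed samples, not real certificates.

```python
import base64
import hashlib
import hmac

# Constructed sample: NOT a real certificate, just bytes standing in for DER.
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed-sample-certificate-body"


def pem_wrap(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-char base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, the usual 'certificate fingerprint'."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


# The local pin store: what our own countersignature step recorded after
# verifying the certificate out of band. Hypothetical host name.
SAMPLE_PEM = pem_wrap(FAKE_DER)
PINS = {"bank.example": hashlib.sha256(FAKE_DER).hexdigest()}


def check_pin(host: str, pem: str, pins: dict) -> str:
    """Classify a presented certificate against the local pin store."""
    expected = pins.get(host)
    if expected is None:
        return "unpinned"      # only CA-chain (marginal) trust applies here
    if hmac.compare_digest(fingerprint(pem), expected):
        return "pinned-ok"     # matches the certificate we countersigned
    return "mismatch"          # chains through a CA but is not ours: treat as hostile


if __name__ == "__main__":
    print(check_pin("bank.example", SAMPLE_PEM, PINS))
    print(check_pin("bank.example", pem_wrap(b"some-other-certificate"), PINS))
    print(check_pin("unknown.example", SAMPLE_PEM, PINS))
```

The "mismatch" outcome is the one worth alerting on: a chain that validates under public CA trust but does not match the locally recorded fingerprint is exactly the mis-issuance case the comment describes.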
tbruch320,
User Rank: Apprentice
3/15/2015 | 11:26:59 PM
Re: I disagree that anything will change
True, but in response, laws are on the books: due to Enron they have SOX (Sarbanes-Oxley). SOX can mean jail time or heavy fines, but for some reason they rarely ever use it. Until they bring that back and start holding people liable, stuff like that will continue to happen and CEOs will not take it seriously.
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 11:08:35 AM
Re: I disagree that anything will change
I think there is a greater chance for change, assuming that John's final point (that cybersecurity execs and board members start paying attention) comes to fruition. I would like to believe that "Savvy CEOs and concerned outside board members are well-suited to ask tougher questions about cybersecurity risk more frequently." But I don't see that much evidence of that right now...
mistersilver134,
User Rank: Guru
3/12/2015 | 9:29:05 AM
I disagree that anything will change
After reading the Quartz article "Sorry Consumers, companies have little incentive to invest in better cybersecurity", it is clear that the cost, after insurance and tax reduction (can you believe it, a tax reduction for having inadequate security and zero executive buy-in to improve?!), is probably less than they spend on the executive cafeteria and "entertainment" yearly.

Until there is serious legal risk associated with negligent leadership (and I mean either jail time or multi-year profit-level fines to incentivize shareholders to fire negligent executives), the disgraceful level of spending on cybersecurity will continue as normal business: no risk, no budget.
anon7282095628,
User Rank: Apprentice
3/11/2015 | 3:30:34 PM
They made an earlier business decision
I think that we also learned that theft of confidential information at Sony is an example of a company that is wide open and did not encrypt sensitive information. They made an earlier business decision to not secure their databases.  

Unfortunately, current security approaches can't tell you what normal looks like in your own systems, and the situation is getting worse according to Verizon. Verizon is reporting that this is a growing issue. Less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report by Verizon.

Attackers will always figure out how to get around defenses, so you need to lock down the data that they want to steal. So we need to protect our sensitive data itself with modern data centric security technology.  

Ulf Mattsson, CTO Protegrity