
6 Ways The Sony Hack Changes Everything
User Rank: Ninja
3/23/2015 | 2:46:21 PM
Tipping Point
While we may have reached a Tipping Point with regard to Software Security, I don't think the Sony Hack by itself could be sufficient to have forced that. Consider the financial penalty being assessed against Target. There's more: what about Home Depot? Or Heartland Payment Systems? Tax fraud?

The list goes on, as you know, and then on and on. And it doesn't take a genius to figure out: unless we turn over a new leaf and mend the error in our ways, hacking will continue to get worse. Will you be next?

The solution is available, and has been. First, it is essential to use a secure operating system. A secure operating system is one which will not allow itself to be corrupted by the activity of an application program.

Second: we need to take up the practice of authenticating transmittals. Transmittals include not just emails but also software downloads and financial instruments of every sort: Forms 1040, online purchasing, and the like. The broadcast system used with x.509 certificates is a start, but the broadcasting is too susceptible to intrusion, as hackers have demonstrated in their attacks on DigiNotar, RSA, and Comodo. x.509 certificates should be sent with marginal trust only. Each of us needs to use PGP or the GNU Privacy Guard (GPG) to countersign those x.509 certificates that we actually need to trust. This will dramatically reduce the attack surface against x.509.

To do this we all need a copy of PGP or GPG, and local services such as credit unions need to provide the needed authentication service for our public keys.

Today we are forced to conduct business in a compromised environment: all our usual credentials, such as Social Security number, name, address, date of birth, dog's name etc., have all been compromised and are easily available to crooks operating from the DarkNet market (see Brian Krebs' article on SuperGet).

To conduct business in this compromised environment we need a signature that can be offered and verified (authenticated) in public, but whose use we can retain control of privately. This is precisely what PGP or GPG does; it's what that software was created to do. We should use the new Elliptic Curve option with PGP and GPG.

These are initial steps; refinement will be needed, and in particular a change in product liability law, as has been noted by Bruce Schneier.

Where is the "Tipping Point"?

When it is no longer economical for merchants to just shrug off hacking as "part of the cost of doing business", then action will have to be taken. We all need to note carefully: passwords are NOT the problem. Hacking is facilitated by un-authorized programming.

Un-authorized programming, often called "malware" or "computer virus", consists of changes to the programming in a victim's computer. Examples would include the BLACKPOS or BACKOFF malware that was inserted into the point-of-sale terminals of merchants who have recently been victims of credit card theft. Malware is generally inserted into a victim by taking advantage of a weakness in an operating system or by "phishing". "Phishing" involves sending fake messages to persons having update authority. Proper authentication of messages such as email will make "phishing" much more difficult. Today, "phishing" is trivial.

These un-authorized programs do not need your password: they operate AFTER the victim computer is running and use the victim's credentials to do their Dirty Deeds.
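The trust rule the comment above sketches, as an added example (not code from the commenter, Dark Reading or any PGP/GPG product): a Python model in which a CA-broadcast x.509 certificate counts as marginally trusted at most and only becomes valid once countersigned by PGP/GPG keys the user trusts. The thresholds mirror GnuPG's defaults of 1 fully trusted or 3 marginally trusted signatures; the signer names, the "credit union" signer and the certificate bytes are constructed placeholders.

```python
import hashlib
from enum import Enum

class Trust(Enum):
    NONE = 0
    MARGINAL = 1
    FULL = 2

COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes: the value a countersignature covers."""
    return hashlib.sha256(der).hexdigest()

class TrustDb:
    def __init__(self, owner_trust):
        self.owner_trust = dict(owner_trust)   # signer id -> Trust (how much I trust the signer)
        self.sigs = {}                          # cert fingerprint -> set of signer ids

    def countersign(self, der: bytes, signer: str) -> None:
        # Real deployment: a `gpg --detach-sign` over the certificate, checked with
        # `gpg --verify` before being counted. Modelled here as a recorded assertion.
        self.sigs.setdefault(fingerprint(der), set()).add(signer)

    def validity(self, der: bytes) -> Trust:
        fulls = marginals = 0
        for signer in self.sigs.get(fingerprint(der), ()):
            t = self.owner_trust.get(signer, Trust.NONE)   # unknown signers count for nothing
            if t is Trust.FULL:
                fulls += 1
            elif t is Trust.MARGINAL:
                marginals += 1
        if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
            return Trust.FULL
        return Trust.MARGINAL if (fulls or marginals) else Trust.NONE

    def accept(self, der: bytes) -> bool:
        return self.validity(der) is Trust.FULL   # marginal means "ask the user", not "use it"

def demo():
    cert = b"constructed-stand-in-for-a-DER-encoded-certificate"   # constructed sample
    db = TrustDb({"CA:broadcast-ca": Trust.MARGINAL,    # the CA's say-so: marginal only
                  "PGP:my-own-key": Trust.FULL,         # my own GPG key
                  "PGP:credit-union": Trust.FULL})      # local authentication service (hypothetical)
    db.countersign(cert, "CA:broadcast-ca")             # issuance alone
    before = db.validity(cert)                          # MARGINAL: not yet usable
    db.countersign(cert, "PGP:my-own-key")              # I checked it and signed it
    after = db.validity(cert)                           # FULL: accepted
    return before, after
```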
User Rank: Apprentice
3/15/2015 | 11:26:59 PM
Re: I disagree that anything will change
True, but in response laws are on the books: due to Enron they have SOX (Sarbanes-Oxley). SOX can mean jail time or heavy fines, but for some reason they rarely ever use it. Until they bring that back and start holding people liable, stuff like that will continue to happen and CEOs will not take it seriously.
Marilyn Cohodas
User Rank: Strategist
3/12/2015 | 11:08:35 AM
Re: I disagree that anything will change
I think there is a greater chance for change, assuming that John's final point (that cybersecurity execs and board members start paying attention) comes to fruition. I would like to believe that "Savvy CEOs and concerned outside board members are well-suited to ask tougher questions about cybersecurity risk more frequently." But I don't see that much evidence of that right now...

User Rank: Guru
3/12/2015 | 9:29:05 AM
I disagree that anything will change
After reading the Quartz article "Sorry Consumers, companies have little incentive to invest in better cybersecurity" it is clear that the cost, after insurance and tax reduction (can you believe it: a tax reduction for having inadequate security and zero executive buy-in to improve?!), is probably less than they spend on the executive cafeteria and "entertainment" yearly.

Until there is serious legal risk associated with negligent leadership (and I mean either jail time or multi-year profit-level fines to incentivize shareholders to fire negligent executives), the disgraceful level of spending on cybersecurity will continue as normal business: no risk, no budget.
User Rank: Apprentice
3/11/2015 | 3:30:34 PM
They made an earlier business decision
I think that we also learned that the theft of confidential information at Sony is an example of a company that is wide open and did not encrypt sensitive information. They made an earlier business decision to not secure their databases.

Unfortunately, current security approaches can't tell you what normal looks like in your own systems, and the situation is getting worse according to Verizon. Verizon is reporting that this is a growing issue. Less than 14% of breaches are detected by internal security tools, according to the annual international breach investigations report by Verizon.

Attackers will always figure out how to get around defenses, so you need to lock down the data that they want to steal. So we need to protect our sensitive data itself with modern data-centric security technology.

Ulf Mattsson, CTO Protegrity
