Re: Sony Hack / Knee Jerk Reaction Mitigation (Looking for input)

  • From: William Muriithi <william.muriithi@xxxxxxxxx>
  • To: phil@xxxxxxxxxx
  • Date: Mon, 15 Dec 2014 12:40:09 -0500

Phillip,

> The Sony escapade could have been largely prevented. What really screwed
> them was the following:
>
> "Even more interestingly, BuzzFeed reports that data shared online by
> hackers includes a file directory titled “Password,” which includes “139
> Word documents, Excel spreadsheets, zip files, and PDFs containing thousands
> of passwords to Sony Pictures’ internal computers, social media accounts and
> web service accounts.” Individual file names are “plainly labeled with
> titles like ‘password list.xls’ or ‘YouTube login passwords.xlsx.’"
>
> Without those lists of passwords, I doubt things would have been so bad...

I doubt it.  May have made it a bit harder but once they are inside
your network, it's just a matter of time before they find a single
username/password from someone with root/admin permission.  After
that, they will be all over the systems.  If you doubt that, look at
these two cases.  I am suspecting they were more careful.

http://mobile.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas

https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story/

To me, I think it's better to patch the applications, deploy SELinux
and mod-security and encryption of data so that when they do get in,
they can only destroy the systems, but would have embarrassing data to
post online.

In other words, in most companies, you just need one password and
username and should be able to go fishing.

William
--
//www.freelists.org/webpage/oracle-l

