It’s time for a serious heart-to-heart. Whether you are just a casual follower of technology or computer security is your business, you need to understand what is happening and what it means to you – because it does impact you.
In the few days since my last blog:
Sony Hacked Again
Sony was once again hacked, compromising the personal information of more than 1 million users. The hacker group LulzSec has claimed responsibility for the attack, and says it was able to steal customer emails, passwords, home addresses and birth dates with a simple SQL injection attack.
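To make concrete what "a simple SQL injection attack" means for a site holding exactly this kind of customer data, here is an added example (not code from the original post, and not Sony's code) that runs the same account lookup two ways against a constructed in-memory table: once with the query text built by string concatenation, and once with a parameterized query where the driver never treats the caller's input as SQL. The table contents and the `lookup_*` function names are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data (not real customer records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT, password TEXT, home_address TEXT, birth_date TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("alice@example.com", "hunter2", "1 Main St", "1980-01-01"),
        ("bob@example.com", "letmein", "2 Oak Ave", "1975-06-15"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # The caller's input is spliced into the statement text, so it can change
    # the query's logic instead of just supplying a value to compare against.
    query = (
        "SELECT email, password, home_address, birth_date FROM users WHERE email = '"
        + email + "'"
    )
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, email):
    # The value travels separately from the statement; whatever it contains,
    # it is only ever compared against the email column.
    query = "SELECT email, password, home_address, birth_date FROM users WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()

def demo():
    """Row counts returned by each lookup for a normal and a malformed input."""
    conn = make_db()
    normal = "alice@example.com"
    malformed = "' OR '1'='1"   # textbook input that turns the WHERE clause into a tautology
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_malformed": len(lookup_vulnerable(conn, malformed)),
        "parameterized_normal": len(lookup_parameterized(conn, normal)),
        "parameterized_malformed": len(lookup_parameterized(conn, malformed)),
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated version hands back every row in the table for the malformed input, which is the whole customer list in one query; the parameterized version returns nothing, because it looks for an account whose email is literally that string. Encrypting the stored fields, as argued below, limits what such a dump is worth, but parameterizing every query is what stops the dump in the first place.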
Let’s talk straight. Sony’s reputation is devastated at this point. If you have an account with Sony Pictures, the Playstation Network, or at this point, if you ever purchased a Sony Walkman, you should assume your personal information has been exposed. Time to change passwords, possibly email accounts, and while you’re at it, you might consider changing your birth date.
If you still want to be a netizen, an active participant in today’s interconnected world, it’s time to wake up. Think twice before you share your information with companies, and be smart about what information you share. You don’t give out your name and phone number to everyone you meet; you establish some level of trust first. Apply the same common sense when giving out information on the internet. And I know it’s a pain having so many passwords, but stop using the same password for everything. Do you really think the Sony hackers care about your Playstation account? They don’t. The danger is when they can use that same information to access your bank account, or your email or social networking accounts, which they can then use to spear-phish your friends, tricking them into installing some malicious program onto their computers. The average computer user has 18 online accounts. There is a good chance they don’t have 18 unique usernames and passwords.
If you’re a company that manages consumer data, stop treating security as an afterthought or annoyance. There are industry standards such as the Payment Card Industry’s Data Security Standard for managing customer-sensitive data like credit card numbers, but quite honestly, those standards should be a starting point, not an endgame, for your security. My view is that achieving compliance is an act of complacency – not a best practice for security. All customer data, not just credit cards, should be encrypted, or at the very least isolated from your other systems with strict access controls and limits. It’s not just your data that is at risk, it is your reputation. Stop waiting for a regulatory agency to tell you what minimum steps you should take to protect your network and start hiring expertise for yourself. If you don’t, consumers will choose with their pocketbooks, and sometimes their lawyers.
Sony’s saga is the direct result of their prosecution of individuals who were hacking PS3 consoles. Regardless of where you stand on whether it should be OK for someone to hack their own console, Sony grossly misread the situation and was woefully unprepared for the consequences. In their desire to protect their intellectual property (IP), their tactics drew the ire of the hacktivist community, and now both their IP and reputation have been damaged. Will the ultimate price tag Sony pays be worth the few dollars they appear to have saved on security?
Lockheed Confirms Breach Involved RSA SecurID
There has been a lot of speculation about the recent news of cyber attacks at three of the largest defense contractors: Lockheed Martin, L-3 Communications, and Northrop Grumman. Thanks to the diligence of Christopher Drew, the New York Times has confirmed that the breach at Lockheed was at least partly based on data stolen in the RSA breach back in March. As I, and many others in the security community, had theorized, if the data stolen from RSA included the magic seed values that the SecurID tokens use to generate passcodes, it could nullify the efficacy of RSA’s two-factor authentication. This possibility now seems almost certain. While the attacks on L-3 and Northrop Grumman might not have involved data from the RSA breach, the fact remains that confidence in RSA SecurID technology is now seriously shaken. It is akin to losing the master key to a building with thousands of locks, except in this case, there are over 240 million locks that might be picked with such a key, and the doors lead to some of the most sensitive data our government and private companies manage.
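The reason a stolen seed matters is structural, and a short added example shows it better than the master-key analogy. SecurID’s own passcode algorithm is proprietary and is not reproduced here; this example (mine, not RSA’s and not from the original post) uses the open HMAC-based one-time-password construction from RFC 4226 and RFC 6238 instead, because it has the same property the paragraph relies on: the passcode is a function of nothing but the shared seed and the current time window, so the server can verify a code only by recomputing it from its own copy of the seed, and it has no way to tell which copy of the seed produced a given code. The test seed below is the published RFC test vector; the function names are my own.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time window."""
    return hotp(seed, unix_time // step, digits)

def verify(seed: bytes, candidate: str, unix_time: int,
           step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: recompute the code for the current window (plus/minus `skew`
    windows of clock drift) from the server's copy of the seed and compare in constant time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, counter + d, digits), candidate)
        for d in range(-skew, skew + 1)
    )

def seed_copy_is_indistinguishable(seed: bytes, unix_time: int) -> bool:
    """Two holders of the same seed produce the identical code for the same window,
    and the verifier accepts it without knowing which copy it came from."""
    code_from_token = totp(seed, unix_time)
    code_from_other_copy = totp(seed, unix_time)   # e.g. a copy read from a backed-up seed record
    return code_from_token == code_from_other_copy and verify(seed, code_from_other_copy, unix_time)

if __name__ == "__main__":
    rfc_seed = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret
    print(totp(rfc_seed, 59, digits=8))  # RFC 6238 SHA-1 vector for T=59
    print(seed_copy_is_indistinguishable(rfc_seed, 59))
```

Because the whole scheme rests on the seed never existing anywhere except the token and the authentication server, the defensive consequences follow directly: a seed database that may have been copied has to be treated as if every token derived from it is known, which is why replacing tokens (or moving to a design whose secret never leaves the device, such as a smart card) is the only way to restore the guarantee.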
The RSA attack was far more sophisticated than the spate of Sony hacks. It involved a well-crafted spear-phishing email, a zero-day exploit, and a fairly advanced trojan capable of encrypting and then siphoning data out. I don’t believe this breach resulted from anywhere near Sony’s level of negligence, but RSA now has the same consumer confidence problem and it must take steps to repair and restore that trust. Lockheed is already replacing its 45,000 SecurID tokens, and Northrop is moving to alternative authentication technologies like smart cards. RSA is working behind the scenes with customers to help them protect their SecurID implementations, but now they need to make a more tangible public announcement to restore confidence. In the security business, information is critical, and without specific data, the only responsible thing to do is assume worst-case scenarios.
Meanwhile, consumers of SecurID technology need to review their security posture. Whether or not you replace your tokens, you need to review the security of the computers that connect to your network. If you have remote workers or contractors, you should require a baseline level of security on those systems before they are allowed to even log into your network. Simply requiring more passwords, or even longer, more complex passwords, for your users will do nothing against this attack vector. For someone to breach the SecurID authentication, they need either the serial number of the token or the time-sensitive passcodes generated by the token. The easiest way to get those is to place a keystroke logger or backdoor on a system and watch a user enter that information, and at that point they’ll capture any password, no matter its complexity or length. You need to prevent the malware from getting on the system in the first place. Advanced security technologies like application whitelisting are the most effective means of stopping these types of targeted attacks. Monitoring user login activity is another useful technique – it is reactive, but better than nothing. For example, if a user logs in from New York, and a few hours later that same account logs in from Brazil, you might want to take notice.
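The New York/Brazil check at the end of that paragraph is easy to turn into a concrete detection. The added example below (not from the original post) reads a few constructed login records, resolves each source address to coordinates through a small stand-in for a GeoIP database, and flags any two consecutive logins on the same account whose great-circle distance divided by the elapsed time implies a speed no traveller could manage. The log format, the addresses (from the documentation ranges), the coordinate table and the 1,000 km/h threshold are all assumptions made for the illustration; it also generalizes the paragraph’s single example to any pair of locations rather than just those two cities.

```python
import math
from datetime import datetime

# Constructed sample login records: ISO-8601 UTC timestamp, account, source IP.
SAMPLE_LOG = """\
2011-06-03T09:00:00Z alice 198.51.100.10
2011-06-03T12:30:00Z alice 203.0.113.5
2011-06-03T09:15:00Z bob 198.51.100.10
2011-06-03T17:45:00Z bob 198.51.100.77
"""

# Stand-in for a GeoIP lookup: IP -> (city, latitude, longitude). Assumed values.
GEO = {
    "198.51.100.10": ("New York", 40.7128, -74.0060),
    "198.51.100.77": ("Boston", 42.3601, -71.0589),
    "203.0.113.5": ("Sao Paulo", -23.5505, -46.6333),
}

# Assumed threshold: well above airline speed, so ordinary travel never trips it.
MAX_PLAUSIBLE_KMH = 1000.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_log(text):
    """Turn the raw records into (timestamp, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip))
    return events

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Alert on consecutive logins by one account whose implied speed exceeds max_kmh."""
    by_user = {}
    for ts, user, ip in sorted(events):          # chronological order per account
        by_user.setdefault(user, []).append((ts, ip))
    alerts = []
    for user, logins in by_user.items():
        for (t0, ip0), (t1, ip1) in zip(logins, logins[1:]):
            if ip0 not in GEO or ip1 not in GEO:
                continue                        # unknown location: cannot judge, so no alert
            city0, lat0, lon0 = GEO[ip0]
            city1, lat1, lon1 = GEO[ip1]
            dist = haversine_km(lat0, lon0, lat1, lon1)
            hours = (t1 - t0).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_kmh:
                alerts.append({"user": user, "from": city0, "to": city1,
                               "km": round(dist), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample records only alice is flagged: New York to Sao Paulo in three and a half hours is well over 2,000 km/h, while bob’s New York-to-Boston move over eight hours is unremarkable. As the paragraph says, this is reactive; it tells you a credential is already being used from two places, which is exactly the signature of a captured passcode being replayed from elsewhere, and it is worth having even though the stronger control is keeping the logger off the endpoint.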
Unlike the Sony breach, where the hackers proudly announced their identity and their motives, no one is going on record with respect to the identity of the attackers of these sensitive private and government networks. And I find this the most disturbing aspect of the story. To paraphrase from the ancient Chinese (and yes, the pun is intended) military treatise, The Art of War: Know Your Enemy. In fact, it’s useful to understand the more complete translation of this proverb:
So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself.
Which brings me to the final piece of this week’s puzzle…
The Enemy Has a Name; FBI to Investigate Gmail Attacks
The FBI is being tasked to investigate Google’s recent claim that attacks on the Gmail accounts of senior government officials, and hundreds of others, originated from Jinan, China. This is the same location identified in the highly publicized and sophisticated Aurora attacks that hit Google, Adobe, Intel and others in late 2009. Jinan is the home of the Lanxiang vocational school, which reportedly has military links. My hat’s off to Google for putting a name to the face, amidst the flurry of news regarding cyber security, advanced threats, and generically named “nation-states.” Either you have to assume that Google’s forensic capabilities exceed those of the government and defense contractors, or that Google is simply not under the same political pressure to keep that information secret. It is the latter. Both civilian and public institutions are under constant cyber attack from China, and the organizations being attacked are more often than not able to trace the sources. But officially, few are willing to go on record with this information. It is ironic that China is trying to hide and censor the results of Google searches while Google is trying to reveal the source of breaches.
When an embassy is bombed or there is some sort of physical attack on infrastructure, the attackers are identified by name as soon as possible. This information helps us understand the motivations, improve our defenses, and develop appropriate responses. Should it be that different simply because the attacks are electronic? We need our government to demand more disclosure about the nature and origins of cyber attacks so we can develop appropriate defenses. We need our government to develop policy responses as well, because this level of organized attack rises above singular criminal acts. The military spends billions of dollars on developing new defense technology and that technology can be stolen with the click of a mouse. Moreover, by targeting private corporations and individuals, these attacks are not solely the problem of governments. We are watching as these attacks cause serious economic damage, and this impacts all of us. We must all be responsible for defending against these threats.
In his recent newsletter, Mark Anderson, CEO of the Strategic News Service, said it most starkly and most alarmingly: “What Americans, and perhaps Europeans, even at the Presidential level, continue to miss, is that this ongoing transfer of IP is not the result of a cultural mismatch, nor is it something the Chinese are ‘working on;’ to the best of my understanding, it is the centerpiece of the Chinese economy. They cannot afford not to continue, or the model breaks.”
National Geographic recently released the “typical” human face and it was a 28-year-old Han Chinese man. It’s time for a serious heart-to-heart.