back to article Sony Pictures hack is Hollywood's 'Snowden moment' say infosec bods

Hackers obtained system administrators' passwords to pull of the mega-hack against Sony Pictures' servers, according to reports. This will come as no surprise to IT professionals. Purloined administrator credentials gave miscreants calling themselves Guardians of Peace broad latitude to access systems and sensitive data; that …

  1. Mitoo Bobsworth

    Alternative hypothesis

    The collective heads of Sony Pictures are as stupid, selfish, short-sighted and negligent as you think they are.

    (Just thinkin' out loud...)

    1. Androgynous Cupboard Silver badge

      Re: Alternative hypothesis

      No two factor auth, for sysadmins, on a Fortune 100? Wow. This one was always coming, it was just a matter of time.

      1. Anonymous Coward
        Anonymous Coward

        Re: Alternative hypothesis

        No two factor auth, for sysadmins

        I was actually thinking of what you might call "n-factor" auth. Use a secret sharing scheme to guard the most important passwords and hand them out to your most-trusted staff. The crypto bit makes sure that unless a certain threshold of trusted users all present their key material, nothing can be unlocked.

        Bonus points if you have "poisoned" keys that will always raise an alarm if used. A few fake personnel records in various database and you've got a nice honey pot.

        1. Version 1.0 Silver badge

          Re: Alternative hypothesis

          Honeypots work if the attackers are outsiders - they are generally useless if the attacker has administrative access because the administrator can usually see them for what they are.

  2. oldtaku

    Snowden Moment

    So, a couple months of panic and outrage, then back to business as normal.

    1. Mark 85 Silver badge

      Re: Snowden Moment

      Exactly. One would have thought that the Target, Home Depot, etc. might have woke some C-suite types up... but no. They stuck their heads in the sand and continued to reduce costs by cuts in the IT cost center. It'll keep happening.

      The only way is for the C-suite occupiers and the board to change their thinking. IT spending may reduce profit in the short term but it keeps the profit flowing.

      1. Anonymous Coward
        Anonymous Coward

        Re: Snowden Moment

        Oh, come on - Execs don't mandate Admin access controls and policies, and putting effective controls in place wouldn't even register in the average IT budget. The truth is that all too often the people responsible for putting access controls in place don't want the hassle of having their own access constrained. That applies to Admins every bit as much as Execs - but you'd expect an IT pro to know better.

        1. Anonymous Coward
          Thumb Up

          Re: Snowden Moment

          One of my policies as a system administrator, or actually any of my hats, was I had to eat the same dog food as well. Yes, it was a pain in the ass, especially when the brain isn't as agile after a long night of partying, but it kept the complaints down to a grumble whether on the line or in the C-suite. This isn't (necessarily) about IT, it's about any job where you have some authority over another. One of those leadership things but I didn't get it from schools or training. It seemed obvious. Guess it's not {sigh}.

  3. tfewster Silver badge
    Flame

    > system administrators and their credentials are the most dangerous threat to companies today,” said Eric Chiu

    ODFO, Eric. I know you're just jumping on a bandwagon to sell your products, but we're incredibly loyal considering how we get treated like shit, How about manglement and HR working to improve staff conditions rather than treat us as probable criminals?

    E.g. where I'm working we're implementing a Unix/Linux login management system (similar to LDAP plus sudo); Information security are paying for the project as it has obvious benefits for them, but I'm all for it as it means I only have to remember and change one password. So I'll be more productive, less frustrated and happier as a result.

    1. Anonymous Coward
      Anonymous Coward

      @tfewster - You're only half way there!

      Admin rights on production systems should only be given to System admins for a limited time and strictly based on a specific need (incident resolution or planned changes). Two-factor authentication compulsory for access to critical systems. You should address the question on who's in charge with managing sysadmin rights and privileges for each system judged to be critical. Use a relatively low-tech team to grant those accesses as needed and make sure this team can't access the production systems (hint, use scripts to grant rights and jump-points to control access). On top of it, log every access and audit systems periodically. Add continuous user education to the mix.

      You're still vulnerable but will make it a lot harder for intruders.

      Keep in mind that a sysadmin frustrated by security policies is still preferable to a gratified intruder.

      1. tfewster Silver badge

        Re: @tfewster - You're only half way there!

        Eric, you're missing my point. The Login Management mechanism is an enabler as well as a security tool. Feel free to log and audit what I do, but don't get in my way*.

        e.g. today I had a problem on a Production system that was querying a failed DNS server. Easy workaround, check another Prod system on the same subnet for a good list of DNS servers and copy the config file to the system that had a problem. Follow up by writing a quick script** to check 700 systems for which DNS servers they are using and remove any bad entries. Result: many minor performance issues resolved quickly and cheaply, many thousands of dollars savings in time for the systems users who had got used to a slight but annoying delay.

        Your idealised version of login management would make it virtually impossible to get the required access to a second system to check the config, let alone the rest of the estate.

        *Management understand that in general if you give someone Responsibility for an issue, you should give them the Authority to fix that issue. Accountability comes after the fact.

        **Yes, this could have been done using a Configuration Management system such as Puppet, or writing a custom Nagios plugin to check configs, but that just shifts the problem of trust and adds cost.

  4. Destroy All Monsters Silver badge

    I see! Or not.

    The other theory – backed by most IT security bods – is that disgruntled ex-employees are the most likely culprits.

    I humbly suggest this article should be accompanied by an enormous picture of Disgruntled Internet Cat.

  5. Anonymous Coward
    Anonymous Coward

    Unfortunately not news ...

    While working at a large Swiss bank for some reason we required root access to server we were working on.

    We were told that it was not possible because all servers in the UK had the same root password. ......

    1. Rabbit80

      Re: Unfortunately not news ...

      Sure, because having different passwords for different servers requires an excel spreadsheet to record the server/username/password for each one. How about they create a temporary username/password on that server for you instead?

      1. Anonymous Coward
        Anonymous Coward

        @Rabbit80 - Re: Unfortunately not news ...

        Even better, create a second login name for those who need root access (separate from the regular one they use to access their email and Internet) and elevate the privileges of that login, on a specified server only, for a limited time and only based on a change/incident ticket.

        1. Frumious Bandersnatch

          Re: @Rabbit80 - Unfortunately not news ...

          for a limited time

          But 'cp /bin/bash /some/user/.randomapp/randomfile followed by 'chmod 04755 !$' hardly takes any time and the effects can last indefinitely unless detected...

          1. phil dude
            Boffin

            Re: @Rabbit80 - Unfortunately not news ...

            http://www.camlcity.org/knowledge/kb_003_disable_setuid.html

            This used to be how DCE/DFS did things I think.

            This is not my area of expertise, just my interest...so if those that know could pipe up..?!

            P.

  6. Version 1.0 Silver badge

    "Come to Jesus" moment?

    While Snowden was interesting, he was mostly ignored from a security point of view - all the attention was on the information that he released and the external collection methods by NSA et. al. Home Depot and Target were simply retailer attacks and only different in scale to what has been done before and while they were inconvenient for the credit card companies, the overall effects were limited.

    I feel that this hack at Sony however is different - unlike the prior attacks this has the potential to destroy the company. Discovering just how this was done will be interesting but it needs to wake us all up to the fact that it can happen to all of us.

    Sure, it sounds like Sony's IT security was crap, and I guess we can say the same for Home Depot, Target and the NSA? But that's four very different entry vectors, each of which succeeded to a devastating extent - any admin who's thinking that, "This can't happen to me" needs a good beating with the cluestick,

    And here's my stock tip for the new year: Invest in companies with good Penetration Testing reputations.

  7. Anonymous Coward
    Anonymous Coward

    The good news...

    ...like Snowden the perps will wish they had used better judgment.

  8. herman Silver badge

    SMB

    According to CNN, the hackers got in via SMB. I guess they had ports 137 to 139 open and WORKGROUP and p@ssw0rd set as well...

    It sounds to me like a comedy of errors, not a sophisticated attack as some people are trying to make it.

  9. Old Handle

    Seems like a slightly odd comparison, since Snowden was a legit sysadmin while this was apparently an outside job.

  10. David Roberts Silver badge
    Coat

    Get the picture?

    I liked the bit about "looking for bad actors on the network"

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021