Sony Still Trying To Recover From Attack

In the latest bit of news dribbling out of Sony Pictures, Reuters is reporting that Sony has requested an extension of its required financial filings from mid-February to the end of March.

Sony is saying that their financial and accounting applications will not be working until early February.

For those of you keeping track, the attack started on November 24th of last year.  Early February will put the recovery at 10 or 11 weeks just to get the systems back online.  Then comes the task of catching up on 10+ weeks of lost work for thousands of employees.

Sony did say, according to Reuters, that they will hold a news conference on February 4th.  It will be interesting to see if they announce a charge against earnings for the cost of the breach at that time or if they wait until March 31st when they will file their financials.

The impact on a company of not having any financial systems – and likely many other systems – to manage their business for 2-3 months is significant and we will have to watch to see what the longer term effect is on Sony.

Mitch


Defensive Best Practices For Destructive Malware

The NSA released a 5 page document last week on keeping malware out of your network.  5 pages with links to hundreds of pages of other NSA documents.  It would probably take a year just to read and absorb them.  Then you have to deal with implementing the suggestions.  Some are simple, some are hard.  As I always say, it is a matter of business risk management to decide what you want to do.  Then implementing it.  Then maintaining it.  Simple, huh?  Not quite, but with the right resources, it is possible.

Here is the condensed version of what the NSA is recommending.  Since they control their workforce completely, they can do all of this.  You, probably, will have to pick and choose.

Prevent, Detect and Contain

  • Segregate your network so that when an attacker does get in, he or she cannot roam your entire universe.  An example would be at Target – getting in to the vendor management network should not allow you access to the point of sale system.  In Target’s case, this was way too easy.  This can be a lot of work, but it has slight impact on your users once it is set up and almost no performance impact.
  • Protect and restrict administrative privileges.  Unfortunately, the NSA is the poster child for this one.  When Edward Snowden went rogue, he had way too much access.  This is transparent to your users and a pain in the rear for your administrators.  Still, they have the keys to the cookie jar, so you decide.
  • Deploy application whitelisting.  Whitelisting means that only approved versions of approved applications can run anywhere on your network.  This mostly impacts your users and I would rate the impact high.  If users cannot run downloaded software or tampered versions of approved software, it makes the hacker’s job very hard.
  • Limit workstation to workstation communication.  This makes it harder for malware to spread.  I rate the impact low on users and medium on administrators.  I rate it difficult to implement.
  • Implement robust network boundary defenses such as firewalls.  This takes some effort to implement but when it is done, for the most part, the users won’t notice.  The US Government is working on this – they had thousands of connections to the outside world.  How do you protect that many connections?  How many connections do you have?  What about the ones you don’t know about like that wifi connection between someone’s laptop and their personal wifi hotspot that they bought from Verizon for $49?
  • Maintain and monitor host and network logging.  This one is completely transparent to the users but takes a lot of work and likely some money.  Every device on your network – from a server to the refrigerator – needs to send its logs to a central server.  Then, those logs have to be crunched for unusual events.  Then people have to act on the alerts.  That is what really killed Target.  Their logging and alerting system generated an alert, IT reviewed it and bounced it up the food chain, and management decided not to take any action.
  • Implement mitigations against Pass-the-Hash credential theft and deploy the Microsoft Enhanced Mitigation Experience Toolkit (EMET).  I rate these high pain levels for both the users and administrators.
  • Implement Host Intrusion Prevention Systems (HIPS) to detect anomalous behavior.  I rate this low for the user; higher for the admins (to setup and monitor) and some cost depending on the solution chosen.
  • Finally, patch software in a timely manner so that known bugs cannot be easily exploited.  There is some pain to the user, although a lot of this can be automated with some work.  There is a lot of work for IT to find all the patches, figure out where they need to go, test all the affected systems and deploy the patches.
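Two of the items above – limiting workstation-to-workstation traffic and actually crunching the central logs for unusual events – can be checked with a few lines of code.  The script below is an added example, not part of the NSA document or this post: it walks a constructed connection log (timestamp, source, destination, port, action) and flags allowed workstation-to-workstation connections as segmentation violations, plus any single source that reaches an unusually large number of distinct hosts (the fan-out you see when malware starts spreading).  The address plan (workstations in 10.10.0.0/16, servers in 10.20.0.0/16), the log format and the sample lines are all assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection log (not real traffic): timestamp src dst dport action.
SAMPLE_LOG = """\
2015-01-20T09:01:02 10.10.1.15 10.20.5.4 443 ALLOW
2015-01-20T09:01:05 10.10.1.15 10.10.1.22 445 ALLOW
2015-01-20T09:01:06 10.10.1.15 10.10.1.23 445 ALLOW
2015-01-20T09:01:07 10.10.1.15 10.10.1.24 445 ALLOW
2015-01-20T09:01:08 10.10.1.15 10.10.2.9 3389 ALLOW
2015-01-20T09:02:11 10.10.1.40 10.20.5.10 80 ALLOW
2015-01-20T09:02:12 10.10.1.40 10.10.1.41 445 DENY
2015-01-20T09:03:00 10.20.5.4 10.20.5.10 1433 ALLOW
2015-01-20T09:03:30 10.10.3.7 10.20.5.4 443 ALLOW
"""

# Assumed address plan for the example: workstations live in 10.10.0.0/16.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def is_workstation(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in WORKSTATION_NETS)


def parse_log(text):
    """Parse one record per line; skip blank or malformed lines instead of crashing,
    because a log collector that dies on one bad line is a log collector that is off."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": dport, "action": action.upper()})
    return records


def workstation_to_workstation(records):
    """Allowed connections with a workstation at both ends.  Each one is a
    segmentation violation: the network should have blocked it."""
    return [r for r in records
            if r["action"] == "ALLOW"
            and is_workstation(r["src"]) and is_workstation(r["dst"])]


def fan_out(records, threshold=3):
    """Sources that touched at least `threshold` distinct destinations.
    Denied attempts count too: a blocked scan is still a host worth a look."""
    peers = defaultdict(set)
    for r in records:
        peers[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


def analyze(text, threshold=3):
    records = parse_log(text)
    return {"ws_to_ws": workstation_to_workstation(records),
            "fan_out": fan_out(records, threshold)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for r in result["ws_to_ws"]:
        print(f"SEGMENTATION VIOLATION {r['ts']} {r['src']} -> {r['dst']}:{r['dport']}")
    for src, n in result["fan_out"].items():
        print(f"FAN-OUT {src} reached {n} distinct hosts")
```

On the sample data the script reports four allowed workstation-to-workstation connections and one host (10.10.1.15) that reached five distinct machines in a few seconds.  The threshold of three is tuned to the tiny sample; on a real network you would set it from a baseline of normal fan-out per host, and the denied 10.10.1.40 attempt shows why a firewall rule that works is still worth logging.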

Prepare for incident response and recovery

  • Backup, backup, backup.  Then test.  If you cannot restore the backup to a bare metal box, it doesn’t solve the problem.  If new systems are added and not included in the backups, you have a problem.  I know of a company whose backups hadn’t been successful for a year, but no one was checking.  When they had a problem, it suddenly became a huge problem.
  • Establish an incident response and recovery plan.  Then test it at least once a quarter.  When I was a kid, the regional hospital was affected by a big blackout that covered the whole East Coast.  The hospital had generators to provide power.  Unfortunately, no one knew how to get them up and running.  That was embarrassing.  Luckily, no patients died before they did get the generators running.
  • At the conclusion of an incident, conduct a lessons learned exercise and actually learn from the experience.

I managed to reduce this to about one printed page.  Actually doing this requires person-years of effort, including planning, implementing, testing, monitoring, training and documentation.  Your goal is to make it harder for the bad guys to attack your system than the one next door.  You don’t need to be perfect.  Just harder to attack than your neighbor.

This is a good checklist to review as part of your business risk mitigation efforts.

Mitch


Adobe Flash – The Gift That Keeps On Giving

UPDATE:  As expected, Adobe did release a second emergency patch for this bug and expects it to be available for download this week.  Adobe has said that there are reports of the vulnerability being “actively exploited”.

You can check what version of Flash you are running by going to this link at Adobe.com .

Adobe Flash – the software that Steve Jobs hated so much that he wouldn’t allow it on mobile i-devices and said, about Flash, that it had abysmal security – has another exploit in the wild.  The reason for Jobs’ hatred of Flash is controversial (see here) and may be due to the fact that he could not control Adobe, and that many Flash-based games are free and therefore not sold through Apple.

That being said, there is another zero day exploit (see here) for which there is a “kit” available to use the exploit.

Right now, the target seems to be Windows and Internet Explorer (yet another reason not to use IE), but the bug also exists in the Mac and Linux versions of Flash.  Windows Chrome and Firefox users are safer, but should update anyway.

Worse yet, the patch that Adobe released may not fix the problem – or the problem may really be two problems.  In any case, get ready for a second patch soon.

The fact that there is an exploit kit that hackers can use without having to develop the exploit themselves means it will show up sooner on a hacked web site near you.

The new version of Flash is available at get.adobe.com/flashplayer.

Mitch


It’s 10 P.M. – Do You Know Where Your Permissions Are?

To paraphrase an old public service announcement (It’s 10 P.M. – Do you know where your kids are?), you grant way too many online permissions and likely do not keep track of them and revoke them.

To use today’s answer – We have an app for that.  Seriously.

MyPermissions.org is a combination of a web site and a couple of apps that allow you to lasso in those permissions.

With the web site, it guides you to the permissions pages of all of the common services – Facebook, Twitter, Google, Yahoo, LinkedIn, etc.  It does not collect all your passwords – you have to log in yourself – but you can then quickly see what permissions you have given to whom – maybe years ago – and revoke them if you choose.

The app generates alerts in real time when an app accesses your data and lets you revoke that app’s access so it cannot do that any more.  It also generates reminders for you to clean up your permissions mess.

The app runs on Android and iOS;  the web site runs, of course, in any browser.

Note – I don’t have any relationship with these guys and I am not vouching for them, but they seem to have gotten a lot of press coverage – from Wired to Mashable – all linked to on their home page.

No rocket science here, but making life easier is not a bad thing.  Visit http://www.mypermissions.org to check it out.


Mitch


Reduce Your Credit Card Fraud Exposure

Here is a really, really simple tip for you to reduce (not eliminate) your exposure to credit card fraud.

This is for you as a credit card user  – not as a business accepting credit cards.

I use it and I can tell you from personal experience, it works.

Most banks offer the option to send you a text message EVERY SINGLE TIME your credit or debit card is used.  If yours doesn’t, whine at them till they do or change banks.  It happens in real time.  Here is how I use it.

If I go to a restaurant, for example, and pay by credit card, the server takes the card and runs it through the restaurant’s POS terminal.  Literally, before the server gets back to the table with the receipt for me to sign, I have gotten a text message that tells me the name of the establishment running the charge and the amount.

If I am somewhere and I get a text from my bank, and I don’t recognize the merchant, it has my interest.  In my case, since some of my cards are shared with my wife, I call or text her and ask if this was her.  If she says no, I am on the phone with my bank.  Not later.  Not tomorrow.  Now!  Shut down the card, get a new one.  The new one is free.  For most banks, if you press them, they will Overnight Express the new card to you.  For many banks, even that is free.

I had a charge pop up a few months ago from Babies R Us in Philadelphia for about $300.  Since I have not been in Philly in ten years and we don’t have any little kids, I called my wife to see if, maybe, she bought a gift for someone.  Nope.  Not the case.  On the phone with Wells (in this case) and poof that card was toast.  In a day or two we had new cards.

I am sure the crook was disappointed, but I don’t care and the bank is actually happy that you did it.

If you have cards with a spouse or kid and the cards have different numbers on them, you can have the text messages go to each family member.  If the cards all have the same number, then there is no way to split them out.  In my family, I watch the charges, so I get all the text messages.

To me, it seems simple.  You reduce your pain and anguish.  You don’t have to review the bank statements which would give the crook 30 days of play time.  You don’t have to keep logging on to your bank’s web site or app to check for charges.

And, it reduces your exposure to one charge.  Which the bank will eat anyway.

Free and simple.  Which I like.

Mitch



Sony – The Story That Just Never Ends

The New York Times is reporting that the NSA has been inside North Korea’s network since 2010 and that is how they knew that the Sony attack came from North Korea.  Hopefully, this is one NSA spying activity that no one in the U.S. is going to complain about.

The Times article said that North Korea had stolen the credentials of a Sony administrator, but the NSA didn’t realize that until after the attack.

General Clapper, the U.S. Director of National Intelligence, went to North Korea in November as part of a secret plan to seek the release of two Americans being held there.  His host, Kim Yong-chol, head of the Reconnaissance General Bureau, Clapper says, later oversaw the Sony attack.

That information certainly adds some more credibility to the statement that North Korea is responsible for the attack and is an example of how sometimes, the government makes statements, leaving out facts for various reasons, and as a result, they don’t sound as credible as they would like.

The obvious downside of the Times article is that it discloses “sources and methods,” which are generally very highly classified.  (The Times article links to a leaked NSA document published by Der Spiegel that is marked TOP SECRET//SI/TK//REL TO USA, FVEY.  For those of you who are familiar with the DoD classification markings, that document is definitely highly classified.)  The disclosure will likely shut down the entry the NSA has into North Korea as the Koreans scramble to figure out how to deal with the leak of information.  Just as likely, the NSA is trying to figure out (or maybe already has figured out) how to deal with this leak.

Mitch
