The Sony Hack and North Korea
The FBI is saying that the Sony hack was definitely the work of North Korea, based on evidence of NK attacks on South Korea, such as samples of the code that was preserved, encryption techniques, etc. So I guess I have to revise my previous opinion.
Bruce Schneier has an interesting editorial that appeared in the Wall Street Journal. He said that attacks should be viewed along two axis: skill and focus. Spam attacks are low focus and low skill: they blast out millions of email knowing that someone, somewhere, will open the mail and click on a link to a poisoned web site. Malware writers are high skill, low focus. Script kiddies are low skill, but higher focus. The attackers of Target and Home Depot were high skill low focus: they didn't care who they hit, they just wanted a big enough retailer to result in a big credit card theft, which is why they don't target Bob's Pizzaria. The Sony hack? High skill, high focus. Schneier liked it unto the Anonymous attack on HBGary Federal, an internet security firm.
The FBI went on to say that 90% of corporations could not have withstood the attack. Which is not encouraging, and should greatly concern them.
The worst thing about this attack is that so much personal employee information was violated. In fact, there are two class-action law suits against Sony Pictures for not sufficiently safeguarding their information. The result of those will be quite interesting. But my take on this is DON'T SEND PERSONAL INFORMATION OR GOSSIP THROUGH WORK EMAIL SYSTEMS IF YOU DON'T HAVE TO! If you're going to gossip, do it face-to-face or over the phone. If you're going to send rude jokes, DON'T. Sony executives are looking like idiots for doing this, and deservedly so.
The full article: https://www.schneier.com/blog/archives/2014/12/lessons_from_th_4.html
Bruce Schneier has an interesting editorial that appeared in the Wall Street Journal. He said that attacks should be viewed along two axis: skill and focus. Spam attacks are low focus and low skill: they blast out millions of email knowing that someone, somewhere, will open the mail and click on a link to a poisoned web site. Malware writers are high skill, low focus. Script kiddies are low skill, but higher focus. The attackers of Target and Home Depot were high skill low focus: they didn't care who they hit, they just wanted a big enough retailer to result in a big credit card theft, which is why they don't target Bob's Pizzaria. The Sony hack? High skill, high focus. Schneier liked it unto the Anonymous attack on HBGary Federal, an internet security firm.
The FBI went on to say that 90% of corporations could not have withstood the attack. Which is not encouraging, and should greatly concern them.
The worst thing about this attack is that so much personal employee information was violated. In fact, there are two class-action law suits against Sony Pictures for not sufficiently safeguarding their information. The result of those will be quite interesting. But my take on this is DON'T SEND PERSONAL INFORMATION OR GOSSIP THROUGH WORK EMAIL SYSTEMS IF YOU DON'T HAVE TO! If you're going to gossip, do it face-to-face or over the phone. If you're going to send rude jokes, DON'T. Sony executives are looking like idiots for doing this, and deservedly so.
The full article: https://www.schneier.com/blog/archives/2014/12/lessons_from_th_4.html