Protect ya Neck, The VirtualPBX Security Serial – Sony Hack Redux
In this series of blogs we will examine all topics under the information security umbrella. From corporate blunders to rogue state attacks to the occasional celebrity hack, we believe there is something for businesses and individuals to learn from any cyber security event. We also believe that, while experience is the best teacher, sometimes it’s best to let other people make the mistakes for you.
Sony Suffers Self-Inflicted Wound
With 1.2 million downloads of the box-office hit Fury, and millions more of the not-yet-released Annie, Still Alice, Mr. Turner, and To Write Love on Her Arms also circulating online, this whole “on-demand” thing is really taking off, isn’t it? Too soon? If you haven’t heard by now, Sony was the latest corporation to be the victim of a cyber attack early last week, and the total damages are still piling up. This is not the first time that hackers have attacked the media giant, but in light of some documents from the company’s internal servers, it’s beginning to seem like maybe Sony hadn’t quite learned its lesson the first time.
Doesn’t this Sound Familiar?
Yes, it should. A little history first. In April of 2011, Sony claimed that the hacktivist group Anonymous breached its security and accessed sensitive client information. Anonymous denied responsibility for the attacks, but what remained irrefutable is that the billing information for 77 million online customers, and the personal profiles (including billing information) of another 24.6 million PlayStation users, had all been compromised.
That was terrible for Sony’s users, and it didn’t get much better for their executives, who were publicly admonished for their handling of the breach. Declining to attend the Congressional Subcommittee on Commerce, Manufacturing, and Trade hearing that followed this attack only drew the ire of chairwoman Rep. Mary Bono Mack (R-Calif.), who called the company’s handling of the situation “half-hearted and half-baked” and said, “these stunning thefts… shake the confidence of everyone who types in a credit card number and hits enter.” The subcommittee, and the country at large, adjourned with a consensus that companies like Sony have to do more to protect the security of their customers.
Second Time’s the Charm?
Not quite. Fast-forward to last week and Sony has seemingly found itself in the same situation. This time, however, the root cause of its problems isn’t something far-flung like a coordinated series of probing attacks from a hostile group, or a reprisal from an angry communist state that, thankfully, you and I will not likely ever have to fend off. What makes this recent attack so frightening is that it is exactly the type of situation that you and I are likely to be targeted with. Spoiler alert: you’ve heard this about a million times, and your password security is still entirely too weak.
Close to Home
Let’s try to forget for a second how a multi-billion-dollar company like Sony can let public admonishment, embarrassment over such elementary lapses in security, and over 100 million angry and potentially exposed customers all roll off its back without adopting more stringent security protocols. I know it’s hard, but just try. Provided you can overlook all of that outside pressure, though, the problems that got them into this mess should look fairly familiar.
Most businesses and home enterprises don’t have the massive resources that Sony has, so we may not be as familiar with the complex strategies that are required to breach a system of that size. We all, however, should be able to see the error of taping the key to your safety deposit box onto said box. Someone should tell Sony that. Sony kept its plaintext password lists in files cleverly titled with red herrings like “Password” and “Master_Password_Sheet,” in the same folders where it kept comprehensive corporate credit card numbers and other sensitive information. This is tantamount to investing in a top-of-the-line floor safe for valuable jewelry and then tacking the combination onto a post-it note for easy reference.
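One check a defender can run for the “combination on a post-it note” problem described above, as an added example that is not part of the original post: a small audit script that walks a file share and flags files whose name or content looks like a plaintext credential sheet or a card-number list. The filename patterns, the loose content checks, and the sample share it builds are all constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Filename fragments like the ones reportedly found on Sony's servers
# ("Password", "Master_Password_Sheet"); the list itself is an assumption.
NAME_PATTERN = re.compile(r"(password|passwd|pwd|credential)", re.IGNORECASE)
# Lines of the form "label password: secret" or "pwd=secret" in a plaintext sheet
CONTENT_PATTERN = re.compile(r"(password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE)
# Loose check for 13-16 digit runs, optionally space- or dash-separated (card-like)
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def scan_tree(root):
    """Walk root and return [(relative_path, [reasons])] for files that look like
    plaintext credential sheets or card-number lists."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if NAME_PATTERN.search(path.name):
            reasons.append("suspicious filename")
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        if CONTENT_PATTERN.search(text):
            reasons.append("credential-like lines")
        if CARD_PATTERN.search(text):
            reasons.append("card-number-like digits")
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return findings


def build_sample_share():
    """Create a constructed sample share in a temp dir (no real data) and return its path."""
    root = Path(tempfile.mkdtemp())
    (root / "Finance").mkdir()
    (root / "Finance" / "Master_Password_Sheet.txt").write_text("vpn password: Summer2014!\n")
    (root / "Finance" / "cards.csv").write_text("name,number\nExample,4111 1111 1111 1111\n")
    (root / "Finance" / "memo.txt").write_text("Quarterly planning notes.\n")
    return str(root)


if __name__ == "__main__":
    for rel_path, why in scan_tree(build_sample_share()):
        print(rel_path, "->", ", ".join(why))
```

Run it against a real share and every hit is a candidate for moving into a password manager or vault and deleting the sheet.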
So how can I benefit from this?
For starters, change any password you have that is the name of your pet, partner, child, or hometown. If your password is “password,” forget anything I’ve said, you’re good. There are also plenty of password generators and password managers (for the more trusting folks) out there for you to use. I like the random generators but think the password managers are a little too egg-in-one-baskety for my liking.
If nothing else, this can at least make us all feel less foolish to know that some of the boneheaded mistakes we may have made are also committed by people who get paid specifically for their information security expertise. I might add that they are being paid well, according to the Sony salary information that was also leaked, coincidentally.
Once you take the team of security experts, the executives’ promises of reform, and the potential to lose billions from leaked marketing and syndication plans out of the equation, the core of how this all happened is a legitimate threat no matter what the stakes are. Regularly check your system’s security, create strong passwords, and rely on more secure communication methods whenever you need to send or receive sensitive documents. We aren’t perfect, but by creating better habits in our online behavior we can improve our online security and reduce our chances of falling victim to violations like the ones Sony has suffered. Good luck out there.