
Comment Re:Sony security: strong or weak? (Score 2) 343

You do have to cut them a little slack here. If we were talking about a coal mining company or something, terabytes of data going out the door would be pretty unusual, and SIEM systems would be trained to flag that sort of thing.

This is Sony Pictures, though; terabytes probably go out the door all the time. I mean, that might be less than a few hours of uncompressed video going to a contractor for post-processing or something.

No, my bigger question, having done this kind of thing for a living now for some time, is why would a basically purely IP organization not have effective controls in place to know what kind of data is going out the door, and to put a hard stop to it the moment something that should not be there is spotted.

OK, you maybe can't do that with the aforementioned video data, but you certainly can watch for byte patterns that look like addresses, SS numbers, e-mails (usually in great quantity), etc. on the wire.

You certainly do not allow anything encrypted to go out unless you MITM it. Could an attacker do something like slap some MPEG headers on top of a big encrypted data stream? Probably, but they'd have to know to do it.

If my entire world was IP like Sony Pictures, I'd probably take it a few steps further: make sure my firewall devices knew the common container formats for various media types and continued to make sure sync bytes and frame markers occur where they ought to. Any time more than a handful of megabytes of something I can't recognize flowed, it would alert, and someone from the CERT team would pick up the phone and call whoever it was associated with that source IP. No attribution, shut it down; no explanation, shut it down.

The hardware and software to do this is commercially available, more or less off the shelf, and has been for at least five or seven years now.

Comment Re:BS (Score 1) 343

No hack would ever result in that kind of control

Disagree.

Let's face it, the reality is lots and lots of BIG companies use things like Active Directory. Lots of these BIG companies might even have only a tiny handful of Enterprise Admins, who may even be very good at what they do. Chances are they have centralized and integrated the authentication against AD. It's not uncommon for network infrastructure administrative interfaces to use an authentication gateway like, say, NPS (RADIUS for AD).

So if you could get that Enterprise Admin access, well, it might be a house of cards from there. Given the recently published MS14-068 it might not even be that hard: https://www.trustedsec.com/dec...

So if you can get your foot in the door, however you do it, just grabbing some tools off GitHub and a few blogs can get you near total ownage without having to do much of anything in the way of exploit development on your own. Consider this vuln was an off-cycle patch put out in November; think there are, ~4 weeks on, some big orgs that have lead times to get Windows patches applied to DCs longer than that? I would bet so. Think an org like Sony stands a chance against a vuln like that when it's an unpublished zero day? So get any access to the network at all, brute force one password for basically any user account, crack a hash sniffed off the wire, etc., and boom, you're a member of any Windows groups you want!

Frankly, I would not be surprised, given the timing, if MS14-068 was involved in the breach, and I would not be surprised to hear of other major compromises through leveraging it.

Comment Re: Best pick up one of these (Score 1) 89

I did not give them a back door either. You can check that the thumbprints of the certs are not changing, or not trust any third-party CAs, if that's what YOU want to do under my scheme. For most folks that won't be practical; we will want to be able to call people and organizations we have never been in a position with to safely exchange keys, so just like on the web we will have to trust some third parties.

By making it easy to exchange certs directly with people you do meet in person, you remove the CA chain from that point on and encourage the system in a way third parties can't compromise unless the cryptography is eventually broken. Nobody, not an LEA or anyone else, then has the capability to MITM calls between your devices from that point, provided they don't hack your phone somehow and change your settings, modify your cert store, etc.

My acceptable compromise isn't really with the LEAs but more with reality. You can't very well use a third party's network without them being able to identify the end points; TOR, even if it was untraceable (and it's not), would not be practical for a wireless voice network. My proposal has the benefit of being possible to implement without replacing the existing cellular and telephone network infrastructure. You just need handsets that know how to negotiate with each other. In that sense it's plausible that it could actually get off the ground, because as we all know expecting AT&T or VZW to do anything ever without first bending over for the spooks is a non-starter.

So, AC and mods who marked my post flamebait for some reason, let me ask you:

[1] Do you have a better technical solution?
[2] Does your solution work without requiring the carriers to spend billions radically altering/upgrading their infrastructure?
[3] Can your proposal somehow conceal which endpoints calls are between?
[4] Can your proposal somehow conceal the duration of the call, beyond padding it out for some additional period?
[5] Can your solution easily inter-operate with existing endpoints?

Comment Re:Screw them (Score 1) 221

Yeah, Sony might as well pack up and go home until this thing is resolved. There isn't a lot they can do.

The U.S., on the other hand, should recognize this for what it is: an act of war. Once the possibility of real physical violence and attacks was introduced, it was no longer an attack on Sony Pictures but on society as a whole.

It's time for government to step up and actually do one of the very few things it's actually charged with doing: provide for the common defense! We now have a situation where a foreign actor is assaulting our citizens (putting them in fear) and by extension infringing their rights of free expression.

What concerns me is that 0bama is figuring out a "proportional response"; you don't "proportionally" respond to an act of war. This situation calls for a very disproportionate response.

We should do something like smart bomb Kim's palace. It would minimally impact the innocent citizens of the DPRK while sending the message that acts of aggression will not be tolerated and will be met with swift and brutal reprisal against YOU, not your nation, not your people, YOU. That is something a despot can understand and might actually fear. If we get really lucky, he dies in the attack.

The Chinese need to be TOLD to just sit tight, lest they be considered conspirators in this attack against us.

Comment Re:Screw them (Score 2) 221

And that isn't really an option either. Sony lost lots of HR and other PII data. If you work at Sony Pictures there is a good chance the "GOP" knows where you live.

If Sony releases it at all and there is any attack on its own employees, they might also open themselves up to lawsuits for negligence. To say nothing of the fact that they might lose their best talent due to people being afraid that working there makes them a target.

Comment Re:Best pick up one of these (Score 2, Interesting) 89

The obvious solution is just to have the handsets negotiate. There is absolutely no "good" reason call setup between two cellular handsets (or any other digital endpoint, for that matter) should not feature some kind of certificate validation step between the end points, followed by the exchange of a uniquely per-call generated symmetric key, exchanged securely using the same PKI used to validate the certificate's authenticity. Essentially SSL for phone calls.

People could use third-party CAs like they do for the web today for most callers. Phone software should be easily configured to ONLY accept previously installed self-signed certificates for certain subjects. I.e. if a call wants to identify itself as being from cousin Bob's cellphone, it will be rejected unless it is signed with the public key Bob previously gave me, even if the cert has a valid third-party signature and is otherwise valid. Users could easily exchange keys in person using Bluetooth + PIN, etc.

This would allow LEAs to eavesdrop by MITMing calls between, say, an individual and a financial institution. With a warrant, the third-party CA the financial institution uses could be compelled to provide the LEA with a valid cert for that subject, hopefully with an expiry of only a few days. Of course techniques like cert pinning could be used by individuals to detect this. It would leave LEAs with no easy avenue to eavesdrop on calls between Bob and myself. I think this is a reasonable compromise.

On the other hand, it still does nothing to address the mass surveillance concern. It will still be easy, for instance, for an LEA to obtain call records from the phone company. They won't have the content and won't be able to get at it, but they absolutely can know when, how long, and how often Bob and I spoke. They can also know who else Bob and I called. We know that this information is very revealing; it's been used very effectively to identify relationships. It's less clear it violates the 4th than accessing the content. I don't like it, but it might again be part of an acceptable compromise.
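The pinning rule described in this post and in the reply above (accept a pinned subject only with the key exchanged in person, even if a trusted third-party CA vouches for a different key under that name; fall back to the CA for unpinned subjects) as an added toy model, not code from any commenter or real handset. Certificates are dicts, the CA "signature" is an HMAC under a constructed CA key, and all names and keys are made up.

```python
import hashlib
import hmac

# Constructed toy model of the handset-negotiation scheme from the posts above
# (not real X.509 code): a "cert" is a dict, a CA "signature" is an HMAC under
# the CA's key, and a pin is the SHA-256 fingerprint of a key exchanged in person.
TRUSTED_CAS = {"ThirdPartyCA": b"constructed-ca-signing-key"}  # CA name -> CA key

def ca_sign(ca_name: str, subject: str, pubkey: bytes) -> bytes:
    """Toy CA signature over subject||pubkey (stands in for a real signature)."""
    return hmac.new(TRUSTED_CAS[ca_name], subject.encode() + pubkey, hashlib.sha256).digest()

def make_cert(subject: str, pubkey: bytes, issuer=None) -> dict:
    """Self-signed when issuer is None, otherwise signed by a trusted CA."""
    sig = ca_sign(issuer, subject, pubkey) if issuer else b""
    return {"subject": subject, "pubkey": pubkey, "issuer": issuer, "sig": sig}

def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()

def validate_caller(cert: dict, pins: dict) -> tuple:
    """pins maps subject -> fingerprint of the key exchanged in person.

    A pinned subject is accepted only with its pinned key, even when a trusted
    CA vouches for a different key under the same name (the MITM case above).
    Unpinned subjects fall back to the third-party CA, as on the web today.
    """
    subject, fp = cert["subject"], fingerprint(cert["pubkey"])
    if subject in pins:
        return (True, "pinned key") if fp == pins[subject] else (False, "pin mismatch")
    issuer = cert["issuer"]
    if issuer in TRUSTED_CAS and hmac.compare_digest(
            cert["sig"], ca_sign(issuer, subject, cert["pubkey"])):
        return True, "trusted CA signature"
    return False, "untrusted certificate"

# Constructed keys and certificates.
BOB_KEY = b"bob-real-public-key"
PINS = {"Cousin Bob": fingerprint(BOB_KEY)}  # exchanged in person via Bluetooth + PIN
BOB_CERT = make_cert("Cousin Bob", BOB_KEY)  # self-signed, matches the pin
FAKE_BOB = make_cert("Cousin Bob", b"mitm-key", "ThirdPartyCA")  # CA-signed imposter
BANK_CERT = make_cert("Example Bank", b"bank-key", "ThirdPartyCA")  # no pin, CA trusted
STRANGER = make_cert("Unknown Caller", b"stranger-key")  # self-signed, no pin

if __name__ == "__main__":
    for cert in (BOB_CERT, FAKE_BOB, BANK_CERT, STRANGER):
        print(cert["subject"], *validate_caller(cert, PINS))
```

The pin check runs before the CA check on purpose: a CA-issued cert for a pinned name is the exact compelled-cert scenario the post describes, so it must lose to the pin rather than bypass it.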

Comment Re:Land of the free (Score 1) 580

When your entire business is intellectual property, I would expect some data leak protection to be in place. As a security professional I really can't understand how a business in the IP industry does not have at least somewhat effective egress filtering.

Sure, the volume in the case of Sony Pictures might not have raised any red flags, but their gateway/firewall/whatever darn well should be capable of differentiating between a huge batch of uncompressed video and their HR documents.

Flags should have gone up.

Comment I can't believe I have to say this (Score 2) 580

is not the same thing as being able to carry out physical, 9/11-style attacks in 18,000 locations simultaneously.

Who said anything about them having to hit 18,000 locations simultaneously? That isn't how terrorism works. The 9/11 guys did not have to hit thousands of targets; they only tried for three, managed only two (counting the WTC complex as a single target), and look at all the trouble they caused!

A coordinated attack on only a handful of movie theaters the same night would be plenty to cause an economically significant portion of this country's population to spend the holiday Christmas - New Year's stretch cowering in their homes rather than going out and spending money. It would almost certainly lead to all kinds of wild, ill-considered national security responses.

Hell, look at the Batman shooting a few years ago. It takes one suicide attacker to "hit" a theater with essentially no real resources. A few thousand in counterfeit notes (which the DPRK has produced in the past) would allow would-be assailants to put together the arsenal they need. It's perfectly plausible even the DPRK could get three or four people into this country with limited fake credentials and no access to anything privileged enough to do even a basic background check.

I am not saying "OMG we are all going to die here", but you can't completely dismiss the threat either. Having hit Sony they have already demonstrated some capability.

Comment Re:Dubious because facts (Score 2) 182

That was my reaction as well a week ago when the news broke. I actually heard it on the NBC Nightly News first, and the moment Williams said TB of data, the first thought I had was how do you exfiltrate that much info without it being noticed by the NOC team?

The only thing I can think of is that largish transfers are probably very common for them as they push media assets out to contractors, etc. Still, you wonder why they are not MITMing everything in what is essentially an all-IP business, and why can't their IPS/IDS system tell the difference between 2TB of raw YUV video and their HR database?
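The egress check this post and the "Sony security: strong or weak?" comment earlier on the page both call for (recognise a media container by its sync bytes, flag PII patterns in quantity, and flag a large unrecognised high-entropy stream that is probably encrypted) as an added sketch, not code from any commenter, Sony, or a DLP vendor. The 188-byte MPEG-TS packet with sync byte 0x47 is the real container layout; the thresholds, the regexes and the three sample flows are constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed egress-inspection sketch (not Sony's or any vendor's product):
# recognise a known media container first, then look for PII in quantity,
# then treat a large unrecognised high-entropy stream as "probably encrypted".
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TS_PACKET, TS_SYNC = 188, 0x47  # MPEG transport stream: sync byte 0x47 every 188 bytes

def looks_like_mpeg_ts(data: bytes, min_packets: int = 4) -> bool:
    """The container's sync byte must sit at every 188-byte boundary."""
    if len(data) < TS_PACKET * min_packets:
        return False
    return all(data[i] == TS_SYNC for i in range(0, TS_PACKET * min_packets, TS_PACKET))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or well-compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_flow(data: bytes, pii_threshold: int = 20, unknown_limit: int = 4096) -> tuple:
    """Return (verdict, reason); an 'alert' is what the CERT phone call keys on."""
    if looks_like_mpeg_ts(data):
        return "allow", "recognised container (MPEG-TS)"
    pii_hits = len(SSN_RE.findall(data)) + len(EMAIL_RE.findall(data))
    if pii_hits >= pii_threshold:
        return "alert", "%d SSN/e-mail patterns on the wire" % pii_hits
    # Compressed video is also high-entropy, which is why the container check runs first.
    if len(data) >= unknown_limit and shannon_entropy(data) > 7.5:
        return "alert", "large unrecognised high-entropy stream (encrypted?)"
    return "allow", "no rule matched"

# Constructed sample flows: an HR export, a transport stream, an opaque blob.
HR_DUMP = b"".join(b"emp%03d,123-45-%04d,user%d@example.com\n" % (i, i, i) for i in range(25))
TS_STREAM = (bytes([TS_SYNC]) + b"\x00" * (TS_PACKET - 1)) * 8
OPAQUE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))

if __name__ == "__main__":
    for name, flow in (("HR_DUMP", HR_DUMP), ("TS_STREAM", TS_STREAM), ("OPAQUE_BLOB", OPAQUE_BLOB)):
        print(name, *classify_flow(flow))
```

The container check only verifies sync-byte placement, so, as the earlier comment concedes, a stream with forged MPEG framing would pass it; a production filter would also parse the PES/frame markers inside the packets.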

Comment Re:with what? (Score 0) 182

I don't know; given our current antagonistic relations with Russia and the fact we are already imposing sanctions on them, I kinda think if it had Russian fingerprints they'd name names.

If anything it would make Putin look worse and serve to counter Gorby's argument that Putin isn't a bad actor but Russia is just being bullied by expansionist NATO policy.

I also suspect old Vlad recognizes his current situation is tenuous and complex enough without adding direct aggression against the US homeland to the mix, at least not without being prepared to take credit for it. If the Russian state had anything to do with it they'd probably be out claiming it was done to hit back at the US economy in response to our "unjustified" sanctions or something.

I'll admit I am just armchairing this thing with no real info, but my guess is if it was done from/in Russia it's organized crime without direct ties to the Kremlin.

Comment Re:with what? (Score 1) 182

I agree; certainly if the official line turns out to be untrue then the rest of my thinking has to be tossed out along with it. I also agree they ought to release code and show the analysis.

Trouble is, if it does implicate the Chinese they have to keep it under wraps for the same reasons they won't come out and say "China" in the first place. So we don't have a good way to know if it's all a false flag to justify the surveillance state, as I think you're suggesting, or if they are being truthful with us. At least until I have a little greater personal stake in this than not seeing a probably terrible Seth Rogen movie, I guess I'll take their word for it. Now once someone starts proposing legislation or invading some place, etc., then I'd be very cautious of the fact that, in the absence of the hard facts, the very real possibility exists that they are lying, as they are known to often do.

Comment Re:I don't see the big deal here. (Score 4, Insightful) 182

Right, I think that's the important difference here, if there is one. In general I agree with the GP post: cyber security should be the responsibility of the network/computer operator, not the government. Costs should be borne by the victims and their insurers, or by the perps when they can be identified and brought to justice, as a general principle.

In this case, though, we have a threat of violence and terror on top of the simpler criminal matter. These guys are not threatening to just empty a few bank accounts and embarrass some more celebrities. They have moved from the realm of nuisance crimes to violent crimes, and the state definitely has an interest in preserving public safety.

As to how credible the threat is, and whether we should be reacting to every threat to do violence out there, well, I would say they have displayed at least enough capability to hack a major corporation that no doubt has a security team. They also have at least some financial resources backed by the DPRK. So this isn't an angsty 14-year-old on Facebook. Do I think they can project themselves into the physical world the way they claim? Probably not, but it's probably not worth risking that by just ignoring them entirely either.

Comment Re:with what? (Score 4, Interesting) 182

The official line so far is "The DPRK is responsible, but the attack originated from somewhere else".

"Responsible" most likely means hired someone to do it. Knowing the DPRK, they probably paid those someones in reasonably good quality counterfeit US currency. Though that is pure speculation on my part, based on past news events.

The fact they won't tell us from where else means "China"; again pure speculation on my part, but come on, it's not like the DPRK has exactly normal relations with anywhere else. They would tell us if it was some other pariah regime some place, so I assume it has to be China, as it's the only place I can think of that the DPRK would have access to and that would be too politically sensitive to name.

Keep in mind, I can't recall if it was 2k11 or 2k12, but the Obama admin did not exactly dispute the Pentagon's view that "cyber" attacks could/should be viewed as an act of war. The "terror" threats against theaters have escalated things from a criminal matter, an attack on a corporation, to a state matter, an attack on the public and order; therefore some kind of "response" is required. I am sure 0bama is trying to find a way to "do something", or appear to, without pissing off the Chinese.

Which, to now purely editorialize, I think pissing off the Chinese and souring trade relations would/could be the best possible outcome here for our nation, but that is a different discussion.
