by Alupis 4163 days ago
I believe the reason this is "a big deal" is due to how the average US citizen reacted over the recent Sony Breach and the US Government's blame of NK (I might add, with no supporting evidence, most industry professionals in high doubt, and even some security companies providing evidence to the contrary of statements by the government).

The average US citizen was outraged that some other government would have the audacity to hack anything in the US. This article's goal seems to be to point out that the US Government is hacking all other nations' governments, including NK. (The pot calling the kettle black.)


To be fair, there were other issues involved in the Sony hack that are not present in NSA spying.

- The North Koreans attempted to impose a heckler's veto on speech by private citizens of the United States.

- The Sony hack had direct and very visible consequences for Americans (economic consequences, release of personal data like salaries and health information, embarrassment of people by releasing private communications).

It's entirely possible to take the position that countries are going to engage in espionage, but that there should be norms about how intelligence services behave. Right now we're all trying to figure out what those norms are.

Thank you for mentioning international cyber operation norms. This is the center of US international cyberpolicy efforts. Ontologies describing categories of cyber operations often place destructive attacks like the one against SONY into a category of its own and these are usually considered fair only in very particular scenarios of provocation.

An addendum here regarding 'free speech'. There is some question about The Interview being a propaganda effort on behalf of the US State Department (which was given a preview as early as July) since #GOP released emails where CEO Lynton discusses the effects of the ending with RAND Corporation strategist and nuclear deterrence specialist Bruce Bennett and Lynton confirmed analysis of its effectiveness with Senior State Department officials. (It also doesn't help that the script writer was asked specifically to consider changing his character from an anonymous leader of NK to Kim Jong-Un).

"To be fair," there are norms about how intelligence services behave. That we, the proletariat, aren't aware of them doesn't make them any less real. That they've either changed or that we've only just discovered what they are doesn't say anything about what they are or used to be.

"Norms" don't necessarily make things objectively or even subjectively better. They just make them standard. Asking for norms will get you absolutely nothing, even if you get what you ask for: They'll just establish what they're already doing as normal, and continue to not tell you about the new things they start doing. Because that's what intelligence is; if they told people what they were doing, for better or worse, people would make it harder for them to do.

The norms in question are those of cyber attacks. This includes but is not limited to intelligence operations. The SONY attack, for example, was not an intelligence operation. The downing of the Syrian air force was not an intelligence operation. Nor was Stuxnet or the Georgia cyberattack.

Norms are important because they are precursors to law (in this case international law). Norms create ground upon which a country can accuse another, a ground upon which you can achieve consensus among many parties, and norms set expectations of behavior that if loosely followed every country can benefit from.

I hold Sony primarily responsible for the release of private data, due to their ignoring basic security practices. Why are health records stored on Sony Pictures servers along with everything else? Why were data silos and graduated access not in place? I never see any of these corporate officers held to account for their decisions to not spend resources for security. The only people I have any measure of sympathy for are the rank-and-file employees caught in the middle of decisions made by well-compensated executives who never have to face the consequences of their disregard for anything other than themselves and their own compensation.

I have to take issue with "norms" for intelligence services as well. These are groups with no morals or ethics; what makes you think they would ever adhere to any sort of "norm"? These are criminals, and criminals do not adhere to norms imposed by anyone other than themselves.

I seem to be in the minority on Hacker News, but as someone in the professional computer security field I know that any company or state/department/organization can be hacked by a motivated attacker. In the case of SONY, the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent. The malware similarly could not have been detected, as signatures for this specific compilation were not known.

I have a hard time blaming the victim of a cyber attack that would have been practically impossible to prevent. I agree that SONY made bad decisions with regard to its hoarding of unnecessary data, but also recognize that this is hardly unique to SONY and not standard advice given by security professionals (it should be).

Norms are important so that you can accuse 'groups with no morals or ethics' of doing something wrong. Norms may only discourage and not prevent behavior, but without norms it's difficult to find common ground for behavior that may otherwise be chalked up to 'culture' or 'tradition' or 'nature'.

> but as someone in the professional computer security field I know that any company or state/department/organization can be hacked by a motivated attacker.

You seem to give Sony too much credit, and also forget that they had a file server with open internal access which had a directory called "Passwords" which contained a plain text file with all the credentials to their internal servers.

That's something I'd expect to see at some small business with no professional IT on staff... certainly not from a multi-billion dollar company with thousands of employees and a full-time professional IT staff.

Sure, the attackers may very well have spearphished their way inside, but once inside, they didn't have to go through any of the normal hassles of island-hopping with more exploits, etc. They just logged in like they belonged.

Motivated attacker or script-kiddy, once inside, Sony made it awfully easy.

> You seem to give Sony too much credit, and also forget that they had a file server with open internal access which had a directory called "Passwords" which contained a plain text file with all the credentials to their internal servers.

FWIW this is my experience with multi-billion dollar companies with thousands of employees and full-time professional IT staff.

Perhaps we can get other security professionals to chime in.

Once you get a foothold in a corporate environment, it is the unfortunate truth (I'm sure others will back me up here) that it is very easy to move around without 'island hopping with exploits'. For the most part, pivoting by passing-the-hash will work for 99% of networks.

It is also my understanding that the malware that was purchased for this compromise had the capability to persist across the network, to exfiltrate data, and to sabotage computers.

> the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent

I'd challenge that assertion. Employees are often the first line of defense for any company, be it seeing something suspicious or knowing when to alert the right people. Investing in phishing attack training can be very worthwhile. Or at least adopt a strict company policy that helps ward off the basic forms of this attack.

It's not uncommon to have a company-wide policy that users are not allowed to open attachments in any email from anyone without IT's approval. It's inconvenient, sure, but it protects against multiple email-based attacks (everything from simple viruses to more advanced phishing attacks).

There's even phishing attack training specifically targeted at large enterprises (they send phishing attack emails to your targeted employees and when they fall for it, they get a quick lesson and explanation). [1]

[1] http://threatsim.com/how-it-works/

I have never seen corporate policy with regard to attachments and link following effectively thwart a spearphishing campaign and have been privy to studies done at large corporations before and after phishing-awareness training. The short of these studies is that after approximately a week employees mostly reverted to regular habits and that during the week of high alert many employees fell to the internal audit anyway.

Then again, this is only from two studies done at one large corporation.

I looked around but could not find any studies or data about the long term effectiveness of phishing awareness campaigns (only PR junk), nor could I find evidence that SONY did not engage employees with these sorts of policies and training. Do you know of any such studies?

Do you believe that #GOP would not have gotten in if there were more strict policies and more frequent training?

> In the case of SONY, the attackers were able to enter the network through spearphishing emails - something that essentially no investment in security is going to prevent.

Investment can make spearphishing much harder. Defense is not always absolute, but about raising the cost for the attacker.

I agree that all security is a cost-benefit tradeoff. This is of course folklore wisdom. The importance with regard to the SONY case is that SONY was not the victim of an opportunistic attack but was targeted specifically. In this case, it is highly likely that SONY did invest in training its employees in corporate policy and security awareness (at least as much as any other corporation).

I have trouble thinking of a cost-effective way that SONY could have prevented #GOP from getting in.

IMO SONY had two failures:

1.) The hoarding of data. Again I don't think that this is uncommon. I would expect to see this at pretty much any company of their size.

2.) The lack of an ability to respond to the APT once it was discovered. This is extremely tricky business, but a critical piece of security. It is common now for businesses to assume that they have been compromised and to build out the capability to recover and isolate issues as quickly as possible. Unfortunately for SONY, all of their data had been exfiltrated out of the network by the time they knew there was a problem.
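The comment above names the failure mode (the data was gone before anyone knew) without saying what an "assume breach" capability looks like in practice. The following is an added example, not code from the thread: a per-host egress baseline over constructed key=value flow records that flags a workstation whose outbound bytes for one day exceed its own recent history, reporting the off-hours share separately. The log format, the 07:00-19:00 working window, the 3-sigma multiplier and the 200 MiB floor are assumptions of the example, and the addresses are documentation ranges.

```python
"""Egress-volume baseline check over flow/proxy logs (added example, constructed data)."""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: one flow per line, key=value, like a summarised proxy or NetFlow export.
LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2}Z\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes>\d+)$"
)

MIB = 1024 * 1024

# Constructed sample: three quiet days for two workstations, then one of them
# pushes ~700 MiB to an unfamiliar address at 02:13; one malformed line on purpose.
SAMPLE_LOG = [
    "2014-11-17T09:10:01Z src=10.1.4.22 dst=198.51.100.10:443 bytes_out=31457280",
    "2014-11-17T14:22:40Z src=10.1.4.22 dst=198.51.100.11:443 bytes_out=20971520",
    "2014-11-18T08:55:12Z src=10.1.4.22 dst=198.51.100.10:443 bytes_out=26214400",
    "2014-11-18T16:01:03Z src=10.1.4.22 dst=198.51.100.12:443 bytes_out=31457280",
    "2014-11-19T10:40:59Z src=10.1.4.22 dst=198.51.100.10:443 bytes_out=20971520",
    "2014-11-19T15:12:27Z src=10.1.4.22 dst=198.51.100.11:443 bytes_out=26214400",
    "2014-11-20T02:13:44Z src=10.1.4.22 dst=203.0.113.7:443 bytes_out=734003200",
    "2014-11-20T09:30:00Z src=10.1.4.22 dst=198.51.100.10:443 bytes_out=10485760",
    "2014-11-17T11:00:00Z src=10.1.4.23 dst=198.51.100.10:443 bytes_out=62914560",
    "2014-11-18T11:00:00Z src=10.1.4.23 dst=198.51.100.10:443 bytes_out=62914560",
    "2014-11-19T11:00:00Z src=10.1.4.23 dst=198.51.100.10:443 bytes_out=62914560",
    "2014-11-20T11:00:00Z src=10.1.4.23 dst=198.51.100.10:443 bytes_out=62914560",
    "2014-11-20T13:45:10Z src=10.1.9.5 dst=198.51.100.10:443 bytes_out=31457280",
    "this line is malformed and must be skipped",
]


@dataclass
class Alert:
    host: str
    day: str
    bytes_out: int
    baseline_mean: float
    threshold: float
    off_hours_bytes: int  # bytes sent outside the working window (assumed 07:00-19:00 UTC)


def parse(lines: Iterable[str]):
    """Yield (day, hour, src, dst, bytes_out); malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m["day"], int(m["hour"]), m["src"], m["dst"], int(m["bytes"])


def daily_egress(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """host -> day -> total bytes out."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for day, _hour, src, _dst, n in parse(lines):
        totals[src][day] += n
    return totals


def off_hours_egress(lines: Iterable[str], observed_day: str,
                     start: int = 7, end: int = 19) -> Dict[str, int]:
    """host -> bytes sent on observed_day outside the [start, end) working window."""
    totals: Dict[str, int] = defaultdict(int)
    for day, hour, src, _dst, n in parse(lines):
        if day == observed_day and not (start <= hour < end):
            totals[src] += n
    return totals


def egress_alerts(lines: List[str], observed_day: str, k: float = 3.0,
                  min_bytes: int = 200 * MIB) -> List[Alert]:
    """Flag hosts whose egress on observed_day exceeds mean + k*stdev of their own
    earlier days. min_bytes is a floor so a host with a tiny baseline does not
    alert on a routine software update."""
    night = off_hours_egress(lines, observed_day)
    alerts = []
    for host, per_day in daily_egress(lines).items():
        today = per_day.get(observed_day)
        if today is None:
            continue
        history = [v for d, v in per_day.items() if d < observed_day]
        if len(history) >= 2:
            mean, stdev = statistics.mean(history), statistics.pstdev(history)
        else:
            # No real baseline yet: only the floor applies.
            mean, stdev = (float(history[0]) if history else 0.0), 0.0
        threshold = max(mean + k * stdev, float(min_bytes))
        if today > threshold:
            alerts.append(Alert(host, observed_day, today, float(mean), threshold,
                                night.get(host, 0)))
    return sorted(alerts, key=lambda a: -a.bytes_out)


if __name__ == "__main__":
    for a in egress_alerts(SAMPLE_LOG, "2014-11-20"):
        print(f"{a.host}: {a.bytes_out / MIB:.0f} MiB out on {a.day} "
              f"(baseline {a.baseline_mean / MIB:.0f} MiB, threshold {a.threshold / MIB:.0f} MiB, "
              f"{a.off_hours_bytes / MIB:.0f} MiB off-hours)")
```

A per-host baseline catches the bulk-copy pattern but not a slow trickle spread over weeks; pair it with a destination-novelty check (first contact with 203.0.113.7 from that host) for the low-and-slow case.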

> The importance with regard to the SONY case is that SONY was not the victim of an opportunistic attack but was targeted specifically.

Amazon, Google etc are specifically targeted all the time. What's different?

Ditto, keep in mind that so-called "hacking" isn't just digital. Social engineering in many instances is involved in hacks. Boil it down to not only discovering vulnerabilities in code, but people as well.

I agree about lack of basic security, and that's the reason we have security compliance programs. Security Awareness Training, classification of health records as sensitive, and properly segmenting those sensitive health records from the rest of the environment are all appropriate controls that security compliance prescribes. It took me 6 months to decipher PCI and 3 months to implement. To others, compliance may seem like a joke, but I felt very confident that at least I had done 100% my due diligence in protecting our customers and employees. I think that's all they can ask and all we can give, 100% honest due diligence.

Interesting. I had thought it was common knowledge at this point that the US regularly hacks and is hacked by other nations.

I think the biggest splash this article may have is added narrative supporting the truthiness of USG attribution to NK - something that seems to be held in high doubt by a large percentage of the technical crowd (but that I think seems pretty reasonable).

People forget that before Snowden the story was how bad the US's cyber intelligence was compared to China, etc.

It's perfectly fine to be OK with your government hacking other countries while also being mad when those other countries do the same thing (though it's foolish to be shocked when it happens).

> It's perfectly fine to be OK with your government hacking other countries while also being mad when those other countries do the same thing (though it's foolish to be shocked when it happens).

I would disagree that this opinion is fine; this is only fine if one selfishly considers oneself more important than the 7000000000+ other people on the planet.

Do you really not consider yourself and family more important than most of the 7000000000+ other people on the planet? There are plenty of people more important than me, but I wouldn't sacrifice myself for any of them. In the same vein, it would be foolish for me, a US citizen, to say that my government should intentionally weaken itself for the benefit of the citizenry of other countries.
> ...government should intentionally weaken itself for the benefit of the citizenry of other countries.

Considering that the majority of Earth's people and natural resources lie outside the US, the long-term best move for the US is to promote global stability and equality. It's not a matter of weakness vs. strength, but short-term vs. long-term thinking.

> There are plenty of people more important than me, but I wouldn't sacrifice myself for any of them.

Personally, I think humanity as a whole is pretty important. I wouldn't sacrifice myself for one other person without a really good reason, but I'm more than happy to accept a small short term decrease in local living standards in exchange for the long term stability and prosperity that would come from raising global living standards.

Specifically with regard to surveillance, the NSA is weakening the long-term position of US companies by leaving their systems and software vulnerable to known exploits, and by its actions, encouraging other countries to do the same. It's a negative-sum game.

  Searching all directions
  with your awareness,
  you find no one dearer
  	than yourself.
  In the same way, others
  are thickly dear to themselves.
  So you shouldn't hurt others
  	if you love yourself.
http://www.accesstoinsight.org/tipitaka/kn/ud/ud.5.01.than.h...