House Price Crash Forum

Cyber Attacks, This Can't Be Good



http://www.telegraph.co.uk/news/worldnews/asia/northkorea/11309376/North-Korea-internet-totally-down-as-US-cyber-attack-suspected.html

This can't be good, who knows where these spats go next? Pretty much all of my assets (apart from a house and a paltry amount of precious metals) exist as zeros and ones on some digital file.

I'll be a bit more diligent in the future about printing off hard copies of statements, but what else can a prudent person do to protect themselves?

Link to comment
Share on other sites


http://www.telegraph.co.uk/news/worldnews/asia/northkorea/11309376/North-Korea-internet-totally-down-as-US-cyber-attack-suspected.html

This can't be good, who knows where these spats go next? Pretty much all of my assets (apart from a house and a paltry amount of precious metals) exist as zeros and ones on some digital file.

I'll be a bit more diligent in the future about printing off hard copies of statements, but what else can a prudent person do to protect themselves?

Get a safe? Use a bank deposit box? How did you do it pre-internet?

Link to comment
Share on other sites


In the film Die Hard 4, they speculated that hackers could bring the world to its knees by creating a firesale event. And in Die Hard 2, hackers could disrupt air traffic control. In the film Sneakers, they had a codebreaker that could break into any system.

Hard assets are the back up store of wealth, that in turn is backed up by force.

Link to comment
Share on other sites


This can't be good, who knows where these spats go next? Pretty much all of my assets (apart from a house and a paltry amount of precious metals) exist as zeros and ones on some digital file.

I'll be a bit more diligent in the future about printing off hard copies of statements, but what else can a prudent person do to protect themselves?

Probably not a good idea to rely on electronic wealth.

Link to comment
Share on other sites


Systems are as secure as their owners want them to be.

I am old enough to remember when the UK government required a physical air gap between its critical IT systems and the outside world. Now they, like the banks and a host of other commercial organisations, insist on plugging just about everything, no matter how sensitive, into the internet where it can potentially be hacked by anyone anywhere in the world. Despite all the hype about how modern communication technology has 'liberated' people, the truth is that the driver behind much of this rush to get everything online is simple cost cutting. By doing it the government and the corporations have managed to get the suckers on the street to pay for a large chunk of the national IT infrastructure such as their own phones, tablets, desktops, routers etc as well as funding much of the networking and data centres via fees paid to the ISPs. Moreover, people who manage their affairs online are essentially gifting their labour for free to the state and businesses. In fact opting out of the online world is now perceived as not just Luddism but being a potential enemy of society. Frankly, if the UK IT systems get pwned in a major way by another state's hackers it is no more than we deserve.

Edited by stormymonday_2011
Link to comment
Share on other sites


I have no faith in the long term integrity of the net. Don't trust it... never have done in regards to putting my stuff out there, be it personal or security in terms of money. Just keep enough in the bank to pay bills and daily stuff.

A strong safe and cash at hand along with paying for fuel and food in cash. It just seems totally ridiculous to me to place so much faith in the ether... bonkers.

Link to comment
Share on other sites


There are plenty of IT people on this forum, maybe one of them can answer these questions.

If someone can gain access to Sony's best protected electronic files, what's to prevent someone gaining access to the files of a bank like HSBC, a stockbroker like Killiks, or even NS&I, and distribute their clients' account details and passwords? Is the security surrounding financial institutions on an entirely different level of impregnability, or is that just wishful thinking on my part?

Link to comment
Share on other sites


There are plenty of IT people on this forum, maybe one of them can answer these questions.

If someone can gain access to Sony's best protected electronic files, what's to prevent someone gaining access to the files of a bank like HSBC, a stockbroker like Killiks, or even NS&I, and distribute their clients' account details and passwords? Is the security surrounding financial institutions on an entirely different level of impregnability, or is that just wishful thinking on my part?

Sony, like any other hack, is likely to be an inside job. It's what spies are for.

Link to comment
Share on other sites


All companies, governments, local businesses etc have the same barrier "preventing" hacks.

People.

And all people have the same flaws, given a large enough sample. The I.T. is at a point where it is mostly not able to be breached by simple means (computer-to-computer), but you still give humans (employees) access to parts of the network they require to do their function, and they are all exploitable in the same way.

Can any house be broken into with enough determination? Probably yes.

Networks? Probably yes.

Link to comment
Share on other sites


Just think of all those NSA back doors and holes left wide open in the vast majority of the world's systems and network infrastructure just waiting to be exploited....

Yes, this is something that media of course totally ignore. If a state backed actor is actively working to make IT systems insecure to further its own interests, then this leaves open enormous vulnerabilities which will be exploited by third parties (even if you trust the agency of the state to do the right thing, which I certainly don't).

It's just corruption all the way along the line. Right now, the people making like bandits with these powers are limited to those on the inside, acting behind the veneer of state authority. Only a matter of time before the knowledge and corruption spreads further into the general criminal/ fraud/ corporate sphere and all aspects of our lives become vulnerable to the crooks.

Link to comment
Share on other sites


Sony has been shown to be inept with IT security in the past. Bank security is far more robust.

A history of not taking security seriously. Oh and then they were trying to install rootkits on their customers' PCs. They have reaped what they have sowed AFAIKS.

Link to comment
Share on other sites


I think some people here have been watching too much 24/insert-your-favourite-spy-tv-show-here. Secure systems mostly use open source software which makes it pretty much impossible to put back doors in. It was not so long ago that the NSA tried to sneak a slightly flawed random number generator into RSA and that was outed. Paradoxically, systems where everyone knows how they work are the most secure ones.

Edited by goldbug9999
Link to comment
Share on other sites


Sony had taken precautions against hacking, and had retained an IT security specialist to protect them against cyber attack. However, while they had made some effort, they hadn't gone to the effort of "best practice".

Some of the failings that appear to have come to light in the Sony case are wide open networks, where any log-in can provide access to huge numbers of servers, with little access restriction. Some servers had weak admin passwords, such as "password", and files containing other admin passwords were stored as text files on network accessible servers.

That said, the attack on Sony appears to have been a highly organised, targeted attack. It is difficult to defend against this sort of attack, because the attacker will keep trying again and again, until they get in. Indeed, it is likely that there was an element of social engineering in order to get their malware into Sony in the first place (e.g. making a custom virus, putting it on some USB sticks, and then leaving them lying around the campus, in the hope that someone picks one up, puts it in a computer and clicks on the file labelled "cute fluffy kittens").

Higher risk systems require better practice. Files and servers should be strictly compartmentalised. Individual departments or groups will have their own servers, and no one outside that group should have any access to those servers. Where practical, access should be based upon a person's defined role, which may vary from shift-to-shift if they are temporarily "acting up" into a senior role for emergency cover. 2-factor authentication may be used, or in very high risk systems multiple-person multiple-factor authentication may be used.

For example, for access to the NHS summary records service (or spine), 2 factor authentication is needed. To get your authentication card, you need to visit a national IT security centre, who will check your contract of employment, check your ID on multiple national databases before issuing you a card. Issuing a card (I'm told) requires 2 people to authorise the request.

Another issue where Sony went a bit wrong was controlling network access. Good security would include separating the network into segments, with firewalls between each segment, set to allow only data which is essential to business. For example, I've recently been involved with setting up a link between a dozen or so hospitals so that they can get access to each other's test systems. The networks are broken into numerous segments with many firewalls. One of the most difficult things with this project was actually working out what firewalls needed to have ports opened in order to get this system to work. On this system, there were something like 150 firewalls, each set to "deny all" with every exception explicitly stated with a specific reason. It was a huge piece of work to get this system working. In fact, when we came to test the backup servers (on a different site and different network) we found that we had missed some firewall rules which were necessary to allow the backup system to work, despite a couple of hundred man-hours being spent on mapping out and documenting every single firewall rule.

Link to comment
Share on other sites
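
The post above describes default-deny firewalls with documented exceptions, and a backup path that was found blocked only at test time. The following is an added example, not part of the post or of any system it mentions: a pre-deployment check that walks every required flow hop by hop against the allow rules. Segment names, ports and reasons are constructed for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # source segment
    dst: str      # destination segment
    port: int     # TCP port allowed through the firewall between them
    reason: str   # documented business justification

class Flow(NamedTuple):
    name: str
    path: tuple   # ordered segments the traffic crosses
    port: int

# Constructed sample data (hypothetical segments, ports and reasons).
RULES = [
    Rule("hospital-a", "wan", 8443, "test results query to shared lab system"),
    Rule("wan", "lab-primary", 8443, "test results query to shared lab system"),
    Rule("hospital-a", "wan", 5432, ""),  # exception with no recorded reason
]
FLOWS = [
    Flow("results-primary", ("hospital-a", "wan", "lab-primary"), 8443),
    Flow("results-backup", ("hospital-a", "wan", "lab-backup"), 8443),
]

def hops(flow):
    """Expand a flow into the (src, dst, port) crossings it needs."""
    return [(s, d, flow.port) for s, d in zip(flow.path, flow.path[1:])]

def missing_hops(flow, rules):
    """Hops of a flow that no allow rule covers; under deny-all each one blocks it."""
    allowed = {(r.src, r.dst, r.port) for r in rules}
    return [h for h in hops(flow) if h not in allowed]

def audit(flows, rules):
    """Return (blocked flows, rules without a reason, rules no flow needs)."""
    blocked = {f.name: m for f in flows if (m := missing_hops(f, rules))}
    undocumented = [r for r in rules if not r.reason.strip()]
    needed = {h for f in flows for h in hops(f)}
    unused = [r for r in rules if (r.src, r.dst, r.port) not in needed]
    return blocked, undocumented, unused

if __name__ == "__main__":
    blocked, undocumented, unused = audit(FLOWS, RULES)
    for name, gaps in blocked.items():
        print(f"BLOCKED {name}: missing allow rules for {gaps}")
    for r in undocumented:
        print(f"NO REASON: {r.src} -> {r.dst} port {r.port}")
    for r in unused:
        print(f"UNUSED: {r.src} -> {r.dst} port {r.port}")
```

Listing the backup-site flows alongside the primary ones is what lets a check like this catch the gap before failover testing does.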
