they stole 100 TB of data from Sony. that must have takes weeks.

I just logged in to my bank after clearing some cookies, bank did not recognized the computer and sent me a safe pass to my cell phone. I had to wait for text message to arrive (it took just a few seconds) and then I entered the safe pass, then the password.

A few days ago I logged in into ADP (payroll and attendance for my team) and again I logged in from a new computer, not only it sent me a security code to my email, I also had to answer 3 security questions and only then it would let me log in.

In other words, if you do it right, the log on protocol can be almost fool proof. I would imagine in case of Sony that they had some top notch log in protocols (but maybe they didn't). A friend who works in artificial intelligence research has a little gizmo that gives him a security code which changes every 30 seconds. anyway, you get the idea, some servers have good log in protocols.

but if GOP were able to hack Sony, I would imagine they didn't log in via the standard protocol, they must have found a way to get in through a different way. it is almost like you;re building a fence, installing an excellent gate, but then leaving holes under the fence or not even finishing the fence in the back of the house, so that's how thieves get in. what is the point of these security measures if they leave some many holes unplugged?

/rant off.

One of the easiest is drop a cool looking flash drive/phone/tablet near the executive assistant parking spaces. Infected drive installs keylogger/back door/Trojan/etc. if they don't have a truly rigorous suite of software installed.

---

In tha 360. MRF User Map

Quote
Filliam H. Muffman
One of the easiest is drop a cool looking flash drive/phone/tablet near the executive assistant parking spaces. Infected drive installs keylogger/back door/Trojan/etc. if they don't have a truly rigorous suite of software installed.

At work, only work provided flash drives are allowed, and not permitted off the property. Devices not registered with IT will be destroyed if found logged in, or plugged in to the network.



Edited 1 time(s). Last edit at 12/23/2014 07:35PM by Racer X.

[en.wikipedia.org]

---

This is a great account of what has happened: [www.reddit.com]

Quote
Mike Johnson
This is a great account of what has happened: [www.reddit.com]

Wow. "...an IT director was comprised apparently he had no background in IT and was actually a marketing exec..."

---

In tha 360. MRF User Map

All it takes is for one idiot to click on an attachment.

I heard one theory that suggested there may have been someone inside Sony who enabled the hack.

---

Northern California Coast

We are also told that three security certificates used a password of "password".

wow, just wow. if you know how to generate a security certificate, you should know to use a strong password.

Quote
space-time
We are also told that three security certificates used a password of "password".

wow, just wow. if you know how to generate a security certificate, you should know to use a strong password.

If they're self-signed, the process may have been automated and the password pre-filled by the OEM.

---

Quote
Onamuji

Quote
space-time
We are also told that three security certificates used a password of "password".

wow, just wow. if you know how to generate a security certificate, you should know to use a strong password.

If they're self-signed, the process may have been automated and the password pre-filled by the OEM.

and they don't have random number generators?

Quote
space-time

Quote
Onamuji

Quote
space-time
We are also told that three security certificates used a password of "password".

wow, just wow. if you know how to generate a security certificate, you should know to use a strong password.

If they're self-signed, the process may have been automated and the password pre-filled by the OEM.

and they don't have random number generators?

Dunno. I don't deal with certificates outside of the Mac ecosystem all that often.

When you generate a self-signed cert on a Mac server, you don't get prompted to provide a password at all.

The server app randomly generates a password that gets stored in the system keychain. Because of this, I never have to deal with assigning a password to a certificate anymore. Last time I did it... I dunno... Maybe under Leopard Server when it took work to create a certificate.

I'm certain that most Mac admins don't even know that it exists in the keychain.

...Some devices -- Routers and hardware RAIDs are examples -- come with their own self-signed or OEM certs from the factory and I have no idea what passwords they use. Potentially, every last one of them is "password" and I'd never know. You don't need the password for most activities, either because it's supplied at the appropriate time by the firmware/software when the device starts up or because it's pulled from a password-store (like the Mac keychain) as needed.

---

Like above, the short answer is that Sony did not give a damn about information security, and took no action despite failing external audits. Their 'security' was the equivalent of standing around naked saying "No pictures, please" !

Quote
steve...
I heard one theory that suggested there may have been someone inside Sony who enabled the hack.

Quote
Muffman
"...an IT director was comprised apparently he had no background in IT and was actually a marketing exec..."

---

In tha 360. MRF User Map