Friday, December 19, 2014

Sony Hack

During the 27-year gig we were subjected regularly to "spear phishing" hack attempts.  That's defined by someone contacting internal people via email and soliciting or evoking information that allows for greater intrusion.  It's easy to find someone's internal email address; that's often published or, if not, it probably follows a standard format.  If you are any good at talking to strangers you can probably write an email that an employee will respond to.  Generally you want to avoid the representation that you are a Nigerian prince in exile.

The first was a situation in which a senior employee received an email that appeared to be from USBank.  The logo, font and contact information were all correct.  There was a reply link that took you to a web form, also all correct looking.  At that point it asked for verification of account number, home address, your mother's maiden name, etc.  Our senior employee filled out the form and his Visa card was used about five minutes later in Ireland.

A very recent event, during my last 'transition' months, involved a senior accounting member.  On a Friday afternoon they received an email requesting a wire transfer of money for a legitimate project.  The message included the name of the company's CFO and mentioned that he was unavailable according to his calendar but had approved the wire transfer.  The accounting person did several back and forth emails getting further information and was ready to send the money.  That would have been a significant amount into a black hole.  These people are good.  I would have fired the accounting person for even getting that far down the path.

So what is the implication of the Sony hack?  Anything you do on the internet is more or less recorded.  Some companies are good about keeping private what more or less should be private.  Unless you are a terrorist, Google is not going to cough you up.  The North Koreans were able to solicit via spear phishing enough information to get to a senior network administrator's user ID and password.  That is all it takes.  In the 27-year gig there were just four of us who had those rights and we checked on each other's integrity and practice standards all the time.

You should have complex passwords, something other than your childhood dog's name.  Don't write them down.  Don't give them to your spouse.  Don't ask computers to remember you.

The Koreans had political intent.  There are just as many security trolls out and about doing this stuff for fun who may just like messing with people and companies.  There is also good money in this as evidenced by the hacks of Target, Home Depot, etc.  My USBank card had been lifted three times and our three small business cards from Wells Fargo have been lifted five times in total.  Cash might be good...although 20% of the $100 bills are fake.

Cloud storage is pretty convenient.  I used it all the time.  Not everything that I store on the cloud is encrypted.  Some of the cloud storage providers are a bit brazen about declaring the security of their systems and the lack of intrusions.  The Sony intrusion occurred through a relatively simple approach and may have destroyed their reputation and put a lot of movie goers under a threat of violence in theaters, and we know there's some bad stuff that has happened there in the past.  Are there Korean sleeper cells here?  That's my conspiracy comment of the day.

The really big hack, bigger than Sony, is that ICANN was hacked recently.  This is the organization that provides all the addressing and domain assignments for the internet.  A good hack there would affect all internet traffic.

I'm going to rethink my information stored in the cloud, probably ensuring that all of it is encrypted on my side before being uploaded.  I never had a dog as a child but I do remember the name of the dog that lived directly across the street.