I wouldn't want to be a Sony sysadmin right now. F-Secure just blogged about evidence of a fourth hack at the electronics giant. This one is relatively harmless - a phishing scam being run from Sony servers - but this pattern of security problems should tell us a few things about Sony's SysAdmin staff:
1) They're powerless in their own organization.
2) They don't get to set IT resource policy.
3) They're furious at their bosses right now.
It's hard to generalize like this across an entire organization, but I'm willing to bet that in the affected departments this is the case. Let's look at what we know about the hacks.
The first two involved stealing millions of users' credit card information, which was stored unencrypted and vulnerable during a DoS. The hackers got in with a list of valid usernames and a dictionary attack. I don't know any SysAdmin, no matter how junior, who would leave 100 million users' financial and personal information in an unencrypted format. And on a server with access to this unencrypted financial information, who doesn't impose password standards? I can understand a vulnerability during an exceptional circumstance - a really good SysAdmin team has contingency plans for this sort of thing, but at least it's an understandable problem - but dammit, that data was just left out in the open, with only a dictionary password to protect it! The only thing the DoS did was cover for the dictionary attempts. What SysAdmin team does that?
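The complaint above is that a dictionary attack over a list of valid usernames worked because no password standard stood in its way. As an added example that is not Sony's code and not from the original post, here is a small login service in Python that rejects dictionary words at registration, stores only salted PBKDF2 hashes, and locks an account after a handful of failures, so that a dictionary run stalls after a few guesses however long the word list is. The user store, thresholds, word list and the `AuthService` name are all constructed for illustration.

```python
"""Added example (not Sony's code): a login service that hashes passwords,
rejects dictionary words at registration, and locks an account after a
handful of failed attempts, so that a dictionary attack against a list of
valid usernames stalls instead of running to completion. User store,
thresholds and the word list are constructed for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # constructed threshold
LOCKOUT_SECONDS = 15 * 60   # constructed lockout window
MIN_LENGTH = 12
# Constructed stand-in for a real breached-password / dictionary list.
DICTIONARY = {"password", "letmein", "123456", "qwerty", "welcome1"}


def password_acceptable(password: str) -> bool:
    """Minimal password standard: long enough and not a dictionary word."""
    return len(password) >= MIN_LENGTH and password.lower() not in DICTIONARY


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 makes every guess cost real CPU; iteration count kept modest here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.clock = clock  # injectable so the lockout window can be tested

    def register(self, username: str, password: str) -> None:
        if not password_acceptable(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            # Burn the same hashing cost for unknown users so response time
            # does not confirm which usernames are valid.
            hash_password(password, b"\x00" * 16)
            return "denied"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"


def guesses_checked_before_lockout(service: AuthService, username: str,
                                   guesses: list[str]) -> int:
    """Harness for exercising the control: how many wrong guesses the service
    evaluates before it stops answering. With MAX_FAILURES = 5 the answer is
    4, regardless of how long the word list is."""
    checked = 0
    for guess in guesses:
        result = service.login(username, guess)
        if result == "locked":
            break
        checked += 1
        if result == "ok":
            break
    return checked
```

The injectable clock is there so the lockout can be tested without waiting fifteen minutes; in production the lockout state would live in a shared store rather than in memory, and the lockout would be paired with alerting, since a burst of lockouts across many accounts is exactly the signal a dictionary run produces.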
The next "attack" was really just a vulnerability in the password reset system. If you knew a user's date of birth and email address, you could gain access to their account. Again, who actually deploys a system that vulnerable on an enterprise level? Again, this is an account that includes personal and financial data. Not even an email confirmation or a personal security question in sight! Remember this is a service that has a purpose-built platform associated with it. They could ask for the serial number off the back of your PS3, or send you a code to your Playstation Mobile. They could set up an RSA-style key generator on your device, the way Google does with your mobile phone. But no - your financial data was protected by information that you publish on Facebook. What technical lead does that?
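The "RSA-style key generator on your device" the post asks for is a time-based one-time password, the standard behind Google's phone codes. As an added example that is neither Sony's nor Google's code, the following Python puts the two reset checks side by side: `reset_weak` mirrors the flaw described above (date of birth plus email address is enough), while `reset_hardened` additionally demands a fresh code from an enrolled device (RFC 6238 TOTP over HMAC-SHA1 with a 30-second step, implemented with the standard library) and refuses to accept the same code twice. The user record, the `USERS` store and the secret are constructed sample data; the secret is the RFC 6238 test-vector key so the codes can be checked against the RFC.

```python
"""Added example (not Sony's or Google's code): two password-reset checks
side by side. reset_weak() mirrors the flaw the post describes, releasing the
account to anyone who knows a date of birth and an email address.
reset_hardened() additionally demands a code from a device-bound TOTP
generator (RFC 6238, HMAC-SHA1, 30-second step) and refuses to accept the
same code twice. The user record and its secret are constructed sample data."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password (dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """RFC 6238 time-based code for the time step containing `at`."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // STEP_SECONDS))


# Constructed sample user. A real system would keep the secret encrypted at
# rest and provision it to the user's console or phone during enrolment.
USERS = {
    "alice@example.com": {
        "dob": "1985-04-12",
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector key
        "used_steps": set(),
    }
}


def reset_weak(email: str, dob: str) -> bool:
    """The pattern the post criticises: a knowledge-based check only."""
    user = USERS.get(email)
    return user is not None and user["dob"] == dob


def reset_hardened(email: str, dob: str, code: str,
                   now: Optional[float] = None) -> bool:
    """Require a fresh code from the enrolled device on top of the knowledge
    factor. The adjacent time steps are accepted for clock drift, and a
    matched step is recorded so a captured code cannot be replayed."""
    user = USERS.get(email)
    if user is None:
        return False
    knowledge_ok = user["dob"] == dob
    now = time.time() if now is None else now
    current = int(now // STEP_SECONDS)
    matched = None
    for counter in (current, current - 1, current + 1):
        if counter in user["used_steps"]:
            continue
        if hmac.compare_digest(code, hotp(user["totp_secret"], counter)):
            matched = counter
            break
    # Only burn the code on a fully successful check, so a wrong date of
    # birth cannot be used to exhaust a legitimate user's codes.
    if knowledge_ok and matched is not None:
        user["used_steps"].add(matched)
        return True
    return False
```

The `used_steps` set is the part most implementations forget: without it a code observed in transit stays valid for the rest of its window. Rate-limiting the hardened endpoint is still necessary, since six digits over a three-step window is a small space to guess against an unthrottled service.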
And finally, this most recent attack is a more conventional hack on a (relatively) unimportant server. It's true that by now, Sony's many arms must be the target of every wannabe hacker with a cable modem. But seriously, don't these guys run updates? Do they have a vulnerability scanner? Nessus should give them a license as a charity case.
I think the most damning part is the response to the hacks. In a gesture to try and restore their reputation on security, Sony laid out their technical response:
- Added automated software monitoring and configuration management to help defend against new attacks
- Enhanced levels of data protection and encryption
- Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns
- Implementation of additional firewalls
Wait a moment - are they telling us they DIDN'T have these things before? SONY, of all companies, didn't have an intrusion detection system? They didn't encrypt their data? This megagiant of digital services had no internal firewalls, no security scans?
Don't blame the SysAdmins
It seems like I'm going to come down on the SysAdmin team over there. I'm not. I know what it's like working in a business environment. Most importantly, I know what it's like working in an environment where a manager, not a technical person, is calling the shots. And to me, this reeks of it.
This smacks of a work environment where the technical people are told not to "waste" time on things like "updates", or to make things too complicated with "security". A workplace where the SysAdmins have been saying for months that this stuff is important, but management has set other priorities.
It's frustrating being in that kind of environment on a day-to-day basis, but people get by. There's plenty of new work to get to, plenty of issues that your boss thinks are more profitable than upkeep. And the admins can't understand why the bosses don't want to spend time on these critical, invisible tasks. It seems like such a simple principle, and there are a million metaphors for it: feeding the golden goose, getting your teeth checked, getting an oil change... whatever you want to call it, management is not interested. And when the irresponsibility of management priorities finally comes home to roost, it's the SysAdmins who have to stay weekends and nights to fix it. It's the SysAdmins who have to explain to everyone that data was unencrypted, that security patches weren't applied, that pentesting was never considered.
I've seen that happen at too many organizations to count, and I predict that a lot of Sony SysAdmins are secretly trying to find other jobs right now. Looking for a new SysAdmin? Pick up one of the guys at Sony! They'd be happy for a working environment that lets them do their job.