I’ve been hoping for a bit more detail on how the “hack” (really a “crack” or break-in) was done. I’m not particularly fond of spouting off about what was done ‘wrong’ when I don’t know just what was done. But details are sparse.
What is known is mostly what was taken. The usual emails. Some other docs, and the cream of it all – movie files.
So what can be done to prevent this kind of thing?
I’ve spent a good many years in computing, and particularly in computer security. I’ve worked contracts at major companies (like Charles Schwab and Disney) in computer security related areas. For 7 1/2 years at Apple Computer my group kept the Engineering Network secure (and ran “Apple.com” – even when The Internet Worm took down many companies, it did not take US down.) So I have a rather significant degree of experience with keeping companies secure.
A General Approach and Caveat
The caveat is that since the NSA has leaned on folks to leave back doors and exposures in their network equipment and operating systems, it is no longer possible to run commercial software and have real security. That’s not a political statement, or any kind of “position”. It’s just my observation of what the exposure means. Since the ’80s there has been a constant pressure from The Feds to leave things just insecure enough that they could break in, but (hopefully) individuals could not. (Anyone old enough to remember the fight over 56 bit DES – Data Encryption Standard – where they wanted fewer bits for their cracking pleasure? Or the persecution of folks over using PGP – Pretty Good Privacy?) So this is not new. It’s a long standing behaviour.
What has changed is that they have now largely succeeded. Apple ‘caved’ in about 2012 (the Snowden leaks give the exact dates for each major maker ‘giving in’ to the Prism program). Now it is simply vain and arrogant to think that such exposures will not be found by others and exploited by them. That they are not in the news does not mean they have not been found. A smart system cracker keeps his best cracks private.
So first and foremost, you must accept that if you have not “rolled your own” you ARE pre-cracked, buggered, bagged and tagged, and exposed. Period. Full stop. Let that sink in…
The good news is that there is a not-too-hard way out of that. China figured this out and has started rolling out their own official software for Chinese companies. Even better news is that this is based on a BSD or Linux core, with only modest added hardening. That’s the same thing my group was using at Apple. So a ‘quick start’ is just to take a look at what they have done with Kylin. Oh, and it handles kanji (Chinese characters) well ;-)
There are many other folks using the same base for secure computing. I was part of evaluating a secure / hardened Unix at Schwab, and it came from Israel. This is a well known place to look for security.
For a simple starting point, OpenBSD is a security oriented Unix. You can do anything desired on Unix / Linux systems. Some things may be a bit harder than you are familiar with (like running Excel in an emulated PC); but others are just as easy (like using Open Office instead of Excel). Yes, it is different. You can be hacked, cracked and served up as sushi, or you can run your shop securely. You have already seen what happens if you take the easy / cheap path…
Now that, alone, is not enough. Even Unix and Linux can be configured badly and have exposures; so for a major company like you, pop the bucks to hire some decent Unix / Linux guys and listen to them when they say it’s a bad idea to do something… (I’m presently available if you need someone to fix things right. My last contract just ended after 18 months; but there are plenty of folks as good as me and a fair number who are better.)
So, assuming you are converting your core servers to some form of Unix / Linux, have it properly hardened, and are following best practices for things like penetration testing and active monitoring; you are well along. Now your major remaining exposure is all those desktops running Microsoft and the Cisco routers with NSA doors in them that are your “firewall”. What can you do?
An Architectural View
The first thing that entered my mind on hearing of the hack and movie theft was: WHY oh WHY do you have your movie archive on your main corporate network?
Now at Apple, we had a top secret project. I think I can talk about it a bit now, as the time for that tech is long past. We were designing a new approach to desktops that was about 10 years ahead of the time, and about 5 years ahead of the competition. OK, that’s something a LOT of folks would like to get a peek at. We defended it in a fairly simple way. Segmenting the network.
The network was in 4 major ‘chunks’ that were NOT connected to each other in any direct (complete or network level) way. The innermost secure zone was able to log into the secure side of our main compute engine (a Cray Supercomputer) and get to the various services inside our building. The rest of Engineering could connect to the Cray as well, but only via a different network interface and that was automatically put into a “chroot” or “change root” limited compute space. Someone who broke into the main Engineering area would not even see all the very secure area systems or storage. No, it doesn’t need a Cray. Any Unix box will do. We just happened to be using that one. Folks in the secure area could initiate connections outbound, but outside could not initiate them inbound. Today, with the exposure of browsers and Java in virtual machines, I’d not allow them on desktop machines used for secure projects. Give those folks two computers. They are cheap compared to the risk. One is used for the day to day stuff of email and browsing. The other for secure work like rendering movies and such. An air gap is your friend.
Next up, all corporate functions were on their own network. Engineering was a distinct network. If one broke into the Engineering side, they could not get to the Corporate side. (Or the other way). We had an email bridge between them, but not much more than that. (Today I’d likely add some shared file services – again with chroot barriers inside the machines). Now a break in to the tech side does not expose corporate email logs.
So those three segments (secret areas, engineering, corporate) were the major breaks. But we had more. There was a semi-public network. A boundary network, if you will. Apple.com lived in it, as did a few other machines and services. We let most anyone in the company have an account on that machine if they wanted it for wide open internet access (we didn’t allow many services from inside the secret or secure zones… so things like FTP (File Transfer Protocol) were limited or controlled). Now there was the ability to pull a file from the Apple.com zone into the Engineering zone, so folks could get things, but it was a 2 step process. We also had a fairly slow and limited connection between the two networks so any unusual activity would show up very rapidly on monitoring. Folks could even get email accounts for spouses, if they wanted. Everyone had to agree that they understood this was for Non-secure and often non-work purposes. No important stuff to be left on that machine / network.
Why do that? Honeypot.
That whole network (now often called a DMZ or Demilitarized Zone network) was littered with traps, detectors, and Apple.com was a giant ‘honey pot’. It LOOKED like the right place to attack, but it wasn’t. A whole lot of folks tried. Some even managed to break into it. All the time they were doing that, we were watching. What was their skill set? What wares (tools) did they use? Did they have any new tricks? We had “buggered” all the navigation and inspection commands (things like ls to list files and cd to change directory) to look at if you had become root. IFF so, you had to have done it via a special method that left a marker in a secret spot. If you were root, but not via that method, alarms went off in the systems area and we started watching. Every hack was caught in that honeypot area and none made it to the inside. (This would now fail on things like phishing and using browser weaknesses to get directly to desktops, so one would need a different set of protections against that. See the above statement about having two computers, one on the secure net and one for outside facing activities…)
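The “buggered” navigation commands described above, written out as an added example in POSIX shell. This is not Apple’s code and not from the original post; the marker directory, the alert log path, the path of the real `ls` binary and the per-tty session naming are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Apple's code): a "root without the marker" tripwire.
#
# The sanctioned way to become root (a wrapper around su/sudo, not shown)
# calls mark_root_ok for the current session, which drops a marker in a
# secret directory. Navigation commands are wrapped so that a root shell
# with NO marker for its session raises an alarm and then behaves normally,
# so the intruder sees nothing unusual while the systems area is paged.

MARKER_DIR="${TRIPWIRE_MARKER_DIR:-/var/lib/.tw}"           # assumed secret spot
ALERT_LOG="${TRIPWIRE_ALERT_LOG:-/var/log/tripwire-alerts}" # assumed alert sink
REAL_LS=/bin/ls                                              # assumed real binary

# Session id: the controlling tty with slashes replaced, /dev/pts/3 -> _dev_pts_3,
# so a marker left by one legitimate root session does not cover another tty.
session_id() {
    tty 2>/dev/null | tr / _
}

# mark_root_ok MARKER_DIR SESSION: called only from the blessed elevation path
# after it succeeds (and the same wrapper should remove the marker on exit).
mark_root_ok() {
    mdir="$1"; sess="$2"
    mkdir -p "$mdir" && chmod 700 "$mdir" && : > "$mdir/$sess"
}

# root_tripwire UID MARKER_DIR SESSION -> 0 if nothing to report,
# 1 if the caller is root and no marker exists for this session.
root_tripwire() {
    uid="$1"; mdir="$2"; sess="$3"
    [ "$uid" -eq 0 ] || return 0          # not root: nothing to check
    [ -f "$mdir/$sess" ] && return 0      # root via the sanctioned path
    return 1
}

# Record the alarm: append to the alert file and hand it to syslog, which
# should be forwarding to a log host the intruder cannot reach.
alert() {
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    msg="TRIPWIRE root-without-marker pid=$$ session=$(session_id) cmd=$*"
    printf '%s %s\n' "$stamp" "$msg" >> "$ALERT_LOG" 2>/dev/null
    command -v logger >/dev/null 2>&1 && logger -p auth.alert -t tripwire "$msg"
    return 0
}

# The wrapper itself. Install as /usr/local/bin/ls (ahead of /bin in root's
# PATH) or as a function in root's profile; same pattern for cd, find, cat...
# It alarms first, then runs the real command with the original arguments.
ls() {
    if ! root_tripwire "$(id -u)" "$MARKER_DIR" "$(session_id)"; then
        alert ls "$@"
    fi
    "$REAL_LS" "$@"
}
```

Two caveats a practitioner will want: a competent intruder who already has root can find and remove the wrapper, so the value is in the first few commands typed after the break-in, before they know to look; and the alert is only worth anything if it leaves the box immediately (syslog forwarding, or the paper-and-wire trick described further down), because a log file on the compromised machine will not survive.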
So folks would bang on Apple.com and it was so bad we had custom cut ‘login shells’ for user names “steve”, “jobs”, and “woz”. They would just let you try to log in, grab your screen, print something along the lines of “Go away and come back when you have more skilz” and drop your connection. Dozens a day. But if an ‘interesting’ attack came along, we got time to inspect it. There was a very limited router in the back of that network, named in an obscure way, that only let email and some limited other information go ‘inbound’. (NetNews in the days before browsing, and some log file transfers, mostly.) That router was very strongly locked down, monitored like crazy, and not very powerful. Turns out that was a feature…
The internet worm cracked into Apple.com but was not able to break through that stupid limited router to the inside before it had brought Apple.com to its knees on performance. We later figured out it eventually might have gotten in, but by then our honeypot / limited communications strategy had already brought the staff to alert and we had downed the equipment.
Now not all this is suited to today. It is shown as an example of how to think about things, not as a recipe for you, now. Each site needs its own approach.
The key elements, though, are relevant. Have a honeypot and a honeypot network. Booby trap and rig that thing for so many ways of watching and measuring that nothing much can be changed without someone taking a look. Segment your networks (and not just with segments inside some router… use things that can’t be bypassed with config changes or software – real hard wire segmentation.) Yes, it will cost a bit more and not be as fast or efficient. Security is always a bit more costly and slows things down. Put your company secrets and most valuable assets where they are NOT connected to the general network. Either on completely isolated networks, or not even on line at all. WHY is a movie on live disks on the network once it is a ‘wrap’? Once it has gone to a master, put those masters off line. Unplug the box or put it on a tape on the shelf. (I never have understood why folks think they need to put things like power plants and dams on the internet. Leave them disconnected, or put them on a private leased line if you must have remote access.) Put choke points between major segments of business function. Monitor those choke points heavily, and limit what they can do.
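An added example, not from the original post, covering both the one-way rule between the secure zone and the rest of Engineering described earlier (inside may initiate outbound, outside may not initiate inbound) and the “choke points between segments, monitored and limited” advice just above. It is an nftables policy for the choke-point box, generated and applied from a shell script. The interface names `sec0` / `eng0`, the table name, the log prefixes and the management rule are assumptions; it is the filter on the box, not a replacement for the separate wires the author calls for.

```shell
#!/bin/sh
# Added example (not from the original post): nftables policy for a choke
# point between the secure zone (sec0) and engineering (eng0).
#
# Policy: the secure zone may start conversations toward engineering, replies
# flow back statefully, and nothing new may be started from engineering toward
# the secure zone. Everything refused is logged with a fixed prefix so the
# choke-point monitor has something to count.

# choke_ruleset SECURE_IF ENGINEERING_IF -> prints the nft ruleset to stdout
choke_ruleset() {
    sec="$1"; eng="$2"
    cat <<EOF
flush ruleset
table inet choke {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to conversations already allowed, in either direction
        ct state established,related accept

        # secure zone may initiate toward engineering
        iifname "$sec" oifname "$eng" ct state new accept

        # engineering may NOT initiate toward the secure zone: log, then drop
        iifname "$eng" oifname "$sec" ct state new log prefix "CHOKE-DENY " drop

        # anything else (unknown interfaces, invalid state) is logged and dropped
        log prefix "CHOKE-DROP " drop
    }
    chain input {
        # the choke box itself accepts nothing new from either side except
        # ssh from the secure side (assumed management path)
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iifname "$sec" tcp dport 22 ct state new accept
        log prefix "CHOKE-INPUT " drop
    }
}
EOF
}

# Apply it; needs root and nftables. Example: choke_apply sec0 eng0
choke_apply() {
    choke_ruleset "$1" "$2" | nft -f -
}

# Count refused attempts per hour from the kernel log, the number the
# "slow, limited, heavily monitored" choke point is meant to make visible.
# Reads syslog-style lines ("Nov 24 14:06:02 choke kernel: ... CHOKE-DENY ...").
choke_denies_per_hour() {
    grep 'CHOKE-DENY' | awk '{ h = $1 " " $2 " " substr($3, 1, 2); c[h]++ }
        END { for (h in c) print h, c[h] }' | sort
}
```

The box must have IP forwarding enabled and its two interfaces on physically separate segments; the `inet` table covers both IPv4 and IPv6, so an attacker cannot slip past on the address family you forgot. A single `CHOKE-DENY` line is a misconfigured workstation; a steady rate of them from one engineering host is someone mapping the other side.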
It really isn’t very hard to set up one email server for the executives, another for the general staff, and a third for engineering (and maybe even a 4th for marketing / sales, and…) Put them on their own segments, and now a system cracker has to break into 3 or 4 different machines (and discover them first) to ‘get it all’. They also have to traverse several choke points, find yet more (and sometimes different ;-) security traps and monitors. Eventually they might be able to do it all, but the time it takes drastically increases the odds they will get caught. Pay some folks to monitor those log files of crack attempts, not just look at them after the attack. We had a twisted pair hard wire from the system console for Apple.com that went to a different building a couple of blocks away where it printed the console log directly to ‘green stripe’ paper. We could have just left it as a patch of disk used for a file. We could have saved a box of paper every few days. Yet, one day, the operator was changing the paper and realized it was printing the log faster than it should have been. A systems guy looked into it and found the machine was under attack. The attacker had nuked the log file on disk… but could not erase the paper log… Our sysprog rapidly saw all that had been done, and owned the guy. A small cost, a bit of awareness, some more ‘indirect’ ways of doing things. The difference between a catch and being pwned… (now I’d likely send that log to another small log file server with ‘write once’ media).
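The modern form of the console log printed in another building, as an added example not from the original post: ship the log off the box as it is written, keep the copy append-only on a host the intruder cannot reach, and run the “it’s printing faster than it should” check over that copy. The log host name, the rsyslog fragment path, the remote file path, the threshold and the sample log lines are assumptions / constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): an off-box, append-only copy of
# the log, plus a per-minute rate check that plays the role of the operator
# noticing the printer running fast.

LOGHOST="${LOGHOST:-loghost.internal}"                 # assumed: inside-only host
REMOTE_LOG="${REMOTE_LOG:-/var/log/remote/console.log}" # assumed path on log host

# On each monitored box: forward everything to the log host over TCP as it is
# written (rsyslog legacy syntax: "@@" is TCP, a single "@" would be UDP).
install_forwarding() {
    printf '*.* @@%s:514\n' "$LOGHOST" > /etc/rsyslog.d/90-loghost.conf
}

# On the log host: make the received file append-only. Root can still clear the
# flag (chattr -a), but must do so on the LOG HOST, a second break-in that the
# first one has already announced. On BSD the equivalent is
# "chflags sappnd FILE"; at securelevel 1 or higher even root cannot clear it.
make_append_only() {
    touch "$1" && chattr +a "$1"
}

# busy_minutes THRESHOLD < log -> prints "YYYY-MM-DDTHH:MM count" for every
# minute with more than THRESHOLD lines. Expects an ISO-8601 timestamp in the
# first field, e.g. "2014-11-24T14:05:01Z host sshd[123]: Failed password ..."
busy_minutes() {
    awk -v t="$1" '{ m = substr($1, 1, 16); c[m]++ }
        END { for (m in c) if (c[m] > t) print m, c[m] }' | sort
}

# mean_per_minute < log -> integer average of lines per observed minute; a crude
# baseline from which to set THRESHOLD (a few times this value).
mean_per_minute() {
    awk '{ m = substr($1, 1, 16); c[m]++; n++ }
        END { k = 0; for (m in c) k++; print (k ? int(n / k) : 0) }'
}

# Constructed sample, not real logs: a quiet minute, a burst of failed root
# logins, a quiet minute.
SAMPLE_LOG='2014-11-24T14:05:01Z h sshd[1]: Accepted publickey for alice
2014-11-24T14:05:40Z h cron[2]: (root) CMD (run-parts /etc/cron.hourly)
2014-11-24T14:06:02Z h sshd[3]: Failed password for root from 10.9.0.1
2014-11-24T14:06:03Z h sshd[3]: Failed password for root from 10.9.0.1
2014-11-24T14:06:04Z h sshd[3]: Failed password for root from 10.9.0.1
2014-11-24T14:06:05Z h sshd[3]: Failed password for root from 10.9.0.1
2014-11-24T14:06:06Z h sshd[3]: Failed password for root from 10.9.0.1
2014-11-24T14:07:10Z h sshd[4]: Accepted publickey for bob'

# Run from cron on the log host, e.g. every 5 minutes over the last hour of
# REMOTE_LOG, with the output mailed or paged to the operator on duty.
check_now() {
    busy_minutes "${1:-50}" < "$REMOTE_LOG"
}
```

The attacker who “nuked the log file on disk” in the story above would, in this setup, have removed the local copy only; the forwarded lines are already on the log host, and the very gap in the local file is itself a signal worth alarming on.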
The Hard Nut To Crack
The Desktop is going to be your largest point of grief. Between web browsers being hackable, phishing, the dominance of a known insecure system (Microsoft – aka Virus Central) and users not being so bright… Frankly, I don’t think it can be made secure. Given the MSoft dominance of workspace tools (Office / Word / Excel) and the general I.T. Dept attitude that MS is OK (often under pressure from the V.P. Finance… I’ve been there…) it would be very hard to convince folks to use something else.
Apple Macintosh is based on a Unix core. It’s pretty darned secure (especially compared to Microsoft). Were it not for their participation in the NSA ‘pre-buggered-R-Us’ program, I’d say to use them. They will keep out most folks, but not all. Doing a ‘roll your own’ on the desktop OS using Red Hat or OpenBSD will be quite a bit harder than just buying an Apple, a Chromebook (also pre-buggered but otherwise secure), or similar. Probably not worth doing it for the general desktop; but worth doing it for secure operations. The only way, frankly, that I can see to make the desktop reasonably secure today, would be to put in two networks. Put a Chromebox on each desktop for browsing and external email (all of $179 each) and have them on one network. Have a second machine for all other work (corporate documents, internal email, development). Don’t let the two networks connect. Drastic? Yes. But when each machine is known to come from the factory pre-compromised, fixing that takes drastic measures.
I was inside a secure network, on a corporate site, with a ‘locked down’ Microsoft box where I could not get admin privileges. I was able to bring up a virtual machine (on a USB drive) and from that launch a browser and have root access on my virtual machine (that means I could install all sorts of software and ‘goodies’). It is not enough to think you have the machines under administrative control. You must assume they will be compromised and put in a load of traffic analysis, penetration testing, monitoring, and intrusion detection. Having the network segmented into “gets to the internet” vs doesn’t buys a lot of safety for everything without that much trouble. Now if I ‘get root’ on a box (or a VM on that box), any attempt to send data to the outside world either fails outright, looks darned suspicious (to a person or a monitor box), or shows up as a performance hit at a choke point.
This has just been a few highlights. There’s a lot more that can be done, but that gets down into the technical weeds. The major ‘take away’ is to realize that “business as usual” or “what everyone else does” is just not good enough. The rush to convenience and cool hates security. The government hates YOUR security. The vendors have been blackmailed into making insecure products (in the false belief that the only ones good enough to exploit those things are the Government TLAs – Three Letter Agencies.) The ‘pre-buggered’ products are promoted more than the others as ‘the standard’ so following that lead is accepting insecurity. The only clear way out is via using open software systems where they have many eyes looking at them. No, that doesn’t guarantee security (as the recent OpenSSL bug shows) but it is at least saying you know it isn’t ‘buggered deliberately at the factory’. At present, that means a BSD version or Linux. China figured this out, and they are not dumb.
I’ve used 2 or 3 machines for my personal needs for several years. Usually one for email and browsing and another for ‘private stuff’ (like the GIStemp analysis). It isn’t that hard, and not very expensive. Often just not tossing out your old machine when you buy a newer one. I typically use 2 or 3 different OS types at any one time. Microsoft when forced to by a work need. Unix / Linux for my personal or secure uses. Sometimes an Apple (or now a Chromebox) for User Interface focused things (like browsing or email). Sometimes that has meant finding a way to move something from one box to another. Easier in the days of floppies and CDs; harder now that tablets often don’t even have a USB connection. But I’ve always found a way. It makes me very comfortable to know that most of the time 99%+ of all my files are ‘offline’ in unreadable media; that when I’m using a ‘browser box’ it can’t compromise my main private work, my email, or my archives. I keep email on one network (now an external server) and ‘my stuff’ on a separate one, connected only when needed, and then usually via a network box with ‘blinky lights’ that let me know when data is moving. I’ve so far avoided any significant hack or virus. The only ‘failure’ was a recent loss of email as AOL decided to nuke my account for low usage. Even there, I could have avoided that by using my own email server and doing an SMTP download rather than trust the vendor. But I digress… The point is that segmented use segments risk, and that’s a very good thing.
So, Sony, I suggest asking your head I.T. Guy some very pointed questions, AND asking his “customers” why they insist on convenience over security AND asking the I.T. Guy’s boss why he doesn’t listen when the I.T. Guy says something isn’t all that secure (or ask the I.T. Guy why he’s given up warning…) And ask yourself WHY everything has to be connected to everything and online at all times. If you don’t get the answer that “It doesn’t”, you aren’t talking to the right folks… No, it’s not cool, or trick, or trendy, or easy. But it is secure and effective.