Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> but as someone in the professional computer security field I know that any company or state/department/organization can be hacked by a motivated attacker.

You seem to give Sony too much credit, and also forget that they had a file server with open internal access which had a directory called "Passwords" which contained a plain text file with all the credentials to their internal servers.

That's something I'd expect to see at some small business with no professional IT on staff... certainly not from a multi-billion dollar company with thousands of employees and a full-time professional IT staff.

Sure, the attackers may very well have spearphised their way inside, but once inside, they didn't have to go through any of the normal hassles of island-hopping with more exploits, etc. They just logged in like they belonged.

Motivated attacker or script-kiddy, once inside, Sony made it awfully easy.



> You seem to give Sony too much credit, and also forget that they had a file server with open internal access which had a directory called "Passwords" which contained a plain text file with all the credentials to their internal servers.

FWIW this is my experience with multi-billion dollar companies with thousands of employees and full time professional IT staff.

Perhaps we can get other security professionals to chime in.

Once you get a foothold in a corporate environment, it is the unfortunate truth (I'm sure others will back me up here) that it is very easy to move around without 'island hopping with exploits'. For the most part, pivoting by passing-the-hash will work for 99% of networks.

It is also my understanding that the malware that was purchased for this compromise had the capability to persist across the network, to exfiltrate data, and to sabotage computers.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: