Public and private sector companies vulnerable to Sony-like attacks

Christopher Parsons, the managing director of a telecom transparency project in The Citizen Lab at the University of Toronto, agrees with Tobok: it’s not enough for companies to leave digital security to their designated IT employees or mid-level management.

“It’s an increasingly serious issue; companies not treating it at the top do so at their own peril.”

Bigger security breaches are a reality of a more digitally-literate world, Parsons said.

“If you’re dealing with a well-resourced attacker with lots of time, there’s a reasonable chance they will find some way through.”

That’s why companies also need to invest in a strong remediation strategy in case an attack does occur, he said.

I should be particularly emphatic on one point: the hack of Sony does not constitute ‘cyberwar’. To begin, the very definition of the term is ambiguous at best. Moreover, an attack on a company that operates no critical systems cannot be understood as an assault on critical infrastructure (e.g. dams, power grids, etc.) that could be interpreted as an undeclared war-like action. What has happened to Sony is a corporate tragedy and one for the textbooks on remediation and mitigation strategies. To be clear: this is a lesson for business and security textbooks, not military strategy textbooks.

Claims that the attacks on Sony are some kind of ‘warlike’ behaviour rest on the assumption that we can attribute who is responsible for the attacks. We are unable to make such an attribution at the moment. And until the NSA or the other SIGINT agencies pull something from their bags of tricks to more positively establish a link between the attacks on Sony and a specific nation-state threat actor with obvious war-based intentionality, any calls that we are witnessing some kind of ‘cyberwar’ are ill-considered at best, and outright ignorant at worst.

Or, alternately, such calls might constitute efforts on the part of those with Top Secret/Sensitive Compartmented Information clearances to raise awareness about some kind of ‘behind the scenes’ action. I strongly doubt those calling the Sony attacks cyberwar have access to such deeply sensitive operational, and classified, information. But perhaps I’m wrong. And, if I am, I hope they’re leaking with authorization or have particularly terrific counsel to defend them against allegations of leaking classified information.


Sony’s Smartgrid Micropayment System

Sony is promoting a product concept: smart electric outlets that enable micro payments and authentication for energy usage at the device level. As described by The Verge:

Sony is developing power outlet technology that uses IC chips to determine a user’s identity or permissions. Possible use case scenarios include managing energy usage in large buildings, device theft prevention, and — yes — the potential for paid access to power. Sony says it expects the technology to be employed in cafes, restaurants, airport waiting lounges, and other public places. The outlets have an IC chip built-in, and send authentication information down the power line itself — this can come from an IC chip built into the plug, or potentially inside an NFC-equipped device or payment card.

This isn’t a surprising new concept – contemporary ‘smart systems’ are largely sold on this kind of logic – but it’s telling that we would be moving payment and identity authentication into integrated ICs on the devices that we use in daily life. I’ll be incredibly curious to see the threat models and risk assessments associated with these next-generation smart systems: if they are deployed as imagined, payment security and electrical privacy would be incredibly serious, and challenging, issues to adequately address.