
Sony saved thousands of passwords in a folder named 'Password' - dnetesn
http://www.telegraph.co.uk/technology/sony/11274727/Sony-saved-thousands-of-passwords-in-a-folder-named-Password.html
======
UnoriginalGuy
I normally don't have much sympathy for companies which get egg-on-face
because of their own incompetence, but I am very sympathetic to the employees
and past employees who just had their SSN and other vitals leaked onto the
internet.

As an aside SSNs really need a massive overhaul. In theory they're meant to
only be used for government stuff, but their use is now so broad (finance,
insurance, medical, et al) that their leakage is all too common and the
potential cost of a leak too damaging.

With a little bit of investment the SSA could continue to generate SSNs (for
historical reasons and government department usage) and generate a new SSID
which is just a longer unique number which companies are legally prohibited
from storing, however when they receive it they forward it to the SSA via an
API and it returns a static unique customer number (UCN) which they can then
in fact store.

This has the following advantages:

\- The SSA can update your SSID a lot. Every few years, every new card, or
when requested. Unlike SSNs which cannot be changed.

\- Updating your SSID won't break existing accounts or similar, as companies
won't store the old one anyway (only the resulting UCN). Unlike SSNs which
break stuff if changed.

\- Leaked UCNs are not as useful because you cannot enter them into a web-site
or put them on a financial form directly (it would be a different
length/format to SSIDs or SSNs on purpose). Unlike SSNs which can be directly
reused.

\- The system doesn't depend on complex cryptography. It is just a simple
request, perhaps JSON, over HTTPS.

You could deploy this system over ten years at minimal cost. The system is
relatively simple, and behind the scenes it can tie UCNs to SSNs in the SSA's
database system. A single customer would have three things (in this system):
Current SSID, static SSN, static UCN.
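A toy model of the SSID / UCN flow described in the comment above, added here as an illustration; it is not code from the thread and not any SSA system. The class names, the SSID and UCN formats, the in-memory stores and the sample SSN are all assumptions. It shows the three properties the comment claims: rotating the SSID invalidates the old one, the company's stored UCN survives the rotation, and a leaked UCN fails the format check a form would apply to an SSID.

```python
"""Toy model of the SSID / UCN scheme proposed in the comment above.

Added example, not from the original thread and not an SSA system. The class
names, the SSID and UCN formats, the in-memory stores and the sample SSN are
all assumptions made for illustration.
"""
import secrets
from typing import Dict, Optional

SSID_DIGITS = 20        # assumed: rotating identifier, longer than a 9-digit SSN
UCN_PREFIX = "UCN-"     # assumed: deliberately a different shape from SSN/SSID


class SSA:
    """Authority side: mints rotating SSIDs and resolves them to a static UCN."""

    def __init__(self) -> None:
        self._ucn_by_ssn: Dict[str, str] = {}     # static SSN -> static UCN
        self._ssn_by_ssid: Dict[str, str] = {}    # *current* SSID -> SSN
        self._ssid_by_ssn: Dict[str, str] = {}

    def enroll(self, ssn: str) -> str:
        """Register a person and return their first SSID."""
        if ssn in self._ucn_by_ssn:
            raise ValueError("already enrolled")
        # The UCN is random, so it carries no information about the SSN.
        self._ucn_by_ssn[ssn] = UCN_PREFIX + secrets.token_hex(8).upper()
        return self.rotate(ssn)

    def rotate(self, ssn: str) -> str:
        """Issue a fresh SSID; the previous one stops resolving immediately."""
        old = self._ssid_by_ssn.pop(ssn, None)
        if old is not None:
            del self._ssn_by_ssid[old]
        ssid = "".join(secrets.choice("0123456789") for _ in range(SSID_DIGITS))
        self._ssn_by_ssid[ssid] = ssn
        self._ssid_by_ssn[ssn] = ssid
        return ssid

    def resolve(self, ssid: str) -> Optional[str]:
        """The API call a company makes: current SSID in, UCN out; None otherwise."""
        ssn = self._ssn_by_ssid.get(ssid)
        return None if ssn is None else self._ucn_by_ssn[ssn]


def looks_like_ssid(token: str) -> bool:
    """Input validation a form would apply: a UCN can never pass as an SSID."""
    return token.isdigit() and len(token) == SSID_DIGITS


class Company:
    """Company side: forwards the SSID to the SSA and stores only the UCN."""

    def __init__(self, ssa: SSA) -> None:
        self._ssa = ssa
        self.customers: Dict[str, str] = {}       # customer name -> UCN

    def onboard(self, name: str, ssid: str) -> str:
        if not looks_like_ssid(ssid):
            raise ValueError("not an SSID")
        ucn = self._ssa.resolve(ssid)
        if ucn is None:
            raise ValueError("SSID is not current")
        self.customers[name] = ucn                # the SSID itself is discarded here
        return ucn


def walkthrough() -> Dict[str, bool]:
    """Enroll, onboard, rotate, and report what each party is left holding."""
    ssa = SSA()
    ssn = "123-45-6789"                           # constructed sample SSN
    first_ssid = ssa.enroll(ssn)
    bank = Company(ssa)
    ucn = bank.onboard("alice", first_ssid)
    second_ssid = ssa.rotate(ssn)                 # e.g. a new card is issued
    return {
        "old_ssid_resolves": ssa.resolve(first_ssid) is not None,
        "new_ssid_same_ucn": ssa.resolve(second_ssid) == ucn,
        "bank_record_unchanged": bank.customers["alice"] == ucn,
        "leaked_ucn_usable_as_ssid": looks_like_ssid(ucn),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The one thing this model does not capture is the trust placed in the SSA endpoint itself: every company's onboarding now depends on that API being available, and the SSID is still a bearer token for the moment it is in flight, which is why the comment's "no complex cryptography" still needs TLS on that hop.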

~~~
downandout
_> I am very sympathetic to the employees and past employees who just had
their SSN and other vitals leaked onto the internet._

What makes it even worse is that the SSA makes it virtually impossible to
obtain a new SSN. Even showing them that you were a victim in a high profile leak
like this, for example, isn't enough. You have to prove actual misuse, such as
someone taking a credit card out or being arrested in your name, before they
will issue a new one. In almost all cases, police reports are required.

Given that a new SSN is essentially impossible, if I were a victim in this, I
would immediately freeze my credit file at all 3 major credit bureaus. In most
states this can be done for $0-$10 per bureau. This can cause hassles for
instant credit approvals etc, but they provide mechanisms to unfreeze the file
temporarily when necessary.

~~~
MatthewMcDonald
Why wait until you're a victim? It's much easier to prevent significant damage
to your credit history than it is to repair it. The hassle with credit
approvals is pretty minimal; people generally know ahead of time when they'll
need a credit check, and it only takes ~15 minutes to put a temporary lift in
place. Identity theft is often an expensive, massive headache that can take
years to fully recover from.

------
steven2012
I know someone working at Sony Pictures. She said that Sony Pictures is
literally paralyzed. They can't pay their employees and have reverted to
completely manual processes. They can't accept orders from customers or pay
their vendors as well. The hackers have completely destroyed their
infrastructure. There is no real disaster recovery and there are backups of
various systems at various levels of completeness but presumably those backups
are infected as well.

They need to completely rebuild their ERP system from scratch and that will
take months.

It's a complete nightmare and if this doesn't change the perceptions of CEOs
on cybersecurity, they need to be fired because it completely puts their entire
company at risk if they don't put a significant expense to ensure that their
company is secure.

------
filmgirlcw
This isn't strictly true. The thousands stored in a folder called "Passwords"
was actually a curated dump of passwords from various parts of the server that
the hackers put together and into its own dump -- looking at the data, it
doesn't appear the passwords were saved there originally.

That's not to let Sony off the hook, however. Plenty of passwords were stored
alongside the password protected documents [1] and some of the passwords used
were insanely bad (s0ny123) [2].

[1]: [http://mashable.com/2014/12/03/sony-hack-4-security-lessons/](http://mashable.com/2014/12/03/sony-hack-4-security-lessons/)

[2]: [http://mashable.com/2014/12/02/sony-hack-passwords/](http://mashable.com/2014/12/02/sony-hack-passwords/)

------
Pxtl
It's the company social media accounts. Managing those is always going to be a
trick, but it's actually not that big of a deal that they're lost - a tedious
job for a marketing intern to reset them all and a risk of Sony making some
embarrassing tweets or fb posts. Nothing compared to losing customer data or
credit card numbers or crypto keys or something.

Title is a bit sensationalized, really. I mean "leaked passwords" sounds
severe, but corporate social media accounts aren't exactly what the reader
expects.

~~~
TazeTSchnitzel
Yeah, I don't really see why you wouldn't write down the passwords of social
media accounts.

------
notacoward
What's the alternative? We all know (don't we?) that security through
obscurity is no security at all. Giving the folder a different name would only
affect usability, not security. The problem is not the folder name but the
fact that the data itself (including paths) was unencrypted, and that
perimeter security was lacking. Poking fun at the folder name seems to be
missing the point.

~~~
joenathan
Obscurity is part of security. I have personally found that by using non-
default ports for services that attempts to break in have gone down to zero.
For example if you leave port 5900 open I guarantee you're going to have bots
trying to break in day and night. Someone would have to be specifically
targeting my network to even find the ports I use (a port scan takes a good
amount of time) and the services behind those ports. Of course that's not the
only security in place, there are many layers but obscurity plays an important
part.

~~~
justincormack
A port scan of the entire internet takes around 3 minutes if you have enough
bandwidth [1]

[1] [http://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html](http://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html)

~~~
joenathan
If it doesn't DoS my firewall, a port scan like that will be easily detected
and blocked. A stealthy port scan takes a good amount of time.

~~~
justincormack
Not if you interleave the hosts, rather than the ports on each host, as you
would.
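The exchange above, as an added example that is not part of the thread: a per-host port-scan detector of the kind a single firewall can run, fed the slice of a scan that one target host sees under the two send orders being argued about. The log format (`<seconds> <src_ip> <dst_port>`), the scanner rate, the number of hosts and ports, and the detector thresholds are all constructed assumptions, not measurements of masscan or of anyone's firewall.

```python
"""Why a per-host rate detector catches a host-major scan but not a host-interleaved one.

Added example; not from the original thread. The firewall log format
('<seconds> <src_ip> <dst_port>'), the scan sizes, the scanner rate and the
detector thresholds are all assumptions constructed for illustration.
"""
from collections import defaultdict, deque

WINDOW_S = 60          # assumed: look-back window of the detector
PORT_THRESHOLD = 20    # assumed: distinct ports from one source within the window


def detect_scanners(lines):
    """Flag sources that probe >= PORT_THRESHOLD distinct ports of this host
    within WINDOW_S seconds. `lines` are constructed log lines, one probe each,
    in time order."""
    recent = defaultdict(deque)        # src -> deque of (time, port)
    flagged = set()
    for line in lines:
        t_s, src, port_s = line.split()
        t, port = float(t_s), int(port_s)
        q = recent[src]
        q.append((t, port))
        while q[0][0] < t - WINDOW_S:  # drop probes that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= PORT_THRESHOLD:
            flagged.add(src)
    return flagged


def victim_view(rate_pps, n_hosts, ports, interleave_hosts, src="203.0.113.7"):
    """Construct the slice of a scan that one target host (index 0) sees.

    Host-major order: the scanner sends every port to host 0, then host 1, ...
    Host-interleaved order: it sends ports[0] to every host, then ports[1], ...
    Either way the scanner emits rate_pps probes per second in total, so the
    victim's view differs only in how its probes are spread out in time.
    """
    lines = []
    for i, port in enumerate(ports):
        # Position of this probe in the scanner's global send sequence.
        seq = i * n_hosts if interleave_hosts else i
        lines.append(f"{seq / rate_pps:.3f} {src} {port}")
    return lines


def compare(rate_pps=100_000, n_hosts=1_000_000, n_ports=100):
    """Run the detector over both orderings.

    Returns (flagged_host_major, flagged_interleaved). With the defaults the
    victim sees 100 probes in about a millisecond under host-major order, but
    only one probe every 10 seconds under host-interleaved order, which never
    reaches PORT_THRESHOLD distinct ports inside WINDOW_S.
    """
    ports = range(1, n_ports + 1)
    host_major = detect_scanners(victim_view(rate_pps, n_hosts, ports, False))
    interleaved = detect_scanners(victim_view(rate_pps, n_hosts, ports, True))
    return bool(host_major), bool(interleaved)


if __name__ == "__main__":
    hm, il = compare()
    print(f"host-major scan flagged: {hm}; host-interleaved scan flagged: {il}")
```

The point of the comparison is the vantage point: the scanner's aggregate rate is identical in both runs, but a detector that only sees one host's traffic cannot distinguish a slow trickle of probes from background noise. Catching the interleaved case needs a view across many hosts (a darknet, a /16 of sensors, or a provider's flow data), not a lower per-host threshold.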

------
gioele
I also have a folder called "passwords" (actually "pw") with thousands of
passwords.

The difference is that they are all encrypted with gpg (via my little pw
utility [1]).

[1] [http://svario.it/pw](http://svario.it/pw)

------
ericcholis
Sony's IT deficit notwithstanding, somebody somewhere had to have pointed out
1Password or Lastpass.....

On another note, is anybody surprised? Take out Sony and insert Company X, I'm
sure this is a common practice in many companies.

------
ericglyman
What could go wrong?

