By Geoff Meeker
February 2, 2015 - The cyber attack on Sony’s web site made global headlines late in 2014, resulting in embarrassing email leaks for the electronics giant and postponement of the release of its movie, “The Interview”.
President Obama claimed that North Korea – which took offence to “The Interview” – was responsible for the hack, and that may well be the case.
As ridiculous as that situation was, it unmasks a serious problem we can’t afford to ignore. That’s according to Harry Tucker, a Wall Street strategy advisor and large-scale technology architect who provides guidance on both strategy and technology – including security.
While it may be tempting to blame the Sony hack on sloppy security or bad site maintenance, the truth is that all sites are vulnerable.
“Any web site can be hacked,” said Tucker, who hails from Bell Island and now lives in Alberta. “The NSA (National Security Agency), the CIA and other government sites in the U.S. and Canada have been hacked routinely. There is no such thing as a hack-proof site.”
Most web sites have an ‘air gap’ between their public face and the more sensitive, internal information at the back end but this does not make them hack proof, Tucker explained.
“Let’s say you have a site like Amazon, which connects to order fulfillment, credit processing and other applications. The very fact that you connect to all that because of the way you do business means you are always vulnerable.”
Then there are firewalls, which can also offer a false sense of security.
“A firewall works by blocking specific traffic on certain ports, only allowing authorized traffic in. But even with those, there are gaps. Sony had a firewall on their site and it didn’t matter. There are free utilities available on the web that can scan firewalls to see what ports are open. Some ports allow remote control of physical equipment and if a port is left open by accident, someone like me can come along and it doesn’t take long to get control of that infrastructure…”
There are common sense safeguards that can be applied, such as not connecting email systems to company web sites. “Sony made the classic mistake of connecting their email to everything else. The private emails of senior executives were accessible by channeling through the web site – that’s just ludicrous.”
The biggest concern with the Sony hack is not a bunch of leaked emails or the postponement of a movie release, Tucker said.
“Here’s the issue, and this issue matters. Every week, somebody important… in the U.S. government has issued a warning that our infrastructure, utilities and defense systems are vulnerable to cyber attack. So the Sony attack is a warning that our vulnerability goes well beyond losing a couple of movies that haven’t been released yet. There is a dark warning in this that people aren’t paying attention to and that warning is, if a country like North Korea ever successfully invades our power distribution system, for example, they can turn the U.S. off.”
You may be skeptical about that. A lot of people are. After all, how could a dysfunctional and backward little country like North Korea bring the U.S. to its knees? It sounds, oddly enough, like a bad Hollywood comedy.
“When people say it can’t be done I can tell you, I’ve been to meetings with utilities for a while now who are trying to figure out how to shut down some issues they have internally. The utilities by their own private admission dread the day when someone gets in there and turns everything off. They are trying to figure out ways to prevent this, but the way our systems are all inter-connected (presents a challenge). Right now, according to military experts, it’s a matter of ‘when’ and not ‘if’.”
There can be no doubt that certain countries and extremist groups would like to launch such an attack. According to Tucker, we need to anticipate and prepare for it.
“There are 18 key infrastructures in the U.S. and 17 of them run on electricity,” he says. “So electricity is the holy grail of vulnerability. And right now, our entire distribution system is vulnerable to cyber attack. It’s just a question of who wants to do it. So the Sony stuff is in fact a warning. But we have to pay attention to it. We need to go back to our utilities and governments and hold them accountable and responsible. We need to ask them, ‘What are you doing about the things that matter to us?’”