[Cryptography] Sony "root" certificates exposed

Henry Baker hbaker1 at pipeline.com
Mon Dec 15 10:02:09 EST 2014

FYI --


Hackers promise “Christmas present” Sony Pictures won’t like

GoP had details on every server and PC, as well as SPE’s “root” certificate.

by Sean Gallagher - Dec 15, 2014 5:08 am UTC

Also among the spoils in one of last week’s file dumps was a Sony Corp. CA 2 “root” certificate—a digital certificate issued by Sony’s corporate certificate authority to Sony Pictures to be used in creating server certificates for Sony’s Information Systems Service (ISS) infrastructure.  This may have been used to create the Sony Pictures certificate that was used to sign a later version of the malware that took the company’s computers offline.  There were also certificates for a JP Morgan Chase electronic corporate banking application, SSL certificates for sites including the Sony Pictures Store e-commerce site, and other certificates associated with intranet servers and other infrastructure from multiple telecommunications providers.

At the top of Sony's corporate structure, the company has a history of bringing in military-grade executives in the role of Chief Information Security Officer.  In August, Sony Group CISO Phil Reitinger, the former Director of the National Cyber Security Center at the Department of Homeland Security, announced he would be stepping down.  His replacement was John Scimone, who had served as a senior security advisor for the Defense Department's Joint Task Force-Global Network Operations—the network operations structure of US Cyber Command.  But at Sony Pictures, there were a number of archaic systems that had been in place for ages with plenty of potential attack points.
