[Cryptography] Sony "root" certificates exposed
Henry Baker
hbaker1 at pipeline.com
Mon Dec 15 10:02:09 EST 2014
FYI --
http://arstechnica.com/security/2014/12/hackers-promise-christmas-present-sony-pictures-wont-like/
Hackers promise Christmas present Sony Pictures won't like
GoP had details on every server and PC, as well as SPE's root certificate.
by Sean Gallagher - Dec 15, 2014 5:08 am UTC
....
Also among the spoils in one of last week's file dumps was a Sony Corp. CA 2 root certificate, a digital certificate issued by Sony's corporate certificate authority to Sony Pictures to be used in creating server certificates for Sony's Information Systems Service (ISS) infrastructure. This may have been used to create the Sony Pictures certificate that was used to sign a later version of the malware that took the company's computers offline. There were also certificates for a JP Morgan Chase electronic corporate banking application, SSL certificates for sites including the Sony Pictures Store e-commerce site, and other certificates associated with intranet servers and other infrastructure from multiple telecommunications providers.
....
At the top of Sony's corporate structure, the company has a history of bringing in military-grade executives in the role of Chief Information Security Officer. In August, Sony Group CISO Phil Reitinger, the former Director of the National Cyber Security Center at the Department of Homeland Security, announced he would be stepping down. His replacement was John Scimone, who had served as a senior security advisor for the Defense Department's Joint Task Force-Global Network Operations, the network operations structure of US Cyber Command. But at Sony Pictures, there were a number of archaic systems that had been in place for ages with plenty of potential attack points.