Print 57 comment(s) - last by Uniprint QLD.. on Jun 2 at 11:21 PM

Sony has proven itself to be utterly inept when it comes to security.  (Source: AFP)
Holy hacking, Batman, these guys are clueless!

The display of security incompetence Sony Corp. (6758) is astonishing.  Weeks after losing the contents of its two largest databases -- the PlayStation Network (PSN) database and the Sony Online Entertainment (SOE) database -- the company appears to have lost yet more information after experiencing an attack almost identical to one just days prior.

I. Sony Fails to Block Identical Attack

On Sunday, The Hacker News revealed that Sony BMG Greece (the Greek unit of the company's music branch) was hacked using an SQL injection attack and lost 8,000+ customer records.

It now appears that just days later a group called LulzSecurity -- known for formerly hacking's login database -- has used an injection attack to compromise databases on Sony BMG Japan.

Astonishingly, Sony appears to have done little to nothing in the way of escaping or parameterization to protect its databases, even in the wake of the SQL injection breach of its Greek property.

The hackers accessed an on-site tablet that did not appear to contain any personally identifiable information.  They openly mocked Sony, posting to Twitter, "LOL @Sony, Nice Japanese website dumbasses (sic)."

They later posted, "This isn't a l337 h4x0r, we just want to embarrass Sony some more.  Can this be hack number 8? 7 and a half?!"

While the hack itself was obviously just designed to target Sony and not hurt its customers, the hackers did post publicly that there was two other databases on the site that they did not look at, but should be accessible using the injection attack.

This message was likely up for hours -- at least -- before Sony heard about it and shut down access to its servers.  In the meantime it's very feasible that other users -- including outright malicious ones -- could have stolen information from these tables.  As tables on the Sony BMG Greece website contained users' names, passwords, etc. it's quite possible that one of these tables held similar information, and you can almost guarantee that there would be many more records than in the Greece table, as Japan is Sony's home nation.

II. Sony Intrusion Send Clear Message to Customers -- You Can't Trust Sony

Sophos Security researcher Chester Wisniewski , who yesterday took a gentler tone when covering the Greece intrusion, this time firmly admonished Sony, writing:

While there is an enormous target on Sony's back as a result of these very public attacks it is unclear why this is happening. Is Sony taking security seriously or are there simply so many flaws from the past that exist in their public facing sites that it will take them a long time to patch them all?

I hope this is the last time I have to report on a flaw at Sony. Sony has announced they are working with several professional organizations to get their security house in order and for their sake I hope this happens sooner rather than later.

Besides the two music site breaches, another Sony subsidiary -- the ISP So-net Entertainment Corp. -- was recently hacked, with the bandits making off with $1,225 USD in redeemable gift points.  Another hack transformed one of Sony's servers into a host for a phishing website

The problem with all these breaches is that Sony as a company has essentially left customers with no hope that it is properly protecting their data against malicious parties.  

It would not be surprising if these customers refuse to use Sony's online properties, taking business to competitors like Microsoft Corp. (MSFT) or Nintendo Comp., Ltd. (7974).  Reportedly some customers are already doing exactly that.

III. High Costs for Sony

The average cost of a system intrusion in 2010 was $318 USD per record lost, up 48 percent from a year prior.  Sony claims that the loss of 101 million records will only cost it $2 USD per record.  Unless the company has found the mother of all "bulk discounts", when it comes to data loss payouts, the company appears to be seriously understating the cost to its bottom line.

The company is currently in the throes of multiple class action lawsuits.

At the end of the day Sony, much like Gawker Media, brought on the attacks by lashing out the greater hacker community, particularly the massive hacker collective Anonymous, which has at least 10,000 members internationally.  

Sony provoked the hackers when they decided to kill homebrews and Linux on the PlayStation 3 after allowing and even supporting those popular offerings for the console's early years.  The hackers were further infuriated by the fact that Sony sued iconic hardware hacker George "GeoHot" Hotz -- something that even GeoHot's perpetual target Apple, Inc (AAPL) hadn't dared do.

The humiliation of Sony's security is proof that the online world is still very much like the Wild West.  If you anger one person enough, you may need protection; but if you anger the masses, half-baked protection outfits may not be good enough.

Sony has clearly been exposed as the inferior to the hackers in cyber-security.  With customers growing wary of the company, it may pay dearly for its failings to protect its online properties.

In a sign of the times, even as Sony hopes to restart its PlayStation Network in the U.S. after a second outage, the Japanese government is denying it permission to restart.  They say they're not convinced that Sony is any more able to protect its customers, this time around.


Comments     Threshold

This article is over a month old, voting and posting comments is disabled

LOL & Sony
By HrilL on 5/24/2011 4:00:21 PM , Rating: 5
The sad thing is that probably a lot of these fortune 500 companies have just as bad security practices or possibly worse. Are they using this as a wake up call to fix their security. Its doubtful.

RE: LOL & Sony
By JasonMick on 5/24/2011 4:05:57 PM , Rating: 5
The sad thing is that probably a lot of these fortune 500 companies have just as bad security practices or possibly worse. Are they using this as a wake up call to fix their security. Its doubtful.

That's perhaps true, but the worst thing you can do if you're incompetent is to disrespect others. That's just asking for trouble.

When Sony tried to lock its most tech-savvy customers out of legitimately using products they bought and then sued the one man who tried to help those customers regain control of their purchased devices, they essentially punched their ticket to get knocked down a peg.

I feel bad for the customers caught in the cross fire, but Sony sure dug its grave between its shoddy security, and flagrantly hostile business practices.

For Sony, the real nightmare has just begun. I mean I'm sure its hoping the government (FBI and foreign intelligence agencies) will bail it out by trying to "catch" the hackers involved, but in reality it's like hundreds, if not thousands of individuals who are actively attacking its properties.

It'd be hard enough to track down a couple hackers attacking your firm -- good luck if the entire hacking community decides to rain fire down upon you.

Game over.

RE: LOL & Sony
By quiksilvr on 5/24/2011 4:25:06 PM , Rating: 1
The best solution to tackle security? Use other people's security. Gmail + PayPal = Win.

RE: LOL & Sony
By Smilin on 5/24/11, Rating: 0
RE: LOL & Sony
By aharris02 on 5/24/2011 5:47:34 PM , Rating: 5
It's a DDoS attack... your comment is like comparing a mosquito bite to that of a Black Mamba.

On another note, I'm still waiting for someone to bring the MAFIAA down a couple of notches just like we've seen done with Sony!

RE: LOL & Sony
By spread on 5/24/2011 8:38:32 PM , Rating: 5
Sony has been bringing itself down by greed.

Spend a few peanuts (based on their profits) protecting valuable customer information? Screw that!

RE: LOL & Sony
By aharris on 5/24/2011 11:17:30 PM , Rating: 1
Agreed: as was pointed out in the article, their aggressive business tactics (and arrogantly-priced products, and terribad customer service, and...) basically had them asking for trouble.

RE: LOL & Sony
By Smilin on 5/25/2011 10:10:18 AM , Rating: 2
I suppose how a DDoS attack feels depends on whether you are a buyer or seller. Not having your money would suck.

My point: Don't hop skip and jump through a field full of daisies thinking Paypal and Google are somehow safe and immune from security issues.

Paypal has basically one DB to guard. So long as you tie them to a CC and not a bank account I would trust them.

-Google is a time bomb.
-Apple is a series of time bombs and half of them have already gone off without their userbase knowing or caring.
-Microsoft might actually be a good bet. They've been living in a bunker for decades getting "sony hacks" lobbed at them continuously. Still..
-Facebook getting hacked would be like someone poking an extra hole in swiss cheese.

RE: LOL & Sony
By bah12 on 5/24/2011 4:42:35 PM , Rating: 2
Agreed, this is getting laughable, but I do pity the poor sony customers for not seeing this coming.

Oh and Jason...
Just days later it now appears that just days later a group called LulzSecurity

Was that just days later or just days later, or perhaps just days later. Odd phrasing is all, might want to redo that one. Don't normally care, but it was the first paragraph of significance. Usually my reading entails skimming the first few paragraphs that are merely recap, but this one stuck out as an odd one.

RE: LOL & Sony
By JasonMick on 5/24/2011 4:47:39 PM , Rating: 2

Fair enough.

Just a bit redundant, it was quite a bit redundant.

Fixed. :)

RE: LOL & Sony
By Mitch101 on 5/25/2011 9:23:47 AM , Rating: 2

Are these really new hacks or were these systems compromised during the first attack and are just being discovered or used now by the hackers?

RE: LOL & Sony
By nUNYAbIZ on 5/24/2011 4:43:56 PM , Rating: 5
@ JasonMick

I agree with you completely. I'm still pissed about their root kit BS years ago.

RE: LOL & Sony
By Uncle on 5/26/2011 2:03:16 AM , Rating: 3
And do you remember the payback to the consumers after sony borked their machines. A new cd without the rootkit. Ah lets see, thats 25 cents per customer, and sony thought that was fair compensation.

RE: LOL & Sony
By Chaser on 5/24/11, Rating: 0
RE: LOL & Sony
By EricMartello on 5/24/2011 10:04:57 PM , Rating: 4
In your idealized world nobody deserves "bad things" but the reality of the situation is that Sony chose to put itself at odds with its customers, including it did in fact set itself up for what's happening now. It would have been wiser for Sony to simply back off and let people use their PS3s as they see fit - after all the people bought and paid for the consoles so there should be no restrictions on what software can be used on there.

Cry stupid all you want but if you plan to start shit be prepared to finish it. Sony, obviously, was not prepared to fight the fight they started here...and it is solely Sony's fault for whatever 'collateral damage' occurs to its customers.

RE: LOL & Sony
By Reclaimer77 on 5/24/11, Rating: -1
RE: LOL & Sony
By anyman on 5/25/2011 5:17:00 AM , Rating: 4
It just happens to be that a lot of PS3 owners can't even play Blu-rays on their systems.

Sony has done nothing about it and imho deserves what they're getting now.

RE: LOL & Sony
By Reclaimer77 on 5/25/2011 10:09:22 AM , Rating: 1
Oh please. Firmware updates routinely break functionality in devices. Hell my first Intel SSD was broken because of the TRIM firmware.

If every company who made buggy firmware deserved to be hacked and shut down, we wouldn't have many tech companies left.

RE: LOL & Sony
By EricMartello on 5/26/2011 3:04:27 AM , Rating: 2
It's a console. If you want to run ANYTHING on it you want with no restrictions, get a PC. Sony's only obligation is to make sure you have a fully working console. You make it seem like they told people they could no longer play games on it or something or broke key functionality.

Wrong. It's not an issue of Sony's obligations; Sony first allowed "homebrew" applications on the PS3 and in fact promoted it as being usable in applications other than gaming. They then did a 180 without any justification. Sony didn't provide any kind of support for homebrew users, but they did actively attempt to disable it and disband the "official" homebrew community. THAT is a big part of the problem - Sony forcefully trying to control what someone does with a product they paid for.

Oh please. Firmware updates routinely break functionality in devices. Hell my first Intel SSD was broken because of the TRIM firmware.

If every company who made buggy firmware deserved to be hacked and shut down, we wouldn't have many tech companies left.

Again, buggy firmware isn't the issue. Sony did try to root peoples' computers in the name of "anti piracy". They're also a member of the RIAA and MPAA. That alone is enough to justify what was done to them, and more.

RE: LOL & Sony
By artemicion on 5/24/11, Rating: 0
RE: LOL & Sony
By BansheeX on 5/25/2011 4:31:12 AM , Rating: 2
Maybe they should have never offered the option in the first place like MS and Nintendo. Then people would love them!

RE: LOL & Sony
By Aloonatic on 5/25/2011 8:23:26 AM , Rating: 2
Even if 1 person cares, it's still selling something to someone and then taking it back.

When my PS3 had come to the end of its useful life, i.e. the PS4 was out (which I might have bought, but almost certainly wont now) I would probably have had a play around with the otherOS thing. Sure, it wasn't the main or deciding factor in my purchase, but it's something that I still wanted to do.

Anyway, that aside.

I ask this on each of these threads, but wasn't one of the reasons that they had the otherOS feature a way to get around import tax/tariff issues? The theory being that it mean that a PS 3 could be imported as a PC (linux/otherOS enabled) rather than an entertainment device/games console? I might be misremembering something from way back when, or it is complete rubbish that didn't happen. It just seems like something that might come back to haunt Sony later, if true.

RE: LOL & Sony
By Strunf on 5/25/2011 12:02:34 PM , Rating: 2
You're talking to a wall... these days if you don't follow the trend you'll only get rated down if not worst.

I find this whole thing very "American" in no other country you would see so many people cheering and finding justifications for something that is illegal... on a second thought the rest of world would probably cheer just as much each time a US company or a US agency gets hit, there seems to be a balance... today SONY tomorrow the Pentagon ? or maybe the US power grid?

RE: LOL & Sony
By Uncle on 5/26/2011 2:07:28 AM , Rating: 2
Someone should ask sony if they would consider putting a rootkit update on all their ps3's.LOL

RE: LOL & Sony
By Pitbull0669 on 5/24/2011 9:18:05 PM , Rating: 2
Amen Bro. GREAT Post. :)

RE: LOL & Sony
By robinthakur on 5/25/2011 7:03:09 AM , Rating: 2
Serves them right for prematurely killing off the beloved Dreamcast with BS lies about the Emotion engine!!! Karma is a beatch!

RE: LOL & Sony
By tng on 5/26/2011 4:03:14 PM , Rating: 2
Love my Dreamcast.....

I was so pissed when they announced that it was being discontinued. There were games in developement that I wanted at the them that just went away......

RE: LOL & Sony
By Reclaimer77 on 5/25/11, Rating: 0
RE: LOL & Sony
By formulav8 on 5/25/2011 11:45:11 AM , Rating: 2
The situation that Sony is in, will/would/could the government step in and basically make a ruling that Sony cannot be sued or anything? Basically can the Government kill all of the law suits against Sony (Especially the current Class-Action suits)? Just wondering if Sony will be begging the government to step in and help lessen the blow...

RE: LOL & Sony
By allometry on 5/24/2011 4:09:00 PM , Rating: 3
RE: LOL & Sony
By Some1ne on 5/24/2011 6:01:43 PM , Rating: 3
The really sad thing is that these companies are still using an architecture that allows this kind of attack in the first place. It means that somewhere they have literal SQL statements that they are manually inserting parameters into.

What they should be doing is using an ORM layer that abstracts away all the database interactions and which is smart enough internally to properly escape any potentially unsafe input characters automatically. Not using an ORM layer in this day and age is just idiotic.

Let's all feel bad for Sony!
By spread on 5/24/2011 3:51:57 PM , Rating: 5
The poor company! After they infected user's computers with malware rigged CDs. Wrote firmware to disable paid for features on customer laptops and failed to follow basic security practices to protect their customer's confidential information.

Fuck Sony.

RE: Let's all feel bad for Sony!
By nUNYAbIZ on 5/24/2011 4:49:08 PM , Rating: 1
Yup, few remember that. I never got hit, but the fact that they did that was abhorrent!

RE: Let's all feel bad for Sony!
By SiliconJon on 5/24/2011 4:55:06 PM , Rating: 1
Karma, you b!t(h!

Best job app ever!
By The Raven on 5/24/2011 4:23:03 PM , Rating: 2
Didn't George call them out for having horrible security and say that he would help Sony if they hired him?

Why don't they just hire him already lol?

RE: Best job app ever!
By The Raven on 5/24/2011 4:30:26 PM , Rating: 3
Ah here it is from a past article...
He writes: props to fail0verflow for the asymmetric half no donate link, just use this info wisely i do not condone piracy

if you want your next console to be secure, get in touch with me. any of you 3. it'd be fun to be on the other side.

...and this is a real self, hello world although it's not NPDRM, so it won't run off the hard drive shouts to the guys who did PSL1GHT without you, I couldn't release this

This part of the same article makes me laugh especially hard given the events that followed.
The Xbox 360's DRM protections were cracked some time ago. Microsoft has worked to ban modded consoles from online play, though, so don't be surprise if SCEI resorts to similar measures.

What will surprise me is if Sony ever "beats" this.

Is it time to...
By Aloonatic on 5/24/2011 4:39:28 PM , Rating: 3
... update the idiom [as easy as/like] shooting fish in a barrel, with [as easy as/like] hacking a Sony database?

Not that it excuses...
By adiposity on 5/24/2011 5:23:29 PM , Rating: 2
Not that it excuses anything, but it could be hard to audit every website sony has out there for sql injection attacks. We will probably see more of these, if the same group/company that did all their web design.

Well put
By mosu on 5/25/2011 4:19:31 AM , Rating: 2
quote: The humiliation of Sony's security is proof that the online world is still very much like the Wild West. If you anger one person enough, you may need protection; but if you anger the masses, half-baked protection outfits may not be good enough.

Like I've said, Sony must hire better (software) engineers, not lawyers.Sad moments for a company once renowned for quality products and amazing novelties.

And again
By OCedHrt on 5/25/2011 7:58:24 AM , Rating: 2
And now Sony Ericsson Canada as well.

By trisct on 5/25/2011 9:24:02 AM , Rating: 2
Too bad - I was hoping to download free games today. However, this is nearly as entertaining. I was disappointed in Sony's stance on Linux as well. It was useful having a PPC based Linux box around, while it lasted.

I'll still use Sony's network but only the free parts. They will not get my credit card info again.

Boo to Sony
By Uniprint QLD on 6/2/2011 11:21:14 PM , Rating: 2
Boo to Sony..

You should all buy an X Box!

From the team at Uniprint QLD

Man it would be awesome...
By Motoman on 5/24/11, Rating: -1
RE: Man it would be awesome...
By FITCamaro on 5/24/11, Rating: -1
RE: Man it would be awesome...
By Smilin on 5/24/2011 4:56:36 PM , Rating: 2
Consumers are allowed to voice their dissatisfaction by personally boycotting a company. If you're going to tell him what he can and can't do just to just because someone is *entitled* to work at a successful company then punch your own self.

RE: Man it would be awesome...
By Motoman on 5/24/2011 5:09:31 PM , Rating: 2
Sorry...stupid should hurt. And Sony is a stupid as they come.

Unless you want to trot out the "too big to fail" argument. Those good folks can get jobs at all the other companies that will suddenly be increasing production to fill the void left by Sony.

...or most likely, actually, keep their same job after someone buys Sony and it's assets and keeps them in production after a re-org.

RE: Man it would be awesome...
By Reclaimer77 on 5/24/11, Rating: -1
RE: Man it would be awesome...
By kraeper on 5/24/2011 8:24:36 PM , Rating: 3
Big enough that their last two failures were from their music division.

Wake up and smell the coffee
By Beenthere on 5/24/11, Rating: -1
RE: Wake up and smell the coffee
By JasonMick on 5/24/2011 4:18:56 PM , Rating: 3
Maybe now people will start to understand the price of hacking and why the only good hacker is very dead?

Interesting suggestion, considering that the systems being hacked wouldn't even have been made without the inspiration of former hackers. Bill Gates, Steve Jobs and other tech visionaries got their start in the hacking scene of their day.

If we executed your vision of death penalties for anyone who's ever "hacked" (explored networked systems), I think there might only be a couple IT people and programmers left in the U.S.

RE: Wake up and smell the coffee
By nUNYAbIZ on 5/24/2011 4:44:48 PM , Rating: 1
@ Beenthere. Yur an idiot!

RE: Wake up and smell the coffee
By RjBass on 5/24/2011 5:05:12 PM , Rating: 2
And none of them would be any good.

RE: Wake up and smell the coffee
By JediJeb on 5/24/2011 5:24:33 PM , Rating: 2
And we would probably still be using command line interfaces and playing text adventure games like Zork :)

By Reclaimer77 on 5/24/2011 8:07:27 PM , Rating: 2
Bill Gates, Steve Jobs and other tech visionaries got their start in the hacking scene of their day.

*rolls eyes*

Gates and Jobs hacked OS CODE! They did not shut down networks, launch DoS attacks, or steal peoples information from companies.

Jason, Sony is dicks, we get it. But your continued attempt to make these hackers out to be some kind of Robin Hood or vigilantes for truth and justice is coming off a bit sophomoric.

You can take Sony to task WITHOUT legitimizing criminal behavior.

RE: Wake up and smell the coffee
By spread on 5/24/2011 6:13:27 PM , Rating: 4
Looking at your posting history since 2006, I see pages of 0 and -1.

It's one thing to disagree with the popular opinion, it's another to oppose it almost all the time.

Do you ever get tired of being wrong?

RE: Wake up and smell the coffee
By erple2 on 5/25/2011 8:43:40 AM , Rating: 2
Who said popular opinion was ever right?

"Folks that want porn can buy an Android phone." -- Steve Jobs

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki