

Sony Pictures' Russian site was hacked this weekend, shortly after its American counterpart was compromised, exposing over 1 million users.

The attacker was a familiar face, of late -- LulzSec.  (Source: LulzSec)

LulzSec decided to publish a small number of user accounts following the breach -- many of which belonged, reportedly, to elderly users. Some of these users have since been victimized. Where's the "lulz" in that?  (Source: AP Photo)
There are no real winners in the latest Sony hack

Sometimes there's a story that's just plain sad all around.  This is arguably the case with the latest hack of Sony Corp (6758), in which the company saw the compromise of another 1 million user records and hackers published private information on elderly users. 

I. An Unsympathetic Cast

On the one side you have Sony -- a Japanese corporate giant.  The company has long reveled in its dominant position and hasn't been afraid to flex its muscle over users.  Back in 2005, the company installed rootkits on users' computers via music CDs.  The botched copy protection effort allowed malicious hackers to infect unwitting users' machines.  

Likewise, Sony initially promoted Linux for the PlayStation 3, only to reverse position and turn its back on Linux PS3 users.  It could have merely cut support, but instead it actively tried to lock users with internet-connected consoles out of Linux, citing supposed "security concerns".  And when hardware hacker George "GeoHot" Hotz posted information to restore support (via jailbreaking the console), Sony harassed him in U.S. court, abusing a questionable judicial decision to invade the young man's privacy.

As unsympathetic a character as Sony is, on the other hand you have an equally flagrant party opposing it.  Much as Sony has abused its corporate power over users, hackers -- most notably Lebanon-based Idahc (Twitter) and the international group "LulzSec" (Lulz Security) -- have lorded their superior security skills over the clueless giant, constantly mocking and lashing it.

Caught in the midst of this battle are the company's millions of users, who are having their private information exposed.  Hackers have gleefully posted torrents of users' passwords, addresses, birthdays, and more online.

While it's possible that the lax security at Sony would have allowed some malicious users to access this information anyway, the hackers have taken all the difficulty out of it.  Now your everyday clueless criminal can enjoy the same level of access as a sophisticated cyberthief.  Thus the risks have greatly risen for anyone who gave information to Sony.  

II. Attacking the Elderly

LulzSec, who recently lashed out at veteran hacker publication 2600 and "th3j35t3r" -- a prominent anti-terrorist hacktivist -- yet again humiliated Sony's incompetent cyber security efforts this weekend.  This time the group hacked Sony Pictures servers, gaining access to (allegedly) over 1 million user records in a database that had been used to store entrants in a promotional contest.

The group didn't have to try that hard at this one.  Whereas they had to slave over kernel vulnerabilities in their recent pro-WikiLeaks attack on news organization PBS, they were able to exploit Sony with an SQL injection attack -- a method that takes advantage of sloppy coding that pastes unchecked input from URL requests straight into the queries sent to your databases.  Yes, this is the same "Little Bobby Tables" attack that XKCD famously nicknamed, and it was used to exploit various Sony databases several times over the last few months [1] [2] [3].

The Sony Pictures Russian website was also hacked [Pastebin] over the weekend, though it is unknown how many admin and public accounts were compromised.  LulzSec joked in its post accompanying this intrusion:

In Soviet Russia, SQL injects you...

The group says they were not responsible for directly attacking the Russian site, indicating other parties were to blame.

In questionable judgment, the group reportedly decided to publish excerpts of the user record set from the Sony Pictures breach, including elderly users (aged 60 and older) who were featured at the start of the file.  They posted the information in a torrent that included names, home addresses, passwords, and e-mail addresses.

Password reuse is rife among even moderately internet-savvy young people today and among the majority of elderly users it's virtually a given.  Thus it is not surprising that there have been reports of malicious users hacking users' other web accounts, committing malicious and possibly financially damaging mischief.

LulzSec remains unsympathetic for these attacks on the elderly, stating via Twitter:

I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere. Hey innocent people whose data we leaked: blame @Sony.

The data appears to be authentic -- the Associated Press has confirmed multiple users/addresses to be real.  Some account information appears to be faked -- likely by users who didn't wish to enter their real data for the contest.

III. What Can be Done Here?

These hacks should be a wake-up call for Sony.  The company is used to being the bully.  Now it's getting bullied.  With nearly 105 million user records lost [1][2], the company should give a long hard thought to changing its corporate culture.  A small dose of humility can go a long way.

At this point Sony also needs to make some major adjustments to its security staff.  It needs to implement rigorous competence testing to identify who has the necessary skills to work in such a high-pressure position and who doesn't.  Incompetent and/or unproductive employees must be let go.

Likewise Sony needs a major change in its security management.  Managers are responsible for their employees’ failings, so if their staff gets cut, they should as well.  Sony needs to bring in talent from outside -- either experienced hires or contracted help.  But it must improve its staff, which -- as a whole -- has unquestionably proven its incompetence.

Likewise Sony needs to swallow its pride and take every database it hasn't carefully secured off its web servers.  It needs to switch from reacting to attacks to a more proactive approach.  It should consider any database not yet attacked a probable target.  Likewise it needs to take down any poorly secured pages and repost them only after rigorous penetration testing to ensure there are no gaping holes.

As for LulzSec the group joked:

We could just DDoS every Jihad website Jester takes down for 30 minutes at a time, but then the poor schizo bastard would have nothing left.

Well if they can do that, why don't they?  There are plenty of groups that deserve to be taken offline and deserve a whole boatload (LulzSec pun intended) of "Wild West" style web justice handed to them, including:

  1. Terrorists (who murder innocent civilians)
  2. Hate groups (which promote killing based on race or sexual orientation)
  3. Pedophiles (who assault defenseless youth)

Sony is no role model as far as customer treatment goes, but it's hard to argue that it's a greater villain than an al-Qaida suicide attacker or a child molester.

Griefing can seem enjoyable when its target is someone unpopular -- much like bullying.  But ultimately acting as a griefer (which arguably can be said of LulzSec) is a self-destructive choice.  

We doubt this is the last hack of Sony given their atrocious track record and the fact that the hacker sharks have smelled the lustful aroma of blood in the water.

But before hackers continue to whale on the hapless Sony, perhaps they should watch the movie Gran Torino.  Walt could easily have brought his gun and shot those local gang members when he confronted them.  But would his fictitious stand have had a fraction of the meaning or power, had he sunk to their level?

Update:  Monday June 6, 2011, 7:05 p.m.

The article was initially worded in a way that implied that the archive solely included records of the elderly.  We've since obtained the archive and verified that it has multiple records -- including those of both elderly users and younger users.  Multiple news sources initially indicated that the record solely targeted the elderly.

This appears to be based upon the start of the record set being comprised of users born in the 1920s (81 or older), 1930s (71 or older), and 1940s (61 or older).

We've updated the text to reflect this clarification.




If only...
By dagamer34 on 6/5/2011 8:20:55 PM , Rating: 5
it stopped at Sony. But LulzSecurity hacking Nintendo this past weekend just shows that they don't care who they attack, they just think of it as a kid's game. Quite childish if you ask me.




RE: If only...
By Mumrik on 6/5/2011 8:35:05 PM , Rating: 5
They do seem to care:

"Re: Nintendo, we just got a config file and made it clear that we didn't mean any harm. Nintendo had already fixed it anyway. <3 them!"

They also seem to be hinting that Nintendo is doing a better job than Sony.


RE: If only...
By mikeyD95125 on 6/6/2011 4:17:21 AM , Rating: 1
Who would have thought it would be the Wii fanboys to finally get off the forums and do something?


RE: If only...
By Samus on 6/6/2011 10:55:59 AM , Rating: 5
Of all these companies, Nintendo has never directly threatened users who mod their consoles. Even with the rapid gameboy/ds cart copiers/memcard emulators, all Nintendo does is try to get them out of the channel or go after the companies that manufacture/sell them. But never the end-user.

They don't ban consoles. Sony/Microsoft do.

Nintendo, much like Sega, also has lax security as they spend more time on producing a quality product (reliable hardware, decent games) than on pointless security restrictions for their consoles. Although both companies are from the cartridge era, where security was unnecessary, the sega cd and gamecube had no security whatsoever (assuming you could copy the disc) and the saturn just needed a disc swap during boot (just swap an ordinary game with a copy after the saturn screen...)

Dreamcast and Wii are obviously easy bypasses, just some trickery of the laser or a software exploit.

Yet, they don't care, because they're not bullies. Even when Sega should have cared (because piracy DID have something to do with the demise of the Dreamcast) they still respected the rights of their average customer.


RE: If only...
By Mitch101 on 6/6/2011 11:34:47 AM , Rating: 2
Not sure I get where Lulzsec is going with all this. Either they know the FEDS are close to nabbing them and they are going out with a bang (Probably not likely after reading some of their conversations with 2600) or they are so good at what they do they feel invincible and are taking on huge targets, maybe because they want to establish themselves as the premier group or because they are sick at what they see with major corporations' lack of security? Could just be showboating their ability with a "you can't catch me" because they feel they lack a challenge. Hacking could be their videogame?

In the end consumers might be the winner despite the burns because security at major organizations that get cracked should significantly improve. Those who haven't might just be beefing things up at the backlash this has incurred. At this point government really needs to rethink its identity theft prevention on its antiquated design. If they don't, consumers should push government for much stricter protection. All that Lulzsec is doing is maybe forcing people to demand more protection from this stuff.

On one hand I don't understand Lulzsec but on another I can't help but be impressed by their ability and I'm waiting to see where all of this is going. I haven't seen financial greed from them so I'm reserving my judgement till all is said and done.


RE: If only...
By Natfly on 6/6/2011 1:21:34 PM , Rating: 4
quote:
Not sure I get where Lulzsec is going with all this.


Maybe they are just doing it for the lulz?


RE: If only...
By TheDoc9 on 6/6/2011 2:40:18 PM , Rating: 2
Push government for stricter protection? Don't you mean the companies involved? Perhaps you meant push government into stricter punishment.


RE: If only...
By tastyratz on 6/6/2011 1:50:05 PM , Rating: 2
It is not that they don't care, it's that they understand it's a poor investment. No matter what your security, someone will break it, sometimes eventually, sometimes instantly. The key is to make it so it requires a level of technical expertise and clear modifications so you are not making warranty returns or getting piracy from sally mom and joe dad who are not technically proficient.
Attacking the end users is neither profitable nor good for their image, Nintendo just happens to be the only one to understand that.

If for no other reason I enjoy Nintendo existing purely as an example of integrity. No matter what they produce, they do so as a class act. I may not own or want a wii, but I support Nintendo.

Now if only we were graced with a new genesis...
A man can dream can't he?


RE: If only...
By MrBlastman on 6/6/2011 10:05:15 AM , Rating: 2
If they did care, they wouldn't be screwing the innocent after injecting Sony. I'd be fine if they just left it at tearing down the big bad company--but publishing passwords and info from those who unwittingly used Sony's services, that I think is going too far.


RE: If only...
By HrilL on 6/6/2011 11:02:29 AM , Rating: 2
While I agree with you on how they shouldn't share people's private information, if they didn't then the damage to Sony wouldn't be as great. Once you turn their user base against them then they've got nothing. Sony looks to be on the path to failure.

This should be a wake up call for every big corporation that doesn't treat their users with respect and takes advantage of them. Surely they don't all want to fight a battle that they can not win.


RE: If only...
By Uncle on 6/6/11, Rating: 0
I'm astounded at how brave/stupid they are . . .
By faster on 6/6/11, Rating: 0
By SSDMaster on 6/6/2011 9:42:09 AM , Rating: 3
You sir, do not live in the real world. You know those movies where the FBI and CIA have super secret government projects involving sentient computers that can operate street lights and camera systems...

That's just Hollywood, kiddo. The hackers over in Russia trollin on our servers are just going to keep drinkin stoli and do what they do best.


By kaosstar on 6/6/2011 10:43:24 AM , Rating: 2
There are many people who are using public and/or cracked wifi networks, and going through 10+ anonymous proxy servers that don't keep logs. Good luck catching them.


By SSDMaster on 6/6/2011 11:02:33 AM , Rating: 2
The FBI's can catch them, because they r america. And america is made of win. America once 3 rax rushed a Korean Zerg with all their SCV's. Nuff said.


By Wiggy Mcshades on 6/6/2011 11:21:19 AM , Rating: 2
America needs to watch newbie tuesday.


By AerieC on 6/6/2011 1:05:02 PM , Rating: 2
Yeah, a planetary fortress rush would've been much better.

Is there a base in yo base son?


Might redress the balance a bit?
By Dribble on 6/6/2011 5:00:21 AM , Rating: 1
If you abuse your position then sometimes you get a reaction. That reaction isn't always above board (e.g. Rodney King riots) but it often has a beneficial effect.

Big corporates have always enjoyed stepping on the little people - using their superior resources and a broken legal system that means the rich win to stop anyone opposing them.

The hackers are immune to that particular big stick. Now you can bet they will think twice before deciding to harass people and provoking an expensive reaction from people they can't sue into submission.




RE: Might redress the balance a bit?
By woofersus on 6/6/2011 1:22:51 PM , Rating: 5
So targeting the innocent is ok if it serves the larger ideological goal? Gee, what does that sound like? This is nothing more than cyber-terrorism, but instead of a religious, political, or social ideology it's about being able to put Linux on a PS3 so they can pirate their precious video games. How's that for moral high ground?

Note, I'm not comparing these attacks to people dying or anything, but my point is that the rationale is similarly selfish and lacking in perspective.

It's fine if you think Sony is wrong, and I can even see wanting to try to leverage them in some way more than the completely legal act of not buying their products. (that's how markets pick winners and losers in a non-destructive way, fyi) I could almost agree if lulzsec was just exposing Sony's ineptitude and publicly embarrassing them to force them to improve, but they've clearly stated that's not what this is about, and to steal and release other peoples' info is inexcusable. What about Sony's infringement upon their rights to use a piece of hardware however they please gives them the right to abuse the privacy of millions of people? Do those people not have rights? Do they not matter? Make no mistake here, some of those people will suffer more than a privacy breach. Many will be materially harmed, and for a lot more than the purchase of the PS3 that will only perform its designed function instead of whatever they wanted. How about assisting other criminals? Perhaps in their own defense they should leave a note that says "Hey, blame @lulzsec" and that will make them justified.

And what goal will all of this ultimately serve? Even if Sony caves they'll still need to find other ways to prevent piracy, both of their own IP and those of game developers who they need to develop on their platform. How about when all games are cloud-based and paid by monthly subscription? Will that be better for consumers? You can't expect companies to not try to protect their IP. Not only will these people have screwed over millions for the sake of their PS3s, but they will ultimately make the user experience worse for everybody. It's like the middle of the last decade when similar groups kept writing viruses for Windows XP "because Microsoft wasn't responsible about securing their software" as if they were performing some sort of service to mankind. Tons of people were inconvenienced or had to spend money to have their computers repaired, and some had their identities stolen and many got scammed. Microsoft responded with things like UAC (which most users hated even though it really worked) and other restrictions that ultimately did make things more secure, but wouldn't it have been better for everybody if it had not been necessary? Mac OS is far less secure than Windows and has been for a long time, but because of the far smaller installed user base it doesn't get targeted. If it were all about principle, why would that be? So much for altruistic hacking.

It is a laughably incorrect belief that punishing a publicly held corporation by harming its customers is protecting the little guy. How about stockholders who invested their hard earned money and hoped to earn a return from that? (which includes union pensioners and people like me with 401k accounts - not just "wall street fatcats") Are those not "little guys?" How about the employees of that company who might lose their livelihood if the company fails? There are probably only a few at the very top who can afford to have that happen and not be adversely affected. And then of course the poor customers who got screwed. Who exactly is the "big guy" in that equation? The CEO? Well congratulations on ruining his day a few times. I'm sure all those millions of people will appreciate that. How about if we're concerned about the balance of power between businesses and consumers we ask all those customers who aren't looking to pirate some company's intellectual property what they would prefer? I'm not sure I, as a consumer, can sympathize much with a group that screws me over in order to protect their rights to pirate video games.

It IS shameful that Sony did such a bad job of protecting its users' data, but the ultimate irony is that it never would have mattered if not for lulzsec. THEY are the ones who screwed all those people. THEY are the reason so many security measures are necessary. THEY are the criminals that users have to be protected against.

Claiming some sort of moral validation for these actions is a JOKE. These people are scumbags that care only about themselves. If these attacks continue, governments will realize what a threat they are to commerce and start taking seriously the effort to track the perpetrators down. Perhaps when that happens a few of these guys will land in prison and some very large fellow inmate with an unfortunate amount of body hair will hack their colons using a backdoor exploit (no trojan required!) and say "hey, blame @evolution for leaving that gaping hole there." We'll see how much that benefits the little guy in the end.


By Dribble on 6/7/2011 5:30:06 AM , Rating: 2
I never said hacking was right, any more than the race riots in LA were right, but you can bet it will have an effect.

In LA the police now think twice before beating up black people in case there's someone with a camcorder nearby because they know what could happen then.

In future Sony will think twice before suing the guy trying to use his PS3 to run Linux, as will most other big companies in similar situations because they know they risk getting targeted by the hacking community.

This is something that would not have been achieved by just complaining to Sony, no more than lots of black people complaining about being beaten up by the police in LA was having any effect.


how safe is safe ?
By shaidorsai on 6/6/2011 10:10:09 PM , Rating: 3
Let me ask this...does it matter how secure a password is if the company you do business with can be hacked like Sony has been? Is there any point to creating strong passwords when the system is hacked from within like Sony has been? I'm just curious how much time is wasted building strong passwords for an account with any company...




You forgot one..
By voodoochile123 on 6/6/2011 2:03:32 AM , Rating: 2
1) Terrorists (who murder innocent civilians)
2) Hate groups (which promote killing based on race or sexual orientation)
3) Pedophiles (who assault defenseless youth)
4) Sociopaths (who harm the elderly)




Demonstrative
By Autisticgramma on 6/6/2011 1:58:00 PM , Rating: 2
This is to demonstrate in the real world that Nintendo, cares about security, i.e. they understand that security is the basis of their business model.

Sony however believes they can regulate us into purchases. This is the result.




For the obvious
By Conner on 6/5/2011 8:26:03 PM , Rating: 1
quote:
Well if they can do that, why don't they? There are plenty of groups that deserve to be taken offline and deserve a whole boatload (LulzSec pun intended) of "Wild West" style web justice handed to them, including:

Terrorists (who murder innocent civilians)
Hate groups (which promote killing based on race or sexual orientation)
Pedophiles (who assault defenseless youth)


Those are the obvious evils. On the other hand, Sony and other tech companies are evil for requiring so much information and not protecting it. People should have a right to know how and where their information is stored. That way they can make an intelligent decision whether to trust their information with a company.

Again these hacker groups aren't a branch of some government. We 'have' the government to go after terrorists, hate groups, and pedophiles. The government has no place controlling a private company's decisions. Groups like Lulz and Anonymous give perspective that no govt agency could. The interwebs aren't always a safe place!

Lastly, during a depression/recession do you think the government has enough funds to add the additional agencies to handle these situations? They're too interested in having "top notch" airport security and "keeping democracy alive" in developing nations.




Why?
By icanhascpu on 6/5/11, Rating: -1
RE: Why?
By killerroach on 6/5/2011 9:19:56 PM , Rating: 5
quote:
If you were to go to the bank and put your life savings there, and the bank leaves their vault combination sitting around and the front door unlocked after hours, who is accountable when the place is robbed?


To state the blindingly obvious, how about the person who robbed the bank? They chose to break the law, after all.


RE: Why?
By Camikazi on 6/5/2011 9:42:04 PM , Rating: 4
Actually both are held accountable, since when you take another person's important information you are expected to keep it safe and not do stupid things like leaving vault information around and doors unlocked. The bank would be held accountable for not using sufficient and easily found security measures to keep your information safe.


RE: Why?
By chick0n on 6/5/11, Rating: -1
RE: Why?
By Etsp on 6/6/2011 3:26:57 AM , Rating: 2
Two words: SQL Injection.

There are methodologies for entering user information into databases that are quite secure and immune to injection attacks. These methodologies are considered to be best practice when dealing with user input.

The fact that Sony fell victim to this type of attack, in multiple locations, indicates that they have a significant issue in their security policy.
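The article's description of SQL injection (pasting URL input straight into a query) and the comment above about injection-immune methodologies are illustrated by the following added example, which is not code from the page, from Sony, or from any commenter. It stands up a constructed in-memory SQLite table for a made-up contest-entrant lookup (names, e-mails and layout are invented) and runs the same input through the string-built query and the parameterized query so the difference in behaviour is visible.

```python
"""Contest-entrant lookup: string-built SQL beside the parameterized form.

Constructed example: an in-memory SQLite table stands in for a promotional
contest database. Rows, column names and the lookup function are made up for
this demonstration and are not data or code from the breach.
"""
import sqlite3

# Constructed sample rows (not real data).
SAMPLE_ENTRANTS = [
    (1, "alice@example.com", "Alice", 1935),
    (2, "bob@example.com", "Bob", 1948),
    (3, "carol@example.com", "Carol", 1982),
]


def make_db() -> sqlite3.Connection:
    """Create the throwaway contest database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entrants "
        "(id INTEGER PRIMARY KEY, email TEXT, name TEXT, birth_year INTEGER)"
    )
    conn.executemany("INSERT INTO entrants VALUES (?, ?, ?, ?)", SAMPLE_ENTRANTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The sloppy pattern: the request parameter is concatenated into SQL text.

    Whatever arrives in the URL becomes part of the statement, so a quote in
    the input closes the string literal and the remainder is parsed as SQL.
    """
    sql = "SELECT id, email, name FROM entrants WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The hardened pattern: fixed SQL text, the value bound separately.

    The driver passes the parameter as data, so the input is only ever
    compared against the email column and cannot change the query's shape.
    """
    sql = "SELECT id, email, name FROM entrants WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed input containing the quote character that injection depends on.
# Through the vulnerable lookup it rewrites the WHERE clause into a tautology
# and every entrant comes back; through the parameterized lookup it is just a
# string that matches no e-mail address.
CRAFTED_INPUT = "x' OR '1'='1"


def compare(email: str) -> dict:
    """Run both lookups on one input and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, email)),
            "parameterized_rows": len(lookup_parameterized(conn, email)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal address behaves identically in both; the crafted input does not.
    print("legitimate lookup:", compare("alice@example.com"))
    print("crafted input:    ", compare(CRAFTED_INPUT))
```

The same split applies to any driver with placeholder binding (psycopg2, MySQLdb, JDBC PreparedStatement): the review question for each query is whether request data ever reaches the SQL text itself.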


RE: Why?
By Whedonic on 6/6/2011 6:16:51 AM , Rating: 2
Not to mention that Sony, in their wisdom, decided to store user information as plain text documents.


RE: Why?
By EricMartello on 6/6/11, Rating: 0
RE: Why?
By chick0n on 6/6/11, Rating: -1
RE: Why?
By woofersus on 6/6/2011 12:16:30 PM , Rating: 4
Right, so helping some scammer screw grandma out of her life savings is ok, because then she'll have learned her lesson about putting all that info on her facebook page? That'll serve her well in her last 5 years of life which will now be spent in poverty.

And in some cases, you ARE required to give a company certain private information in order to receive services. Should we be deprived of all services that require such information? No, nobody forced them, but shouldn't they have the right to obtain the services they desire without fear?

Sure lots of people should be smarter about what they do online, but that doesn't give anybody the right to abuse them for it.


RE: Why?
By wranglerangler on 6/6/2011 10:08:30 AM , Rating: 1
As someone deeply involved in securing corporate information for a number of years now, I have a professional interest and have followed this story very closely. I can say unequivocally that Sony does indeed suck at security.

You are clearly the one who doesn't understand the situation if you are trying to defend them in this.


Won't be surprised
By NullSubroutine on 6/5/11, Rating: -1
RE: Won't be surprised
By SPOOFE on 6/5/2011 11:06:33 PM , Rating: 2
At this point, any publication getting hacked would itself be a news story, and would probably only benefit the hacked publication in the form of free publicity.


RE: Won't be surprised
By Zo0noUno on 6/5/2011 11:37:33 PM , Rating: 3
I think that Lulzsec may have "good intentions," but as George Hotz commented after 77 million user accounts were stolen from PSN:

"Running homebrew and exploring security on your devices is cool, hacking into someone else's server and stealing databases of user info is not cool".


RE: Won't be surprised
By mrbangles on 6/6/2011 12:21:52 AM , Rating: 5
quote:
I don't think I would be surprised if DT would catch some flak from the group considering the tone of the articles as it seems the author(s) are not really interested in trying to understand the logic or motivations of the group.

I don't see anything wrong here. The author marked this as "editorial". What, now people don't have free speech any more? Why should LulzSec attack DT/editors for expressing a different opinion than theirs? Is this 1984/Animal Farmville or something?

quote:
If the authors of these articles are really interested in the "truth" of the motivations of the group they would actually attempt to interview them and spend the time required to understand their point of view.

Er... maybe the author read this...
"Lulz? Sony hackers deny responsibility for misuse of leaked data" -- ArsTechnica

Story excerpt:
quote:
Apart from Twitter, however, the group has far less interest in chatting with reporters.

"Pl0x dont post all teh sploits [exploits] on your report k?" one LulzSec user told Deleon. "And we won't use your DNS against you ;)"

"Gtfo, fucking media bullshit," added another.

"Lol. A reporter," added a third. "The twitter is all you're getting."

LulzSec doesn't want to respond to interview requests and has made that clear. Anyone who's following the story knows that, buddy.
quote:
If you don't, then just stick to the facts of what occurred.

Your understanding of the word "editorial" seems to be poor. To help you:
http://dictionary.reference.com/browse/editorial

"an article in a newspaper or other periodical presenting the opinion of the publisher, editor, or editors."

The author presents the facts (what was stolen, who was exposed, etc.), then expresses his opinion, as is his RIGHT here in America.

I don't know where you're from buddy, but please educate yourself or GTFO.


On a positive note....
By RedemptionAD on 6/6/11, Rating: -1