

Another day, another Sony site hacked.  (Source: The Hacker News)
This time the stolen Sony database is from a Greek Sony property

It's hard to fathom how a company as big as Sony Corp. (6758) could have such porous defenses, as the events in recent weeks have unfolded.  Since late April, Sony has experienced a complete loss of customer records from its two largest international databases -- the PlayStation Network (PSN) database and the Sony Online Entertainment (SOE) database.  

Last week, the PSN network was briefly reactivated and then shut down after yet another security flaw was discovered.  And Japan announced that it would not be allowing Sony's online services to restart in its nation until the company showed proper proof that it had significantly improved its security.

Now those pesky hackers have compromised yet another Sony online property.

I.  Third Sony Database Breached

This week a poster dumped a pretty interesting archive to the text-sharing site Pastebin.  The record appears to contain a dump of the user database from Sony BMG in Greece.

Included in the post are usernames, real names, and email addresses.  

The post was eventually attributed to The Hacker News, who says they received the information from a hacker who goes by the handle "b4d_vipera".  The hacker appears to have redacted the information from certain fields, including password, telephone number, and user's company, though they claim to have this information.

In total 8,385 records were lost from SonyMusic.gr -- the website of Sony BMG in Greece.  The breach occurred May 5.

The attack was accomplished via SQL injection, a type of attack that originated in the 1990s.  SQL injection attacks are most commonly used on large entities with multiple websites.  The attacker finds SQL databases on various sites of the target and then tests them by sending strings that may be mishandled by the SQL interpreter, allowing forbidden commands to be executed.
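The flaw class described above, shown as a vulnerable lookup beside its parameterized fix. This is an added example, not code from the article or from any Sony site; the table, column names, and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data: the columns mirror the kinds of fields the article
# says were in the dump (username, real name, email). All values are made up.
SAMPLE_USERS = [
    ("alice", "Alice Example", "alice@example.com"),
    ("bob", "Bob Example", "bob@example.com"),
    ("carol", "Carol Example", "carol@example.com"),
]


def make_db():
    """Build an in-memory database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, real_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Flawed pattern: user input is pasted into the SQL text itself."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the input is bound as data and never parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Return (vulnerable_row_count, parameterized_row_count) for one input."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, username)),
                len(lookup_parameterized(conn, username)))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves identically in both versions.
    print("benign input:", compare("alice"))
    # A textbook test string: the quote ends the literal and the rest is
    # parsed as SQL, so the WHERE clause becomes true for every row.
    print("quote-bearing input:", compare("x' OR '1'='1"))
```

The same pair of functions doubles as a regression check: any input containing a quote should return the same rows from both lookups, and a difference or a SQL syntax error from the first one marks the query as injectable.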

It is unclear whether only Sony BMG in Greece was vulnerable or whether Sony BMG sites in other nations could have been vulnerable as well.

Security software and services vendor Sophos gave some interesting analysis on the breach in their Naked Security blog.   The blog suggests that the negligence likely wasn't the fault of Sony's engineers on the design side.  Writes Sophos's Chester Wisniewski:

As I mentioned in the Sophos Security Chet Chat 59 podcast at the beginning of the month, it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony. As long as it is popular within the hacker community to expose Sony's flaws, we are likely to continue seeing successful attacks against them.

But Mr. Wisniewski says that Sony could have avoided these issues if it had hired experts to do thorough penetration testing (fake attacks that simulate a malicious user in order to find and fix vulnerabilities).  He writes:

The lesson I take away from this is similar to other stories we have published on data breaches. It would cost far less to perform thorough penetration tests than to suffer the loss of trust, fines, disclosure costs and loss of reputation these incidents have resulted in.

He says that while Sony obviously is suffering from the barrage of attacks, at the end of the day it may be forced into having the most secure design on the market, much like Windows OS maker Microsoft Corp. (MSFT).  He comments, "While it's cruel to kick someone while they're down, when this is over, Sony may end up being one of the most secure web assets on the net."

II. The Cost to Sony

Richard Scott, a contributor of iconic infographics to BBC News and The New York Times, has set his sights on Sony with his latest graphic.  It depicts an estimated cost to Sony of $24B USD.

That estimate comes from research by The Ponemon Institute, a data-security research firm, who found that on average in 2010 a data breach cost a company $318 USD per lost record in security, user protection, and legal costs.  That represents a 48 percent increase from 2009.

Forbes suggests the $24B USD figure, but that's only considering the PSN breach.  With the 24 million record SOE breach added in, the figure soars to $32.1B USD.

Sony is being conservative in its own cost estimates.  Its financial filings have indicated that the intrusions are clearly taking their toll on the company -- it went from predicting a ¥70B ($855M USD) profit for the year to now predicting a ¥260B ($3.14B USD) loss [source; PDF].  Sony blames much of that estimated loss on the earthquake (¥22B) and other factors.

The company says it expects only to have to pay ¥14B (about $172M USD) for the PSN intrusion.  This puts its expected expense per lost record at about $2 USD per account.

It seems Sony may be a bit too optimistic here.  If the industry average is $318 USD per lost record, it'd be extraordinary for Sony to get away with only paying $2 USD per record.

In 2010 Sony made $77.5B USD in revenue, with a $289M USD profit.  If it were forced to pay $32.1B USD in total (based on the industry average) for the breaches, it could end up with a net loss of $35B USD or more for this year.

A $35B USD loss would be equivalent to approximately half the company's annual revenue and equivalent to over 10 years in profit from relatively "good" years.  It remains to be seen exactly how dire the financial situation for Sony gets, but one thing's for sure -- the picture isn't pretty.

Sony is currently facing multiple class action lawsuits in the U.S. and abroad from former customers.



Comments

RE: I would normally feel sympathy for the company
By bah12 on 5/23/2011 10:16:25 AM , Rating: 5
quote:
How was Blu-Ray a burn on the customer? Or the memStick? (don't want to use it, don't buy a Sony digicam etc)
Some would argue HDDVD had as good or better characteristics as BluRay, and Sony abused their market position to push an inferior product. I don't really agree with that since they were both about the same, and I'd rather have 1 standard than 2 at the end of the day.

Memstick is and always has been a complete waste. It is a Sony only proprietary card that has no business in the market place. There were always equal (if not better) options, it is simply Sony releasing a proprietary format just for the sake of doing so. This type of fragmentation for no reason always hurts the consumer.


By retrospooty on 5/23/2011 11:15:47 AM , Rating: 5
That and Sony has a long history of pushing proprietary standards, starting with Betamax vs VHS back in the 80's. They have always been a thorn in the side of the tech industry, slowing progress and pushing non-compliant standards. Blu-ray was at least an example of them getting "some" other companies on board of their standard. Without Sony, we would have had cheap HD-DVD players 2 years earlier than we had them, because of Sony's behind the scenes wrangling.

Sony exemplifies corporate arrogance at its best.


By Mitch101 on 5/23/2011 12:56:50 PM , Rating: 2
Karma's a B-I-A-T-C-H.

Sony Swings to Big Loss After Natural Disasters
http://www.nytimes.com/2011/05/24/technology/24son...


RE: I would normally feel sympathy for the company
By Burnc4 on 5/23/2011 5:31:03 PM , Rating: 5
quote:
Sony exemplifies corporate arrogance at its best.


I think Apple would give them a run for their money


RE: I would normally feel sympathy for the company
By Samus on 5/23/2011 6:16:00 PM , Rating: 5
HD-DVD was simple and cheap, while offering the same quality.

The dual-disc/backwards compatibility feature alone should have been the feature that made it win the format war.

Bluray has ridiculously complex DRM, the discs are riddled with advertisements, the Java implementation had been buggy since the beginning, and LiveBD is such crap it's almost like a joke coming from the 'professional' MPAA.

Bluray has offered nothing beneficial to consumers over HD-DVD except higher prices, less compatibility, longer load times, and complex DRM, that, like most DRM, just backfires and hurts the average-joe.

Sony hasn't made a quality stand-out product in over a decade. Like the RIAA/MPAA, they are dinosaurs.


By sleepeeg3 on 5/24/2011 1:16:51 AM , Rating: 5
Blu-Ray offers 67% more space than HD-DVD did, which potentially allows longer movies and more extras. Adding an extra laser to a Blu-Ray player for backward compatibility with DVD is not really a big deal.

Am I a fan of Sony? No, but the war is over - move along.


By tastyratz on 5/24/2011 6:08:19 PM , Rating: 2
absolutely, I guess he did not get the memo that hddvd sucked.
Hddvd held less data which made it suck, and while it was touted as cheaper due to not needing sony licenses and the ability for dvd production to just be retooled for hddvd... we never saw it.

At the end of the day hddvd was the same exact price because they got greedy, it was not introduced early enough and having the support of major backers like sony makes a product sell... even though Sony happened to have made the proprietary standard this time. This is not the betamax vs vhs scenario because betamax was much better than vhs. Bluray is better than hddvd... and while hddvd pushed a gazillion layers to catch up it never would have happened in practice. video = compression and more space = win every time. Even if sony did not introduce bluray and had been a neutral player hddvd would have won.

I wish hddvd DID get released earlier and with a more realistic aggressively low pricing. At the end of the day I still can not realistically purchase blank optical media with a higher capacity than dvd for a reasonably competitive cost per gb... not even close.


By icanhascpu on 5/24/2011 2:30:38 AM , Rating: 2
Agree, except Apple actually does good things for consumers in terms of competition. Sony just screws their customers and rides on the tails of their earlier management.


RE: I would normally feel sympathy for the company
By tng on 5/23/2011 11:36:18 AM , Rating: 1
quote:
Some would argue HDDVD had as good or better characteristics as BluRay, and Sony abused their market position to push an inferior product. I don't really agree with that since they were both about the same, and I'd rather have 1 standard than 2 at the end of the day.
HDDVD was better in the fact that it was a whole new standard for HD encoding meant to get around a lot of the issues in HD encoding, BD uses a modified version of what was already used (H264?) and carried all of the issues with it.

That said, the quality of the product is not what won BD its place, but Sony paying studios hundreds of millions to switch and/or not even try HDDVD. While business at that level is cut throat, Sony was very slimy in the whole thing and maybe they are getting what they deserve.


By adiposity on 5/23/2011 1:07:11 PM , Rating: 3
quote:
HDDVD was better in the fact that it was a whole new standard for HD encoding meant to get around a lot of the issues in HD encoding, BD uses a modified version of what was already used (H264?) and carried all of the issues with it.


Are you talking about the codec? HD-DVD uses VC-1, h.264/AVC, or MPEG2. Blu-ray uses VC-1, h.264/AVC, or MPEG2.

quote:
That said, the quality of the product is not what won BD its place, but Sony paying studios hundreds of millions to switch and/or not even try HDDVD.


What you say may be true. Dreamworks and Paramount are suspected of being paid off when they switched to HD-DVD. Warner is suspected of being paid off to switch to Blu-ray (though they deny it). In the end, a lot of us were just relieved somebody got paid off so the format war could end. Apparently, Sony was paying more, but both camps were trying to buy their way into dominance.


RE: I would normally feel sympathy for the company
By tng on 5/23/2011 2:52:01 PM , Rating: 3
quote:
Are you talking about the codec? HD-DVD uses VC-1, h.264/AVC, or MPEG2. Blu-ray uses VC-1, h.264/AVC, or MPEG2.
Yes I was...Read this from Amir Majidimehr Corporate Vice President of the Consumer Media Technology Group at Microsoft when the format war was on.

http://www.avsforum.com/avs-vb/showt...&&#post9931...

You make it sound as though both discs started off with the same format, they didn't. If they both used the same format, why bother?


By adiposity on 5/23/2011 3:18:02 PM , Rating: 2
quote:
Yes I was...Read this from Amir Majidimehr Corporate Vice President of the Consumer Media Technology Group at Microsoft when the format war was on.


Your link doesn't work.

quote:
You make it sound as though both discs started off with the same format, they didn't. If they both used the same format, why bother?


The war was over the disc, mostly. There was also some squabbling over using HDi/iHD or Java. The formats were an issue, but the Blu-Ray consortium nullified that issue by making all the HD-DVDs codecs mandatory on Blu-Ray. VC-1, for example, became mandatory in 2004:

http://www.microsoft.com/presspass/press/2004/sep0...


RE: I would normally feel sympathy for the company
By tng on 5/23/2011 4:10:15 PM , Rating: 2
quote:
The war was over the disc, mostly.

Suppose so.

quote:
There was also some squabbling over using HDi/iHD or Java. The formats were an issue....


This is what I remember the most about it.

Here is the link again, hopefully it works this time

http://www.avsforum.com/avs-vb/showthread.php?p=99...


By adiposity on 5/24/2011 4:01:37 PM , Rating: 2
It worked this time. I notice that this was posted in 2007, but VC-1 became a mandatory codec on Blu-ray in 2004.

Thus, even though this thread makes some very interesting points and analysis, the fact remains that VC-1 has been supported on Blu-ray since long before (~2004) the "war" began taking place in Walmarts and Targets (~2006).


By Strunf on 5/23/2011 1:56:31 PM , Rating: 2
hmm Blu-ray had higher transfer rates and higher storage space... I'm quite happy to have dual-layer Blu-ray movies instead of having to switch discs half way through the movie.


RE: I would normally feel sympathy for the company
By BansheeX on 5/23/2011 4:06:32 PM , Rating: 2
You would argue that HDDVD was better? Blu-ray has far more storage per layer (66%) and far better scratch protection than DVD or HDDVD. Blu-Ray's DRM was also defeated in short order. Given that it's likely the final consumer disc format, these advantages were far more important than getting $50 players two years sooner.


RE: I would normally feel sympathy for the company
By tng on 5/23/2011 5:33:21 PM , Rating: 2
quote:
...far better scratch protection than DVD or HDDVD.

Was this an issue really? Can't say that I slide my discs of any kind around so they get scratched. Seen people who do it and they wouldn't play anymore (always something they did, of course it was never their fault)

quote:
Blu-Ray's DRM was also defeated in short order.
Would have happened to either format. I also argue that as to the storage issue, if HDDVD had won this would have been resolved as well.


By tng on 5/23/2011 5:43:55 PM , Rating: 2
Wow, got rated down for that?


RE: I would normally feel sympathy for the company
By tayb on 5/23/2011 10:33:23 PM , Rating: 3
You are exaggerating everything you just wrote. Blu-ray had an advantage in storage capacity but it wasn't 60% and it was a pointless lead anyways. HD-DVD was making improvements to disk capacity and in fact had announced a 50GB disk before the format was killed. Not that it mattered because even at 25GB there was plenty of space to fit a movie.

Scratch protection? Seriously? Put your disk back in the case. Problem solved.

Bottom line is that HD-DVD had unmatched (to this day) features and far better pricing. Storage capacity would have been negligible down the line as both technologies matured. The consumer lost in this format war as Sony abused its market position to push an inferior format on us.


By nikon133 on 5/23/2011 6:47:30 PM , Rating: 1
Pray tell how's HDDVD as good or better than BRD - last time I checked, BRD was superior on pretty much every aspect.

Sony does have strong position in that market segment, but not the one that cannot be beaten - their Betamax was beaten by inferior VHS, back at the time. It seems to me HDDVD coalition didn't really put good fight at all - like, maybe, including HDDVD in Xbox360 - "small" things like that.


RE: I would normally feel sympathy for the company
By tayb on 5/23/2011 10:26:05 PM , Rating: 2
HD-DVD had more features than blu-ray, matched its capacity when it was terminated, and was 30% the cost of a comparable BD setup.

Hell HD-DVD had HD-DVD/DVD combo discs (on the same double sided disc) and BD STILL does not have that. It was a better format for the consumers hands down.


By sleepeeg3 on 5/24/2011 1:29:51 AM , Rating: 1
HD-DVD never matched BRD's capacity. Quit spouting lies.


By BansheeX on 5/25/2011 4:36:20 AM , Rating: 1
You are a complete idiot. Maximum BD capacity per layer is 25GB. HDDVD is 15GB per layer. What "features" does one disc format have over another? It stores effing data. The more data, the more room you have for features without compromising the main feature's bitrate.

