
Sony has proven itself to be utterly inept when it comes to security.  (Source: AFP)
Holy hacking, Batman, these guys are clueless!

The display of security incompetence by Sony Corp. (6758) is astonishing.  Weeks after losing the contents of its two largest databases -- the PlayStation Network (PSN) database and the Sony Online Entertainment (SOE) database -- the company appears to have lost yet more information after experiencing an attack almost identical to one just days prior.

I. Sony Fails to Block Identical Attack

On Sunday, The Hacker News revealed that Sony BMG Greece (the Greek unit of the company's music branch) was hacked using an SQL injection attack and lost 8,000+ customer records.

It now appears that just days later a group called LulzSecurity -- known for formerly hacking's login database -- has used an injection attack to compromise databases on Sony BMG Japan.

Astonishingly, Sony appears to have done little to nothing in the way of escaping or parameterization to protect its databases, even in the wake of the SQL injection breach of its Greek property.
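To make the "escaping or parameterization" point concrete, here is an added illustration (not code from the article or from Sony) of the difference between splicing user input into SQL text and binding it as a parameter. The customer table, rows and hostile input are constructed for the demo; SQLite stands in for whatever database the sites actually used.

```python
import sqlite3

# Constructed sample data standing in for a site's customer table (not Sony's schema).
ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn, username):
    """Vulnerable: untrusted input is spliced straight into the SQL text,
    so a quote character lets the input change the query's structure."""
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Hardened: the driver binds the value as data; it is never parsed as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign and a constructed hostile username
    and return the row counts each one leaks."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed: closes the literal, appends a tautology
    return {
        "concat_benign": len(lookup_concat(conn, benign)),    # 1 row
        "concat_hostile": len(lookup_concat(conn, hostile)),  # whole table: 3 rows
        "param_benign": len(lookup_param(conn, benign)),      # 1 row
        "param_hostile": len(lookup_param(conn, hostile)),    # 0 rows: no such user
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The same pattern applies to every query that touches request data; escaping by hand is the fallback, parameter binding is the fix.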

The hackers accessed an on-site table that did not appear to contain any personally identifiable information.  They openly mocked Sony, posting to Twitter, "LOL @Sony, Nice Japanese website dumbasses (sic)."

They later posted, "This isn't a l337 h4x0r, we just want to embarrass Sony some more.  Can this be hack number 8? 7 and a half?!"

While the hack itself was obviously designed only to target Sony and not to hurt its customers, the hackers did post publicly that there were two other databases on the site that they did not look at, but which should be accessible using the same injection attack.

This message was likely up for hours -- at least -- before Sony heard about it and shut down access to its servers.  In the meantime it is very feasible that other users -- including outright malicious ones -- could have stolen information from these tables.  As tables on the Sony BMG Greece website contained users' names, passwords, etc., it is quite possible that one of these tables held similar information, and you can almost guarantee that there would be many more records than in the Greece table, as Japan is Sony's home nation.

II. Sony Intrusions Send a Clear Message to Customers -- You Can't Trust Sony

Sophos security researcher Chester Wisniewski, who yesterday took a gentler tone when covering the Greece intrusion, this time firmly admonished Sony, writing:

While there is an enormous target on Sony's back as a result of these very public attacks it is unclear why this is happening. Is Sony taking security seriously or are there simply so many flaws from the past that exist in their public facing sites that it will take them a long time to patch them all?

I hope this is the last time I have to report on a flaw at Sony. Sony has announced they are working with several professional organizations to get their security house in order and for their sake I hope this happens sooner rather than later.

Besides the two music site breaches, another Sony subsidiary -- the ISP So-net Entertainment Corp. -- was recently hacked, with the bandits making off with $1,225 USD in redeemable gift points.  Another hack transformed one of Sony's servers into a host for a phishing website.

The problem with all these breaches is that Sony as a company has essentially left customers with no hope that it is properly protecting their data against malicious parties.  

It would not be surprising if these customers refuse to use Sony's online properties, taking their business to competitors like Microsoft Corp. (MSFT) or Nintendo Co., Ltd. (7974).  Reportedly some customers are already doing exactly that.

III. High Costs for Sony

The average cost of a system intrusion in 2010 was $318 USD per record lost, up 48 percent from a year prior.  Sony claims that the loss of 101 million records will only cost it $2 USD per record.  Unless the company has found the mother of all "bulk discounts", when it comes to data loss payouts, the company appears to be seriously understating the cost to its bottom line.

The company is currently in the throes of multiple class action lawsuits.

At the end of the day Sony, much like Gawker Media, brought on the attacks by lashing out at the greater hacker community, particularly the massive hacker collective Anonymous, which has at least 10,000 members internationally.

Sony provoked the hackers when it decided to kill homebrew and Linux on the PlayStation 3 after allowing and even supporting those popular offerings for the console's early years.  The hackers were further infuriated by the fact that Sony sued iconic hardware hacker George "GeoHot" Hotz -- something that even GeoHot's perpetual target Apple, Inc. (AAPL) hadn't dared do.

The humiliation of Sony's security is proof that the online world is still very much like the Wild West.  If you anger one person enough, you may need protection; but if you anger the masses, half-baked protection outfits may not be good enough.

Sony has clearly been exposed as inferior to the hackers in cyber-security.  With customers growing wary of the company, it may pay dearly for its failure to protect its online properties.

In a sign of the times, even as Sony hopes to restart its PlayStation Network in the U.S. after a second outage, the Japanese government is denying it permission to restart.  They say they're not convinced that Sony is any more able to protect its customers, this time around.



Wake up and smell the coffee
By Beenthere on 5/24/2011 4:07:14 PM , Rating: -1
Sony customers are the ones being harmed by hackers. Instead of attacking Sony you should be pissed that your personal data has been stolen by hackers and that your world could be turned upside down for the next decade. Maybe now people will start to understand the price of hacking and why the only good hacker is very dead?

RE: Wake up and smell the coffee
By JasonMick on 5/24/2011 4:18:56 PM , Rating: 3
Maybe now people will start to understand the price of hacking and why the only good hacker is very dead?

Interesting suggestion, considering that the systems being hacked wouldn't even have been made without the inspiration of former hackers. Bill Gates, Steve Jobs and other tech visionaries got their start in the hacking scene of their day.

If we executed your vision of death penalties for anyone who's ever "hacked" (explored networked systems), I think there might only be a couple IT people and programmers left in the U.S.

RE: Wake up and smell the coffee
By nUNYAbIZ on 5/24/2011 4:44:48 PM , Rating: 1
@ Beenthere. You're an idiot!

RE: Wake up and smell the coffee
By RjBass on 5/24/2011 5:05:12 PM , Rating: 2
And none of them would be any good.

RE: Wake up and smell the coffee
By JediJeb on 5/24/2011 5:24:33 PM , Rating: 2
And we would probably still be using command line interfaces and playing text adventure games like Zork :)

RE: Wake up and smell the coffee
By Reclaimer77 on 5/24/2011 8:07:27 PM , Rating: 2
Bill Gates, Steve Jobs and other tech visionaries got their start in the hacking scene of their day.

*rolls eyes*

Gates and Jobs hacked OS CODE! They did not shut down networks, launch DoS attacks, or steal people's information from companies.

Jason, Sony is dicks, we get it. But your continued attempt to make these hackers out to be some kind of Robin Hood or vigilantes for truth and justice is coming off a bit sophomoric.

You can take Sony to task WITHOUT legitimizing criminal behavior.

RE: Wake up and smell the coffee
By spread on 5/24/2011 6:13:27 PM , Rating: 4
Looking at your posting history since 2006, I see pages of 0 and -1.

It's one thing to disagree with the popular opinion, it's another to oppose it almost all the time.

Do you ever get tired of being wrong?

RE: Wake up and smell the coffee
By erple2 on 5/25/2011 8:43:40 AM , Rating: 2
Who said popular opinion was ever right?
