

Sony Ericsson Canada was among the latest Sony online properties to be hacked and lose customer records. Sites in Indonesia and Thailand were also compromised and taken down.  (Source: Wayfaring)
Should Sony quit the internet?

It's almost unprecedented.  We haven't seen something quite like this since -- well, the days of the great Sony Corp. (6758) battery recall.  It seems like every day there's a new Sony web property that's been compromised.

In recent weeks the company's two largest databases -- the PlayStation Network (PSN) database and the Sony Online Entertainment (SOE) database -- were fully compromised, multiple music sites/databases [1] [2] were compromised via SQL injection, $1,225 USD in points were stolen from a Sony ISP subsidiary, and Sony's servers were found to be hosting a malicious phishing page.

Now yet another attack has struck the befuddled company.

This time around hackers have struck Sony Ericsson’s Eshop online store for mobile phones in Canada, making off with 2,000 customer records.  The records include names, email addresses and encrypted passwords, Sony wrote in a statement it released late yesterday.

Idahca, a Lebanese hacking group, has claimed responsibility in a Pastebin dump of user records for the attack.  The hackers said that they could have gathered more sensitive details like credit cards, but declined to.

Sony sites in Thailand and Indonesia were also compromised, bringing the total of major breaches to 10 or possibly 11, based on our accounting.  It appears that all of these sites were infiltrated using the same SQL injection attack route (affectionately nicknamed a "Little Bobby Tables" attack), which took down the Sony BMG Greece and Japan sites earlier this week.  Sony appears to have done nothing effective to protect its other sites, even after the earlier compromises.

Credit card information is stored on a standalone e-commerce platform, separate from the servers that hold the user database.  Idahca's comments indicate that the group claims to have had access to the e-commerce servers as well.  Sony has shut down both the user server and the e-commerce servers while it investigates the breach.

Phil Lieberman, CEO of online security consulting firm Lieberman Software, said Sony made a fatal mistake in the flagrantly hostile approach it took towards the hacking community, with regards to Linux on the Sony PlayStation 3 -- a use it initially promoted.  He states, "Telling them to bring it on is not the best strategy. I think Sony is beginning to understand it horribly underinvested in security."

He said Sony's decision to sue beloved hardware hacker George "GeoHot" Hotz provoked "nuclear responses" from hackers.  Sony's suit against GeoHot was particularly controversial as the company sought -- and was granted access by federal courts -- to GeoHot's personal Twitter, Facebook, Gmail, and other accounts -- seemingly a gross invasion of privacy.

Sony is confident it will pay only $2 USD per lost record across its various web properties.  That's less than 1 percent of the 2010 average payout of $318 USD per lost record.  And in recent years the cost per lost record has tended to grow by a factor of 1.5 each year.  Clearly Sony is hoping for some sort of miracle to save it financially.

Sony also needs some sort of miracle to prevent more attacks.  Even with plenty of forewarning, Sony still looks as inept as ever, utterly clueless at securing its online properties.  The company clearly is lost as to what to do.  Of course -- worst case scenario -- Sony could always quit the internet.

The company is currently facing returns of its products internationally and class action lawsuits from disgruntled former customers.



Comments

RE: Angry little men
By Reclaimer77 on 5/25/2011 10:25:33 AM , Rating: 2
Oh and stealing people's credit card information? Please try to tell me how that's just the hackers crusading against Sony for the benefit of all of us! Putting millions of people at risk for theft and identity theft nightmares, all for what?


RE: Angry little men
By dsx724 on 5/25/2011 11:22:34 AM , Rating: 5
How about you hire competent people and pay them more instead of hiring bottom feeders and stacking shitty management on top?


RE: Angry little men
By Daemyion on 5/26/2011 6:45:16 AM , Rating: 2
Throwing more engineers at the problem doesn't guarantee success. The only corporations out there that might have withstood such an onslaught are Microsoft and Google, and that's because hackers have been hammering away at them ever since they opened for business.

A security model only really gets tested in a trial-by-fire, and I doubt Sony had to contend with anything like this before.


RE: Angry little men
By mooty on 5/26/2011 9:54:39 AM , Rating: 2
Don't forget that Google was hacked recently too.


RE: Angry little men
By Daemyion on 5/26/2011 10:39:17 AM , Rating: 2
Too true... that leaves Microsoft?

God save us... ;)


RE: Angry little men
By Mitch101 on 5/25/2011 1:53:31 PM , Rating: 5
I don't disagree there are more adult ways of going about an issue like this, however consider that Sony marketed this to the hacker/modder community, pulled the plug, then went after them when they tried to restore functionality, then mocked them. They picked a fight and the community fired back. All it takes is one person not happy about it whose motive is not personal gain. I doubt credit information is what they were after. I suspect that could be Sony saying credit card information was stolen in order to get federal support, or depending on how their database was set up the query to get user information may have been in the same table as credit information and the hackers wound up getting credit card information when they pulled client data. A select statement on a database table can grab everything, and if Sony failed to encrypt with a salted hash then credit data was leaked, possibly unintentionally received. If Sony salted the data with a good hash the data is useless without the salt. From what I've seen on the PS3 exploits Sony cut a lot of corners and failed to protect important data properly, using the same key.

As for the downtime I suspect that's Sony's decision to collect evidence, rewrite code, patch, and secure everything. Apparently they have a lot of changes to make.
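The SQL injection route the article describes and the salted-hash question raised in the comment above, as an added example (not code from the article, from Sony, or from the commenter): a lookup that pastes input into the SQL text beside a parameterised one, run over a constructed in-memory table whose passwords are stored as salted PBKDF2 hashes. All account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: three accounts, passwords stored as salted PBKDF2 hashes.
SAMPLE_ACCOUNTS = [("alice", "correct horse"), ("bob", "hunter2"), ("carol", "tr0ub4dor")]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a dumped row reveals neither the password nor a reusable value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory user table standing in for a breached customer database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_ACCOUNTS:
        salt = os.urandom(16)  # a fresh salt per row, so equal passwords hash differently
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'Little Bobby Tables' pattern: the input becomes part of the SQL text,
    so a quote in the input can rewrite the WHERE clause. Vulnerable; for comparison only."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value travels separately from the SQL text and is only
    ever compared as a string, whatever characters it contains."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def verify_password(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Recompute the salted hash for the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # no such user, plus a clause that is always true
    print(lookup_unsafe(db, tautology))  # every row: the WHERE clause was rewritten
    print(lookup_safe(db, tautology))    # []: the whole string is treated as a literal name
    print(verify_password(db, "bob", "hunter2"))
```

Run with a dump of the `users` rows as well and the only way to recover a password is to brute-force each row against its own salt, which is the property the comment is asking about.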


RE: Angry little men
By freeagle on 5/25/2011 2:06:46 PM , Rating: 5
It may hurt, but I guess this is the most efficient way of making the company and its like get more involved in securing customer information. And also make the common people interested in net security.

The conclusion from your statement would be that the bigger the company and its customer base, the less it needs to care about security, because who in their right mind would spoil the fun for the masses.

Sometimes we need to get burned in order to realize the stove is hot to touch...


RE: Angry little men
By quiksilvr on 5/26/2011 2:14:35 AM , Rating: 2
That's why Sony shouldn't be involved with the security?

What's the solution? Google Playstation and Paypal. Done and done. They already have a close partnership, you might as well go all out.


RE: Angry little men
By BailoutBenny on 5/25/2011 5:06:51 PM , Rating: 5
Reclaimer, you rail against the government for its shitty behavior, perhaps even practicing a little civil disobedience along the way yet you yell at the hackers for doing their thing and sticking it to the man?

I support these hackers in their actions because they weren't afraid to get in trouble to prove a point. I wish more civilians had the hacker mentality when it comes to lashing out against the government instead of doing nothing but talking and stamping their feet.


RE: Angry little men
By erple2 on 5/27/2011 1:41:05 AM , Rating: 2
I shudder to say this, but I agree with Reclaimer77. While it's nice and dandy and marvelous to figure out how to "stick it to the man", I am troubled by the swath of innocent destruction that is left in its wake.

While it may be true that Sony dropped the ball on security, the net result is that there are millions of innocent people who are paying the price. That's unfortunately the pretty crappy part.

Also - civil disobedience last I checked didn't involve kicking the crap out of innocent bystanders. To throw a near-strawman at this, would you support dropping a nuke on, say, Tripoli because you disagreed with the policies of one member of the government there? That's a lot of dead people just to try and take out one or a small group of bad guys.

Do I think that the hackers were pretty clever to do this? Sure, though based on the details of the hack I've learned, it appears that Sony wasn't particularly keen on security. Do I think that taking a bunch of people's information that are in no way associated with Sony (other than they may have purchased a Sony product) is the right way to do it? No. Do I have a better alternative? Also no.

I'm all for sticking it to someone who's a bit high on themselves (stupidity in govt, Sony with its corporate policies), but don't drag down innocent bystanders in your blaze of glory.


Copyright 2014 DailyTech LLC.