



Sony Ericsson Canada was among the latest Sony online properties to be hacked and lose customer records. Sites in Indonesia and Thailand were also compromised and taken down.  (Source: Wayfaring)
Should Sony quit the internet?

It's almost unprecedented.  We haven't seen something quite like this, since -- well, the days of the great Sony Corp. (6758) battery recall.  It seems like every day there's a new Sony web property that's been compromised.

In recent weeks the company's two largest databases -- the PlayStation Network (PSN) database and the Sony Online Entertainment (SOE) database -- were fully compromised, multiple music sites/databases [1] [2] were compromised via SQL injection, $1,225 USD in points were stolen from a Sony ISP subsidiary, and Sony's servers were found to be hosting a malicious phishing page.

Now yet another attack has struck the befuddled company.

This time around hackers have struck Sony Ericsson’s Eshop online store for mobile phones in Canada, making off with 2,000 customer records.  The records include names, email addresses and encrypted passwords, Sony wrote in a statement it released late yesterday.

Idahca, a Lebanese hacking group, has claimed responsibility for the attack in a Pastebin dump of user records.  The hackers said that they could have gathered more sensitive details like credit cards, but declined to.

Sony sites in Thailand and Indonesia were also compromised, bringing the total of major breaches to 10 or possibly 11, based on our accounting.  It appears that all of these sites were infiltrated using the same SQL injection attack route (affectionately nicknamed a "Little Bobby Tables" attack), which took down the Sony BMG Greece and Japan sites earlier this week.  Sony appears to have done nothing effective to protect its other sites, even after the earlier compromises.

Credit card information is stored on an e-commerce website, a standalone platform.  This platform is separate from the servers on which the user database is found.  Idahca's comments indicate that the group claims to have had access to the e-commerce servers as well.  Sony has shut down both the user server and the e-commerce servers, while it tries to investigate the breach.

Phil Lieberman, CEO of online security consulting firm Lieberman Software, said Sony made a fatal mistake in the flagrantly hostile approach it took towards the hacking community, with regards to Linux on the Sony PlayStation 3 -- a use it initially promoted.  He states, "Telling them to bring it on is not the best strategy. I think Sony is beginning to understand it horribly underinvested in security."

He said Sony's decision to sue beloved hardware hacker George "GeoHot" Hotz provoked "nuclear responses" from hackers.  Sony's suit against GeoHot was particularly controversial as the company sought -- and was granted access by federal courts -- to GeoHot's personal Twitter, Facebook, Gmail, and other accounts -- seemingly a gross invasion of privacy.

Sony is confident it will pay only $2 USD per lost record from its various web properties.  That's less than 1 percent of the average payout of $318 USD per lost record in 2010.  And in recent years the cost per lost record has tended to increase by a factor of 1.5 each year.  Clearly Sony is hoping for some sort of miracle to save it financially.

Sony also needs some sort of miracle to prevent more attacks.  Even with plenty of forewarning, Sony still looks as inept as ever, utterly clueless about securing its online properties.  The company clearly is lost as to what to do.  Of course -- worst case scenario -- Sony could always quit the internet.

The company is currently facing returns of its products internationally and class action lawsuits from disgruntled former customers.




A questionable statistic
By Donovan on 5/25/2011 12:39:29 PM , Rating: 1
quote:
Sony is confident it will pay only $2 USD per lost record from its various web properties. That's less than 1 percent of the average payout of $318 USD per lost record that was the average in 2010. And in recent years the cost of data lost has tended to increase by a factor of 1.5 each year. Clearly Sony is hoping for some sort of miracle to save it financially.
Just because that is the average doesn't mean it scales the way you are assuming when applied to a company the size of Sony. Many of the costs associated with a break-in are fixed, and the hit to their reputation likely plateaued several hacks ago. Also, Sony's existing gaming customers are pretty much stuck with Sony unless they want to throw their PS3s away.

Personally, I think the credit card number has outlived its usefulness. If I want to let Sony make recurring charges to my account, why do I have to give them the master number that lets ANYONE make an UNLIMITED number of charges to that account? A better solution would be to have both Sony's computer and my computer authenticate ourselves to VISA and have VISA issue some large unique number that allows only Sony to make charges to me up to a specified amount per month. Those numbers would be useless to anyone but Sony, and if Sony's authentication information were compromised they could reissue that instead of everyone's credit cards.

It's absurd that I must go to every single company I do business with and give them a new number whenever one of them screws up. That system scales abysmally, and it punishes the consumer instead of the company that lost the information in the first place.
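The merchant-bound, capped payment number proposed in the comment above, modelled as an added toy issuer (example code, not from the article or any card network; `Issuer`, the merchant names and the token format are assumptions). It shows the properties the commenter wants: a token only works for the merchant it was issued to, it stops at the monthly cap, and a compromised merchant gets a fresh token while cardholders keep their cards.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Issuer:
    """Constructed toy issuer (assumption): maps merchant-bound tokens to
    (cardholder, merchant, monthly cap in cents). The real card number
    never leaves the issuer, so a merchant breach cannot leak it."""
    tokens: dict = field(default_factory=dict)   # token -> (cardholder, merchant, cap_cents)
    spent: dict = field(default_factory=dict)    # (token, month) -> cents charged so far

    def issue(self, cardholder, merchant, cap_cents):
        # Large random token usable only by `merchant`, up to `cap_cents` per month.
        token = secrets.token_hex(16)
        self.tokens[token] = (cardholder, merchant, cap_cents)
        return token

    def authorize(self, presenting_merchant, token, amount_cents, month):
        entry = self.tokens.get(token)
        if entry is None:
            return False, "unknown or revoked token"
        cardholder, bound_merchant, cap = entry
        if presenting_merchant != bound_merchant:
            return False, "token not bound to this merchant"   # stolen token is useless elsewhere
        key = (token, month)
        if self.spent.get(key, 0) + amount_cents > cap:
            return False, "monthly cap exceeded"
        self.spent[key] = self.spent.get(key, 0) + amount_cents
        return True, f"charged {cardholder}"

    def reissue(self, old_token):
        # Merchant compromised: revoke its token and hand it a new one;
        # cardholders do nothing and keep their existing cards.
        cardholder, merchant, cap = self.tokens.pop(old_token)
        return self.issue(cardholder, merchant, cap)


def demo():
    issuer = Issuer()
    tok = issuer.issue("alice", "sony-eshop", cap_cents=5000)          # constructed sample
    results = [
        issuer.authorize("sony-eshop", tok, 3000, "2011-05")[0],       # True: within cap
        issuer.authorize("sony-eshop", tok, 3000, "2011-05")[0],       # False: cap exceeded
        issuer.authorize("mallory-shop", tok, 100, "2011-05")[0],      # False: wrong merchant
    ]
    new_tok = issuer.reissue(tok)                                      # merchant breached
    results.append(issuer.authorize("sony-eshop", tok, 100, "2011-06")[0])      # False: revoked
    results.append(issuer.authorize("sony-eshop", new_tok, 100, "2011-06")[0])  # True: new token
    return results
```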




RE: A questionable statistic
By wranglerangler on 5/25/2011 12:55:18 PM , Rating: 2
quote:
It's absurd that I must go to every single company I do business with and give them a new number whenever one of them screws up. That system scales abysmally, and it punishes the consumer instead of the company that lost the information in the first place.


In order to move to a new system that better protects consumers, companies would be required to make an investment that will yield almost no tangible returns. Executives and investors are finally starting to wake up to the potential costs of such a breach, thanks in no small part to the examples set by Sony and other companies who have not taken security seriously.

You can bet if Sony winds up shelling out as much as some people are predicting, there will be another surge in business for information security professionals as more companies are willing to make an upfront investment to protect themselves in the long run. However, I have to wonder how long that will last before complacency once again sets in even as techniques to defend against such attacks lag behind due to lack of ongoing investment. Until there is a true culture shift where data security becomes a true and lasting priority, this will be a vicious cycle.


RE: A questionable statistic
By KarmakazeNZ on 5/25/2011 5:32:35 PM , Rating: 2
You could almost say these hacks are a bunch of people getting their 'portfolio' out there. We all know the most successful hackers are hot property once they go "white hat".

