Sony Pictures' Russian site was hacked this weekend, shortly after its American counterpart was compromised, exposing over 1 million users.

The attacker was a familiar face, of late -- LulzSec.  (Source: LulzSec)

LulzSec decided to publish a small number of user accounts following the breach -- many of which belonged, reportedly, to elderly users. Some of these users have since been victimized. Where's the "lulz" in that?  (Source: AP Photo)

There are no real winners in the latest Sony hack

Sometimes there's a story that's just plain sad all around.  This is arguably the case with the latest hack of Sony Corp (6758), in which the company saw the compromise of another 1 million user records and hackers published private information on elderly users.

I. An Unsympathetic Cast

On the one side you have Sony -- a Japanese corporate giant.  The company has long reveled in its dominant position and hasn't been afraid to flex its muscle over users.  Back in 2005, the company installed rootkits on users' computers via music CDs.  The botched copy protection effort allowed malicious hackers to infect unwitting users' machines.

Likewise, Sony initially promoted Linux for the PlayStation 3, only to reverse position and turn its back on Linux PS3 users.  It could have merely cut support, but instead it actively tried to lock users with internet-connected consoles out of Linux, citing supposed "security concerns".  And when hardware hacker George "GeoHot" Hotz posted information to restore support (via jailbreaking the console), Sony harassed him in U.S. court, abusing a questionable judicial decision to invade the young man's privacy.

As unsympathetic a character as Sony is, on the other hand you have an equally flagrant party opposing it.  Much as Sony has abused its corporate power over users, hackers -- most notably Lebanon-based Idahc (Twitter) and the international group "LulzSec" (Lulz Security) -- have lorded their superior security skills over the clueless giant, constantly mocking and lashing it.

Caught in the midst of this battle are the company's millions of users, who are having their private information exposed.  Hackers have gleefully posted torrents of users' passwords, addresses, birthdays, and more online.

While it's possible that the lax security at Sony could have allowed some malicious users to access this information in the first place, the hackers have taken all the difficulty out of it.  Now your everyday clueless criminal can enjoy the same level of access as a sophisticated cyberthief.  Thus the risks have greatly increased for anyone who gave information to Sony.

II. Attacking the Elderly

LulzSec, who recently lashed out at veteran hacker publication 2600 and "th3j35t3r" -- a prominent anti-terrorist hacktivist -- yet again humiliated Sony's incompetent cyber security efforts this weekend.  This time the group hacked Sony Pictures servers, gaining access to (allegedly) over 1 million user records in a database that had been used to store entrants in a promotional contest.

The group didn't have to try that hard at this one.  Whereas they had to slave over kernel vulnerabilities in their recent pro-Wikileaks attack on news organization PBS, they were able to exploit Sony with an SQL injection attack -- a method that takes advantage of sloppy coding that pastes user-supplied input from URL requests straight into database queries.  Yes, this is the same "Little Bobby Tables" attack, as XKCD famously nicknamed it, which was used to exploit various Sony databases several times over the last few months [1] [2] [3].
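As an added illustration (not code from the original article, and not Sony's code), here are the two query-building patterns the paragraph contrasts, run against a constructed in-memory SQLite table: the string-concatenated lookup that lets a crafted URL parameter alter the statement, beside the parameterised version that treats the same input as a plain value. The table, column names and sample rows are assumptions made for the demo.

```python
import sqlite3

# Constructed sample rows standing in for a contest-entrant table (not Sony's schema).
ENTRANTS = [
    ("alice@example.com", "Alice", "1941-03-02"),
    ("bob@example.com", "Bob", "1985-07-19"),
    ("carol@example.com", "Carol", "1972-11-30"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entrants (email TEXT, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO entrants VALUES (?, ?, ?)", ENTRANTS)
    return conn


def lookup_vulnerable(conn, email):
    """The 'sloppy coding' pattern: the URL parameter is spliced into the SQL
    text, so quote characters inside it rewrite the statement instead of
    being compared against the column."""
    sql = "SELECT email, name FROM entrants WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so whatever the parameter contains is only ever data."""
    sql = "SELECT email, name FROM entrants WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a normal value and with the classic tautology
    input the article's "Little Bobby Tables" reference alludes to."""
    conn = make_db()
    benign = "bob@example.com"
    crafted = "x' OR '1'='1"  # constructed input; quotes break out of the literal
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),    # 1 row
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),  # every row leaks
        "hard_benign": len(lookup_hardened(conn, benign)),      # 1 row
        "hard_crafted": len(lookup_hardened(conn, crafted)),    # 0 rows: no such email
    }


if __name__ == "__main__":
    print(demo())
```

The hardened lookup returns nothing for the crafted string because the whole string is compared as an email address; the vulnerable one returns the entire table.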

The Sony Pictures Russian website was also hacked [Pastebin] over the weekend, though it is unknown how many admin and public accounts were compromised.  LulzSec joked in its post accompanying this intrusion:

In Soviet Russia, SQL injects you...

The group says they were not responsible for directly attacking the Russian site, indicating other parties were to blame.

In a display of questionable judgment, the group reportedly decided to publish excerpts of the user record set from the Sony Pictures breach, including elderly users (aged 60 and older) who were featured at the start of the file.  They posted the information in a torrent that included names, home addresses, passwords, and e-mail addresses.

Password reuse is rife even among moderately internet-savvy young people today, and among the majority of elderly users it's virtually a given.  Thus it is not surprising that there have been reports of malicious parties breaking into victims' other web accounts and committing malicious and possibly financially damaging mischief.

LulzSec remains unsympathetic for these attacks on the elderly, stating via Twitter:

I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere. Hey innocent people whose data we leaked: blame @Sony.

The data appears to be authentic -- the Associated Press has confirmed multiple users/addresses to be real.  Some account information appears to be faked -- likely by users who didn't wish to enter their real data for the contest.

III. What Can Be Done Here?

These hacks should be a wake-up call for Sony.  The company is used to being the bully.  Now it's getting bullied.  With nearly 105 million user records lost [1][2], the company should give a long hard thought to changing its corporate culture.  A small dose of humility can go a long way.

At this point Sony also needs to make some major adjustments to its security staff.  It needs to implement rigorous competence testing to identify who has the necessary skills to work in such a high-pressure position and who doesn't.  Incompetent and/or unproductive employees must be let go.

Likewise Sony needs a major change in its security management.  Managers are responsible for their employees’ failings, so if their staff gets cut, they should as well.  Sony needs to bring in talent from outside -- either experienced hires or contracted help.  But it must improve its staff, which -- as a whole -- has unquestionably proven its incompetence.

Likewise Sony needs to swallow its pride and take every database it hasn't carefully secured off its web servers.  It needs to switch from reactive defense to a more proactive approach.  It should consider any database not yet attacked a probable target.  Likewise it needs to take down any poorly secured pages and repost them only after rigorous penetration testing to ensure there are no gaping holes.

As for LulzSec the group joked:

We could just DDoS every Jihad website Jester takes down for 30 minutes at a time, but then the poor schizo bastard would have nothing left.

Well if they can do that, why don't they?  There are plenty of groups that deserve to be taken offline and deserve a whole boatload (LulzSec pun intended) of "Wild West" style web justice handed to them, including:

  1. Terrorists (who murder innocent civilians)
  2. Hate groups (which promote killing based on race or sexual orientation)
  3. Pedophiles (who assault defenseless youth)

Sony is no role model as far as customer treatment goes, but it's hard to argue that it's a greater villain than an al-Qaida suicide attacker or a child molester.

Griefing can seem enjoyable when its target is someone unpopular -- much like bullying.  But ultimately acting as a griefer (which arguably can be said of LulzSec) is a self-destructive choice.  

We doubt this is the last hack of Sony given their atrocious track record and the fact that the hacker sharks have smelled the lustful aroma of blood in the water.

But before hackers continue to whale on the hapless Sony, perhaps they should watch the movie Gran Torino.  Walt could easily have brought his gun and shot those local gang members when he confronted them.  But would his fictitious stand have had a fraction of the meaning or power had he sunk to their level?

Update:  Monday June 6, 2011, 7:05 p.m.

The article was initially worded in a way that implied that the archive solely included records of the elderly.  We've since obtained the archive and verified that it has multiple records -- including those of both elderly users and younger users.  Multiple news sources initially indicated that the record solely targeted the elderly.

This appears to be based upon the start of the record set consisting of users born in the 1920s (81 or older), 1930s (71 or older), and 1940s (61 or older).

We've updated the text to reflect this clarification.



Comments

RE: If only...
By Mumrik on 6/5/2011 8:35:05 PM , Rating: 5
They do seem to care:

"Re: Nintendo, we just got a config file and made it clear that we didn't mean any harm. Nintendo had already fixed it anyway. <3 them!"

They also seem to be hinting that Nintendo is doing a better job than Sony.


RE: If only...
By mikeyD95125 on 6/6/2011 4:17:21 AM , Rating: 1
Who would have thought that it would be the Wii fanboys to finally get off the forums and do something?


RE: If only...
By Samus on 6/6/2011 10:55:59 AM , Rating: 5
Of all these companies, Nintendo has never directly threatened users who mod their consoles. Even with the rapid gameboy/ds cart copiers/memcard emulators, all Nintendo does is try to get them out of the channel or go after the companies that manufacture/sell them. But never the end-user.

They don't ban consoles. Sony/Microsoft do.

Nintendo, much like Sega, also has lax security as they spend more time on producing a quality product (reliable hardware, decent games) than on pointless security restrictions for their consoles. Although both companies are from the cartridge era, where security was unnecessary, the Sega CD and GameCube had no security whatsoever (assuming you could copy the disc) and the Saturn just needed a disc swap during boot (just swap an ordinary game with a copy after the Saturn screen...)

Dreamcast and Wii are obviously easy bypasses, just some trickery of the laser or a software exploit.

Yet, they don't care, because they're not bullies. Even when Sega should have cared (because piracy DID have something to do with the demise of the Dreamcast) they still respected the rights of their average customer.


RE: If only...
By Mitch101 on 6/6/2011 11:34:47 AM , Rating: 2
Not sure I get where Lulzsec is going with all this. Either they know the FEDS are close to nabbing them and they are going out with a bang (probably not likely after reading some of their conversations with 2600) or they are so good at what they do they feel invincible and are taking on huge targets, maybe because they want to establish themselves as the premier group or because they are sick at what they see with major corporations' lack of security? Could just be showboating their ability with a "you can't catch me" because they feel they lack a challenge. Hacking could be their videogame?

In the end consumers might be the winner despite the burns, because security at major organizations that get cracked should significantly improve. Those who haven't might just be beefing things up because of the backlash this has incurred. At this point government really needs to rethink its identity theft prevention and its antiquated design. If they don't, consumers should push government for much stricter protection. All that Lulzsec is doing is maybe forcing people to demand more protection from this stuff.

On one hand I don't understand Lulzsec but on another I can't help but be impressed by their ability and I'm waiting to see where all of this is going. I haven't seen financial greed from them so I'm reserving my judgement till all is said and done.


RE: If only...
By Natfly on 6/6/2011 1:21:34 PM , Rating: 4
quote:
Not sure I get where Lulzsec is going with all this.

Maybe they are just doing it for the lulz?


RE: If only...
By TheDoc9 on 6/6/2011 2:40:18 PM , Rating: 2
Push government for stricter protection? Don't you mean the companies involved? Perhaps you meant push government into stricter punishment.


RE: If only...
By tastyratz on 6/6/2011 1:50:05 PM , Rating: 2
It is not that they don't care, it's that they understand it's a poor investment. No matter what your security, someone will break it, sometimes eventually, sometimes instantly. The key is to make it so it requires a level of technical expertise and clear modifications so you are not making warranty returns or getting piracy from sally mom and joe dad who are not technically proficient.
Attacking the end users is neither profitable nor good for their image, Nintendo just happens to be the only one to understand that.

If for no other reason I enjoy Nintendo existing purely as an example of integrity. No matter what they produce, they do so as a class act. I may not own or want a wii, but I support Nintendo.

Now if only we were graced with a new genesis...
A man can dream can't he?


RE: If only...
By MrBlastman on 6/6/2011 10:05:15 AM , Rating: 2
If they did care, they wouldn't be screwing the innocent after injecting Sony. I'd be fine if they just left it at tearing down the big bad company -- but publishing passwords and info from those who unwittingly used Sony's services, that I think is going too far.


RE: If only...
By HrilL on 6/6/2011 11:02:29 AM , Rating: 2
While I agree with you on how they shouldn't share people's private information, if they didn't then the damage to Sony wouldn't be as great. Once you turn their user base against them then they've got nothing. Sony looks to be on the path to failure.

This should be a wake up call for every big corporation that doesn't treat their users with respect and takes advantage of them. Surely they don't all want to fight a battle that they can not win.


Copyright 2014 DailyTech LLC.