

Sony Picture's Russian site was hacked this weekend, shortly after its American counterpart was compromised, exposing over 1 million users.

The attacker was a familiar face, of late -- LulzSec.  (Source: LulzSec)

LulzSec decided to publish a small number of user accounts following the breach -- many of which belonged, reportedly, to elderly users. Some of these users have since been victimized. Where's the "lulz" in that?  (Source: AP Photo)
There are no real winners in the latest Sony hack

Sometimes a story is just plain sad all around.  This is arguably the case with the latest hack of Sony Corp (6758), in which the company saw another 1 million user records compromised and hackers published private information on elderly users. 

I. An Unsympathetic Cast

On the one side you have Sony -- a Japanese corporate giant.  The company has long reveled in its dominant position and hasn't been afraid to flex its muscle over users.  Back in 2005, the company installed rootkits on users' computers via music CDs.  The botched copy protection effort allowed malicious hackers to infect unwitting users' machines.  

Likewise, Sony initially promoted Linux for the PlayStation 3, only to reverse position and turn its back on Linux PS3 users.  It could have merely cut support, but instead it actively tried to lock users with internet-connected consoles out of Linux, citing supposed "security concerns".  And when hardware hacker George "GeoHot" Hotz posted information to restore support (via jailbreaking the console), Sony harassed him in U.S. court, abusing a questionable judicial decision to invade the young man's privacy.

As unsympathetic a character as Sony is, on the other hand you have an equally flagrant party opposing it.  Much as Sony has abused its corporate power over users, hackers -- most notably Lebanese-based Idahc (Twitter) and the international group "LulzSec" (Lulz Security) -- have lorded their superior security skills over the clueless giant, constantly mocking and lashing it.

Caught in the midst of this battle are the company's millions of users, who are having their private information exposed.  Hackers have gleefully posted torrents of users' passwords, addresses, birthdays, and more online.

While it's possible that lax security at Sony could have allowed some malicious users to access this information in the first place, the hackers have taken all the difficulty out of it.  Now your everyday clueless criminal can enjoy the same level of access as a sophisticated cyberthief.  Thus the risk has greatly increased for anyone who gave information to Sony.  

II. Attacking the Elderly

LulzSec, who recently lashed out at veteran hacker publication 2600 and "th3j35t3r" -- a prominent anti-terrorist hacktivist -- yet again humiliated Sony's incompetent cyber security efforts this weekend.  This time the group hacked Sony Pictures servers, gaining access to (allegedly) over 1 million user records in a database that had been used to store entrants in a promotional contest.

The group didn't have to try that hard at this one.  Whereas they had to slave over kernel vulnerabilities in their recent pro-WikiLeaks attack on news organization PBS, they were able to exploit Sony with an SQL injection attack -- a method that takes advantage of sloppy code that pastes values from URL requests straight into database queries.  Yes, this is the same "Little Bobby Tables" attack, as XKCD famously nicknamed it, which was used to exploit various Sony databases several times over the last few months [1] [2] [3].
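To make that mechanism concrete, here is an added illustration that is not code from the article, from Sony, or from LulzSec: a toy lookup handler in Python over an in-memory SQLite table of made-up contest entrants, written once the sloppy way the paragraph describes (the URL parameter is spliced into the query text) and once with a parameterized query, which is the "best practice" methodology commenters below allude to. The table layout, the entrant records, the `user` query parameter and the request URLs are all constructed for this example.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample data standing in for a contest-entrant table.
# Names, addresses and dates are invented for this example.
ENTRANTS = [
    ("alice", "alice@example.com", "1942-03-11"),
    ("bob", "bob@example.com", "1988-07-02"),
    ("carol", "carol@example.com", "1935-12-30"),
]


def make_db():
    """Build a throwaway in-memory database with the sample entrants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entrants (username TEXT, email TEXT, birthdate TEXT)")
    conn.executemany("INSERT INTO entrants VALUES (?, ?, ?)", ENTRANTS)
    return conn


def username_from_url(url):
    """Extract the 'user' query parameter the way a web handler would.
    parse_qs undoes percent-encoding and turns '+' back into spaces."""
    query = parse_qs(urlsplit(url).query)
    return query.get("user", [""])[0]


def lookup_vulnerable(conn, url):
    """The sloppy pattern: whatever the client sent becomes part of the SQL text,
    so the database parses user input as query syntax."""
    username = username_from_url(url)
    sql = f"SELECT username, email FROM entrants WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, url):
    """Parameterized query: the statement is fixed and the value travels
    separately, so the input can only ever be compared as a string."""
    username = username_from_url(url)
    sql = "SELECT username, email FROM entrants WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run a normal and a malformed request through both code paths."""
    conn = make_db()
    normal_url = "https://contest.example/lookup?user=alice"
    # Constructed malformed value: the textbook tautology the article's
    # "Bobby Tables" reference alludes to. Decoded it reads x' OR '1'='1
    hostile_url = "https://contest.example/lookup?user=x%27+OR+%271%27%3D%271"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal_url),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile_url),
        "safe_normal": lookup_safe(conn, normal_url),
        "safe_hostile": lookup_safe(conn, hostile_url),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The vulnerable path returns one row for the ordinary request and the whole table for the malformed one, which is the "dump every record" outcome the article describes; the parameterized path returns one row and zero rows respectively, because no value of the parameter can change the shape of the query. The fix is not input filtering but keeping data and query text apart at the driver level.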

The Sony Pictures Russian website was also hacked [Pastebin] over the weekend, though it is unknown how many admin and public accounts were compromised.  LulzSec joked in its post accompanying this intrusion:

In Soviet Russia, SQL injects you...

The group says they were not responsible for directly attacking the Russian site, indicating other parties were to blame.

In questionable judgment, the group reportedly decided to publish excerpts of the user record set from the Sony Pictures breach, including elderly users (aged 60 and older) who were featured at the start of the file.  They posted the information in a torrent that included names, home addresses, passwords, and e-mail addresses.

Password reuse is rife even among moderately internet-savvy young people today, and among the majority of elderly users it's virtually a given.  Thus it is not surprising that there have been reports of malicious users hacking these users' other web accounts, committing malicious and possibly financially damaging mischief.

LulzSec remains unsympathetic for these attacks on the elderly, stating via Twitter:

I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere. Hey innocent people whose data we leaked: blame @Sony.

The data appears to be authentic -- the Associated Press has confirmed multiple users/addresses to be real.  Some account information appears to be faked -- likely by users who didn't wish to enter their real data for the contest.

III. What Can be Done Here?

These hacks should be a wake-up call for Sony.  The company is used to being the bully.  Now it's getting bullied.  With nearly 105 million user records lost [1][2], the company should give a long hard thought to changing its corporate culture.  A small dose of humility can go a long way.

At this point Sony also needs to make some major adjustments to its security staff.  It needs to implement rigorous competence testing to identify who has the necessary skills to work in such a high-pressure position and who doesn't.  Incompetent and/or unproductive employees must be let go.

Likewise Sony needs a major change in its security management.  Managers are responsible for their employees’ failings, so if their staff gets cut, they should as well.  Sony needs to bring in talent from outside -- either experienced hires or contracted help.  But it must improve its staff, which -- as a whole -- has unquestionably proven its incompetence.

Likewise Sony needs to swallow its pride and take every database it hasn't carefully secured off its web servers.  It needs to switch from reacting to attacks to a more proactive approach, treating any database not yet attacked as a probable target.  Likewise it needs to take down any poorly secured pages and repost them only after rigorous penetration testing confirms there are no gaping holes.

As for LulzSec the group joked:

We could just DDoS every Jihad website Jester takes down for 30 minutes at a time, but then the poor schizo bastard would have nothing left.

Well if they can do that, why don't they?  There are plenty of groups that deserve to be taken offline and deserve a whole boatload (LulzSec pun intended) of "Wild West" style web justice handed to them, including:

  1. Terrorists (who murder innocent civilians)
  2. Hate groups (which promote killing based on race or sexual orientation)
  3. Pedophiles (who assault defenseless youth)

Sony is no role model as far as customer treatment goes, but it's hard to argue that it's a greater villain than an al-Qaida suicide attacker or a child molester.

Griefing can seem enjoyable when its target is someone unpopular -- much like bullying.  But ultimately acting as a griefer (which arguably can be said of LulzSec) is a self-destructive choice.  

We doubt this is the last hack of Sony given their atrocious track record and the fact that the hacker sharks have smelled the lustful aroma of blood in the water.

But before hackers continue to whale on the hapless Sony, perhaps they should watch the movie Gran Torino.  Walt could easily have brought his gun and shot those local gang members when he confronted them.  But would his fictitious stand have had a fraction of the meaning or power had he sunk to their level?

Update:  Monday June 6, 2011, 7:05 p.m.

The article was initially worded in a way that implied that the archive solely included records of the elderly.  We've since obtained the archive and verified that it has multiple records -- including those of both elderly users and younger users.  Multiple news sources initially indicated that the record solely targeted the elderly.

This appears to be based upon the start of the record set being comprised of users born in the 1920s (81 or older), 1930s (71 or older), and 1940s (61 or older).

We've updated the text to reflect this clarification.



Comments

RE: Why?
By Camikazi on 6/5/2011 9:42:04 PM , Rating: 4
Actually both are held accountable, since when you take another person's important information you are expected to keep it safe and not do stupid things like leaving vault information around and doors unlocked. The bank would be held accountable for not using sufficient and easily found security measures to keep your information safe.


RE: Why?
By chick0n on 6/5/11, Rating: -1
RE: Why?
By Etsp on 6/6/2011 3:26:57 AM , Rating: 2
Two words: SQL Injection.

There are methodologies for entering user information into databases that are quite secure and immune to injection attacks. These methodologies are considered to be best practice when dealing with user input.

The fact that Sony fell victim to this type of attack, in multiple locations, indicates that they have a significant issue in their security policy.


RE: Why?
By Whedonic on 6/6/2011 6:16:51 AM , Rating: 2
Not to mention that Sony, in their wisdom, decided to store user information as plain text documents.
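The article's password-reuse point and this comment's plaintext-storage point are two halves of the same failure: a leaked plaintext password is immediately usable on every other site where it was reused. As an added example (not code from the article, the commenter, or Sony), here is the standard mitigation in Python's standard library: store only a salted, iterated PBKDF2-HMAC-SHA256 digest and verify by recomputing it. The record format `pbkdf2_sha256$iterations$salt$hash`, the iteration count and the two sample users (who deliberately share a password) are constructed for this example.

```python
import hashlib
import hmac
import os

# Cost parameters for PBKDF2-HMAC-SHA256 (values chosen for this example;
# the iteration count is a tunable work factor to raise as hardware improves).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    Only this record is stored; the password itself never reaches the database."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time so timing does not reveal how many bytes matched."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed sample: two entrants who reuse the same password. A plaintext
# dump would expose both the password and the fact that it is shared.
SAMPLE_USERS = {"alice": "correct horse", "carol": "correct horse"}


def build_store(users):
    """What the database would actually hold: one salted record per user."""
    return {name: hash_password(pw) for name, pw in users.items()}


def same_password_same_record(store):
    """True only if identical passwords produce identical stored records,
    the giveaway that storage is unsalted (or plaintext)."""
    return store["alice"] == store["carol"]


if __name__ == "__main__":
    store = build_store(SAMPLE_USERS)
    for name, record in store.items():
        print(name, record)
    print("alice login ok:", verify_password("correct horse", store["alice"]))
    print("records collide:", same_password_same_record(store))
```

Because each record carries its own random salt, the two users' entries differ even though their passwords are identical, and a stolen table yields neither the passwords nor the reuse relationship without a per-record brute-force effort. PBKDF2 is used here because it ships with the standard library; a memory-hard function such as scrypt or Argon2 is the usual choice where available.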


RE: Why?
By EricMartello on 6/6/11, Rating: 0
RE: Why?
By chick0n on 6/6/11, Rating: -1
RE: Why?
By woofersus on 6/6/2011 12:16:30 PM , Rating: 4
Right, so helping some scammer screw grandma out of her life savings is ok, because then she'll have learned her lesson about putting all that info on her facebook page? That'll serve her well in her last 5 years of life which will now be spent in poverty.

And in some cases, you ARE required to give a company certain private information in order to receive services. Should we be deprived of all services that require such information? No, nobody forced them, but shouldn't they have the right to obtain the services they desire without fear?

Sure lots of people should be smarter about what they do online, but that doesn't give anybody the right to abuse them for it.


RE: Why?
By wranglerangler on 6/6/2011 10:08:30 AM , Rating: 1
As someone deeply involved in securing corporate information for a number of years now, I have a professional interest and have followed this story very closely. I can say unequivocally that Sony does indeed suck at security.

You are clearly the one who doesn't understand the situation if you are trying to defend them in this.

