Sony Picture's Russian site was hacked this weekend, shortly after its American counterpart was compromised, exposing over 1 million users.

The attacker was a familiar face, of late -- LulzSec.  (Source: LulzSec)

LulzSec decided to publish a small number of user accounts following the breach -- many of which belonged, reportedly, to elderly users. Some of these users have since been victimized. Where's the "lulz" in that?  (Source: AP Photo)
There are no real winners with the latest Sony hack

Sometimes there's a story that's just plain sad all around.  This is arguably the case with the latest hack of Sony Corp (6758), in which the company saw the compromise of another 1 million user records and hackers published private information on elderly users. 

I. An Unsympathetic Cast

On the one side you have Sony -- a Japanese corporate giant.  The company has long reveled in its dominant position and hasn't been afraid to flex its muscle over users.  Back in 2005, the company installed rootkits on users' computers via music CDs.  The botched copy protection effort allowed malicious hackers to infect unwitting users' machines.  

Likewise, Sony initially promoted Linux for the PlayStation 3, only to reverse position and turn its back on Linux PS3 users.  It could have merely cut support, but instead it actively tried to lock users with internet-connected consoles out of Linux, citing supposed "security concerns".  And when hardware hacker George "GeoHot" Hotz posted information to restore support (via jailbreaking the console), Sony harassed him in U.S. court, abusing a questionable judicial decision to invade the young man's privacy.

As unsympathetic a character as Sony is, on the other hand you have an equally flagrant party opposing it.  Much as Sony has abused its corporate power over users, hackers -- most notably Lebanese-based Idahc (Twitter) and the international group "LulzSec" (Lulz Security) -- have lorded their superior security skills over the clueless giant, constantly mocking and lashing it.

Caught in the midst of this battle are the company's millions of users, who are having their private information exposed.  Hackers have gleefully posted torrents of users' passwords, addresses, birthdays, and more online.

While it's possible that the lax security at Sony could have allowed some malicious users to access this information in the first place, the hackers have taken all the difficulty out of it.  Now your everyday clueless criminal can enjoy the same level of access as a sophisticated cyberthief.  Thus the risks have greatly risen for anyone who gave information to Sony.  

II. Attacking the Elderly

LulzSec, who recently lashed out at veteran hacker publication 2600 and "th3j35t3r" -- a prominent anti-terrorist hacktivist -- yet again humiliated Sony's incompetent cyber security efforts this weekend.  This time the group hacked Sony Pictures servers, gaining access to (allegedly) over 1 million user records in a database that had been used to store entrants in a promotional contest.

The group didn't have to try that hard at this one.  Whereas they had to slave over kernel vulnerabilities in their recent pro-Wikileaks attack on news organization PBS, they were able to exploit Sony with an SQL injection attack -- a method that takes advantage of sloppy coding that splices unvalidated input from URL requests directly into database queries.  Yes, this is the same "Little Bobby Tables" attack, as XKCD famously nicknamed it, which was used to exploit various Sony databases several times over the last few months [1] [2] [3].
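To make the flaw concrete, here is an added example (not code from the article, from Sony, or from the attackers) of a contest-entrant lookup that pastes a URL parameter into its SQL text, next to the parameterized form that keeps the input as data; the table name, columns and rows are constructed for the example.

```python
import sqlite3

# Constructed sample entrants standing in for a contest-entry table; every
# value here is made up for this example, none comes from the breach.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice Example", "1931-04-02"),
    ("bob@example.com", "Bob Example", "1988-11-17"),
    ("carol@example.com", "Carol Example", "1945-08-30"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entrants (email TEXT, name TEXT, birthdate TEXT)")
    conn.executemany("INSERT INTO entrants VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Lookup as the article describes it: the URL parameter is pasted into
    the SQL text, so quotes in the input rewrite the query itself."""
    sql = "SELECT email, name FROM entrants WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the input is bound to a placeholder and stays data,
    whatever characters it contains."""
    return conn.execute(
        "SELECT email, name FROM entrants WHERE email = ?", (email,)
    ).fetchall()


# A tautology probe of the kind shown in the comic: in the vulnerable lookup
# it turns the WHERE clause into "email = 'x' OR '1'='1'" and returns every
# row. (The stacked "; DROP TABLE" form from the comic fails here only
# because sqlite3's execute() refuses to run more than one statement.)
PROBE = "x' OR '1'='1"


def demo():
    """Return (rows leaked by the vulnerable lookup, rows from the safe one)."""
    conn = make_db()
    return lookup_vulnerable(conn, PROBE), lookup_parameterized(conn, PROBE)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned %d rows" % len(leaked))   # 3
    print("parameterized lookup returned %d rows" % len(safe))  # 0
```

The parameterized lookup returns nothing for the probe because no entrant's e-mail literally equals the probe string; the same binding protects every other column the site might filter on.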

The Sony Pictures Russian website was also hacked [Pastebin] over the weekend, though it is unknown how many admin and public accounts were compromised.  LulzSec joked in its post accompanying this intrusion:

In Soviet Russia, SQL injects you...

The group says it was not responsible for directly attacking the Russian site, indicating other parties were to blame.

In questionable judgment, the group reportedly decided to publish excerpts of the user record set from the Sony Pictures breach, including elderly users (aged 60 and older) who were featured at the start of the file.  They posted the information in a torrent that included names, home addresses, passwords, and e-mail addresses.

Password reuse is rife even among moderately internet-savvy young people today, and among the majority of elderly users it's virtually a given.  Thus it is not surprising that there have been reports of malicious users hacking users' other web accounts, committing malicious and possibly financially damaging mischief.

LulzSec remains unsympathetic for these attacks on the elderly, stating via Twitter:

I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere. Hey innocent people whose data we leaked: blame @Sony.

The data appears to be authentic -- the Associated Press has confirmed multiple users/addresses to be real.  Some account information appears to be faked -- likely by users who didn't wish to enter their real data for the contest.

III. What Can be Done Here?

These hacks should be a wake-up call for Sony.  The company is used to being the bully.  Now it's getting bullied.  With nearly 105 million user records lost [1][2], the company should give a long hard thought to changing its corporate culture.  A small dose of humility can go a long way.

At this point Sony also needs to make some major adjustments to its security staff.  It needs to implement rigorous competence testing to identify who has the necessary skills to work in such a high-pressure position and who doesn't.  Incompetent and/or unproductive employees must be let go.

Likewise Sony needs a major change in its security management.  Managers are responsible for their employees’ failings, so if their staff gets cut, they should as well.  Sony needs to bring in talent from outside -- either experienced hires or contracted help.  But it must improve its staff, which -- as a whole -- has unquestionably proven its incompetence.

Likewise Sony needs to swallow its pride and take down all databases off its web servers that it hasn't carefully secured.  It needs to switch from reactive defense to a more proactive approach.  It should consider any database not yet attacked a probable target.  Likewise it needs to take down any poorly secured pages and repost them only after rigorous penetration testing to ensure there are no gaping holes.

As for LulzSec the group joked:

We could just DDoS every Jihad website Jester takes down for 30 minutes at a time, but then the poor schizo bastard would have nothing left.

Well if they can do that, why don't they?  There are plenty of groups that deserve to be taken offline and deserve a whole boatload (LulzSec pun intended) of "Wild West" style web justice handed to them, including:

  1. Terrorists (who murder innocent civilians)
  2. Hate groups (which promote killing based on race or sexual orientation)
  3. Pedophiles (who assault defenseless youth)

Sony is no role model as far as customer treatment goes, but it's hard to argue that it's a greater villain than an al-Qaida suicide attacker or a child molester.

Griefing can seem enjoyable when its target is someone unpopular -- much like bullying.  But ultimately acting as a griefer (which arguably can be said of LulzSec) is a self-destructive choice.  

We doubt this is the last hack of Sony given their atrocious track record and the fact that the hacker sharks have smelled the lustful aroma of blood in the water.

But before hackers continue to whale on the hapless Sony, perhaps they should watch the movie Gran Torino.  Walt could easily have brought his gun and shot those local gang members when he confronted them.  But would his fictitious stand have had a fraction of the meaning or power had he sunk to their level?

Update:  Monday June 6, 2011, 7:05 p.m.

The article was initially worded in a way that implied that the archive solely included records of the elderly.  We've since obtained the archive and verified that it has multiple records -- including those of both elderly users and younger users.  Multiple news sources initially indicated that the record solely targeted the elderly.

This appears to be based upon the start of the record set being comprised of users born in the 1920s (81 or older), 1930s (71 or older), and 1940s (61 or older).

We've updated the text to reflect this clarification.



Comments



Might redress the balance a bit?
By Dribble on 6/6/2011 5:00:21 AM , Rating: 1
If you abuse your position then sometimes you get a reaction. That reaction isn't always above board (e.g. Rodney King riots) but it often has a beneficial effect.

Big corporates have always enjoyed stepping on the little people - using their superior resources and a broken legal system that means the rich win to stop anyone opposing them.

The hackers are immune to that particular big stick. Now you can bet they will think twice before deciding to harass people and provoking an expensive reaction from people they can't sue into submission.




RE: Might redress the balance a bit?
By woofersus on 6/6/2011 1:22:51 PM , Rating: 5
So targeting the innocent is ok if it serves the larger ideological goal? Gee, what does that sound like? This is nothing more than cyber-terrorism, but instead of a religious, political, or social ideology it's about being able to put Linux on a PS3 so they can pirate their precious video games. How's that for moral high ground?

Note, I'm not comparing these attacks to people dying or anything, but my point is that the rationale is similarly selfish and lacking in perspective.

It's fine if you think Sony is wrong, and I can even see wanting to try to leverage them in some way more than the completely legal act of not buying their products. (that's how markets pick winners and losers in a non-destructive way, fyi) I could almost agree if lulzsec was just exposing Sony's ineptitude and publicly embarrassing them to force them to improve, but they've clearly stated that's not what this is about, and to steal and release other people's info is inexcusable. What about Sony's infringement upon their rights to use a piece of hardware however they please gives them the right to abuse the privacy of millions of people? Do those people not have rights? Do they not matter? Make no mistake here, some of those people will suffer more than a privacy breach. Many will be materially harmed, and for a lot more than the purchase of the PS3 that will only perform its designed function instead of whatever they wanted. How about assisting other criminals? Perhaps in their own defense they should leave a note that says "Hey, blame @lulzsec" and that will make them justified.

And what goal will all of this ultimately serve? Even if Sony caves they'll still need to find other ways to prevent piracy, both of their own IP and those of game developers who they need to develop on their platform. How about when all games are cloud-based and paid by monthly subscription? Will that be better for consumers? You can't expect companies to not try to protect their IP. Not only will these people have screwed over millions for the sake of their PS3s, but they will ultimately make the user experience worse for everybody. It's like the middle of the last decade when similar groups kept writing viruses for Windows XP "because Microsoft wasn't responsible about securing their software" as if they were performing some sort of service to mankind. Tons of people were inconvenienced or had to spend money to have their computers repaired, and some had their identities stolen and many got scammed. Microsoft responded with things like UAC (which most users hated even though it really worked) and other restrictions that ultimately did make things more secure, but wouldn't it have been better for everybody if it had not been necessary? Mac OS is far less secure than Windows and has been for a long time, but because of the far smaller installed user base it doesn't get targeted. If it were all about principle, why would that be? So much for altruistic hacking.

It is a laughably incorrect belief that punishing a publicly held corporation by harming its customers is protecting the little guy. How about stockholders who invested their hard-earned money and hoped to earn a return from that? (which includes union pensioners and people like me with 401k accounts - not just "wall street fatcats") Are those not "little guys?" How about the employees of that company who might lose their livelihood if the company fails? There are probably only a few at the very top who can afford to have that happen and not be adversely affected. And then of course the poor customers who got screwed. Who exactly is the "big guy" in that equation? The CEO? Well congratulations on ruining his day a few times. I'm sure all those millions of people will appreciate that. How about if we're concerned about the balance of power between businesses and consumers we ask all those customers who aren't looking to pirate some company's intellectual property what they would prefer? I'm not sure I, as a consumer, can sympathize much with a group that screws me over in order to protect their rights to pirate video games.

It IS shameful that Sony did such a bad job of protecting its users' data, but the ultimate irony is that it never would have mattered if not for lulzsec. THEY are the ones who screwed all those people. THEY are the reason so many security measures are necessary. THEY are the criminals that users have to be protected against.

Claiming some sort of moral validation for these actions is a JOKE. These people are scumbags that care only about themselves. If these attacks continue, governments will realize what a threat they are to commerce and start taking seriously the effort to track the perpetrators down. Perhaps when that happens a few of these guys will land in prison and some very large fellow inmate with an unfortunate amount of body hair will hack their colons using a backdoor exploit (no trojan required!) and say "hey, blame @evolution for leaving that gaping hole there." We'll see how much that benefits the little guy in the end.


By Dribble on 6/7/2011 5:30:06 AM , Rating: 2
I never said hacking was right, any more than the race riots in LA were right, but you can bet it will have an effect.

In LA the police now think twice before beating up black people in case there's someone with a camcorder nearby because they know what could happen then.

In future Sony will think twice before suing the guy trying to use his PS3 to run Linux, as will most other big companies in similar situations because they know they risk getting targeted by the hacking community.

This is something that would not have been achieved by just complaining to Sony, no more than lots of black people complaining about being beaten up by the police in LA was having any effect.
















Copyright 2014 DailyTech LLC.