Sony Suffers Yet More Security Breaches

Posted by Unknown Lamer
from the flogging-a-dead-sony dept.
Oldcynic writes "As Sony struggles to restore the PlayStation Network, we receive news today of another breach, this time at Sony Ericsson in Canada. 'Sony Corp. spokesman Atsuo Omagari said Wednesday that names, email and encrypted passwords may have been stolen from the Sony Ericsson Canada website, but no credit card information was taken.' Another group managed to penetrate Sony Entertainment Japan yesterday as well. I almost feel bad for them."
  • by elrous0 (869638) * on Wednesday May 25, 2011 @10:46AM (#36238814)

    I've always said that Sony is the most control-freak tech company in the world (making even Nintendo and Apple look sedate by comparison), a company that would happily shoot itself in the foot rather than lose even an *inch* of control of its media, its IT, or its technology.

    From the rootkit fiasco, their obsessive lockdown of Blu-ray (which of course, was cracked), and (many) assorted other lawsuits--Sony has established itself as the kind of company who would happily put a spy camera in everyone's home to make sure that no one is watching a pirated copy of Spiderman 3 (though why anyone would want to watch even a free version of that or just about any other Sony movie is beyond me).

    But now they've removed a little-used and fairly innocuous Linux feature from the PS3, and then busted a guy who jailbroke the machine in response. Not only did they send in thugs to kick his door down and take all his shit (then strongarm him into admitting guilt to something that, before the DMCA, wouldn't even be considered a crime), but they even went as far as to try to force ISPs to hand over the identities of everyone who even DISCUSSED the hack on his website or blog.

    Well, was it worth it, Sony?

    • by somaTh (1154199) on Wednesday May 25, 2011 @10:54AM (#36238894) Journal

      Sony has established itself as the kind of company who would happily put a spycamera in everyone's home

      So THAT's what the PlayStation Eye is for!

    • now they've removed a little-used and fairly innocuous Linux feature from the PS3, and then busted a guy who jailbroke the machine in response

      They actually removed that feature as a response to GeoHot announcing he was going to crack the PS3. But the end result is the same.

      • by Duradin (1261418)

        "The Doctor: People assume that time is a strict progression of cause to effect, but actually, from a non-linear non-subjective viewpoint, it's more like a big bowl of wibbly wobbly timey wimey... stuff. "

        Understand that and you'll understand the Church of St. George and save yourself a bunch of karma.

      • by h4rr4r (612664) on Wednesday May 25, 2011 @11:53AM (#36239690)

        So instead of fixing their security issue they decided to steal value from consumers. What a wonderful company.

        • The "security issue" to get into the system wasn't known at that point, nor is there any way to realistically stop someone cracking DRM on any system in the long run. They just wanted to make it harder for him to do so. The types of managerial doofuses that pulled it probably even believed that they would stop him by doing so. I'm not saying that Sony is wonderful, I was just correcting the facts.

      • by Legion303 (97901)

        "They actually removed that feature as a response to GeoHot announcing he was going to crack the PS3."

        They actually have never said anything of the sort. And let's be clear about what Geohot actually said, while we're at it: he wanted to modify OtherOS to take full advantage of the PS3's hardware rather than the limited set it could use as released. So Sony *may* have removed OtherOS as a response to someone uncrippling it and making it somewhat useful, but there is zero evidence for this theory.

        • Zero evidence? [wikipedia.org]. It's not a 100% guaranteed link I suppose, but the timing and Sony's actions since make it 99.9999999999999% likely that was the reason.

    • ...admitting guilt to something that, before the DMCA, wouldn't even be considered a crime...

      There are indeed many things in life that were not illegal until they were.

      • by _Sprocket_ (42527) on Wednesday May 25, 2011 @11:06AM (#36239038)

        ...admitting guilt to something that, before the DMCA, wouldn't even be considered a crime...

        There are indeed many things in life that were not illegal until they were.

        That is actually a fundamental concept in law - whether one has inherent rights and law adds restrictions or whether one's rights are expressly granted by law.

    • by DurendalMac (736637) on Wednesday May 25, 2011 @11:20AM (#36239246)
      Yeah, but it's just getting excessive now. When Moe pokes Curly in the eyes, it's funny. When Moe beats Curly to death with a lug wrench and then dismembers him with a chainsaw, then...well, actually, it's still funny.

      Carry on.
    • by DarkOx (621550)

      I still have not seen any shred of evidence that any of these attacks are in response to the removal of the Other OS feature or the lawsuit against Geh0t (or whatever his handle was). I think if these attacks were retaliatory the people behind them would find some way of making that publicly and certainly known. It would do more for their cause.

      It's just as likely, possibly more likely, that the first big attack on PSN was entirely opportunistic: somebody spotted a hole and figured it was a good chance to get ho

  • Somewhere out there, there's a hacker with a world map and a bunch of pins. Also, an intense dislike of Sony.
    • Re:Again? (Score:4, Insightful)

      by somersault (912633) on Wednesday May 25, 2011 @11:03AM (#36238988) Homepage Journal

      More likely a lot of separate individuals/groups who want to join in on the Sony bashing trend.

    • Somewhere out there, there's an army of hackers with a world map and a bunch of pins. Also, an intense dislike of Sony.

      FTFY.

      Sony pissed off exactly the wrong people. Many many many times over. They've had this coming for awhile.

      Disclaimer: I am in no way affiliated with any said army. I am simply surmising based on the massive and intense hatred of Sony amongst groups of people among whom I have several acquaintances. All for similar reasons, each with his/her own particular straw that broke the camel's back. Recent events are really just fanning the flames of a fire Sony had already started.

      • by socsoc (1116769)
        Good thing you posted a disclaimer.

        Disclaimer: I in no way agree with parent and fully support Sony with my money and first born child.

      • Re:Again? (Score:4, Insightful)

        by Allicorn (175921) on Wednesday May 25, 2011 @11:22AM (#36239274) Homepage

        Why extract the database of users' information if your goal is only to give a slap in the face to the evil corporation?

        It's almost as if the goal of this criminal activity wasn't heroic anti-corporatist hacktivism at all...

        • Of course it isn't. That is one of the reasons that Sony in particular is being targeted however.

          From what I can gather of the situation people that may not want to be involved in criminal activity are pissed off enough to help those that have no such qualms in some easily-denied way.

          Basically, Sony has pissed off enough people that it has painted a large target on its back saying "Come get me". This has an effect of making Sony the largest path of least resistance for anyone with questionable morals.

          • The bad guys heard in the news, "Sony hacked -- Cause: Unpatched Apache web servers," and just realized, "Holy shit that's the dumbest thing ever! Sony is totally crackable; Let's go crack the other vulnerable Sony servers -- If they were dumb once, they were likely dumb all over the place!"

            Granted, pissing off a bunch of hackers/crackers is not a smart move, but being known for having poor security practices is even worse.

        • by StikyPad (445176)

          I expect it's because simply destroying assets would only garner sympathy for Sony, whilst exposing customer data will undermine their credibility and customer faith, things which can't easily be replaced from backups or by installing new hardware. If attackers are successful in mounting a prolonged attack, breaching Sony's systems on a regular basis, eventually they could erode all customer (and creditor) support, and the company could crumble.

        • by drinkypoo (153816)

          It's very likely that this is a mix of hacktivism and actual crime. One disguises the other and both sides benefit from the confusion.

          It's hard to feel bad for Sony or Sony's customers either way. Sony's customers are funding this kind of crap.

        • Hard to tell, there's a ton of ways this could be

          1. Greedy thieves hear about Anon vs. Sony, launch an attack to steal valuables, and leave an "Anon was here" note to keep the authorities and Sony chasing 13-year-old kids instead of coming after them

          2. Activists realized actually harming the customers was bad for their message, take information without using it to force Sony to admit and apologize for a breach, without directly harming the users

          3. Activists are launching DDOS and other attacks keeping securi

        • by eepok (545733)

          Indeed. People love railing against "The Man", but their lack of perspective as it pertains to the genuine victims (the users) is disgusting and despicable. Sony will come out unharmed (minus a couple million dollars), but there is going to be a massive rash of identity theft which will empty private citizens' bank accounts, destroy credit, and likely ruin lives.

          But these jerks keep on like they're cheering on Robin Hood or something. The rich are well-insulated. The norms of the world will be bearing the real

        • Why extract the database of users' information if your goal is only to give a slap in the face to the evil corporation?

          Because stealing user information causes a much bigger hit to Sony's reputation among the customers than, say, defacing their website?

  • Karma (Score:3, Insightful)

    by what2123 (1116571) on Wednesday May 25, 2011 @10:47AM (#36238824)
    It's not sad to see this happening considering their reputation for the past 10 years. You cannot continually screw your revenue sources and expect to remain on top of the pyramid. Eventually it will all fall out from underneath you, one way or another.
    • Unfortunately, their customers are getting hurt in the process, which is what makes this sad. If it were just a matter of Sony getting beat down everywhere they turned, I would have no problem.
  • by Anonymous Coward on Wednesday May 25, 2011 @10:48AM (#36238836)
    Period.
    • You're probably right. After the initial attacks, the investigators have been there collecting evidence. The difference between Sony being the victim of a crime and the hackers committing crimes has significant ramifications. I expect that there will be a number of people who spend some time getting sodomized in federal prisons around the world followed up by the inability to ever hold a job in the IT industry, ever get any credit, ever hold a job of any trust, or ever accumulate any money as anything they

  • Security? (Score:5, Interesting)

    by muffen (321442) on Wednesday May 25, 2011 @10:52AM (#36238864)
    After it was discovered that Sony was installing rootkits on people's machines, Mr Thomas Hesse, president of Sony BMG's global digital business said, "Most people I think don't even know what a rootkit is, so why should they care about it?"

    They are just taking the same approach to Security, since they don't know what it is, why care about it?
  • the fucking you get for the fucking you get.

    • by outsider007 (115534) on Wednesday May 25, 2011 @11:08AM (#36239064)

      Agree. Sony has screwed more kids than the catholic church.

    • There's something oddly recursive about that statement.

      Please subscribe me to your newsletter.

      • The stop condition is "when a fucker that fucks someone that ain't fucked over anyone, in a particularly upsetting manner, in recent memory, gets fucked, the fucker fucking this fucker doesn't deserve to be fucked."

        It's simple. A child could understand it.
        • The stop condition is "when a fucker that fucks someone that ain't fucked over anyone, in a particularly upsetting manner, in recent memory, gets fucked, the fucker fucking this fucker doesn't deserve to be fucked." It's simple. A child could understand it.

          I'm glad you like the word "fuck"; However, it has clouded your logic. You just said: When someone who doesn't fuck any others has recently been brutally fucked, the person that fucked the innocent person does not deserve to be fucked.

          In short: The Bad guys can hurt innocents, and the bad guys don't deserve any retaliation. I don't think that's anywhere close to a stop condition. I think that spawns a new train of fuckers fucking, or at least one new fucker, due to the revenge said innocent is likely

  • by antifoidulus (807088) on Wednesday May 25, 2011 @10:55AM (#36238904) Homepage Journal
    From TFA:

    "E-mail, password, and names of thousands of users were exposed via text file"

    Why...why...WHY do people still insist on plain text passwords? Have these people ever heard of a hash? There is 0 reason ever to store a plaintext password, end of story. Anyone who designs a system that stores passwords in plain text should be fired on the spot.
    • Well, it looks like at least some of the passwords were hashed (also, please stop saying "encrypted" passwords, there is a world of difference between encryption and hashing!), but it's not clear that all the passwords were hashed.....
    • by xaxa (988988)

      Anyone who designs a system that stores passwords in plain text should be fired on the spot.

      Off-topic: my bank asks for the Lth, Mth and Nth characters of my password, which is better than asking for the whole lot. Is it possible to have a system like that without storing the password encrypted (rather than hashed)?

      • by Relayman (1068986)
        No. Any good encryption scheme encrypts your password as a complete character string. The password systems I work with use a one-way encryption method; if you have the encrypted value, you can't decrypt it to get the password. Having just three characters of your password should not be able to determine its validity unless they are decrypting your password (vulnerability) or storing it as plain text (vulnerability). This is an unacceptable method.
        • by vlm (69642)

          Having just three characters of your password should not be able to determine its validity unless they are decrypting your password (vulnerability) or storing it as plain text (vulnerability).

          There's a third possibility, Sony seems to operate at just the right level of clue to store each individual character in a separate column, although each individual character hashed of course for security reasons. (if you're reading this, and don't get the joke, please don't program anything using a password, unless you work at Sony, OK?)
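The joke above has a precise failure mode worth seeing in code. The following is an added example, not code from the thread or from Sony: a hypothetical "hash each character in its own column" store that can answer positional questions ("is the 5th character an x?"), with the reason it is no better than plaintext, beside a whole-password salted PBKDF2 store that can only answer whole-password checks. The alphabet, salt layout, iteration count and sample password are all constructed assumptions.

```python
import hashlib
import hmac
import os
import string

# Assumed alphabet (the thread's 62 mixed-case alphanumerics).
ALPHABET = string.ascii_letters + string.digits


# --- Scheme A: one salted hash per character column (the joke above) ---
# Positional checks work because every column verifies on its own.
# That independence is exactly the weakness.

def _column_hash(salt: bytes, position: int, ch: str) -> str:
    return hashlib.sha256(salt + bytes([position]) + ch.encode()).hexdigest()


def store_per_char(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "columns": [_column_hash(salt, i, ch) for i, ch in enumerate(password)]}


def verify_positions(record: dict, answers: dict) -> bool:
    """answers maps 0-based position -> the character the user typed."""
    return all(hmac.compare_digest(_column_hash(record["salt"], i, ch),
                                   record["columns"][i])
               for i, ch in answers.items())


def recover_per_char(record: dict) -> tuple:
    """Why a leaked per-character table is as good as plaintext: each column
    has only len(ALPHABET) possible preimages, so the whole password falls in
    at most 62 * len(password) hash evaluations. The salt blocks precomputed
    tables but does nothing against a search this small."""
    recovered, guesses = [], 0
    for i, column in enumerate(record["columns"]):
        for ch in ALPHABET:
            guesses += 1
            if _column_hash(record["salt"], i, ch) == column:
                recovered.append(ch)
                break
        else:
            raise ValueError(f"position {i}: character outside assumed alphabet")
    return "".join(recovered), guesses


# --- Scheme B: whole password, salt, slow KDF -------------------------------
# There is no way to ask "is the 5th character an 'x'?" and that is the point:
# the only thing the store can check is the complete password.

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware (assumed)


def store_whole(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_whole(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    password = "Tr0ub4dor"  # constructed sample password
    per_char = store_per_char(password)
    whole = store_whole(password)
    recovered, guesses = recover_per_char(per_char)
    return {
        # the bank-style "2nd, 5th and 9th character" check succeeds...
        "positional_check_ok": verify_positions(per_char, {1: "r", 4: "b", 8: "r"}),
        # ...and so does recovering the whole password from the stored table
        "recovered": recovered,
        "guesses": guesses,
        "upper_bound": len(ALPHABET) * len(password),
        "whole_ok": verify_whole(whole, password),
        "whole_wrong": verify_whole(whole, "Tr0ub4doR"),
    }


if __name__ == "__main__":
    print(demo())
```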

        • by amorsen (7485)

          You cannot encrypt a password both in transfer and on disk (unless you use a separately encrypted channel with separate authentication, but then why do you need a password?). For a lot of things it is more important that you can use the password to establish a secure channel than it is to store the password as a hash.

          E.g. with the simple "ask for three specific characters from the password" method you gain almost-one-time-passwords, so a keylogger on a public terminal cannot empty your bank account afterwar

          • by h4rr4r (612664)

            You also just reduced the length of the password to 3 chars. Nice and guessable. Even if it changes which three, you are increasing the odds of a collision.

            • by canajin56 (660655)
              Mixed case alphanumeric is 62 characters. So even if nobody uses symbols at all, that "nice and guessable" is one in 238,328. Yeah, so fucking trivial. You can basically get in each time. Well, except that if an IP makes multiple failed attempts it will be locked out. So you'll need several hundred thousand nodes in your botnet. And each individual account will also get locked as it's being hammered. So if you have some 80,000 bots odds are even that as you target 80,000 people's accounts, you'll proba
            • by bryan1945 (301828)

              If they changed which 3 characters for each failed attempt (and even successful attempts), with a timed lock out after X failed attempts, the odds decrease a bit. I'm not doing the math.

          • by makomk (752139)

            You cannot encrypt a password both in transfer and on disk (unless you use a separately encrypted channel with separate authentication, but then why do you need a password?)

            Technically that's not true; take a look at some of the various password-authenticated key agreement [wikipedia.org] schemes out there. Unfortunately it appears to be a bit of a patent minefield...

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Also from TFA, it says the passwords were "encrypted". What wasn't in TFA is the phrase "plain text" - that part YOU added. Way to get worked up over something that you formulated.

    • by mcrbids (148650)

      Why...why...WHY do people still insist on plain text passwords? Have these people ever heard of a hash? There is 0 reason ever to store a plaintext password, end of story. Anyone who designs a system that stores passwords in plain text should be fired on the spot.

      I agree that saving passwords as hashes presents a much better security model, but you are just wrong to think that there is no reason to keep them in plain text.

      The real world isn't quite so black and white!

      1) It's "unfriendly" to require users to

  • by AAWood (918613) <aawood@@@gmail...com> on Wednesday May 25, 2011 @10:57AM (#36238918)
    Seriously, how long until Sony head office just tells every department to yank their network cables until a full security audit is done? This is just embarrassing at this point.
    • by lennier1 (264730) on Wednesday May 25, 2011 @11:02AM (#36238976)

      I get the impression they're not even trying anymore.

      • I get the impression they're not even trying anymore.

        If they were trying in the first place, we probably wouldn't be hearing about all these breaches.

    • by Captain Spam (66120) on Wednesday May 25, 2011 @12:05PM (#36239846) Homepage

      Seriously, how long until Sony head office just tells every department to yank their network cables until a full security audit is done? This is just embarrassing at this point.

      What costs more, cutting off all online sales and hiring an audit team for X amount of time, or closing your eyes and ears reeeeeeeeeeally tight until everyone forgets about this in a couple months?

      Er... hang on, let me clarify: What costs more in the short term, within the attention span of the CEO/CIO of a modern multi-bazillion dollar megaconglomerate? Remember to factor in that "admitting we made a mistake" is a near-infinite cost in this case! If you never admit it, it never happened!

  • Pinkertons (Score:5, Interesting)

    by Gotung (571984) on Wednesday May 25, 2011 @10:59AM (#36238944)
    I wonder if this rise in internet vigilante-ism is going to birth a corporate funded internet version of the Pinkertons. I.E. a group of black hat hackers paid by big corporations to hunt down and ruin groups like Anonymous through less than legal means.
    • Or ruin other companies.

      It's funny, the first time I read Neuromancer years ago everything in it seemed so far fetched. Sorry Mr. Gibson, it appears you were right on a number of things. Black hats may become a solution for everyone -- vigilantes, interest groups, corporations, criminals, etc. Why rob a bank with guns when you can combine hacking and social engineering to make money appear from nowhere and appear legitimate? If a politician's opponent is raising massive funds with a website, it can be taken

    • Re:Pinkertons (Score:4, Insightful)

      by rsborg (111459) on Wednesday May 25, 2011 @03:27PM (#36242718) Homepage

      I wonder if this rise in internet vigilante-ism is going to birth a corporate funded internet version of the Pinkertons. I.E. a group of black hat hackers paid by big corporations to hunt down and ruin groups like Anonymous through less than legal means.

      I wouldn't put it past the entrenched powers to use whatever means necessary to get this done (i.e., either digital brown-shirts, or burning down the commons through excessive and unconstitutional legislation that's been "purchased"). I'm guessing it'll be a combination of both, but in the short term, expect more of the "internet death sentence" type of reaction.

      I do posit this is going to get much worse. Every day, it feels like the seemingly paranoid rants by RMS [gnu.org] seem more like the prophetic prognostications of a Cassandra who's seen the future hoping to help us avoid it.

  • Feel bad for them? The fuck? "They" are a corporation, whose only reason for existence is to make money. Sure, there might be individuals working there with morals, but the company itself has none at all--regardless of what US law says, it's not a person.

    This corporation has spied on, sued, made vulnerable to other attacks, and bullied its customers, potential customers, competitors, and little bald children with cancer who were lying in a bed that Sony had to put its muddy boot up on to tie its laces. And, probably because it thought it could get away with overworking or undertraining its net admins, it cut corners when it came to security. The security of its customers' credit card info. Who, after all the bullshit Sony pulled, still paid for their shit, and put their credit at risk, unlike those who "stole" from Sony, who won't have what they bought taken away at the first whim, who aren't badgered every time they want to watch a movie on a different device, who don't have to sit through unskippable guilt-trips and FBI warnings, and don't have to pay again when the disc gets scratched.

    Almost feel bad for them? Ha! I'm not even close to feeling bad for them. There is no possible amount of "suffering" that could make me feel bad for them. Call me when Sony wakes up one morning with a pain in its left arm and is forced to face its own mortality.

    • by Culture20 (968837)

      And, probably because it thought it could get away with overworking or undertraining its net admins, it cut corners when it came to security.

      Listen up, HR. Don't skimp on IT salary or benefits. When your IT group thinks it needs more manpower, it needs more manpower. An understaffed/undertrained IT staff is like hiring Barney Fife for your bank guard; a lot of bluster and bravado, but only one bullet kept in his shirt pocket.

      • by ddd0004 (1984672)

        You know there are some IT staff with Sony who are getting the double beat down of getting their ass chewed and working an 80+ hour week. Most places I've worked couldn't be bothered to improve security because the people who make decisions are only concerned with ROI as a number and then they attempt to choose the bigger number. It's always foot jammed on the gas pedal on new developments and no concern with existing infrastructure.

    • Did they kick your puppy, too?

      Most of the things you mentioned were poor corporate decisions. Nothing I'd consider malicious. Sony employees have demonstrated ineptitude time and time again. I get it. But this attack on Sony is only helping the even more evil corporation over in Redmond.

      Sony's not trying to lock governments into their technologies. Almost everything they sell is a consumer device. If you don't like what they do as a company, don't buy their products. I don't have that luxury with Microsoft:

      • Did they kick your puppy, too?

        Most of the things you mentioned were poor corporate decisions. Nothing I'd consider malicious. Sony employees have demonstrated ineptitude time and time again. I get it. But this attack on Sony is only helping the even more evil corporation over in Redmond.

        I consider looking at me and seeing only a wallet and a bunch of strings to pull malicious. There is no other possible outcome of that viewpoint.

        Sony's not trying to lock governments into their technologies. Almost everything they sell is a consumer device. If you don't like what they do as a company, don't buy their products. I don't have that luxury with Microsoft: I need Windows and Office for work and my tax dollars inevitably go toward putting Windows on government computers.

        That's only a question of the products they make. If Sony made OSs, you'd better believe they'd be trying to lock their profits in. Sony would kill, and I mean that quite literally if they thought they could get away with it, they would flat-out murder to be in Microsoft's position. This isn't a question of degree, where one company is more evil than the other--com

  • I get it, they've done a ton of unpopular things, but what has all of this hacking done? Do they really think it's made them think twice about potentially unpopular business decisions? Are a ton of other hacker just jumping on a bandwagon because they can? Do you think that losing all that money will inspire them to do good by their consumers? I can only speculate as to the true intentions of the hackers out there, but it kinda bothers me when I get the impression that people are doing this to "get back at
    • by Rydia (556444)

      A bunch of crackers got a hold of boatloads of personal information that they can sell for cash money.

      That is what it's done. There may be some sort of vendetta, and there definitely is the feeling that Sony is a personal information pinata, but that's really what it is at its core.

  • Good to see their failure to correctly prioritize who is important (the actual Customer) is beginning to cause them problems.
  • Okay, the Ponemon Institute claims the average data breach cost per record in 2010 was $214. Sony exposed 77,000,000 records in the PSN breach. Ponemon has a corporate shill From TFA:

    Sony is expecting costs related to its online security woes of 14 billion yen ($173 million), covering customer support, freebie packages, legal costs, lower sales and measures to beef up security.

    calc.exe tells me: 173000000/77000000=2.2467532467532467532467532467532 So, how is it that this is costing Sony a little over 1% o

    • Sorry, meant to say:

      Ponemon has a corporate shill feel to their research, IMHO, but I can't imagine they're that far off. From TFA:

      I guess I should have used the preview button.

    • by Noughmad (1044096)

      1. Sony is covering its losses. Besides it being difficult to measure, would you admit to your shareholders that you lost that much of their money?

      2. I'm not really into Pokemon.

  • It's almost eery...

    They're either...

    1- Very incompetent on the security side
    2- Very unlucky
    3- Pissed off the wrong people

    I think 1 and 3 pretty much covers it...

    IMO, I think someone is after blood, and it won't be pretty...

  • Let's face it. If it is connected to the internet it can be hacked by outsiders. If it isn't, it can be hacked by insiders. It is no different than banks. We hand them our money. It doesn't matter in the least to me if my bank is robbed; my money is protected. Obviously we need some similar protection with our data.
    • by bhtooefr (649901)

      The difference between money and data is, you never lost your data, it was just copied.

      Money, if you lose it due to such an attack, can be replaced via various mechanisms. Personal data, the only way to replace it involves losing your job, all of your friends, and your relatives, and going into a witness protection program.

  • As much as Sony seems to attract this kind of attention, maybe "secretly enjoy" would be more accurate.

    What I'm seeing is a bizarre attention-seeking behavior, playing into a victimization mindset.

    IANAP (I Am Not A Psychiatrist), though. Just reminds me of a lot of dramawhores I've known.
