Hacking group LulzSec has compromised Sony Pictures, leaking details of over 60,000 users.
Hackers have struck Sony once again, this time hitting Sony Pictures and Sony BMG and posting the email addresses and passwords of over 60,000 users. The hackers also posted details of how to carry out further attacks.
Data was posted to BitTorrent by a hacking group calling itself LulzSec. The group claims it was able to access the details of over a million customers, along with admin usernames and passwords for Sony staff. The group also accessed around 3.5 million music coupons and 75,000 music codes.
LulzSec released a statement saying that the hack was carried out via SQL injection and that Sony stored passwords in plain text, without encryption.
‘This is disgraceful and insecure,’ reads a LulzSec statement. ‘They were asking for it... Why do you put such faith in a company that allows itself to become open to these simple attacks?’
The hacker group came to light earlier in the week for hacking US TV station PBS' website as retaliation for a Wikileaks documentary that they deemed to be unfair.
This attack hits Sony just after it restored the PSN and updated many security systems. Sony is announcing the re-launch of the PlayStation Network by offering a free trial of its premium service and a selection of free games to customers as a way of apology for the outage.
Let us know your take on the attacks against Sony in the forums.
41 Comments
...it didn't?
oh no sorry, my bad, it just got moved from the news section to the main articles section. my apologies.
In my opinion this is beginning to become stupid. The hackers don't give Sony a chance to improve before they strike them again. How are you supposed to get up if you keep getting kicked down?
So we should give the massive tech company, with limitless resources, the benefit of the doubt for failing to adequately protect its customers' details? Really?
I'm no fan of these large hacking groups, but they have at least highlighted just how lax and irresponsible Sony have been.
They did ask for it.
As a customer you expect that your private information will be at least encrypted.
There is an expectation of some kind of protection.
Without at least that how could you confidently give any financial or even personal information to companies?
Data privacy is a part of their service and they are ripping you off if they can't even manage that (in my opinion).
For a company this size there is no excuse.
Just be glad that Sony was not hacked by truly malicious people who might have done much worse with that or other information.
As they didn't seem to have had a security strategy there are probably hundreds of these random small sites set up by some guy in marketing that aren't maintained properly.
Maybe by doing a proper security review after the first time they got hacked and keeping "at risk" or poorly secured systems off line until they can be secured.
Given the recent spate of attacks on Sony, keeping passwords in plain text was just looking for trouble, switch it off if you can't keep it secure.
Yeah, really. Will these kids just go away already. All their statements reek of flimsy rationalization to me. It's one thing to be a complete dick, and another to act all high and mighty about doing so. Infuriating.
This really is cyber terrorism, folks. Fear and intimidation used to coerce (companies, in this case) into their agenda. A vigilante group making all sorts of broad political demands and choosing to wreak havoc and destruction in ostensible support of those ends. We're even seeing the classic "fight them" vs. "appeasement" debate played out over the internet.
To me, it doesn't matter if you think Sony is evil. Just like it doesn't matter if you think Western society is decadent and our Middle East policy is screwed up. There are acceptable means of protest and then there's terrorism. And just because in this case they're not physically harming anyone doesn't mean it's okay.
I don't think anyone is saying Sony has had ideal, or even acceptable security. These people though are actually trying to make the argument that if the vault doors weren't sturdy enough it's perfectly okay to stroll in and steal what you want. I reject that.
Get it right first time?
The fact that the act of hacking or stealing is immoral does not negate the responsibility of these companies to protect this data.
Just because the rain storm was not your fault or intention does not negate the need to shut your windows.
There will always be hackers and people who would do immoral things. To ignore this and to justify a lack of security in this way is just foolish.
Your crude analogy is rather misleading, of course you should avoid criminal activity of any kind, however once you are aware of an issue then why not take steps to mitigate just in case? The hack is criminal, yes, however the mentality of the criminal is to go for the easy take down, you must conclude the reason Sony is being reported as being breached again is because compared to others it is possible.
Over a month ago it became clear, Sony does not encrypt sensitive data and has particularly weak network security on at least one of its networks. This failure should act as a stimulus to secure any other system that behaves like this immediately, Sony should take action but it will send shockwaves through the industry, everyone will be scrutinising their security. Scroll to today, a security breach has occurred at Sony with entirely the same hallmarks, the passwords are unencrypted and out in the open, why wasn't this changed? The mind boggles.
I just hope other companies are learning from Sony's mistake and bolt all the doors shut on their systems.
Should it have been done to begin with? Certainly, should they have set things up so that they weren't vulnerable to SQL injection attacks, definitely. That doesn't mean something wasn't overlooked and wasn't discovered in testing.
Once it is discovered it takes time to fix. It's not like we are talking a single system here that they haven't fixed. We are talking dozens and dozens of systems and hundreds of applications. Probably that took a few tens of thousands of work years to put together all together. It doesn't take a single programmer 45 minutes to fix. It probably takes a couple of hundred several months to fix everything and that is assuming there is nothing preventing them from making the changes quickly (like having to implement a system wide change all at once instead of being able to roll it out piecemeal).
As an IT worker your perspective is odd, it sounds more like a management perspective. I remember at my last firm the system was so old it creaked, passwords were not encrypted there either. Engineers and developers would be battling management everyday to try and get these things improved, they were mostly ignored and they made their feelings of frustration about how sh1t it was very vocal indeed! When the Risk team finally took interest and started to do some calculations the improvements very suddenly started to happen, new IT contractors appeared very sharply indeed.
You can do this in the technology industry in the private sector, just depends how serious you are about it. Sony could have taken down everything, checked it and put it back up when it was fixed like PSN, they decided it was cheaper not to.
Welcome to my boat!
No, this is just criminal behavior coupled with publicly bragging about the results. You want to highlight the holes in Sony's security? Fine. Own up to it, put your name to the actions, and work with Sony to fix the problem.
I agree. Both parties could gain. The company would gain by getting free information on how to secure their systems, and the hacker groups would gain by getting the recognition they seek. But the moment they post information online or use that info in any way, they are criminals.
You're kidding, right?
I've just hacked bit tech... oh you want proof, err, erm I don't really want to expose any info that could be used to prove I did it...
How do you propose they work with Sony? How do you know that they didn't already send a warning email?
This is what happens in the hacker world, they find an exploit, let the party know about it, then a week later release it to the public to speed up the addressing of said exploit. Where have you been these last few years?
This is one seriously flawed analogy. Your juvenile reasoning implies that Sony is the sole victim of the incident, whereas the true victims were the innocent customers who put their faith in Sony to keep their personal information secure. Sony has had enough time and resource to make corrections in their security, or lack thereof. This just proves that PSN wasn't just a freak accident, but a timebomb waiting to happen. If Sony doesn't wake up and tighten the security in the rest of their branches, the catastrophes would be massive.
Same here. I'm thoroughly enjoying this conniption.
No, this doesn't happen in the hacker world. In the IT Security world, real people, with real names, own up to an exploit they find and inform the party involved, not run off to twitter, first tweeting about said attack, then days later posting the stolen information. These guys just want attention, and are far from any sort of group fighting any "injustice". They are criminals at best.
I'll try to dig up the article, but I also read that these guys tried to drag a former member into this by outing his username as having paid them to do it. Seriously? People are rooting for that?
Edit: Unfortunately Fox is where I found the article so I'm not posting that because I can't say whether it's 100% true. The article states that Branndon Pike was the person Lulzsec identified on their twitter when they referenced Shadow DXS as having paid them to hack the PBS website.
Like I said, work with the company. The company being slow to react is not justification to screw over thousands of people who have nothing to do with the company's IT security.
EDIT:
To the person saying they are trying to coerce them into doing something their way, it seems to me they are only trying to get them to upgrade their lax security which will only benefit Sony and their customers. If they just rang up and said "these accounts/sites need better security" what do you think Sony would do?
I wouldn't say it's irresponsible of Sony not learning from the whole PSN saga, they must have hundreds of sites, and this is just one of them. What IS irresponsible is the fact that clearly Sony give no value to storing personal and confidential data in plain text, not encrypted. Store it backwards at least Sony, make some sort of effort with the data that people trust you to keep hold of and protect.
The whole hacking thing doesn't concern me at all either, if 1 Scottish chap can hack into servers used by NASA, CIA, FBA, US Military etc looking for proof of aliens and environmental coverups for over a YEAR... how is Sony meant to stay foolproof on a network designed to allow 77m people to connect to it?? The real concern is they clearly don't do all they can to ensure IF hacked, the data is worthless to those people.
And for some reason people want to glorify people terrorizing innocent customers. I don't even want to think about how many account holders are completely non-tech savvy and don't care or know about any of this yet end up having their account stolen thanks to their passwords being exposed because a group of neck-beards (no offense) want to tell them where to take their business.
http://arstechnica.com/tech-policy/news/2011/06/lulz-sony-hackers-deny-responsibility-for-misuse-of-leaked-data.ars
According to LulzSec, hacks using the data have already begun, but don't blame them! Releasing all these e-mail addresses and passwords was Sony's fault.
Oh, and trying to work "With" a company is a good way to have them litigate and report you. It's probably not a good idea. Now where's a handy class-action I can join against this lumbering company?
It's unlikely my bank will get hit because my bank (and basically every single other one) stores data encrypted, not in plain text.
I agree with llamafur and Mentai, this is great fun :).
Sony will or at least should shut it down and make it safe. As a lot of people have already said, they should also be liable for everything, they have been negligent, plain and simple. I'd love to live in a nice utopian world but I'm a realist, we simply don't. It's why I lock my house and car when I am not in them.