Sony Security Slammed By Experts Over Hacking Vulnerabilities

By RAPHAEL G. SATTER   06/3/11 10:39 PM ET   AP

LONDON -- Another massive data breach at Sony has left hackers exulting, customers steaming and security experts questioning why basic fixes haven't been made to the company's stricken cybersecurity program.

Hackers say they managed to steal a massive trove of personal information from Sony Pictures' website using a basic technique which they claim shows how poorly the company guards its users' secrets. Security experts agreed Friday, saying the company's security was bypassed by a well-known attack method in which rogue commands are fed to a poorly constructed website to extract sensitive data.

"Any website worth its salt these days should be built to withstand such attacks," said Graham Cluley, of Web security firm Sophos. Coming on the heels of a massive security breach that compromised more than 100 million user accounts associated with Sony's PlayStation and online entertainment networks, Cluley said the latest attack suggested that hackers were lining up to give the company a kicking.

"They are becoming the whipping boy of the computer underground," he said.

In a joint statement on Friday night from Michael Lynton, chairman and chief executive officer, and Amy Pascal, co-chairman, Sony Pictures Entertainment acknowledged the breach and said the company had taken action "to protect against further intrusion."

"We have also retained a respected team of experts to conduct the forensic analysis of the attack," the statement said. It did not go into details about specific actions that will be taken to prevent future security breaches.

It wasn't clear how many people were affected. The hackers, who call themselves Lulz Security, a reference to the Internet-speak for "laugh out loud," boasted of compromising more than 1 million users' personal information, although the group said that a lack of resources meant it could only leak a selection on the Web. Their claim could not be independently verified, but several people whose details were posted online confirmed their identities to The Associated Press.

Lulz Security ridiculed California-based Sony for the ease with which it stole the data, saying that the company stored people's passwords in a simple text file, something it called "disgraceful and insecure."

Several emails sent to accounts associated with the hackers as well as messages posted to the microblogging site Twitter were not returned, but in one of its tweets Lulz Security expressed no remorse.

"Hey innocent people whose data we leaked: blame Sony," it said.

Sony's customers – many of whom had given the company their information for sweepstakes draws – appeared to agree.

Tim Rillahan, a 39-year-old computer instructor in Ohio, said he was extremely upset to find his email address and password posted online for "the whole world to see."

"I have since been changing my passwords on every site that uses a login," he said in an email Friday. "Sony stored our passwords in plain text instead of encrypting the information. It shows little respect to us, their customers."

He and others complained that they had yet to hear from the company about the breach, news of which is nearly a day old.

John Bumgarner, the chief technology officer for the U.S. Cyber Consequences Unit – a research group devoted to monitoring Internet threats – was emphatic when asked whether users' passwords could be left unencrypted.

"Never, never, never," he said. "Passwords should always be hashed. Some kind of encryption should be used."

Bumgarner, who's been critical of Sony's security in the past, said the company needed to take a hard look at how it safeguards its data.

"It's time for Sony to press the reset button on their cybersecurity program before another incident occurs," he said.
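The two weaknesses the experts describe above, rogue commands smuggled into a poorly built website's database queries and passwords kept in plain text, come down to two coding choices. The following is an added example, not code from the article, from Sony or from the group involved, showing a small user store written the other way: a parameterised lookup placed beside the string-built one it replaces, and salted PBKDF2 hashes instead of stored passwords. The table name, function names, iteration count and sample accounts are all assumptions made for this demonstration.

```python
# Added example, not code from the article or from Sony. A minimal user
# store that avoids the two failures the experts describe: SQL built from
# user input, and passwords kept in plain text. Table name, function
# names, iteration count and sample accounts are all assumptions.
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this demonstration


def open_store() -> sqlite3.Connection:
    """In-memory SQLite database standing in for a website's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the password itself is never stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    """Store a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """The pattern the experts criticise: input pasted into the SQL text.
    Kept only to contrast with find_user_safe; a code review should flag it."""
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver binds email as data, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def verify(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def password_stored_in_clear(conn: sqlite3.Connection, password: str) -> bool:
    """True if the raw password bytes appear anywhere in the stored hash column."""
    needle = password.encode("utf-8")
    return any(needle in row[0] for row in conn.execute("SELECT pw_hash FROM users"))


def demo() -> dict:
    """Register two constructed accounts and exercise both lookups."""
    conn = open_store()
    register(conn, "alice@example.com", "correct horse")
    register(conn, "bob@example.com", "battery staple")
    # Constructed input that is not any user's address. Pasted into the SQL
    # text it turns the WHERE clause into a tautology and returns every row;
    # bound as a parameter it is just a string that matches nothing.
    probe = "' OR '1'='1"
    return {
        "unsafe_rows": len(find_user_unsafe(conn, probe)),
        "safe_rows": len(find_user_safe(conn, probe)),
        "good_login": verify(conn, "alice@example.com", "correct horse"),
        "bad_login": verify(conn, "alice@example.com", "battery staple"),
        "unknown_user": verify(conn, "nobody@example.com", "anything"),
        "plaintext_on_disk": password_stored_in_clear(conn, "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result of `demo()`: the string-built lookup hands back both accounts for an input that matches no address, the parameterised one returns none, and the stored column contains only salted digests, so a leaked table would not give away anyone's password the way the plain text file described above did. The `find_user_unsafe` function exists only to make that contrast visible in one place; the rest of the store never builds SQL from input.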

Filed by Catharine Smith
dbrett480
02:24 PM on 06/10/2011
It amazes me that these hackers are so proud of their crimes. They need to find a real job and actually contribute to society.
09:54 PM on 06/06/2011
At E3 they nearly mentioned the security breach, instead focusing on gaming and the network.
PenguinLinux
got root ?
03:46 PM on 06/06/2011
Sony, the company that put a rootkit on music CDs. You expect security from these wackoffs?
02:43 AM on 06/06/2011
The reality here is that Sony, even after the PSN problem, did not put down the money to hire competent security specialists. IT security is my game, and I know for a fact that they blindly gave the contract to repair their infrastructure to the lowest bidder, who designed an infrastructure that still doesn't meet PCI or SOX regulations, nor would it qualify for ITIL certification. Sony has shown they just don't care, and it's going to cost them dearly.
11:52 PM on 06/05/2011
Wow, Sony was still vulnerable to SQL attacks? On top of that, storing critical data in plain text. That's disgraceful.
sdmartintc
If it's broken, fix it!
09:20 PM on 06/05/2011
Sony, like other greedy corporations, cares more for its short-term bottom line than the security of its online customers.
04:44 PM on 06/05/2011
Is it that hard to understand that Sony Pictures and SCE have very little to do with each other, except for being part of the same large corporation that employs over 160,000 people worldwide?
fgbouman
Curmudgeon & Designer
09:25 AM on 06/05/2011
"Hey innocent people whose data we leaked: blame Sony." Baloney. That's every terrorist's excuse for the horrors that they commit. Sony is wrong to treat its customers' data so casually, but the troglodytes at Lulz Security make Sony look like a white knight. This is not funny stuff. This isn't the movies, boys, and it isn't the comics and it isn't a game.
LittleSanityLeft
01:39 PM on 06/05/2011
If the hackers didn't hack Sony's system to say "hey look, Sony's asleep at the wheel," then that would've left Sony vulnerable to other hackers who are out to generate profit with other people's data rather than mischievous, which these Sony hackers seem to be.

If you know the story behind why Sony is getting targeted by these hacks then you may come to see, as I do, that Sony asked for this war and are getting exactly what they should have expected. Big corporate lawyers aren't going to scare off everybody.
ls1z28chris
We're on the side of the demons, chief.
08:36 PM on 06/05/2011
Your argument evaporates, at a minimum, the moment customer data is stolen. Your argument is erased from all concept of existence, past, present, and future, the moment customer data is posted on the internet.

Talk about how wrong Sony is for what they did to Geohot all you want. That doesn't excuse taking third party customer information and putting it on the internet so innocent people have their identities stolen.
ls1z28chris
We're on the side of the demons, chief.
08:50 PM on 06/05/2011
I'll go one step further. These attacks make the hackers look like crazy fundamentalist terrorist muslims. Remember a few months ago when that pastor in Florida burned a koran, and in response muslims in Afghanistan beheaded innocent third parties who had nothing to do with the original event?

That is what these hackers are doing. Sony goes after a hacker, so other hackers go into Sony's network and compromise the financial security of millions of innocent people.

Way to look sane and just!
12:58 AM on 06/05/2011
If you can't safeguard the data, don't ask for it.
02:16 AM on 06/05/2011
Fanned and favorited 'cause you called yourself "brown girl." But how "little" are you?
12:18 AM on 06/05/2011
It's about time government lawmakers and their officials intervened in new innovation that gives its Cyber Security Department, corporate security and consumers guaranteed protection against cyber hackers.

Design Advantages: Automatically gives priority e-mailers
02:44 AM on 06/06/2011
What the heck are you talking about?
ResearchtheFacts
05:24 PM on 06/04/2011
HP your system worked better before the merger. Whatever this is could be shored up too.
06:35 PM on 06/04/2011
At the very least, HTTPS support would be nice...
ResearchtheFacts
05:23 PM on 06/04/2011
Sony made a statement that "they done all they can do" and security is tight.
Madmac
03:54 AM on 06/05/2011
To which I and anyone who works in Technology say Bu!l!
Wiggly the Wonderworm
05:22 PM on 06/04/2011
lulz does not = laugh out loud... but props for the awesome picture of the fella in the trendy eyewear.
bkerensa
Evangelist at Ubuntu
03:59 PM on 06/04/2011
I hear Sony spent tens of millions to supposedly secure their infrastructure after the first hack, and yet for an easy $1 million I would have done a better job of hardening the kernels and patching basic exploits.... Sony is a joke.
12:23 AM on 06/05/2011
If Sony contacted certain people, an easy one million dollars could've been charged and paid, but they took the route of paying more to equate better service and quality. Coming from Sony, I can see why they did such a thing. The public tends to understand figures, so tens of millions sounds more impressive than $1 million because the public wants to see a large corporation pay out of its behind to secure personal information. Oh well, live and learn. However, one million dollars sounds like a decent price tag to fix the "basic exploits."

Sony makes me think of a funny phrase now: "I'm in your website, and SQL injecting all over you!" Sounds a bit gross, lol.

Get it together, Sony. You can do it!
CmdrTomalak
I am... and proud of it.
03:39 PM on 06/04/2011
WTG Sony. So what are you going to do now to appease your customers? More free outdated games? More useless virtual items from PlayStation Home? How about a class action lawsuit? Nothing says you love your customers like cold hard cash!