Talk of “isolated incidents” went by the board in the last couple of days, with Sony and Sony-affiliated sites compromised in Canada, Japan and Indonesia. Let’s do the rounds: • Canada – The Hacker News reports a breach at a Sony-Ericsson mobile store, conducted through an SQL injection attack and yielding details of around 2, …
Give it up already
Why not list the numerous other individual incidents perpetrated against OTHER companies in the same period?
As for the specious question " .. Sony’s [sic]will have to answer why the same kind of vulnerability appeared across so many of its sites .. " - only an idiot would have to ask this question. The answer being obvious to anyone with half a brain.
Corporates tend to use/do the same thing to achieve the same ends whenever the same need has to be met. However a web site get's rolled out in territory A, a global corporation almost certainly will use the same tech stack in territory B, C and D etc etc.
Does it makes sense? Of course it does, until a flaw is found then - with 20:20 hindsight - it suddenly looks very stupid. Or at least other people will try to make it appear so.
Could we have some proper journalism in this area, rather than this pathetic and transparent anti-Sony agenda masquerading as such? Please?
I'm glad you said that.
I was thinking something similar, when the line "Sony’s [sic]will have to answer why the same kind of vulnerability appeared across so many of its sites" appeared my instant thought was well they paid for a solution and rolled it out across many areas.
This led me on to think that this is a non story.
We'll give it up
....when I can trust Sony to look after my personal details again.
same stack should make fixing easier
If they are running the same stack everywhere that should make rolling out any improvements easier. Congratulations, you just made the case that ongoing failures are due to Sony choosing to not roll out fixes to their entire business.
The reality is likely simpler, they have a jumble of adhoc sites and they have to deal with each individually. I'd suggest before that they need to remember where all the sites are!
It is noticeable that only customer information has been exposed. Hard to avoid thinking Sony knew how to protect themselves but didn't bother extending the same protection to users. Customer details should have been no more accesible than internal corporate data.
"Customer details should have been no more accesible than internal corporate data."
Because requiring customers to be in your building or signed in with a securid authenticated VPN connection is a great business model.
Things that expose themselves to the world get hacked more often than things that are hidden behind firewalls. Shocker.
SCE, SOE, Sony Ericsson, Sony Music are a disparate bunch of companies owned (or half-owned) by Sony Corporation. (Q. Were SCE sites ever hacked - or was the intrusion through PSN?)
I'd be amazed if their sites were remotely similar. Surely SPE or SCA would have had an intrusion by now, especially the former as they're a content provider and all content should be free?
Has nobody attacked Sony Life or Sony Bank yet? Maybe the script kiddies have never heard of them.
Maybe they should stop painting a bulls-eye on themselves. Root-kitting everyone's PC and then taking legal action against those that figured out the keys, these are red flag PR blunders. Some simple common sense in PR approach might eventually make them slightly less of a protruding nail that needs hammering down.
Sorry what? Rootkitting everyone's PCs?
Are you still blathering on about the BMG CD rootkit fiasco of more than 6 years ago as if it was current and universal? Holy crap, can we apply just a modeerate amount of perspective and stop talking like there is a current issue - which there is not? Well, not unless you count the millions of malware attacks a day that attempt to root kit your PC that have nothing to do with Sony.
Funnily enough, I thought that taking legal action to protect legally protected information and systems was...well...legal. Seems to me, that you have a chip on your shoulder about something and have elected to blame Sony for it regardless of cause.
Yes, it was a while ago but...
The rootkit thing was a truly spectacular PR failure, and more importantly, Sony's recent behavior suggests they have learned absolutely nothing from that fiasco. The law has nothing to do with it, what matters is whether Sony is going to treat its customers as friends or enemies. Clearly they took the latter tack before, and continues to do so.
Sony treats it's customers as friends
I've been a customer of theirs for decades and so far, I've yet to feel that they do not value my loyalty, in fact I would say that in my experience they do treat their *paying* customers are friends.
"Are you still blathering on about the BMG CD rootkit fiasco of more than 6 years ago as if it was current and universal?"
No, just relevant to Sony's ongoing behaviour. It's like instead of killing himself Raoul Moat put down his gun and went on a personal injury claims spree that lasted for six years.
Groundhog day: more Sony breaches
Can we change the 'FAIL' icon to a 'SONY' icon please?
lol and give sony another excuse to sue someone :)
My karma ran over your dogma*
Meanwhile in Indonesia...
"• Indonesia – This attack seems less serious: a page was altered on Sony Music Indonesia’s Website, and in response, the site has been closed."
How is this less serious? If your able to alter a page, then what stops you from running a local exploit to gain root access? $ony whole infrastructure sucks, so with root access to one of the servers, you can probably get root access to the rest of the boxes...
What makes you think they've got root access? Changing a page is somewhat misleading on the intertubes ... odds are they found a CMS user account with a crap password - which gives absolutely no indication as to what access level that user had (assuming there was some kind of RBAS on the CMS).
Oh, so every instance of web page defacing means....
...means that root access to OS and Database services was attained? Oh really? Where' did you get that computer science degree son, the box of cereal you opened this morning?
That's just a ridiculous thing to say. Website defacing has been going on since the web started and does not require or imply root level access, or much elevated access at all.
the OP was ridiculous,
but the premise that it was not serious is also ridiculous. While there is no indication that the compromise provided the attacker with elevated privileges, It is well documented that a compromised website provides a solid attack vector to many users, more over if it is a "reputable" site (meaning a large, well known corporation). Web defacings are NOT trivial, and should be delt with swiftly, removing the site, analyzing the issue and correcting it, before it is used to spread malware.
Sony need to rethink how they treat the public
“This doesn’t change the criminality of their behaviour”
Of course it doesn't, but this doesn’t change the inescapable fact protesters are often considered criminals. Sony would do well to recognise how they treat the public has a direct causal link with how some more militant elements of the public will end up treating Sony in return. History has repeatedly shown all around the world, the public will only take so much unfairness before they rise up and hit back. Usually that's against political power, but now we live in a world increasingly ruled by corporate power, so its no surprise the public will only take so much unfair behaviour before retaliating.
This is like watching a revolution against corporate power, so Sony need to rethink how they treat the public, as they need to realise their current dictatorial attitude has caused this anger. But like all dictators, they refuse to see they are wrong.
I agree absolutely...
...and it's not the rootkit that is mostly to blame for their current problems, I suspect, but revoking linux from their games machines followed by sueing people trying to undo that.
The rootkit hit a random selection of the populace and they got sued, so justice of a sort was seen to be done.
Revoking the linux was done pseudo-legally. Essentially, they defrauded the hackers and tinkerers and 'got away with it', later compounding the insult. This is precisely the demographic that I wouldn't want to be pissed off at me if I had a bunch of public-facing internet services.
I crossed Sony off my list when the rootkit was revealed, so I'm just sitting here munching popcorn and watching the show. Be interesting to see if Sony get pushed over the edge.
don't come the raw pwn with me
Nah, Sony are happy that so many of thier customers/addicts either do not read much news or they 'know' that it won't affect them. People have paid for access and after a couple of days doing nothing were clamouring to get back on no matter what.
Sony are keeping this as low as possible because the noise of selfish contentment from the blinkered who are back in thier troughs(must sort out my mixed metawotsits) is drowning out the sound of others - like the japanese governenment - going 'Hang on a minute, what was the issue and have you actually fixed anything?'
It's like snow here in Blighty, mno-one gives a toss until it cancels 'their' train.
They sued not after people tried to restore Linux to old PS3...
The sued after some a$$hat called GeoHot decided to publish the Metldr key that was not required to restore OtherOS, but which effectively allowed hackers to ignore any semblence of copy protection on games - resulting in the ability to load pirated copies of games on custom firmware systems. Get your facts straight at least.
Sony needs to re-think? Are you kidding me?
You know, if you actually go back through the history of Sony, the PS3 and all of this bullcrap that's been going on and look objectively at Sony, the various hackers and others, as well as the Media reactions, it's actually very hard to see where Sony has treated anyone particularly badly.
Sony sued GeoHot et al after the metldr key was published along with information on how to use it to circumvent all copy protection on the PS3. They obtained court orders against one German hacker who was engaged in similar works of publishing protected information about the PS3's security mechanisms. All of these actions were taken in the realm of the legal system in the relevant countries. Sony's attorneys asked for some information pertaining to the locations of people that viewed the information published by GeoHot for the very limited legal purpose of establishing the jurisdiction for the court case n California against GeoHot. That was horribly mis-reported by the world plus dog as if Sony Corporation was seeking personal information on millions of people. That was never the case, nor could it have been. the court did not order that, and the information that was ordered could only go to Sony's attorneys, not Sony. Had Sony obtained additional information and mis-used it as so many alleged they wanted to, Sony would have been near instantly indicted at a high level by government prosecutors. It's ludicrous to make the kinds of claims some do about things like those subpoenas to establish jurisdiction.
Regarding the whole OtherOS, Sony was in the end vindicated in their removal of OtherOS in response to GeoHots original hacking of the hypervisor - yes children, Sony reacted to defend their platform against hacking. the hacking predated the removal of OtherOS, not that anyone bothers to mention that little factoid anywhere. It would not be necessary for anyone to 'restore' otherOS had the little moron GeoHot not indulged in his little egofest of publicly proclaiming he had 'pwned' the PS3. Oh, but, I guess we should forget that it's HIS own fricking fault that OtherOS was removed, otherwise we can't cast the little guttersnipe as a freedom fighter trying to restore what the greedy corporation took.
Oh, I guess we should also point out that for those so married to their OtherOS that they'd rather break the law, cost companies millions of dollars and adversely affect millions of consumers than give it up, you didn't have to give up OtherOS. If you were so bloody keen on it, you simply didn't need to install the firmware upgrade that disabled it. Yeah, I know you would lose access to PSN then, well, so what? PSN is a free service and you have to meet it's requirements to use it. But is that minor inconvenience really a justification for all that has happened? Really? I mean, really? You couldn't just have put up with a minor inconvenience rather than have all that has occurred since?
Oh, and while we're at it, since GeoHot was the reason for OtherOS getting the boot, why are you blaming Sony again since it was not them that attacked the system?
Actually, when you look at it all, Sony has not been the one mistreating anyone. But I know I'll get downvoted for saying so. The media, the hackers, the anonymous, the freetard gamer population who bear no consequences for their words, these people have been treating Sony like public enemy number one. Hell, I've seen more vitriol aimed at Sony than Osama Bin Laden. That's plain stupid, but it's truly the case.
As for dictatorial actions, did you read GeoHot's terms for settlement with Sony when their action first started in court? That was dictatorial. The ultimate settlement that had GeoHot all but grovel in apology is a far cry from his demands earlier. That should tell you something about the merits of his case. Perhaps that should tell you something about the merits of this entire thing.
Ah well, I know none of this will change your mind, but perhaps someone reading it might take a moment or two to stop and actually think...
Keep on taking the pills...
Whatever Jack, whatever...
I've been following PS3 and the attempts to hack it since before GeoHot drilled his first hole in a motherboard. I know what happened and when. Facts are facts, and they do not line up with your passionately held opinions. Remember though, no matter how dear you hold your opinion, a single fact can make your opinion irrelevant.
You must be a Sony Shill
Graf did nothing to aid piracy. He is only interested in Hacking the Hypervisor. FACT. That knowledge may lead to others getting a toe hold to misuse the info. So i your world we should ban all books and texts 'cause you might learn something that can be put to bad use. Why not out law books full stop, to keep Sony & Co safe and the renters/purchasers stupid.
The 'asshat Hotz'. Yes he released the keys, but his firmware would NOT allow piracy. Maybe next time Sony will do a better job of securing them. Threatening people will not stop the thirst for knowledge but will get you hacked till kingdom come.
If I ever discovered something interesting in MY PROPERTY (PS3) then yes I would tell others. I don't recall ever signing a non disclosure agreement, nor do I know of any PS3 who signed such.
If Sony doesn't want people to own what they buy, they should rent the PS3. Also they should try to make people sign in blood that they will only use the item the 'Sony Approved' way, at the point of sale. Just so you know Highlander, I did not buy my PS3, I did not click on any EULA and nobody not even Sony can enforce terms of something that was a gift.
I'm getting the booze in for the party. You are invited.
RE: Sony needs to re-think? Are you kidding me?
The core of this is simple, but remains unaddressed in all the vitriol (in both directions). Does a consumer possess the right to do whatever they like with hardware that they have bought, or do they have to stick to the usage model that the manufacturer intended?
In the absence of a definitive ruling (which we will likely never get, because the impact would be _huge_), manufacturers will continue to try and get consumers to stick to the latter path without ever explicitly saying to consumers that they don't really "own" their own hardware.
Hardware mfrs that invest gazillions of $ in their platforms need to see return on their investment whilst simultaneously not blocking some of their sharpest users. Sony made what they thought was a sensible business decision to axe OtherOS and handled the followup badly. Conversely, GeoHot let his ego cloud his judgement and took the decision as a personal affront.
Would have been much easier for Sony to say "look everyone, we're axing OtherOS support. We're not going to support anyone who works around it or does something with their PS3 that we hadn't anticipated. But we won't prosecute them either. If they do anything illegal, for commercial gain, or that disrupts anyone who just wants to use their PS3 normally, we will come down on you like a ton of bricks". Simple, clear and fair.
Jack - people who disagree with you are not shills...
That kind of paranoid thinking has got fail written all over it. Whether Hotz firmware allowed piracy or not, the keys were released by him along with what amounted to an How To guide. You'll note, if you re-read my post I did not mention the firmware he produced, although I would definitely challenge it's legality on the basis that I don't for a nano-second believe that Hotz penned all 100% of the code he posts as firmware, and in fact he's either modifying Sony's code and/or incorporating their code in his 'custom' firmware.
Jack, if you have a PS3 and have ever played online, or started PSN, you have agreed to many terms, including the license for the firmware. The very nature of your own arguments strongly suggests that you are more than aware of the terms of the license. As to your line about your PROPERTY, you're a damned fool if you believe that. Software is licensed, hardware is sold. You do not own the software.
Zongo, Sony doesn't give a darn what you do to the hardware, as soon as you physically modify the hardware beyond the scope of permitted upgrades they consider the warranty nullified and don't care about your **hardware**. The system software running on that hardware is not part of the hardware, it is stored on the hardware but it is a separate element, and Sony does very much care what you do with that. That's why it's encumbered with license terms.
I honestly can't see what is so hard with the concept that you buy the hardware and license the software. If you break the software license, be aware of the terms is provides in the case of one or other side breaking the license.
Don't play nice in the playground, get kicked by the kids.. Capiche?
Sony = will NEVER buy.
Time to get a SoX investigation going.
I'd want to see someone cuffed for this.
LoL, xBox, LoL.
<---Check the icon.
Then run's and hides behind the couch.
Robots have run amok on the factory floor
Maybe they should just drop their prices lol
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
- Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
- Feast your PUNY eyes on highest resolution phone display EVER
- AMD demos 'Berlin' Opteron, world's first heterogeneous system architecture server chip