Sony’s security nightmare just won’t end.
Earlier this week, malicious hackers released a bundle of personal information on thousands of Sony customers that was stolen — quite easily, according to the infiltrators — from Sony’s IT systems.
That was only the latest in a long series of cyberattacks the company’s been suffering since mid-April, which forced Sony to shut down its PlayStation Network for several weeks.
There’s speculation that these attacks are being launched in retaliation for Sony’s actions against hacker George Hotz, whom Sony sued for jailbreaking the PlayStation 3 and publishing the tools and techniques he used to do so on the Web.
As part of the settlement of the case, Hotz consented to a permanent injunction, but he severely criticized Sony.
The case had angered the hacker community, which vowed revenge.
Hacker activity against major corporations is nothing new, but what’s perhaps unusual about the blows Sony’s been enduring is their frequency and repetition. Typically when an organization is successfully targeted, the attack is limited to a single breach — sometimes large, sometimes small. With Sony, however, hackers from all corners appear to be ganging up on the consumer electronics giant, launching attacks that range from irritating pranks to large-scale theft of customer information.
Could Sony’s saga indicate the rise of the socio-political hacker, one who strides the Web like a god of vengeance, striking out at any organization that angers the techie community?
“This is less of a ‘let’s just grab some credit cards for our personal benefit or grab some emails to make them look bad'” sort of incident, Chris Lytle, a senior researcher at Veracode, told TechNewsWorld. “It’s a concerted brand and image attack just because people don’t like them.”
More such attacks may surface in the future.
“We live in a persistent state of cyber-insecurity due to the lack of efficacy of traditional defenses against advanced cyberattacks,” Ashar Aziz, founder and CEO of FireEye, commented.
The Blitzkrieg Against Sony
The Japanese entertainment giant is reeling under wave after wave of attacks of varying sizes and impact.
“Sony have probably had somewhere in the neighborhood of 20 security incidents in the past few months,” Lytle said.
“Previous breaches have been a one-and-done thing; this has been a concerted group of attacks,” he stated.
Few of the attacks share the same attack vector, and the hackers are targeting different business units within Sony, Lytle said. In addition to the Playstation Network, the hackers hit Sony BMG Greece, an unmaintained Sony sweepstakes site, Sony’s Thailand site, and the company’s Indonesian website, he added.
The hackers are “targeting Sony as a monolithic organization,” and some of the breaches are “rather small,” Lytle said.
Take, for example, the attack on Sony’s Indonesian website on May 21. “That wasn’t a high-impact attack; it was a simple website defacement, of which dozens occur every day,” Lytle remarked.
At the same time, though, there were other, more serious attacks launched that had more impact on Sony, such as the theft of credit card numbers from its databases, Lytle said.
Sony did not respond to requests for comment by press time.
Is Sony’s IT Infrastructure Flawed?
Perhaps Sony should share part of the blame — companies do have the responsibility to protect data their customers share with them. However, FireEye’s Aziz contends that all enterprises are vulnerable to cyberattacks to some degree.
“There are systemic vulnerabilities in every organization, and hackers have figured out how to exploit them,” Aziz told TechNewsWorld.
Those vulnerabilities are the legacy approach to attack detection, and they rely on reactive techniques such as signatures for defensive purposes, Aziz said.
Apple found that out in short order after releasing a defense against the MacGuard malware package this week; hackers circumvented that defense within hours, and the vendor is now playing cat-and-mouse with cyberattackers.
“No organization, no matter how well-run it is, is well-protected against this kind of attacks, because the new threat landscape has effectively obsoleted traditional enterprise security defenses,” Aziz sad.
LulzSec Laughs While Sony Weeps
The hacker group Lulz Security claimed responsibility for the most recent Sony attack.
On Friday, it claimed to have compromised the personal information of 1 million users on the SonyPictures.com website.
Lulz has posted some of the data taken from the databases of various Sony companies.
What’s Lulz Got to Do With It?
The word “lulz” is defined as laughter at someone else’s expense. To attack a site “for the lulz” suggests the motive lies in personal amusement, pulling a prank or making a social or political statement, rather than personal monetary gain. Regardless of the motive, though, an attack can have serious consequences.
“There have been a lot of security breaches across a lot of companies,” Veracode’s Lytle said. “We are seeing a lot more cybercrime, but that acts as a distractor for social- or political-based hacking.”
For example, the theft of credit cards from Sony’s databases has kept it from dealing with all the other attacks against it.
“Sony’s too busy dealing with the fact that 77 million cards have been stolen to deal with the other hacks,” Lytle said. “The different hacker groups are kicking them while they’re down.”
Waves of attacks could be launched at other targets, Lytle warned, if they have a wide enough presence that they can be attacked easily — and if they have angered a group of savvy Internet users.
If we had a rash of people building custom cars, then going out to intentionally run people down with them, would we be talking about, "malicious auto mechanics"? These people are criminals. A lot of halfwits would love to label anyone that puts out information about vulnerabilities, or how things work, as the same, but this is blind stupidity. If everyone doesn’t know the only people that do know will be the ones willing to use them to break, damage, steal, or deface websites, and the guy running the database would be just as clueless about the gaping holes in his system as the dude working part time in their warehouse.
Its like the gun argument. If no one was allowed guns, only criminals would have guns. The solution in that case is, don’t let *anyone* have guns. So, what is the solution here? Obviously, don’t let anyone at all have computers, which is a damn stupider concept, but only slightly stupider than, "Only arrest the people figuring it out, or using it to unlock their cell phone, or Playstation.", while all the actual criminals keep using the tools. Its just can’t work.
But, because everyone insists on calling everyone from the guy running a pre-made bot net, who can’t otherwise even install Linux properly with an instruction manual (hint, its easier to do that Windows), but **can** follow careful, step by step directions on installing a bot net application, to the guy that just figured out the latest security hole, and published it, so people could find and fix it, a hacker… Seriously, there is a *major* difference. So, you either make sure to be clear what it is, or just criminalize owning a computer. Otherwise.. anyone could be, and have been, arrested, often for some of the stupidest things imaginable, while the real threats walk off free as a bird.
Its a bit like drug arrests. Its a lot harder to arrest the guy making millions of pounds of the stuff, than the guy selling a baggy of it. So, the vast majority of the people in jail are the guys with a few ounces, and the people that are *not* in jail, are the ones manufacturing the stuff in large amounts. Same problem. The guy with $100 in non-legit software, who bought it off an illegal OEM site gets nailed, but the guy running the largest bot net on the planet isn’t probably even nameable, never mind arrested. Both, stupidly, get called hackers, when neither deserve to even be associated with the term.
And, just to add insult to injury, people like George Hotz get lumped in with them, for doing what? Letting you mod your own, personally bought, hardware. Not for showing someone how to run a bot net, hacking into a corporate DB, or building a doomsday weapon, or something, but showing people how to unlock their own property. Idiocy.