More Sony customer info plundered

Another 2,000 customer records were looted from a Sony-related site, this time from the Canadian branch of the online cellphone store Sony runs with Ericsson. The third such event in the last few weeks was carried out using SQL injection, according to a cracker who has already posted half of the records online. CEO and president Howard Stringer once wisecracked about giving up on trying to figure out how many products Sony and its myriad divisions, subsidiaries and partnerships sell. I guess they have the same situation with security flaws, too.
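Since the post only names the technique, here is an added example (written for this page, not code from the original post and not anything taken from the Sony Ericsson site) of what a SQL injection against a customer lookup looks like and how the parameterized version of the same query shuts it down. The table layout, the customer rows and the staff accounts are all constructed for the illustration; SHA-256 stands in for a real password hash only to keep the sample self-contained.

```python
import hashlib
import sqlite3

# Constructed sample data for a hypothetical store schema; an illustration
# written for this page, not Sony's or anyone else's real schema.
CUSTOMERS = [
    ("alice@example.com", "Alice", "Toronto"),
    ("bob@example.com", "Bob", "Vancouver"),
    ("carol@example.com", "Carol", "Montreal"),
]
# Placeholder staff accounts with hashed passwords. SHA-256 is used only to
# keep the sample self-contained; real password storage should use a slow,
# salted hash (bcrypt, scrypt or Argon2).
STAFF = [
    ("admin", hashlib.sha256(b"constructed-password-1").hexdigest()),
    ("support", hashlib.sha256(b"constructed-password-2").hexdigest()),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.execute("CREATE TABLE staff (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)", STAFF)
    return conn


def lookup_vulnerable(conn, email):
    """The bug: the caller's string is spliced into the SQL text itself."""
    sql = "SELECT email, name, city FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: the value is bound as a parameter and can never become syntax."""
    sql = "SELECT email, name, city FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two typical payloads. The first closes the quoted literal, ORs in a
# tautology and comments out the template's trailing quote, so the WHERE
# clause matches every customer. The second uses UNION to pull rows out of a
# different table through the same query (the column count must match).
TAUTOLOGY = "x' OR '1'='1' -- "
UNION_DUMP = "x' UNION SELECT username, pw_hash, 'staff' FROM staff -- "


def demo():
    """Run both lookups against both payloads; returns row counts."""
    conn = make_db()
    return {
        "normal": len(lookup_vulnerable(conn, "alice@example.com")),
        "tautology_vulnerable": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "union_vulnerable": len(lookup_vulnerable(conn, UNION_DUMP)),
        "tautology_fixed": len(lookup_parameterized(conn, TAUTOLOGY)),
        "union_fixed": len(lookup_parameterized(conn, UNION_DUMP)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print("%-22s %d rows" % (key, count))
```

The vulnerable lookup returns every customer for the tautology payload and the whole staff table, hashes included, for the UNION payload; the parameterized lookup returns nothing for either, because the driver sends the payload as a value rather than as part of the statement. This is exactly the class of bug that off-the-shelf injection tools probe for, which is why a site that falls to one says more about its code review than about the attacker.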


  1. This is getting old. Why don’t the people who spend time on this shit try and attack some other organisations? You know… ones who we know actually do bad things. It’s not like Sony is the only company with shoddy network security and though 1000 email addresses might seem a juicy cache of “fuck you” against “the man”, it is actually quite meaningless.

    1. I’m sorry, I thought the idea was that a company which so visibly failed to use basic security procedures would have invested the time and effort into making sure they were not completely stupid everywhere.

      Picking on the poor customers, yes they are going to get more spam. They did not have their credit cards handed out this time, and it looks like the passwords were actually hashed – something that cannot be said of the other hacks into their holdings.

      Is the public safer if they do these things silently and sell the information off? Is the public safer assuming that Sony is doing anything to protect their information?

      Sony pissed off some hackers.
      Sony then tried to shift all of the fault onto the collective known as Anonymous, with PS3 owners screaming for their blood.
      Sony then tried to say well maybe they didn’t do it, but they made it possible.
      Sony then said we have proof, we found a text file.

      No one has called Sony on the carpet for having such lax security practices, and all Sony wants to do is claim they are innocent and this was all just talented hackers.

      You now have script kiddies running tools that should not work on any reasonably secured site, and they are hitting paydirt time and time again.

      So while some people are having their names and email addresses exposed publicly, is the greater issue at hand that Sony doesn’t care about your email address… do you think they care about your CC#?

      A reasonable person would have expected Sony to use its resources to check its holdings after the loss of the PSN as well as the SOE records. Well, I think we have the answer: they will not move or do anything unless the public makes them.
      How will the public make them? Because every news story about another hack against poor little Sony raises questions about how safe you are doing any sort of business with Sony.

      As to your calling them “asshat hackers”, I would expect that you yourself have not had your CC number ever compromised by a company’s lax security. It doesn’t matter that Sony handed your CC# out… You have to file reports, you end up on the hook, you have to make all of the effort to prove it wasn’t you buying things on iTunes or booking flights in the Far East. Sony doesn’t have to worry about having its credit ruined, or bank accounts drained; the end user gets screwed both ways.

      Sorry, I feel little sympathy for a corporation with that much money playing the poor helpless me card while they time and time again do things to save a buck, and their actions screw the customer and leave them a huge mess that Sony won’t be forced to help clean up.

  2. What makes you think they’re not being attacked, and plundered? They’re just not making the so-called “news”.

  3. Posting the personal data of 1000 cellphone users seems like less of a “fuck you” to “the man” and more like hackers exploiting innocent people.

  4. What makes you think they’re not being attacked, and plundered? They’re just not making the so-called “news”.

    I don’t see the point of further harassing Sony because it’s the flavour of the week. People seem to have forgotten that Sony got massively fucked by the earthquake and tsunami in Japan. Something like 20% of their Japanese manufacturing plants were damaged or destroyed. The Japanese government is encouraging citizens and companies to ration electricity, and all these asshat hackers have to do with their time is further complicate things.

    Posting the personal data of 1000 cellphone users seems like less of a “fuck you” to “the man” and more like hackers exploiting innocent people

    That was… err… my point. In any case, the guy also stripped the user passwords, so he is not being as exploitative as he could be.

    PS: I don’t give a shit about PSN or Sony. I don’t own any Sony products. I just don’t believe in kicking people when they’re down.

  5. Sony is engaged in a so-far successful gambit to determine how much can be plundered before it’s illegal on the part of the company holding the info (i.e. Sony). The answer is: never gonna happen. Sony is setting precedent for not being held responsible, criminally.

    They can now leave their machines as wide open as they want, the only loss is yours, and they already know how many people will leave if they are the victim of information loss. They can prepare for these contingencies and probably actually insure against them, further improving their costs and margins. The costs of which are minuscule attrition and some package deal on credit monitoring for any customer who deigns to breach the morass of compensation barriers.

  6. I just don’t believe in kicking people when they’re down.

    I generally subscribe to the “don’t kick anyone, down or otherwise” philosophy, and I also don’t consider Sony to be a person.

    Personally, I think Sony is, for lack of a better term, “evil”. They will do some BAD shit to you and your stuff to get their way and ensure they make a profit; root kits, etc. And they see nothing wrong with it.

    If the governments and other entities that are supposed to protect us from this stuff won’t do anything of value, I’m not going to get worked up by a little bit of vigilantism and bad press directed their way.

    Personally, I’ll never own another Sony product or do anything that knowingly benefits them.

    But I’ll buy Cisco all day, every day.

    Crazy, eh?

    1. Hear hear, I’ll never buy another Sony product either. Why do I feel compelled to write in this space tonight? For about 4 years I’ve had a Sony external drive / CD & DVD burner, a reliable piece of machinery.

      In the process of moving to a new house recently, the power cord got lost along the way, so off I go to Radio Shack, where after sorting through over 30 different proprietary power cords (the ones with the yellow ring), NONE were of the right specs. So off I go to the Sony store, where I am told to call some toll-free number. That phone call turned out to be an hour-long nightmare in which I was bounced around on hold, back and forth between the same departments that had already redirected my call elsewhere. At the end, a puzzled shrug from a Sony employee, who said they had no info on that replacement part. Nobody did, and this for a 4 year-old drive.

      The solution? Went to an electronics repair shop and told the guy to install a universal plug on the drive, same wattage and amperage, of course.

      That company is too big and it painfully shows, especially when it comes to their greedy insistence on using only their little patents and standardizing nothing.

      So 20% of Sony’s production in Japan is offline after the quake and tsunami? Most of their stuff is made in China nowadays. Feel sorry for the workers, but management has long ago placed most of its eggs in other baskets.

  7. >PS: I don’t give a shit about PSN or Sony. I don’t own any Sony products. I just don’t believe in kicking people when they’re down.

    Sony isn’t “down” until they’re filing for Chapter 11.

  8. *Sony pissed off some hackers.
    -By suing someone to stop commercialisation of tools which would, in essence, remove the need for PS3 owners to purchase games. Games sales are the heart of PS’s profits – the consoles were sold at a loss to be competitive in the market.

    *Sony then tried to shift all of the fault onto the collective known as Anonymous, with PS3 owners screaming for their blood.
    -Sony did not start this rumor, but I agree they did nothing to stop it.

    *Sony then tried to say well maybe they didn’t do it, but they made it possible.
    -Citation please. I didn’t see anything of the sort.

    *Sony then said we have proof, we found a text file.
    -ditto

    As to your calling them “asshat hackers”, I would expect that you yourself have not had your CC number ever compromised by a companies lax security.

    You mean company’s, right? No.. I haven’t. Because I go to great lengths to avoid putting my credit card in places I don’t trust. That includes Apple’s iripoff store.

    I call them asshat hackers because they have their head so far up their own arse and they don’t have the balls or creativity to hack anything more important or interesting. Like I said… I don’t care about Sony one way or another. I am just tired of these stories that imply to the unread that Sony is the only company that is hackable. I’d say their woes are merely indicative of widespread complacency in many companies.

    It is worth mentioning that while Sony has an obligation to secure data, it is still against the law to access information which does not belong to you… The cops don’t give a car thief a break if the car he stole was unlocked.

    1. -By suing someone to stop commercialisation of tools which would, in essence, remove the need for PS3 owners to purchase games. Games sales are the heart of PS’s profits – the consoles were sold at a loss to be competitive in the market.

      I would love to see citations for this. It’s my understanding that it’s been a while since a game console was sold at a loss.

      They sued a guy who reverse engineered the console and provided the software he created in the process, for free. There was no commercialization. And it had nothing to do with “never buying games”. It had EVERYTHING to do with their not wanting people to use PS3’s in any way other than how they want it to be used.

      The fact that they were successful in stopping him from doing what he wanted with a piece of hardware he owned sickens me.

    2. >-By suing someone to stop commercialisation of tools which would, in essence, remove the need for PS3 owners to purchase games.

      Citation needed.

      Geohot specifically said he would NEVER release the code for people to play burned games. Despite the character assassination Sony spun in the media, the fact remains Geohot was not out to destroy Sony. He wanted access to the feature he bought the machine for, that Sony decided to remove from the system. He played around in the machine, and Sony left the door open for him to return Other OS because they failed to secure the hypervisor key. (oh look more security flaws from Sony).

      >No.. I haven’t. Because I go to great lengths to avoid putting my credit card in places I dont trust. That includes apple’s iripoff store.

      Umm okies, maybe you are aware… the rest of the people on teh interwebs… not so much. They assume that a multinational company might have a system with more security than a webpage run by a dude hosting on GoDaddy (shudder). Something you’re seemingly unaware of – a great deal of stolen card numbers are cycled through iTunes as a trial run to see if they have been shut down yet.

      http://www.computerworld.com/s/article/9216312/Sony_finds_no_apparent_Anonymous_link_to_PlayStation_attack

      Oh and here is another fun lie from Sony in that article…
      “Sony said there is a high possibility the hacker stole personal information on millions of registered users, but it has found no evidence that a database of credit card numbers was accessed. If true, that appears to rule out a financial motive behind the attack.”

      Yet if you look a little more you can find many people reporting in the arstechnica coverage that they had PSN accounts linked to cards they used for NOTHING else who were getting bogus charges before Sony ever admitted how deep into their system the hack went.

      And yes there was a Sony statement saying that while Anonymous might not be directly responsible, it was their DDOS that provided cover for the real attack on the system.

      https://www.infosecisland.com/blogview/13558-Sony-Tells-Congress-Anonymous-DDoS-Aided-Breach.html

      ““Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous… Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know. In any case, those who participated in the denial of service attacks should understand that – whether they knew it or not – they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony’s many customers around the world,” Hirai’s letter said.”

      They also spend time putting more spin in the delay in reporting the very clear hack… remember there is a text file in the root of a server called ANONYMOUS.TXT supposedly at this time…

      “Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence,” Hirai’s letter said.

      And while you feel this doesn’t need more coverage, I think it really needs more. Sony lied to their customers, Sony lied to the media, Sony quite possibly lied to Congress. And yes, the hackers should have better things to do, and it’s wrong… but gee, we reward other whistleblowers for exposing things that are damaging to the public. And the methods that are being used are really on the outside edge of being called true hacking.

      Oh and don’t forget the phishing site being run on their servers in Thailand. Maybe we should raid F-Secure for finding that little gem and reporting it.

      http://games.slashdot.org/story/11/05/20/2111252/Phishing-Site-Discovered-On-Sony-Thailand-Servers

      I suppose you think that Defcon and any other black hat conference should be raided and everyone put in jail when they expose massive flaws in everyday systems the public count on to be secure.

      I think this is a very fast and visible way to show that Sony was praying security by obscurity was going to be the best model to use. I think they got their answer loud and clear.

  9. Citation needed.
    The trend of noobs making this demand without fulfilling it themselves is getting out of control!

    Geohot specifically said he would NEVER release the code for people to play burned games. Despite the character assassination Sony spun in the media, the fact remains Geohot was not out to destroy Sony.
    ^See above.

    It is my understanding that work done by Geohot and fail0verflow led to the development of USB dongles like this:
    http://arstechnica.com/gaming/news/2010/08/the-ps3-jailbroken-usb-hack-allows-homebrew-copied-games.ars

    Yet if you look a little more you can find many people reporting in the arstechnica coverage that they had PSN accounts linked to cards they used for NOTHING else who were getting bogus charges before Sony ever admitted how deep into their system the hack went.

    I don’t believe anyone has a credit card they owned solely for use on the PSN. That is simply bullshit. I tend not to believe random rants written on the internet by people who are irate they can’t play networked console games.

    They also spend time putting more spin in the delay in reporting the very clear hack… remember there is a text file in the root of a server called ANONYMOUS.TXT supposedly at this time…

    This means nothing. Any decent criminal leaves a false trail. Whoever perpetrated the PSN hack certainly knew about Anonymous’ attitude towards Sony.

    Sony quite possibly lied to Congress.

    Go have a cry at the statue of liberty…. how do you make the jump to this ridiculous conclusion? The link that Chava kindly provided above includes the paragraph:

    “The letter to Congress, written by Chairman of the Board of Directors of Sony Computer Entertainment America, Kazuo Hirai, does not explicitly accuse Anonymous of hacking the PlayStation Network.”

    Oh and don’t forget the phishing site being run on their servers in Thailand. Maybe we should raid F-Secure for finding that little gem and reporting it.

    Not at all guaranteed to be the result of a hack. Much more likely to be the sneaky work of someone employed to manage that server.

    I suppose you think that Defcon and any other black hat conference should be raided and everyone put in jail when they expose massive flaws in everyday systems the public count on to be secure.

    Nice straw-man. Actually, I never said anything that would lead a rational person to conclude that. Those guys are most certainly working on something better than this lame and meaningless hack.

    @Tylith: Thanks

    It’s my understanding that it’s been a while since a game console was sold at a loss.
    @Nettdata: You stand corrected.

    1. Please explain how the dongle relates to Geohot.
      He did not create it, he did not market it.

      While research Geohot did MIGHT have been used to craft such a thing, holding him liable is the same as suing someone who built a car that was used in a crime.

      So people on ars are just making things up, like you and your belief that he made the dongle. But you’re right and they are just whiners… got it.

      Yes a false trail, that Sony took to the media and touted as being proof that Anonymous was behind it. They later changed their story, but the first reports were Sony proves Anonymous did it with the file. Sony has made every effort to shift the focus to anything but themselves and their methods.

      “does not explicitly accuse” see that word explicitly… it means they beat around the bush on it and left “suggestions” that Anonymous was at fault. They also told Congress their systems were up to date, which by posts from a public forum followed by Sony showed their Apache install was NOT currently at the current patch level and had been so for a while.

      So not Sony’s fault when someone they are paying to run a server starts a phishing operation? They lack the ability to check their own sites for security risks/breaches and you’re completely OK with this because they have been picked on enough?

      We agree on one thing: the methods used for this last “hack” were lame. The difference is I see it as endemic of an entire culture at Sony of not taking security seriously. The fact that script kiddies are hauling out all of this information should scare the crap out of anyone. If a script kiddie can get this much, how much could a real hacker get or already have?

      Think of the script kiddies’ “hacks” as a canary in a coal mine. If they are getting any traction with push-button “hack” tools, what does that say about Sony’s commitment to security of customer data?

      But you lament poor picked-on Sony; how about the people who had their card info gone for a week before Sony got around to mentioning oh yeah, we fibbed about them not being able to get your CC#’s… you’re all screwed… here, have some lame credit monitoring.
