In the continuing saga of Sony being attacked by hackers, hacking group Lulz Security has compromised and posted online the user information of customers of Sony Pictures, including full names, addresses, usernames and plaintext passwords. In addition, they have released employee usernames and passwords (also stored in plaintext), parts of a database for BMG Music in Belgium and the Netherlands, a list of 20,000 international coupons, and international codes that they state are “like magnets, we simply have no idea how they work.” (Editor’s note: I have no clue, either). There’s also a text file that shows how the tables break down. The vast majority of the usable data is in a file called Sony_Pictures_International_AUTOTRADER_USERS.txt, which has full addresses, email addresses, passwords and real names. Gaming Bus has verified that some of the personal information contained within the file is accurate.
According to the press release (titled PRETENTIOUS PRESS STATEMENT.txt), the database put up in a torrent on The Pirate Bay is a small sampling of the database that they had full control over, and downloading the entire database would have taken weeks. They noted that all information was stored on the server in plaintext (in contrast: passwords from the PlayStation Network were hashed), and that the hack was facilitated by a “very simple” SQL injection. The press release asks plainly “Why do you put such faith in a company that allows itself to become open to these simple attacks?”, and states that the storage of plaintext passwords on their servers was “disgraceful and insecure”, noting “they were asking for it”. The SQL injection hole was a photoshopped upload of a Ghostbusters picture, which has since been taken down.
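The two failures the press release names, passwords stored in plaintext and a query assembled from user input, shown next to the hardened form. This is an added example, not code from Sony or from the article; the sqlite3 tables, the user names and the PBKDF2 work factor are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor, a constructed choice for this example

def setup_db():
    """Constructed in-memory stand-in for a customer table; rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hardened (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn

def register_plaintext(conn, username, password):
    # Failure 1 from the press release: the stored column IS the password,
    # so a dump of this table is a ready-made credential list.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def login_plaintext(conn, username, password):
    # Failure 2: query text assembled from user input, so a quote in the
    # input is parsed as SQL syntax instead of being treated as data.
    query = "SELECT 1 FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return conn.execute(query).fetchone() is not None

def input_parsed_as_sql(conn, username):
    """True when the concatenated query does not even parse for this username."""
    try:
        login_plaintext(conn, username, "irrelevant")
        return False
    except sqlite3.OperationalError:
        return True

def register_hardened(conn, username, password):
    # Per-user salt plus a slow hash: a dump yields no reusable passwords.
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    conn.execute("INSERT INTO users_hardened VALUES (?, ?, ?)", (username, salt, pw_hash))

def login_hardened(conn, username, password):
    # Bound parameter: the driver passes the username as data, never as SQL.
    row = conn.execute("SELECT salt, pw_hash FROM users_hardened WHERE username=?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)
```

A legitimate name containing an apostrophe is enough to break the concatenated query, which is the same root cause an injection exploits; the bound-parameter version handles it as ordinary data.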
This breach comes less than 24 hours after Sony brought its PlayStation Store back online throughout the world outside of Asia. Sony has not offered comment as of press time.
Analysis: It’s important to know that, as the press release states, these aren’t master hackers at work. SQL injections are script-kiddie level shit. Now, we can all call LulzSec names for their disregard for innocent victims – customers – in all of this. That criticism is justified, especially as they didn’t just stop at putting coupon codes online; they posted sensitive user data that can be used to socially engineer vulnerable people. I’ve personally verified that at least a portion of the data in the “autotrader” file is accurate in terms of it being tied to where people actually live (I’m not committing federal crimes by logging into email addresses in the name of journalism, sorry), and if the birthdates are accurate, it’s important to know that everyone in that file, if they’re still alive, is over the age of 65 (I’ve confirmed the ages of two people through simple Google searches, and their ages are accurate). Older people tend not to be as technologically capable as younger people more in tune with the internet; these people, if this information is used, are highly susceptible to further damage. LulzSec – seemingly a bunch of schizophrenic teenagers with a hair trigger – should be derided for their irresponsible, even criminal manner in handling this data. There is a way to make a social point without endangering other people, and these idiots just flouted that. You know, “for the lulz”.
But let’s not defend Sony here. As a corporation, Sony knew they pissed off some very technologically proficient people when they decided to sue George “Geohot” Hotz. At this point, any place I’ve worked in the past – my last IT job was as a security engineer at a company that provided cloud-based security to literally thousands of banks around the world – we would have had conversations about how to secure our network, just in case. Hell, we would have even brought in a third party to give us a thorough analysis of our network, and what we could do better. This is standard operating procedure. Instead, Sony’s PSN was breached, the second largest data breach in American history. OK, shit happens. This type of breach is inexcusable – especially when considering the details that came out afterwards (just the ones that Sony told us about!) – but shit happens. At this point, we would have been panicking, and this panicking would have involved us being five times more careful. “OK. OK. Shit, we got hit. OK! Make sure everything else is secure! Batten down the torpedoes! Damn the hatches! I got that backwards oh TO HELL WITH IT NOTHING GETS IN OR OUT”. Either way, we would have been really careful.
Since the time the PSN went down, various other networks relating to Sony have been breached. Stolen currency in Japan. A web page in Thailand being defaced and used for phishing. From all indications, none of these hacks were sophisticated. In fact, it’s possible the Thai hack was an SQL injection similar to this one. This is beyond a Keystone Kops level of incompetence. The people in charge of these servers should not be working in this field. Period.
We’ve also seen Sony CEO Howard Stringer do something I never thought he would have the balls to do: go on the offensive, even having the audacity to say that Sony’s one-week response to the initial PSN hack was better than most other companies’, and asking “is my one week not good enough?”. Whether it is or not – I think he’s full of shit – it’s a ludicrous thing to go in front of 100 million compromised customers, some of whom don’t know if their credit cards are safe, and say “hey, what do you want from me? Shit happens!”. To do that, and then suffer further indignities, is inexcusable. This latest breach is possibly the worst of them all.
I am officially, and on record, calling for either the resignation or the forced removal of Howard Stringer as CEO of Sony. I don’t do this lightly; I defended him when analysts were calling for his head at the outset of the PSN breach, mainly due to other Sony failures under his watch. After this, I have determined that this man is fundamentally incapable of handling a company, especially in a period of crisis. The only person I can think of who has floundered on a level of this magnitude is former British Petroleum CEO Tony Hayward, and the only reason Hayward wins is because his screw-up permanently damaged the lives and ecosystem of an entire region while he went off and raced yachts. Nonetheless, anyone who has given anything to Sony – a company that once maliciously installed rootkits on music CDs, then tried to cover it up – is in danger of having that data compromised. Sony flat-out does not care, and never has; they are only interested in a public relations win and in getting their share price and profitability up as fast as possible. Howard Stringer is the man responsible for everything I have mentioned; he’s at the top, he sets the tone, and if his screw-ups weren’t the last straw, his response to them is.
He’s got to go. And until he does, I would carefully consider any and all purchases of Sony-related products. The only way to get action is through choking their revenue lifeblood. Otherwise, this process will repeat itself.