rkalla | 15 years ago
At this point I'm curious if this is the result of any large company becoming the whipping boy of multiple hacking groups, or if this is just unique to Sony.
For example, if Microsoft were focused on next... or Ford or GE or IBM, would the same endless embarrassment ensue?
When Sony originally got hacked, I commented like everyone else: Sony is incompetent, their security team is subpar, etc, but after the 12th hack... is this just how shoddy most systems are and they just have the spotlight on them at the moment?
I believe back on the announcement thread of the latest hack here on HN, there was an entire sub-thread about "Is this the norm at big companies?" and the consensus was "yes". Someone mentioned security was between "horribly broken" and "totally laughable". Of course that's always juicy to read, but I wonder how true it is.
If this endless list of penetration is any sort of barometer, it looks to be true.
I'll be curious what the global fallout of this is. I would hate to be the next company that does something socially unacceptable that gets the baton passed to them from Sony.
Joeri | 15 years ago
I have personal experience shipping a web app to a bunch of large companies and educational institutions, and it's a mixed bag.
Most businesses seem to get by with as little as possible in the way of security resources. Often they don't have anyone dedicated to security (warning signal #1), and they'll let you remote into their network without many restrictions (warning signal #2). The other businesses are usually at the other extreme on security. They want documentation that you have a secure development policy, they'll do an independent security audit, they won't allow remote access under any circumstances, and some won't even allow any direct access at all (you have to prepare documentation that their people can follow for any modification that must be made to the system). So, basically, there's a minority that really gets it, and a majority that doesn't know and doesn't care.
The fallout of this is simple: there won't be any. It hasn't gotten bad enough yet. Sony's case is seen as an isolated incident of a company that got unlucky. Most business leaders won't even see it as having bad policy, just bad luck. Programmers will know better, but wisdom from the tech crowd generally doesn't percolate to the C-levels. However, hackers everywhere are realizing that all these big businesses are information goldmines, and in the coming years we're going to see an onslaught of hacks that will eventually force a standardization of security policies.
rbanffy | 15 years ago
> but after the 12th hack... is this just how shoddy most systems are and they just have the spotlight on them at the moment?
I think both. It's fairly common practice to hire your design/advertising agency to develop your web properties. Those companies have little or no in-house software development expertise and rarely employ good software development practices. I made efforts to introduce such practices, with relative success (we reduced cost and delivery times by implementing simple things like version control, code reviews and a knowledge base) but, without education and enforcement, developer turnaround and poor expectation management eventually erased all traces of good practices in a couple years.
daeken | 15 years ago
There is one defining characteristic of a company whose products are secure: the existence of a security methodology that is followed religiously. Generally that means that for everything that gets rolled out, it goes through a security department that handles security lifecycle management and brings in external security consultants to do both SARs (security architecture reviews) and AVTs (application vulnerability tests). Every single thing that touches your company's network, whether it's a third-party product or internal, should have an AVT performed before it touches a production server, and every internal product should have a SAR performed both by dedicated internal teams and external teams (this is generally a joint test, as domain knowledge that consultants may not have can be very important).
If that process isn't in place, then it's simply a matter of time (and pissing off the wrong people) before it all ends up crumbling. I don't know anything about Sony's internal processes whatsoever, but everything I've seen and heard points to this process being completely nonexistent. Most of these vulnerabilities would've been caught by anyone familiar with security -- if they're easy to find from the outside, they're downright trivial to find from the inside.
(Full disclosure: I work as a security consultant)
jimbobimbo | 15 years ago
"if this is just unique to Sony"..."Sony is incompetent"
More likely, Sony simply outsources their web properties to some outside teams, which do not have proper expertise in building secure websites. This theory makes especially good sense if you look at what properties were hacked - they're mostly local-market websites. So, I'd say, the only hacked property Sony must really be embarrassed about is PSN, hands down.
jvandenbroeck | 15 years ago
They definitely don't take security seriously at Sony; if you get hacked with a SQL injection, you suck. When I was creating PHP websites as a 12-year-old kid, they were even protected against SQL injections -- and it's not that I was a super smart or paranoid kid.
I don't think that if Anonymous were to target Microsoft (or a normal company) it would be the same.
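The "basic protection" the comment above refers to is using parameterized queries instead of pasting user input into SQL text. The following is an added illustration, not code from the thread or from any Sony property; it uses Python's sqlite3 module with a constructed three-row users table so it runs offline, and it shows both failure modes of string-built SQL: a quote-bearing input that turns a login check into a tautology, and a perfectly legitimate name containing an apostrophe that simply breaks the query. The parameterized version handles both correctly.

```python
"""Added example: string-built SQL versus parameterized queries (sqlite3)."""
import sqlite3
from typing import List, Optional

# Constructed sample data for the demo; not real accounts.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pa55word")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example needs no external database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Optional[List[str]]:
    """The anti-pattern: user input becomes part of the SQL text.

    Any quote character in the input changes the structure of the query.
    Returns the matched names, or None when the input made the SQL unparseable.
    """
    sql = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}' ORDER BY name"
    )
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """The fix: placeholders keep the input as data; the driver never parses it as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo() -> dict:
    """Run both variants against the same inputs and return the outcomes side by side."""
    conn = make_db()
    tautology = "' OR '1'='1"  # textbook input from injection write-ups
    return {
        # The string-built query degenerates to "... OR '1'='1'" and matches every row.
        "tautology_vulnerable": login_vulnerable(conn, "alice", tautology),
        # With placeholders the same input is just a wrong password: no rows.
        "tautology_parameterized": login_parameterized(conn, "alice", tautology),
        # Correct credentials still work through the safe path.
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        # A legitimate apostrophe breaks the string-built query (syntax error -> None)...
        "quote_in_name_vulnerable": login_vulnerable(conn, "o'brien", "pa55word"),
        # ...but is handled transparently by the parameterized one.
        "quote_in_name_parameterized": login_parameterized(conn, "o'brien", "pa55word"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The same idea applies to PHP (prepared statements via PDO or mysqli) and every other database driver; the language is incidental, the point is that the query text and the data travel separately.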
pushingbits | 15 years ago
What I wonder about is to what extent this is going on with other companies without anyone hearing about it.
The thing is, Sony seems to have made itself the target of people who are hacking "for a cause (or whatever you might call it)" which is why they advertise the fact that the hack took place.
Surely, there are plenty of other black hats without a cause, who will not deface the website or put out a PR release and so you are only going to hear about it if A) the company notices and B) the company tells you about it.
To what extent do they have to tell? Is there any way for them to get caught if they don't? What (if any) are the consequences if they don't?
I'm curious. How many intrusions get swept under the carpet?
swaits | 15 years ago
meterplech | 15 years ago
I think you are right that this is a hugely widespread problem. Does anyone know what security solutions are out there now?
Big companies better start seeking out people like tptacek and quick. More than just consulting, I think a Heroku-like product with a heavy emphasis on security (in addition to ease) could be a great product/SaaS.
foxhill | 15 years ago
i think there are 2 factors here, one being the unanimity of the hacker community in regards to sony's treatment of geohotz, other hackers, and its early adopter fan base.
secondly, there seems to be systemic incompetence all over the shoppe, so many entry points for attack, it's just a matter of time before attackers find them.
i don't generally form strong opinions on topics like these, but in this case, i will definitely be using the rays from their victory candescence to stay warm this winter.
teyc | 15 years ago
If they have a security team (which I hope they do), I feel bad for them (considering the last few weeks). Probably were under staffed and ignored for a long time and now are under a terrible pressure.
And they will probably be lucky not to be fired, instead of getting what they should, which is getting more funding. Of course this is assuming that your guess is correct.
sucuri2 | 15 years ago
jamaicahest | 15 years ago
jjm | 15 years ago
Not encrypting customer data and transport, plain text passwords, etc. doesn't make me feel sad, at all.
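The "plain text passwords" point above is the one with the simplest fix, so here is an added example of what the alternative looks like; it is not code from the thread or from any Sony system. It stores a salted PBKDF2-HMAC-SHA256 digest in a self-describing record and verifies candidates with a constant-time comparison, using only the Python standard library. The iteration count is an assumption chosen for illustration (600,000 is the commonly cited 2023 guidance for this algorithm); any real deployment should tune it to its hardware and revisit it over time.

```python
"""Added example: salted, iterated password hashing instead of plain-text storage."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: illustrative work factor, tune per deployment
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algo$iterations$salt_b64$digest_b64.

    A fresh random salt per user means identical passwords produce different
    records, so a leaked table cannot be attacked with one precomputed list.
    The optional salt parameter exists only to make tests deterministic.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(
        [ALGO, str(ITERATIONS), base64.b64encode(salt).decode("ascii"),
         base64.b64encode(digest).decode("ascii")]
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time.

    Malformed records are treated as a failed login rather than an exception,
    so a corrupted row cannot crash the login path.
    """
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != ALGO:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking, via timing, how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def password_appears_in_record(password: str, stored: str) -> bool:
    """Sanity check for the demo: the stored record must not contain the password."""
    return password in stored


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed demo password
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("wrong", record))
```

Encrypting the data at rest and in transit (TLS) covers the other two items in the comment; hashing is specifically for credentials, because the server never needs to recover the original password, only to recognise it.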
dudurocha | 15 years ago
rkalla | 15 years ago
1. Sony removes "Install Other Operating Systems" option from the PS3 OS.
2. Out of frustration at corporate policy for REMOVING major features from hardware/device paid for and owned by millions, the hackers start working.
3. Months later, GeoHot releases (what I understand to be) the root private encryption keys for the device.
3.5 (forgot this) fail0verflow group circumvents the PS3's security system using this work from GeoHot - http://www.youtube.com/watch?v=4loZGYqaZ7I
4. Other hacking groups, now with the keys to the kingdom, begin working on hacking the PS3 to allow the installation of any software, not just officially released/signed/blessed releases. This results in a "jailbreak" for the PS3, much like what jailbreaking does to the lock-down security on an iPhone.
(This is when things start to go south)
5. A technique for loading your own software onto the PS3, circumventing the system's security checks comes out.
(Now the door to pirating PS3 games is open. Download images, burn the Blu-rays, pop them in the PS3 and play).
6. Another hacking group, using some portion of this manipulation, actually manages to get their PS3s logged into the private developer-based PSN network (it's a full copy of the real PSN network specifically for developers actively working on titles that need to test things like updates or addon downloads/installs).
7. It is discovered that the PSN-Dev network does not do real credit card authentication before items are purchased and downloaded. So for example, if I work at BioWare, and I'm on PSN-Dev, I can technically download any of the standalone games from the network and play them by entering a credit card of "111" or something silly - http://www.reddit.com/r/gaming/comments/gx6o4/im_a_moderator...
8. The hacking group is able to pull software off the network, for free, and leak it to the web.
9. Some point very shortly after this, the real PSN gets the full intrusion.
I forget if the two are related or not... I don't recall if the group went PSN-Dev > PSN and that is how they got in, or if there was another group that did the straight PSN hack.
That is the gist of the avalanche that started with "We are removing Other-OS install support". Different groups piggy-backing on each other's work to retaliate.
The endless backlash against Sony seems to have been the result of them going after GeoHot. Then at some point it stopped being about retribution for him and just became the popular thing to do.
It is sort of getting old, so unless Sony does something to re-ignite the flames, I imagine the groups will move on in a month or two.
[Links]
fail0verflow's presentation on how they circumvented the PS3's security (really cool presentation): http://www.youtube.com/watch?v=4loZGYqaZ7I
Post supposedly from one of the internal Sony folk during the total media black-out when the network first went down explaining the console-Dev-PSN-network issue: http://www.reddit.com/r/gaming/comments/gx6o4/im_a_moderator...
vog | 15 years ago
I think this started in 2005 with the Sony rootkit. [1]
At that time it was pretty clear that they didn't care much about their customers' security. However, it was not (yet) clear that they didn't care much about their servers' security, either.
[1] http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...
paulnelligan | 15 years ago
Despite the noble 'little guy fights back' story, I'm starting to wonder if this will have an overall detrimental effect? Give wings to Sarkozy's desire to police and control the internet, and overall limit consumer and business confidence in web security?
themal | 15 years ago
This is the first time that I have looked at any of these 'Sony' hacks. I had a quick look at their website, and the credits at the bottom clearly say that it was designed, developed and run by two third parties - yet they aren't mentioned in the headline.
plainOldText | 15 years ago
I guess this serves as proof that some large corporations don't take security seriously enough. And we're supposed to trust them with our data. I think we should have a "Hall of Shame" for all these companies that fail from a security perspective.
yhlasx | 15 years ago
Okay, this is sad. Not that Sony got hacked again, but that I'm putting Sony getting hacked and Yet-Another-Groupon-Article into the same basket: do we really need to post this? I mean, at this point, I'll assume Sony is constantly being hacked. Come back in 100 days and post a "100 days since Sony was hacked". That would probably be more informative. As for Groupon: everyone has a weasel-filled opinion.
johndbritton | 15 years ago
unknown | 15 years ago
[deleted]
Kwpolska | 15 years ago
jbk | 15 years ago
http://attrition.org/security/rants/sony_aka_sownage.html
jasonlotito | 15 years ago
And I thought /. was plagued by duping stories.
nuromancer | 15 years ago