Poor Sony just can’t get a break. Or, maybe the opposite, a rest from being broken into. Whichever, hackers from all over continue to jump onto the Make Sony Look Bad Bandwagon by penetrating various Sony networks and websites.
From the Sony-Ericsson mobile Canadian store through an SQL injection attack to steal details of approximately 2000 accounts… To the release of a cleansed dump of Sony Music’s Japanese website database after exploiting a similar SQL-injection vulnerability, with personal information intentionally avoided to render the data mostly harmless because it was done just for fun… To yet again a similar SQL-injection vuln used to nail Sony BMG Greece and some 8385 accounts with proof of data including email addresses and password hashes… To a relatively harmless defacing of Sony Music Indonesia’s website… To a hack of Sony’s subsidiary, So-Net Entertainment where 128 accounts had approximately $1,200 worth of virtual points stolen and some 90-odd accounts had their privacy violated through the reading of their emails… To Sony’s HD World site in Thailand being used to host a phishing scam aimed at an Italian credit card company… To the updated PlayStation Network vulnerability allowing evil-doers to change anyone’s password merely by knowing the user account name and their date of birth, both pieces of information stolen in the original PSN hack… Oh, right, to the original PlayStation Network hack exposing the details of some 77 million PSN gamers and an additional 25 million Sony Online Entertainment customers.
So that makes, what, 9 successful attacks on Sony now?
Sony executives have already admitted that the PSN hack alone will cost them at least $171 million. Mind you, the rest are certainly small potatoes by comparison, but I sure wouldn’t want to be a Sony executive right now. Nor a Sony shareholder. Nor a Sony customer! Ouch.
Meanwhile, we still wait for the full assortment of PSN services to be brought back up.
And we still don’t have any real answers as to how this happened, went on undetected for as long as it did, etc.
But honestly, one of the things that actually disturbs me, aside from that, is the frequency with which the phrase “SQL injection attack” is used in these reports. Do Sony’s various website administrators not communicate with each other? One would have thought that as soon as one security hole was discovered, all of Sony’s websites would respond by patching that vulnerability. And yet…
So nine hacks now. Is this party over? Or has it only just begun?
Admittedly, with as many people as there are trying to make a fool of Sony right now, it’s really no surprise that the hackers are winning this war. But I’m far from convinced that Sony isn’t perhaps making it a little easier for the hackers than it should. For a name as big as Sony, you would have perhaps expected better.
And the thing is, Sony really brought this upon themselves. I mean, it started because they took away one of the big selling points of the PS3, its ability to run Linux, to be used as a micro-PC. And they did it all so … insultingly. But then, then, when hackers try to break Sony’s locks so that this feature can be re-opened, what does Sony do but wig out and arm their army of lawyers against the hackers that were simply trying to restore the feature Sony wrongfully took away. So while I must re-state my still firm stance that I do not in any way condone illegal activities, I also have to point out that Sony really was asking for this mess by pissing off quasi-legal security experts / hackers. Just one of those moments where if you can’t stand up, don’t step up. Sony made of themselves a rather large and obvious target for a lot of angry people with dangerous skills. Clearly, Sony wasn’t up to their own challenge.