Sony Music Brazil hacked - sucuri2
http://blog.sucuri.net/2011/06/sony-music-brazil-hacked.html

======
rkalla
At this point I'm curious if this is the result of any large company becoming
the whipping boy of multiple hacking groups, or if this is just unique to
Sony.

For example, if Microsoft were focused on next... or Ford or GE or IBM, would
the same endless embarrassment ensue?

When Sony originally got hacked, I commented like everyone else: Sony is
incompetent, their security team is subpar, etc, but after the 12th hack... is
this just how shoddy most systems are and they just have the spotlight on them
at the moment?

I believe back on the announcement thread of the latest hack here on HN, there
was an entire sub-thread about "Is this the norm at big companies?" and the
consensus was "yes". Someone mentioned security was between "horribly broken"
and "totally laughable". Of course that's always juicy to read, but I wonder
how true it is.

If this endless list of penetration is any sort of barometer, it looks to be
true.

I'll be curious what the global fallout of this is. I would hate to be the
next company that does something socially unacceptable that gets the baton
passed to them from Sony.

~~~
meterplech
I think you are right that this is a hugely widespread problem. Does anyone
know what security solutions are out there now?

Big companies better start seeking out people like tptacek and quick. More
than just consulting, I think a Heroku-like product with a heavy emphasis on
security (in addition to ease) could be a great product/SaaS.

~~~
SwellJoe
Security products are a hard sell. And, there's a lot of snake oil and voodoo
that gets passed off as useful. One of our competitors had (maybe still has) a
slew of security issues, existing for years, and yet people kept buying and
deploying the product at an alarming rate (it was _extremely_ cheap, and had a
tremendously long feature list)...it took a disaster at the company to change
things to where we no longer view that product as a real threat in the
marketplace. But, I never could figure out how people could overlook the
abysmal security record.

Security is sort of an amorphous concept that most people just can't really
wrap their head around. What does secure software look like? How do you know
it's secure? Non-technical users have no way of knowing; expensive software is
just as likely (if not more likely) to have security issues as Open Source
software. Software that claims to be secure can be just as insecure as
software that makes no such claims.

Security is a process not a product. You can't buy security. Things like
proxies, mod_security, firewalls, IDS, etc. are all band-aids that you put over
problems, and they're usually "preventing" ancient exploits that have already
been fixed in the underlying software (assuming you're running the latest
version). They might prevent some attacks, but if you're running insecure
versions of your software underneath, a determined attacker will find a way
in.

In short: Security is hard. The new hotness is easy and is an easier sell.

------
sucuri2
If they have a security team (which I hope they do), I feel bad for them
(considering the last few weeks). They were probably understaffed and ignored for
a long time and are now under terrible pressure.

~~~
jamaicahest
And they will probably be lucky not to be fired, instead of getting what they
should, which is getting more funding. Of course this is assuming that your
guess is correct.

~~~
systemizer
It's not more funding they need; it's people that actually know what they're
doing. Let's face it: all systems are hackable in some way, but it is the
security team's job to make those hacks have minimal effects. This skill requires
people who actually know the general security principles that are taught at most
technical institutes today.

~~~
SoftwareMaven
You can't possibly make that judgement from outside. If their security team
consisted of two people, the surface area was just too large. In that
situation, I'd be worried about protecting trade secrets and intellectual
property and to hell with the web sites.

If it consisted of 20 people, I would agree with you: they would still be
hackable, but the embarrassing simplicity of the hacks should have been
covered.

Without knowing details of the team, it is just an unsubstantiated guess
and/or heaping crap on Sony (who, as a company, I can't stand).

~~~
reemrevnivek
Agreed. They're losing customer data, which is bad, but they're not a web
company. If the schematics and firmware for their computers, TVs, cameras,
media players, or PlayStations were leaked, then Sony would be more concerned.

I'm surprised the hackers are still going after customer data, and haven't
started targeting IP yet.

~~~
saulrh
My guess is that the hackers are going more for publicity than for anything
else. As much as it should be, stealing the firmware for the PS3 isn't really
"newsworthy"; stealing a million credit cards gets you on every front page in
North America.

------
jjm
Obscure hack that was hard to defend against (DNS or OS vuln) I'd feel sad
about.

Not encrypting customer data and transport, plain text passwords, etc.
doesn't make me feel sad, at all.

------
dudurocha
All of this started with the geohot affair?

~~~
rkalla
More or less.

1\. Sony removes "Install Other Operating Systems" option from the PS3 OS.

2\. Out of frustration at corporate policy for REMOVING major features from
hardware/device paid for and owned by millions, the hackers start working.

3\. Months later, GeoHot releases (what I understand to be) the root private
encryption keys for the device.

3.5 (forgot this) fail0verflow group circumvents the PS3's security system
using this work from GeoHot - <http://www.youtube.com/watch?v=4loZGYqaZ7I>

4\. Other hacking groups, now with the keys to the kingdom, begin working on
hacking the PS3 to allow the installation of any software, not just officially
released/signed/blessed releases. This results in a "jailbreak" for the PS3,
much like what jailbreaking does to the lock-down security on an iPhone.

(This is when things start to go south)

5\. A technique for loading your own software onto the PS3, circumventing the
system's security checks comes out.

(Now the door to pirating PS3 games is open. Download images, burn the Blu-
rays, pop them in the PS3 and play).

6\. Another hacking group, using some portion of this manipulation, actually
manage to get their PS3s logged into the private developer-based PSN network
(it's a full copy of the real PSN network specifically for developers actively
working on titles that need to test things like updates or addon
downloads/installs).

7\. It is discovered that the PSN-Dev network does not do _real_ credit card
authentication before items are purchased and downloaded. So for example, if I
work at BioWare, and I'm on PSN-Dev, I can technically download any of the
standalone games from the network and play them by entering a credit card of
"111" or something silly -
<http://www.reddit.com/r/gaming/comments/gx6o4/im_a_moderator_over_at_psxscenecom_the_real/>

8\. The hacking group is able to pull software off the network, for free, and
leak it to the web.

9\. Some point very shortly after this, the real PSN gets the full intrusion.

I forget if the two are related or not... I don't recall if the group went
PSN-Dev > PSN and that is how they got in, or if there was another group that
did the straight PSN hack.

That is the gist of the avalanche that started with "We are removing Other-OS
install support". Different groups piggy-backing on each other's work to
retaliate.

The endless backlash against Sony seems to have been the result of them going
after GeoHot. Then at some point it stopped being about retribution for him and
just became the popular thing to do.

It is sort of getting old, so unless Sony does something to re-ignite the
flames, I imagine the groups will move on in a month or two.

[Links]

fail0verflow's presentation on how they circumvented the PS3's security
(really cool presentation): <http://www.youtube.com/watch?v=4loZGYqaZ7I>

Post supposedly from one of the internal Sony folk during the total media
black-out when the network first went down explaining the console-Dev-PSN-
network issue:
<http://www.reddit.com/r/gaming/comments/gx6o4/im_a_moderator_over_at_psxscenecom_the_real/>

~~~
Maxious
There are 2 critical points leading up to that list: When the very same GeoHot
released a hardware glitch for PS3 OtherOS to let you use more of the system
(extra SPU and GPU access rather than software rendering). It should be noted
that this was ONLY OtherOS and required soldering. Did Sony really think that
people were going to commercialize homebrew games that require hardware mods?
Or did they know that GeoHot was onto something big? As revenge, Sony took
away OtherOS for everybody and reassigned Geoff Levand.

And when GeoHot then hacked the 3.21 firmware just to get OtherOS back, Sony
blocked it again. This was the point that forced the community's hand to look
for solutions that might also allow piracy (although the wheels may have been
in motion already). Really, based on the PSP experience they should have known
how this works.

~~~
mishmash
Also, two other very critical steps:

Sony sought the right (and won it) to subpoena the IPs of everyone that had
done something such as viewed GeoHot's blog, watched YouTube, Twitter, donated via
Paypal, etc [1].

Sony sought the right (and won) to search all of his computer equipment [2].

These are severely heavy-handed tactics. They wanted to embarrass and
persecute him. They took this thing personally first.

1: <http://www.wired.com/threatlevel/2011/03/geohot-site-unmasking/>

2: <http://www.destructoid.com/ps3-hacker-geohot-must-surrender-computer-to-sony-193787.phtml>

------
paulnelligan
Despite the noble 'little guy fights back' story, I'm starting to wonder if
this will have an overall detrimental effect: give wings to Sarkozy's desire
to police and control the internet, and overall limit consumer and business
confidence in web security?

------
themal
This is the first time that I have looked at any of these 'Sony' hacks. I had
a quick look at their website, and the credits at the bottom clearly say that
it was designed, developed and run by two third parties - yet they aren't
mentioned in the headline.

------
plainOldText
I guess this serves as proof that some large corporations don't take
security seriously enough. And we're supposed to trust them with our data. I
think we should have a "Hall of Shame" for all these companies that fail from a
security perspective.

------
yhlasx
The first case was kinda shocking for me, because, after all, it was Sony who
got hacked. Now, it seems just normal. It was a very bad 30 days for them.

------
johndbritton
Link to the hacked page: <http://www.sonymusic.com.br/index.asp>

------
Kwpolska
It's the 8th time Sony was hacked this year, right?

~~~
jbk
No, we are at 12 now.

<http://attrition.org/security/rants/sony_aka_sownage.html>

~~~
ballard
It's quite amazing how repeated failure impacts the stock by only about $4/share
or roughly 13%. I guess as long as consumers keep buying...

~~~
afterburner
I don't know, 13% seems significant for a company like Sony.

------
jasonlotito
Okay, this is sad. Not that Sony got hacked again, but that I'm putting Sony
getting hacked and Yet-Another-Groupon-Article into the same basket: do we
really need to post this? I mean, at this point, I'll assume Sony is
constantly being hacked. Come back in 100 days and post a "100 days since Sony
was hacked". That would probably be more informative. As for Groupon: everyone
has a weasel-filled opinion.

And I thought /. was plagued by duping stories.

~~~
nuromancer
I'm surprised there is no discussion about the images/message of the hacked
homepage.