For example, if Microsoft were focused on next... or Ford or GE or IBM, would the same endless embarrassment ensue?
When Sony originally got hacked, I commented like everyone else: Sony is incompetent, their security team is subpar, etc., but after the 12th hack... is this just how shoddy most systems are, and they just have the spotlight on them at the moment?
I believe back on the announcement thread of the latest hack here on HN, there was an entire sub-thread about "Is this the norm at big companies?" and the consensus was "yes". Someone mentioned security was between "horribly broken" and "totally laughable". Of course that's always juicy to read, but I wonder how true it is.
If this endless list of penetration is any sort of barometer, it looks to be true.
I'll be curious what the global fallout of this is. I would hate to be the next company that does something socially unacceptable that gets the baton passed to them from Sony.
Most businesses seem to get by with as little as possible in the way of security resources. Often they don't have anyone dedicated to security (warning signal #1), and they'll let you remote into their network without many restrictions (warning signal #2). The other businesses are usually at the other extreme on security. They want documentation that you have a secure development policy, they'll do an independent security audit, they won't allow remote access under any circumstances, and some won't even allow any direct access at all (you have to prepare documentation that their people can follow for any modification that must be made to the system). So, basically, there's a minority that really gets it, and a majority that doesn't know and doesn't care.
The fallout of this is simple: there won't be any. It hasn't gotten bad enough yet. Sony's case is seen as an isolated incident of a company that got unlucky. Most business leaders won't even see it as having bad policy, just bad luck. Programmers will know better, but wisdom from the tech crowd generally doesn't percolate to the C-levels. However, hackers everywhere are realizing that all these big businesses are information goldmines, and in the coming years we're going to see an onslaught of hacks that will eventually force a standardization of security policies.
I think both. It's fairly common practice to hire your design/advertising agency to develop your web properties. Those companies have little or no in-house software development expertise and rarely employ good software development practices. I made efforts to introduce such practices, with relative success (we reduced cost and delivery times by implementing simple things like version control, code reviews and a knowledge base), but, without education and enforcement, developer turnover and poor expectation management eventually erased all traces of good practices in a couple of years.
If that process isn't in place, then it's simply a matter of time (and pissing off the wrong people) before it all ends up crumbling. I don't know anything about Sony's internal processes whatsoever, but everything I've seen and heard points to this process being completely nonexistent. Most of these vulnerabilities would've been caught by anyone familiar with security -- if they're easy to find from the outside, they're downright trivial to find from the inside.
(Full disclosure: I work as a security consultant)
More likely, Sony simply outsources their web properties to some outside teams, which do not have proper expertise in building secure websites. This theory especially makes sense if you look at what properties were hacked - they're mostly local-market websites. So, I'd say, the only hacked property Sony must really be embarrassed about is PSN, hands down.
I don't think that if Anonymous targeted Microsoft (or a normal company) it would be the same.
The thing is, Sony seems to have made itself the target of people who are hacking "for a cause (or whatever you might call it)" which is why they advertise the fact that the hack took place.
Surely, there are plenty of other black hats without a cause, who will not deface the website or put out a PR release, and so you are only going to hear about it if A) the company notices and B) the company tells you about it.
To what extent do they have to tell? Is there any way for them to get caught if they don't? What (if any) are the consequences if they don't?
I'm curious. How many intrusions get swept under the carpet?
Big companies better start seeking out people like tptacek and quick. More than just consulting, I think a Heroku-like product with a heavy emphasis on security (in addition to ease) could be a great product/SaaS.
Security is sort of an amorphous concept that most people just can't really wrap their head around. What does secure software look like? How do you know it's secure? Non-technical users have no way of knowing; expensive software is just as likely (if not more likely) to have security issues as Open Source software. Software that claims to be secure can be just as insecure as software that makes no such claims.
Security is a process, not a product. You can't buy security. Things like proxies, mod_security, firewalls, IDS, etc. are all band-aids that you put over problems, and they're usually "preventing" ancient exploits that have already been fixed in the underlying software (assuming you're running the latest version). They might prevent some attacks, but if you're running insecure versions of your software underneath, a determined attacker will find a way in.
In short: Security is hard. The new hotness is easy and is an easier sell.
Secondly, there seems to be systemic incompetence all over the shoppe; with so many entry points for attack, it's just a matter of time before attackers find them.
I don't generally form strong opinions on topics like these, but in this case, I will definitely be using the rays from their victory candescence to stay warm this winter.
If it consisted of 20 people, I would agree with you: they would still be hackable, but the embarrassing simplicity of the hacks should have been covered.
Without knowing details of the team, it is just an unsubstantiated guess and/or heaping crap on Sony (who, as a company, I can't stand).
I'm not excusing Sony: they screwed up big time. I'm simply saying that we can't infer that their security team (if it even exists) is incompetent.
I'm surprised the hackers are still going after customer data, and haven't started targeting IP yet.
Not encrypting customer data and transport, plain text passwords, etc. doesn't make me feel sad at all.
At that time it was pretty clear that they didn't care much about their customers' security. However, it was not (yet) clear that they didn't care much about their servers' security, either.
1. Sony removes "Install Other Operating Systems" option from the PS3 OS.
2. Out of frustration at corporate policy for REMOVING major features from hardware/device paid for and owned by millions, the hackers start working.
3. Months later, GeoHot releases (what I understand to be) the root private encryption keys for the device.
3.5 (forgot this) fail0verflow group circumvents the PS3's security system using this work from GeoHot - http://www.youtube.com/watch?v=4loZGYqaZ7I
4. Other hacking groups, now with the keys to the kingdom, begin working on hacking the PS3 to allow the installation of any software, not just officially released/signed/blessed releases. This results in a "jailbreak" for the PS3, much like what jailbreaking does to the lock-down security on an iPhone.
(This is when things start to go south)
5. A technique for loading your own software onto the PS3, circumventing the system's security checks comes out.
(Now the door to pirating PS3 games is open. Download images, burn the Blu-rays, pop them in the PS3 and play).
6. Another hacking group, using some portion of this manipulation, actually manages to get their PS3s logged into the private developer-based PSN network (it's a full copy of the real PSN network specifically for developers actively working on titles that need to test things like updates or addon downloads/installs).
7. It is discovered that the PSN-Dev network does not do real credit card authentication before items are purchased and downloaded. So for example, if I work at BioWare, and I'm on PSN-Dev, I can technically download any of the standalone games from the network and play them by entering a credit card of "111" or something silly - http://www.reddit.com/r/gaming/comments/gx6o4/im_a_moderator...
8. The hacking group is able to pull software off the network, for free, and leak it to the web.
9. Some point very shortly after this, the real PSN gets the full intrusion.
I forget if the two are related or not... I don't recall if the group went PSN-Dev > PSN and that is how they got in, or if there was another group that did the straight PSN hack.
That is the gist of the avalanche that started with "We are removing Other-OS install support". Different groups piggy-backing on each other's work to retaliate.
The endless backlash against Sony seems to have been the result of them going after GeoHot. Then at some point it stopped being about retribution for him and just became the popular thing to do.
It is sort of getting old, so unless Sony does something to re-ignite the flames, I imagine the groups will move on in a month or two.
fail0verflow's presentation on how they circumvented the PS3's security (really cool presentation):
Post supposedly from one of the internal Sony folk during the total media black-out when the network first went down explaining the console-Dev-PSN-network issue:
And then, when GeoHot hacked the 3.21 firmware just to get OtherOS back, Sony blocked it again. This was the point that forced the community's hand into looking for solutions that might also allow piracy (although the wheels may have been in motion already). Really, based on the PSP experience, they should have known how this works.
Sony sought the right (and won it) to subpoena the IPs of everyone who had done something such as viewed GeoHot's blog, watched his YouTube videos, followed him on Twitter, donated via PayPal, etc.
Sony sought the right (and won) to search all of his computer equipment.
These are severely heavy-handed tactics. They wanted to embarrass and persecute him. They took this thing personally first.
And I thought /. was plagued by duping stories.