Sony Music Brazil hacked (sucuri.net)
141 points by sucuri2 on June 5, 2011 | 49 comments

At this point I'm curious if this is the result of any large company becoming the whipping boy of multiple hacking groups, or if this is just unique to Sony.

For example, if Microsoft were focused on next... or Ford or GE or IBM, would the same endless embarrassment ensue?

When Sony originally got hacked, I commented like everyone else: Sony is incompetent, their security team is subpar, etc, but after the 12th hack... is this just how shoddy most systems are and they just have the spotlight on them at the moment?

I believe back on the announcement thread of the latest hack here on HN, there was an entire sub-thread about "Is this the norm at big companies?" and the consensus was "yes". Someone mentioned security was between "horribly broken" and "totally laughable". Of course that's always juicy to read, but I wonder how true it is.

If this endless list of penetration is any sort of barometer, it looks to be true.

I'll be curious what the global fallout of this is. I would hate to be the next company that does something socially unacceptable that gets the baton passed to them from Sony.

I have personal experience shipping a web app to a bunch of large companies and educational institutions, and it's a mixed bag.

Most businesses seem to get by with as little as possible in the way of security resources. Often they don't have anyone dedicated on security (warning signal #1), and they'll let you remote into their network without many restrictions (warning signal #2). The other businesses are usually to the other extreme on security. They want documentation that you have a secure development policy, they'll do an independent security audit, they won't allow remote access under any circumstances, and some won't even allow any direct access at all (you have to prepare documentation that their people can follow for any modification that must be made to the system). So, basically, there's a minority that really gets it, and a majority that doesn't know and doesn't care.

The fallout of this is simple: there won't be any. It hasn't gotten worse enough yet. Sony's case is seen as an isolated incident of a company that got unlucky. Most business leaders won't even see it as having bad policy, just bad luck. Programmers will know better, but wisdom from the tech crowd generally doesn't percolate to the C-levels. However, hackers everywhere are realizing that all these big businesses are information goldmines, and the coming years we're going to see an onslaught of hacks that will eventually force a standardization of security policies.

> but after the 12th hack... is this just how shoddy most systems are and they just have the spotlight on them at the moment?

I think both. It's fairly common practice to hire your design/advertising agency to develop your web properties. Those companies have little or no in-house software development expertise and rarely employ good software development practices. I made efforts to introduce such practices, with relative success (we reduced cost and delivery times by implementing simple things like version control, code reviews and a knowledge base) but, without education and enforcement, developer turnaround and poor expectation management eventually erased all traces of good practices in a couple years.

There is one defining characteristic of a company whose products are secure: the existence of a security methodology that is followed religiously. Generally that means that for everything that gets rolled out, it goes through a security department that handles security lifecycle management and brings in external security consultants to do both SARs (security architecture reviews) and AVTs (application vulnerability tests). Every single thing that touches your company's network, whether it's a third-party product or internal, should have an AVT performed before it touches a production server, and every internal product should have a SAR performed both by dedicated internal teams and external teams (this is generally a joint test, as domain knowledge that consultants may not have can be very important).

If that process isn't in place, then it's simply a matter of time (and pissing off the wrong people) before it all ends up crumbling. I don't know anything about Sony's internal processes whatsoever, but everything I've seen and heard points to this process being completely nonexistent. Most of these vulnerabilities would've been caught by anyone familiar with security -- if they're easy to find from the outside, they're downright trivial to find from the inside.

(Full disclosure: I work as a security consultant)

"if this is just unique to Sony"..."Sony is incompetent"

More likely, Sony simply outsources their web properties to some outside teams, which do not have proper expertise in building secure websites. This theory especially makes sense if you look at what properties were hacked - they're mostly local-market websites. So, I'd say, the only hacked property Sony must really be embarrassed for is PSN, hands down.

I worked with a guy about 7-8 years ago who went on to manage an Indian outsourced team for the SonyStyle web store. He was terribly frustrated with the situation and the quality of the engineering staff. Stopped having lunch with him as every time it seemed to devolve into a rant session. Note that he was Indian born/educated himself. It was sad as we collaborated closely on a project for over a year and he was one of the sharpest, happiest, most positive engineers I ever worked with.

They definitely don't take security seriously at Sony; if you get hacked with a SQL injection - you suck. When I was creating PHP websites as a 12 year old kid, they were even protected against SQL injections -- and it's not that I was a super smart or paranoid kid.

I don't think that if Anonymous targeted Microsoft (or a normal company) it would be the same.

Indeed. The smart folks were protecting against SQL injection and similar exploits 10 and 15 years ago. Today, there's absolutely zero excuse.

What I wonder about is to what extent this is going on with other companies without anyone hearing about it.

The thing is, Sony seems to have made itself the target of people who are hacking "for a cause (or whatever you might call it)" which is why they advertise the fact that the hack took place.

Surely, there are plenty of other black hats without a cause, who will not deface the website or put out a PR release and so you are only going to hear about it if A) the company notices and B) the company tells you about it.

To what extent do they have to tell? Is there any way for them to get caught if they don't? What (if any) are the consequences if they don't?

I'm curious. How many intrusions get swept under the carpet?

Sony Music, Computer Entertainment (PlayStation), Electronics, Pictures, Online Entertainment, Network Entertainment -- all separate companies.

I think you are right that this is a hugely widespread problem. Does anyone know what security solutions are out there now?

Big companies better start seeking out people like tptacek and quick. More than just consulting, I think a Heroku-like product with a heavy emphasis on security (in addition to ease) could be a great product/SaaS.

Security products are a hard sell. And, there's a lot of snake oil and voodoo that gets passed off as useful. One of our competitors had (maybe still has) a slew of security issues, existing for years, and yet people kept buying and deploying the product at an alarming rate (it was extremely cheap, and had a tremendously long feature list)...it took a disaster at the company to change things to where we no longer view that product as a real threat in the marketplace. But, I never could figure out how people could overlook the abysmal security record.

Security is sort of an amorphous concept that most people just can't really wrap their head around. What does secure software look like? How do you know it's secure? Non-technical users have no way of knowing; expensive software is just as likely (if not more likely) to have security issues as Open Source software. Software that claims to be secure can be just as insecure as software that makes no such claims.

Security is a process not a product. You can't buy security. Things like proxies, mod_security, firewalls, IDS, etc. are all bandaids that you put over problems, and they're usually "preventing" ancient exploits that have already been fixed in the underlying software (assuming you're running the latest version). They might prevent some attacks, but if you're running insecure versions of your software underneath, a determined attacker will find a way in.

In short: Security is hard. The new hotness is easy and is an easier sell.

I think there will be increased demand for such a thing, but the security features a secure PaaS could provide (network and application firewalls) are never going to be a 100% solution. There is no substitute for building your product securely and no PaaS will do that for you.

I think there are 2 factors here, one being the unanimity of the hacker community in regards to Sony's treatment of GeoHot, other hackers, and its early adopter fan base.

Secondly, there seems to be systemic incompetence all over the shoppe, so many entry points for attack; it's just a matter of time before attackers find them.

I don't generally form strong opinions on topics like these, but in this case, I will definitely be using the rays from their victory candescence to stay warm this winter.

You only need one junior dev to touch software before the whole site is at risk.

If they have a security team (which I hope they do), I feel bad for them (considering the last few weeks). Probably were under staffed and ignored for a long time and now are under a terrible pressure.

And they will probably be lucky not to be fired, instead of getting what they should, which is getting more funding. Of course this is assuming that your guess is correct.

It's not more funding they need; it's people that actually know what they're doing. Let's face it: all systems are hackable in some way, but it is security's job to make those hacks have minimal effects. This skill requires people who actually know the general security principles that are taught at most technical institutes today.

You can't possibly make that judgement from outside. If their security team consisted of two people, the surface area was just too large. In that situation, I'd be worried about protecting trade secrets and intellectual property and to hell with the web sites.

If it consisted of 20 people, I would agree with you: they would still be hackable, but the embarrassing simplicity of the hacks should have been covered.

Without knowing details of the team, it is just an unsubstantiated guess and/or heaping crap on Sony (who, as a company, I can't stand).

If their team consisted of two competent people, they would have made a stink about storing passwords in plaintext. They wouldn't have been able to make sure the website was secure, but they could have minimized the fallout from a breach.

Not with as distributed as Sony is. Remember, Sony is not a single company. It is like a gazillion companies, divided by country and business type. Have you ever tried communicating across business units in a large, multi-national company? It is a nightmare.

I'm not excusing Sony: they screwed up big time. I'm simply saying that we can't infer that their security team (if it even exists) is incompetent.

Agreed. They're losing customer data, which is bad, but they're not a web company. If the schematics and firmware for their computers, TVs, cameras, media players, or PlayStations were leaked, then Sony would be more concerned.

I'm surprised the hackers are still going after customer data, and haven't started targeting IP yet.

My guess is that the hackers are going more for publicity than for anything else. As much as it should be, stealing the firmware for the PS3 isn't really "newsworthy"; stealing a million credit cards gets you on every front page in North America.

We would likely have no way of knowing if the hackers were going after the IP. Sony just may have that security right.

I don't know why we are so sympathetic towards them - either they are just bad at security or understaffed and thus just can't maintain everything. Both options are about as probable.

Obscure hack that was hard to defend against (DNS or OS vuln) I'd feel sad about.

Not encrypting customer data and transport, plain text passwords, etc.. doesn't make me feel sad, at all.

All of this started with the geohot affair?

I think this started in 2005 with the Sony Rootkit. [1]

At that time it was pretty clear that they didn't care much about their customers' security. However, it was not (yet) clear that they didn't care much about their servers' security, either.

[1] http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...

More or less.

1. Sony removes "Install Other Operating Systems" option from the PS3 OS.

2. Out of frustration at corporate policy for REMOVING major features from hardware/device paid for and owned by millions, the hackers start working.

3. Months later, GeoHot releases (what I understand to be) the root private encryption keys for the device.

3.5 (forgot this) fail0verflow group circumvents the PS3's security system using this work from GeoHot - http://www.youtube.com/watch?v=4loZGYqaZ7I

4. Other hacking groups, now with the keys to the kingdom, begin working on hacking the PS3 to allow the installation of any software, not just officially released/signed/blessed releases. This results in a "jailbreak" for the PS3, much like what jailbreaking does to the lock-down security on an iPhone.

(This is when things start to go south)

5. A technique for loading your own software onto the PS3, circumventing the system's security checks comes out.

(Now the door to pirating PS3 games is open. Download images, burn the Blu-rays, pop them in the PS3 and play).

6. Another hacking group, using some portion of this manipulation, actually manages to get their PS3s logged into the private developer-based PSN network (it's a full copy of the real PSN network specifically for developers actively working on titles that need to test things like updates or addon downloads/installs).

7. It is discovered that the PSN-Dev network does not do real credit card authentication before items are purchased and downloaded. So for example, if I work at BioWare, and I'm on PSN-Dev, I can technically download any of the standalone games from the network and play them by entering a credit card of "111" or something silly - http://www.reddit.com/r/gaming/comments/gx6o4/im_a_moderator...

8. The hacking group is able to pull software off the network, for free, and leak it to the web.

9. Some point very shortly after this, the real PSN gets the full intrusion.

I forget if the two are related or not... I don't recall if the group went PSN-Dev > PSN and that is how they got in, or if there was another group that did the straight PSN hack.

That is the gist of the avalanche that started with "We are removing Other-OS install support". Different groups piggy-backing on each other's work to retaliate.

The endless backlash against Sony seems to have been the result of them going after GeoHot. Then at some point it stopped being about retribution for him and just became the popular thing to do.

It is sort of getting old, so unless Sony does something to re-ignite the flames, I imagine the groups will move on in a month or two.


fail0verflow's presentation on how they circumvented the PS3's security (really cool presentation): http://www.youtube.com/watch?v=4loZGYqaZ7I

Post supposedly from one of the internal Sony folk during the total media black-out when the network first went down explaining the console-Dev-PSN-network issue: http://www.reddit.com/r/gaming/comments/gx6o4/im_a_moderator...

There are 2 critical points leading up to that list: When the very same GeoHot released a hardware glitch for PS3 OtherOS to let you use more of the system (extra SPU and GPU access rather than software rendering). It should be noted that this was ONLY OtherOS and required soldering. Did Sony really think that people were going to commercialize homebrew games that require hardware mods? Or did they know that GeoHot was onto something big? As revenge, Sony took away OtherOS for everybody and reassigned Geoff Levand.

And when GeoHot then hacked the 3.21 firmware just to get OtherOS back, Sony blocked it again. This was the point that forced the community's hand into looking for solutions that might also allow piracy (although the wheels may have been in motion already). Really, based on the PSP experience they should have known how this works.

Also, two other very critical steps:

Sony sought the right (and won it) to subpoena the IPs of everyone that had done as much as viewed GeoHot's blog, watched YouTube, Twitter, donated via PayPal, etc. [1].

Sony sought the right (and won) to search all of his computer equipment [2].

These are severely heavy-handed tactics. They wanted to embarrass and persecute him. They took this thing personally first.

1: http://www.wired.com/threatlevel/2011/03/geohot-site-unmaski...

2: http://www.destructoid.com/ps3-hacker-geohot-must-surrender-...

Max, thank you for the additions. I didn't actually know there had been a bit of back-and-forth before the big OtherOS-kill-off.

Thanks for the amazing compilation of sequential events.

Despite the noble 'little guy fights back' story, I'm starting to wonder if this will have an overall detrimental effect, give wings to Sarkozy's desire to police and control the internet, and overall limit consumer and business confidence in web security.

This is the first time that I have looked at any of these 'Sony' hacks. I had a quick look at their website, and the credits at the bottom clearly say that it was designed, developed and run by two third parties - yet they aren't mentioned in the headline.

I guess this serves as a proof that some large corporations don't take security seriously enough. And we're supposed to trust them with our data. I think we should have a "Hall of Shame" for all these companies that fail from a security perspective.

The first case was kinda shocking for me, because, after all, it was Sony who got hacked. Now, it seems just normal. It was a very bad 30 days for them.

Link to the hacked page: http://www.sonymusic.com.br/index.asp

It's the 8th time Sony was hacked this year, right?

12 hacks in 46 days. That's a rate of 1 hack every 3.83 days. And that means we can expect to see it get hacked again by Thursday this week. Everyone keep your eyes peeled!

Do you really think every time Sony is penetrated, it's announced and everything is dumped like Lulzsec and other loud mouths do? The much more likely thing is that these vulnerabilities were known for quite a while before.

It's quite amazing how repeated failure impacts the stock by only about $4/share or roughly 13%. I guess as long as consumers keep buying...

I don't know, 13% seems significant for a company like Sony.

It just proves that their customers don't care about anything as long as they can play...


No, because this defacing was done last year, and is still on-going, if I understand correctly.

Okay, this is sad. Not that Sony got hacked again, but that I'm putting Sony getting hacked and Yet-Another-Groupon-Article into the same basket: do we really need to post this? I mean, at this point, I'll assume Sony is constantly being hacked. Come back in 100 days and post "100 days since Sony was hacked". That would probably be more informative. As for Groupon: everyone has a weasel-filled opinion.

And I thought /. was plagued by duping stories.

I'm surprised there is no discussion about the images/message of the hacked homepage.
