Spotlight falls on Sony's troubled cybersecurity

Jun 03, 2011 By RAPHAEL G. SATTER , Associated Press
Spotlight falls on Sony's troubled cybersecurity (AP)
This is a Thursday, May 26, 2011 file photo of people walking by Sony Building in Tokyo's Ginza shopping district in Tokyo. Another massive data breach at Sony has left hackers exulting, customers steaming and security experts questioning why basic fixes haven't been made to the company's stricken cybersecurity program. (AP Photo/Shizuo Kambayashi, File)

(AP) -- Another massive data breach at Sony has left hackers exulting, customers steaming and security experts questioning why basic fixes haven't been made to the company's stricken cybersecurity program.

Hackers say they managed to steal a massive trove of personal information from Sony Pictures' website using a basic technique which they claim shows how poorly the company guards its users' secrets. experts agreed Friday, saying that the company's security was bypassed by a well-known attack method by which rogue commands are used to extract sensitive data from poorly-constructed websites.

"Any website worth its salt these days should be built to withstand such attacks," said Graham Cluley, of firm Sophos. Coming on the heels of a massive security breach that compromised more than 100 million user accounts associated with Sony's PlayStation and online entertainment networks, Cluley said the latest attack suggested that hackers were lining up to give the company a kicking.

"They are becoming the whipping boy of the computer underground," he said.

Culver City, California-based has so far declined to comment beyond saying that it is looking into the reported attack - which saw many users' names, home addresses, phone numbers, emails, and passwords posted on the Web.

It wasn't clear how many people were affected. The hackers, who call themselves Lulz Security - a reference to the Internetspeak for "laugh out loud"- boasted of compromising more than 1 million users' personal information - although it said that a lack of resources meant it could only leak a selection on the Web. Their claim could not be independently verified, but several people whose details were posted online confirmed their identities to The Associated Press.

Lulz Security ridiculed Sony for the ease with which it stole the data, saying that the company stored peoples' passwords in a simple text file - something it called "disgraceful and insecure."

Several emails sent to accounts associated with the hackers as well as messages posted to the microblogging site Twitter were not returned, but in one of its tweets Lulz Security expressed no remorse.

"Hey innocent people whose data we leaked: blame Sony," it said.

Sony's customers - many of whom had given the company their information for sweepstakes draws - appeared to agree.

Tim Rillahan, a 39-year-old computer instructor in Ohio, said he was extremely upset to find email address and password posted online for "the whole world to see."

"I have since been changing my passwords on every site that uses a login," he said in an email Friday. "Sony stored our passwords in plain text instead of encrypting the information. It shows little respect to us, their customers."

He and others complained that they had yet to hear from the company about the breach, news of which is nearly a day old.

John Bumgarner, the chief technology officer for the U.S. Cyber Consequences Unit - a research group devoted to monitoring Internet threats - was emphatic when asked whether users' passwords could be left unencrypted.

"Never, never, never," he said. "Passwords should always be hashed. Some kind of encryption should be used."

Bumgarner, who's been critical of Sony's security in the past, said the company needed to take a hard look at how it safeguards its data.

"It's time for Sony to press reset button on their cybersecurity program before another incident occurs," he said.

Explore further: Net neutrality balancing act

5 /5 (1 vote)
add to favorites email to friend print save as pdf

Related Stories

Hackers claim new Sony cyberattack

Jun 03, 2011

Hackers have claimed to have compromised more than one million passwords, email addresses and other information from SonyPictures.com in the latest cyberattack on the Japanese electronics giant.

Hackers claim stealing SonyPictures.com passwords

Jun 02, 2011

Hackers claimed on Thursday to have stolen more than one million passwords, email addresses and other information from SonyPictures.com in the latest cyberattack on the Japanese electronics giant.

More Sony websites hacked, 8,500 Greek accounts hit

May 24, 2011

Sony on Tuesday said its websites in three countries had been hacked with 8,500 Greek user accounts compromised, in a blow to efforts to restore confidence after a huge data breach affecting millions.

Japan orders Sony to improve data security

May 27, 2011

Sony was told by the Japanese government on Friday to strengthen its data security as the electronics and entertainment giant reels from a series of attacks by hackers.

Sony Ericsson's Canada site hacked: company

May 25, 2011

Hackers have attacked Sony Ericsson's Canadian eShop website, affecting 2,000 users, the latest online strike against the Japanese electronics and entertainment giant, a Sony spokesman said Wednesday.

Recommended for you

Net neutrality balancing act

4 hours ago

Researchers in Italy, writing in the International Journal of Technology, Policy and Management have demonstrated that net neutrality benefits content creator and consumers without compromising provider innovation nor pr ...

Twitter rules out Turkey office amid tax row

Apr 16, 2014

Social networking company Twitter on Wednesday rejected demands from the Turkish government to open an office there, following accusations of tax evasion and a two-week ban on the service.

How does false information spread online?

Apr 16, 2014

Last summer the World Economic Forum (WEF) invited its 1,500 council members to identify top trends facing the world, including what should be done about them. The WEF consists of 80 councils covering a wide range of issues including social media. Members come ...

User comments : 8

Adjust slider to filter visible comments by rank

Display comments: newest first

Raygunner
not rated yet Jun 03, 2011
I think it's time to fire the entire IT department!
J-n
not rated yet Jun 03, 2011
It's time for Sony to be Charged for criminal negligence.

Would we not do something about a bank that held all of their customers money in easy to carry plastic bags in the lobby? Hold them at least PARTIALLY responsible when a theft occurs?

This is another example of a company putting the bottom line before the safety and satisfaction of their customers.
kaasinees
not rated yet Jun 03, 2011
Hashes are not just encryption. They use rainbow tables..
Recovering_Human
not rated yet Jun 03, 2011
I would kill for my last name to be "Lulz."
MarkyMark
not rated yet Jun 04, 2011
There should be some legal requirement that such companies HAVE to use some minimal security such as encrption for such information, why hasant this been done?
FrankHerbert
1 / 5 (1) Jun 04, 2011
It's time for Sony to be Charged for criminal negligence.

Would we not do something about a bank that held all of their customers money in easy to carry plastic bags in the lobby? Hold them at least PARTIALLY responsible when a theft occurs?

This is another example of a company putting the bottom line before the safety and satisfaction of their customers.


Banks might not be the best example ;-)
Msean1941
not rated yet Jun 04, 2011
"hasant"? And another former teacher rolls over in their grave.
Vendicar_Decarian
not rated yet Jun 06, 2011
Sony Rolly will save them. I'm sure of it.

More news stories

Tiny power plants hold promise for nuclear energy

Small underground nuclear power plants that could be cheaper to build than their behemoth counterparts may herald the future for an energy industry under intense scrutiny since the Fukushima disaster, the ...

Hand out money with my mobile? I think I'm ready

A service is soon to launch in the UK that will enable us to transfer money to other people using just their name and mobile number. Paym is being hailed as a revolution in banking because you can pay peopl ...

Classifying cognitive styles across disciplines

Educators have tried to boost learning by focusing on differences in learning styles. Management consultants tout the impact that different decision-making styles have on productivity. Various fields have ...