Sony’s security nightmare just won’t end.
Earlier this week, malicious hackers released a bundle of personal information on thousands of Sony customers that was stolen — quite easily, according to the infiltrators — from Sony’s IT systems.
That was only the latest in a long series of cyberattacks the company’s been suffering since mid-April, which forced Sony to shut down its PlayStation Network for several weeks.
There’s speculation that these attacks are being launched in retaliation for Sony’s actions against hacker George Hotz, whom Sony sued for jailbreaking the PlayStation 3 and publishing the tools and techniques he used to do so on the Web.
As part of the settlement of the case, Hotz consented to a permanent injunction, but he severely criticized Sony.
The case had angered the hacker community, which vowed revenge.
Hacker activity against major corporations is nothing new, but what’s perhaps unusual about the blows Sony’s been enduring is their frequency and repetition. Typically when an organization is successfully targeted, the attack is limited to a single breach — sometimes large, sometimes small. With Sony, however, hackers from all corners appear to be ganging up on the consumer electronics giant, launching attacks that range from irritating pranks to large-scale theft of customer information.
Could Sony’s saga indicate the rise of the socio-political hacker, one who strides the Web like a god of vengeance, striking out at any organization that angers the techie community?
“This is less of a ‘let’s just grab some credit cards for our personal benefit or grab some emails to make them look bad'” sort of incident, Chris Lytle, a senior researcher at Veracode, told TechNewsWorld. “It’s a concerted brand and image attack just because people don’t like them.”
More such attacks may surface in the future.
“We live in a persistent state of cyber-insecurity due to the lack of efficacy of traditional defenses against advanced cyberattacks,” Ashar Aziz, founder and CEO of FireEye, commented.
The Blitzkrieg Against Sony
The Japanese entertainment giant is reeling under wave after wave of attacks of varying sizes and impact.
“Sony have probably had somewhere in the neighborhood of 20 security incidents in the past few months,” Lytle said.
“Previous breaches have been a one-and-done thing; this has been a concerted group of attacks,” he stated.
Few of the attacks share the same attack vector, and the hackers are targeting different business units within Sony, Lytle said. In addition to the Playstation Network, the hackers hit Sony BMG Greece, an unmaintained Sony sweepstakes site, Sony’s Thailand site, and the company’s Indonesian website, he added.
The hackers are “targeting Sony as a monolithic organization,” and some of the breaches are “rather small,” Lytle said.
Take, for example, the attack on Sony’s Indonesian website on May 21. “That wasn’t a high-impact attack; it was a simple website defacement, of which dozens occur every day,” Lytle remarked.
At the same time, though, there were other, more serious attacks launched that had more impact on Sony, such as the theft of credit card numbers from its databases, Lytle said.
Sony did not respond to requests for comment by press time.
Is Sony’s IT Infrastructure Flawed?
Perhaps Sony should share part of the blame — companies do have the responsibility to protect data their customers share with them. However, FireEye’s Aziz contends that all enterprises are vulnerable to cyberattacks to some degree.
“There are systemic vulnerabilities in every organization, and hackers have figured out how to exploit them,” Aziz told TechNewsWorld.
Those vulnerabilities are the legacy approach to attack detection, and they rely on reactive techniques such as signatures for defensive purposes, Aziz said.
Apple found that out in short order after releasing a defense against the MacGuard malware package this week; hackers circumvented that defense within hours, and the vendor is now playing cat-and-mouse with cyberattackers.
“No organization, no matter how well-run it is, is well-protected against this kind of attacks, because the new threat landscape has effectively obsoleted traditional enterprise security defenses,” Aziz sad.
LulzSec Laughs While Sony Weeps
The hacker group Lulz Security claimed responsibility for the most recent Sony attack.
On Friday, it claimed to have compromised the personal information of 1 million users on the SonyPictures.com website.
Lulz has posted some of the data taken from the databases of various Sony companies.
What’s Lulz Got to Do With It?
The word “lulz” is defined as laughter at someone else’s expense. To attack a site “for the lulz” suggests the motive lies in personal amusement, pulling a prank or making a social or political statement, rather than personal monetary gain. Regardless of the motive, though, an attack can have serious consequences.
“There have been a lot of security breaches across a lot of companies,” Veracode’s Lytle said. “We are seeing a lot more cybercrime, but that acts as a distractor for social- or political-based hacking.”
For example, the theft of credit cards from Sony’s databases has kept it from dealing with all the other attacks against it.
“Sony’s too busy dealing with the fact that 77 million cards have been stolen to deal with the other hacks,” Lytle said. “The different hacker groups are kicking them while they’re down.”
Waves of attacks could be launched at other targets, Lytle warned, if they have a wide enough presence that they can be attacked easily — and if they have angered a group of savvy Internet users.