Sony has been hacked again. This time more than 90,000 accounts for Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services were compromised in what looks like a simple brute-force attack: the attacker or attackers tried common passwords against user accounts until some of those accounts let them in.

This attack strategy is hardly new and has been favoured in the past by Chinese hackers amongst others. Why? It's the oldest hack in the book. It's simple, easy to implement and relies on the fact that people are lazy or stupid or just don't care that passwords like "password" or "secret" or "s3cr3t" are easy to guess (the leet-speak substitutions in "s3cr3t" are in every attacker's wordlist, so they add nothing).
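The attack pattern described above is easy to spot in authentication logs if anyone is looking. The detector below is an added example and not code from the original post or from Sony; it runs over a constructed, hypothetical log format (`<timestamp> LOGIN_FAIL|LOGIN_OK user=<name> src=<ip>`) and flags both the classic vertical pattern (many failures against one account) and the horizontal pattern the post describes, where one source walks a list of accounts trying a common password against each. A login that succeeds from a flagged source or on a flagged account is reported as a probable compromise. The thresholds and window are assumptions chosen for the sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not Sony's real logs).
# 203.0.113.5 sprays one guess across many accounts and gets into "erin";
# 198.51.100.7 hammers "heidi" and gets in on the sixth try;
# 192.0.2.9 is a normal user who mistyped once.
SAMPLE_LOG = """\
2011-10-10T21:00:01Z LOGIN_FAIL user=alice src=203.0.113.5
2011-10-10T21:00:02Z LOGIN_FAIL user=bob src=203.0.113.5
2011-10-10T21:00:03Z LOGIN_FAIL user=carol src=203.0.113.5
2011-10-10T21:00:04Z LOGIN_FAIL user=dave src=203.0.113.5
2011-10-10T21:00:05Z LOGIN_OK user=erin src=203.0.113.5
2011-10-10T21:00:06Z LOGIN_FAIL user=frank src=203.0.113.5
2011-10-10T21:00:07Z LOGIN_FAIL user=grace src=203.0.113.5
2011-10-10T21:05:00Z LOGIN_FAIL user=heidi src=198.51.100.7
2011-10-10T21:05:10Z LOGIN_FAIL user=heidi src=198.51.100.7
2011-10-10T21:05:20Z LOGIN_FAIL user=heidi src=198.51.100.7
2011-10-10T21:05:30Z LOGIN_FAIL user=heidi src=198.51.100.7
2011-10-10T21:05:40Z LOGIN_FAIL user=heidi src=198.51.100.7
2011-10-10T21:05:50Z LOGIN_OK user=heidi src=198.51.100.7
2011-10-10T22:30:00Z LOGIN_FAIL user=ivan src=192.0.2.9
2011-10-10T22:40:00Z LOGIN_OK user=ivan src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse the hypothetical log format into (timestamp, event, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=10), per_user_fails=5, per_src_users=4):
    """Sliding-window brute-force detector (thresholds are assumed values).

    - an account with >= per_user_fails failures inside `window` is flagged (vertical attack)
    - a source failing against >= per_src_users distinct accounts inside `window`
      is flagged (horizontal attack / password spraying)
    - a LOGIN_OK on a flagged account or from a flagged source is a suspicious login
    Flags persist for the rest of the batch; a streaming detector would expire them.
    """
    user_fails = defaultdict(list)  # user -> [fail timestamps in window]
    src_fails = defaultdict(list)   # src  -> [(fail timestamp, user) in window]
    flagged_users, flagged_srcs, suspicious = set(), set(), []

    for ts, event, user, src in sorted(events):
        if event == "LOGIN_FAIL":
            uf = user_fails[user]
            uf.append(ts)
            while ts - uf[0] > window:
                uf.pop(0)
            if len(uf) >= per_user_fails:
                flagged_users.add(user)

            sf = src_fails[src]
            sf.append((ts, user))
            while ts - sf[0][0] > window:
                sf.pop(0)
            if len({u for _, u in sf}) >= per_src_users:
                flagged_srcs.add(src)
        elif user in flagged_users or src in flagged_srcs:
            suspicious.append((ts, user, src))

    return {
        "brute_forced_accounts": flagged_users,
        "spraying_sources": flagged_srcs,
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    for key, value in detect(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Note that a per-account lockout alone would never catch the spraying source: each account sees a single failure, so the source-level view is what matters for this attack, and it is the view that also suggests the right response (rate-limit or block the source, not just lock the victims).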

What's surprising is that Sony STILL hasn't implemented a strong enough password policy to force users into using at least moderately secure passwords.
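A password policy that actually stops this attack has to do more than demand a digit and a capital letter; it has to reject the passwords attackers try first, including their leet-speak and "append 123" variants. The check below is an added example, not Sony's code or anything from the original post. The blocklist is a constructed handful of entries standing in for the tens of thousands of most common leaked passwords a real deployment would load, and the minimum length is an assumed value.

```python
import re

# Constructed stand-in for a real common-password blocklist (assumption: a real
# deployment loads a large list of the most frequently leaked passwords).
COMMON_PASSWORDS = {
    "password", "secret", "letmein", "qwerty", "123456",
    "welcome", "abc123", "sony", "playstation",
}

# Leet substitutions attackers' wordlists undo (and therefore try) as a matter of course.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalise(pw):
    """Reduce a password to the base word an attacker would guess.

    Lower-case it, drop trailing digits/symbols ("Password123!" -> "password"),
    then undo leet substitutions ("s3cr3t" -> "secret", "p@ssw0rd" -> "password").
    """
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET_MAP)


def check_password(pw, username="", min_len=12):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Check the raw value (catches "123456") and the normalised value (catches "S3cr3t!").
    base = normalise(pw)
    if pw.lower() in COMMON_PASSWORDS:
        problems.append(f"'{pw}' is a common password")
    elif base in COMMON_PASSWORDS:
        problems.append(f"normalises to common password '{base}'")

    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    return problems


if __name__ == "__main__":
    for candidate in ["s3cr3t", "Password123!", "123456", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The point of the normalisation step is that composition rules on their own push users from "secret" to "S3cr3t!" and call it an improvement, while a blocklist applied after normalisation treats both as the same guessable word. Length plus a large blocklist does more to defeat an online guessing attack than any character-class requirement, and it should sit alongside rate limiting on the login endpoint rather than replace it.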

How many times do they need to get compromised before they follow the simple information security best-practice guidance that is taught to EVERY information security officer as part of EVERY training course or certification?

Sony's CISO has posted a comforting blog message saying that this represented less than 0.1% of their user base and that no credit cards were compromised by the attackers (wouldn't want to fall foul of PCI now, would we...). He's also said that compromised accounts have been locked and that Sony will help roll back any unauthorised transactions.

You can read his blog post here: http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/

I have to say that, as a CISO, he certainly has his job cut out for him if he doesn't want Sony to take Microsoft's place as the company routinely trashed for consistently bad security practice.

It took Microsoft YEARS of hard work to escape that image (if it has even fully done so yet).


About Marc Rogers

Marc has been a hacker since the 80s and has worked in the security industry for almost 20 years. Some of Marc's professional highlights include a decade managing security at the operator Vodafone plc, and 5 years working as the CSO for a real estate and asset management conglomerate in South Korea. Known as "Cyberjunky", "Cjunky" or just "CJ" in the hacker community, Marc is the Head of Security and part of the CFP review board for DEF CON, the world's largest hacker conference. After spending more than 15 years wrangling hackers, criminals and spooks, Marc has seen it all. Sometimes several times at once. Professionally, Marc uses his skills as a whitehat hacker and security evangelist to bring a positive outlook on security to today's global organizations. It's this outlook that Marc used when he helped put together the award-winning BBC series "The Real Hustle". Today Marc works as the Principal Security Researcher for Lookout Mobile Security.
