Sony has been hacked again. This time more than 90,000 accounts for Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services were compromised in what looks like a simple Brute Force attack where the attacker or attackers simply tried common passwords against user accounts until they got in.

This attack strategy is hardly new and has been favoured in the past by Chinese hackers amongst others. Why? Its the oldest hack in the book. Its simple, easy to implement and relies on the fact that people are lazy or stupid or just dont care that passwords like “password” or “secret” or “s3cr3t” are easy to guess.

Whats surprising is that Sony STILL hasn’t implemented a strong enough password policy to force users into using at least moderately secure passwords.

How many times do they need to get compromised before they follow simple information security best practice guidance that is taught to EVERY information security officer as part of EVERY training or certification.

Sony’s CISO has posted a comforting blog message saying that this represented less than 0.1% of their user base and that no credit cards were compromised by the attackers (wouldn’t want to fall foul of PCI now would we…). Hes also said that compromised accounts have been locked and that Sony will help roll back any unauthorised transactions.

You can read his blog post here: *http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/

I have to say as a CISO he certainly has his job cut out for him if he doesn’t want Sony to take Microsoft’s place as the company routinely trashed for having consistently bad security practice.

It took microsoft YEARS of hard work to escape that image (if they even have fully yet),