Sony's new security plan: so many flaws hackers tire before hitting them all

Tiny ISP subsidiary takes small hit; big sites still show big flaws

At first glance, news another Sony property has been successfully hacked looked like a death-knell for the company's efforts to lock itself down against the crack in security that was looking more and more like a revolving door.

On second glance, it looked like a minor, copycat attack – a skirmish around the edges of Sony's giant online property line.

On third glance it was back to a micro version of the first glance – more the hotel clerk hitting the desktop bell summoning Death to sound the death knell than the Slow Toll itself.

The May 20 attack (someone had to sneak in one more exploit before being Raptured) was against Sony's So-Net ISP network – a tiny target compared to the PlayStation Network and SOE, which were both hacked and have been up and down like a yo-yo ever since.

Hackers took about $1,200 worth of "virtual points" – some kind of cash-equivalent promotional or customer-reward offer – but apparently not personal data on customers.

PCWorld's Matt Peckham points out the comparatively trivial size of the attack and its angst-inducing method: So-Net's updates admitted the crack happened after the same IP address tried to access the site thousands of times before it gained entry.

That makes it very likely the hack was some amateur running a brute-force password-cracking attack – the equivalent of breaking a store window with a brick compared to a devilishly stylish, impeccably timed heist by the digital equivalent of Ocean's Eleven.
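The So-Net pattern described above, thousands of attempts from one address followed by a successful login, is exactly the signal a review of authentication logs should surface long before the window is broken. The following Python is an added example, not code from this article, PCWorld, So-Net or Sony. It assumes a simple one-line-per-attempt log format of my own design (timestamp, client IP, result, user) and runs over constructed sample lines; the threshold and window values are illustrative, not anything So-Net published.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not So-Net's real format):
#   2011-05-20T01:00:05 198.51.100.23 login FAIL user=admin
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) login "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "ok": m["result"] == "OK",
        "user": m["user"],
    }


def detect_brute_force(lines, threshold=20, window=timedelta(minutes=10)):
    """Scan log lines in order and return alerts for password-guessing behaviour.

    - 'medium': an IP reaches `threshold` failed logins inside the sliding `window`
      (raised once per IP, when the threshold is first crossed).
    - 'high': an IP logs in successfully while it still has `threshold` or more
      failures in the window, i.e. the guessing apparently worked.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()               # IPs that already produced a 'medium' alert
    alerts = []

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # ignore lines in other formats
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                   # expire failures older than the window

        if ev["ok"]:
            if len(q) >= threshold:
                alerts.append({
                    "severity": "high", "ip": ev["ip"], "user": ev["user"],
                    "failures": len(q), "at": ev["ts"].isoformat(),
                    "reason": "successful login after sustained failures",
                })
            continue

        q.append(ev["ts"])
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append({
                "severity": "medium", "ip": ev["ip"], "user": ev["user"],
                "failures": len(q), "at": ev["ts"].isoformat(),
                "reason": "failed-login threshold exceeded within window",
            })
    return alerts


def build_sample_log():
    """Constructed sample log: one guessing client, one clumsy legitimate user."""
    t0 = datetime(2011, 5, 20, 1, 0, 0)
    lines = []
    # 50 failures in ~4 minutes from one address, then it gets in (TEST-NET-2 range).
    for i in range(50):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} 198.51.100.23 login FAIL user=admin")
    ts = (t0 + timedelta(seconds=5 * 50)).isoformat(timespec="seconds")
    lines.append(f"{ts} 198.51.100.23 login OK user=admin")
    # A real user mistypes twice, then succeeds (TEST-NET-3 range): no alert expected.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (t0 + timedelta(minutes=10, seconds=30 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} 203.0.113.7 login {result} user=alice")
    return lines


if __name__ == "__main__":
    for alert in detect_brute_force(build_sample_log()):
        print(alert)
```

On a real system the same function can be fed a file object (`detect_brute_force(open("/path/to/auth.log"))`) once `LOG_RE` is adapted to that system's format; the point is that the first alert fires at the twentieth failure, not the thousandth, and that a success following a burst of failures is treated as the more serious event.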

That's a pretty cheesy way to get hacked if you're one of the leading technology companies on the planet, even if you might not have had time to run all the new security you'd like to on all your varied properties because you were still distracted by the effort of getting victims of the original pillage back online.

A week before someone threw a brick through So-Net, a U.S.-based security researcher used a plain browser and Google search to find a number of easily exploitable flaws that could give hackers easy access to logins, usernames and information on security that would make other attacks far easier.

Among the invitations (too glaringly insecure to be called "flaws") found by John Bumgarner, CTO of the federally funded Internet security research company U.S. Cyber Consequences, was a sweepstakes app created for the 2001 Christmas season and defunct since then, which had been designed to collect registrations and give registrants access to systems deeper in Sony's network.

Another pointed Bumgarner to a server running an identity management system that controlled access to and logins for the Sony Pictures Entertainment network.

That one provided good evidence of Sony's new security-conscious IT policies: Bumgarner found it by doing a Google search using the term "site:.Sony.com identity."

As if some ignorant hacker could ever figure out a trick like that.

Sony told Reuters it fixed the flaws right away. This morning the search still led the way to a Sony login server, and another and another before I got tired of looking -- but not to the actual login data. Which, I suppose, is an improvement.
